Adaptive Threat Profiling Use Cases
Threat Detection Use Case
In this example we continue with the definition of the High_Risk_Users use case. The goal is to identify any unusual activity which might suggest that an endpoint has been compromised, and to feed the source addresses of that activity back into a policy that blocks them.
- Create a policy that detects the use of The Onion Router (TOR), Peer-to-Peer (P2P) and anonymizers/proxies, and adds the source IP address of each matching session to the High_Risk_Users feed.

[edit security policies global policy Unwanted_Applications]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application junos-defaults;
    dynamic-application [ junos:p2p junos:web:proxy junos:TOR junos:TOR2WEB ];
}
then {
    deny {
        application-services {
            security-intelligence {
                add-source-ip-to-feed {
                    High_Risk_Users;
                }
            }
        }
    }
    log {
        session-close;
    }
}
- Create a second policy that looks for communication with known malicious sites, malware Command-and-Control (C2) infrastructure and newly registered domains, and adds the source IP address to the High_Risk_Users feed.

[edit security policies global policy URL-C2-Detection]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application [ junos-http junos-https ];
    dynamic-application any;
    url-category [ Enhanced_Compromised_Websites Enhanced_Emerging_Exploits Enhanced_Keyloggers Enhanced_Malicious_Embedded_Link Enhanced_Malicious_Embedded_iFrame Enhanced_Malicious_Web_Sites Enhanced_Newly_Registered_Websites ];
}
then {
    deny {
        application-services {
            security-intelligence {
                add-source-ip-to-feed {
                    High_Risk_Users;
                }
            }
        }
    }
    log {
        session-close;
    }
}
- Create an IDP policy that identifies scanning activity and brute-force login attempts, and adds the attacker IP address to the High_Risk_Users feed.

[edit security idp idp-policy Threat_Profiling rulebase-ips rule Scanners]
admin@vSRX# show
match {
    attacks {
        predefined-attacks [ SCAN:NMAP:FINGERPRINT SCAN:METASPLOIT:SMB-ACTIVE SCAN:METASPLOIT:LSASS SMB:AUDIT:BRUTE-LOGIN APP:RDP-BRUTE-FORCE FTP:PASSWORD:BRUTE-FORCE LDAP:FAILED:BRUTE-FORCE SSH:BRUTE-LOGIN ];
    }
}
then {
    action {
        drop-connection;
    }
    notification {
        log-attacks;
        packet-log;
    }
    application-services {
        security-intelligence {
            add-attacker-ip-to-feed High_Risk_Users;
        }
    }
}

Note: This is an example of a safe policy to deploy on a Tap-based SRX sensor. It does not make sense to deploy on an in-line device because of the permissive nature of the rule. In production, we recommend being more restrictive.
- Apply the IDP rulebase to a security policy so that it takes effect.

[edit security policies global policy IDP_Threat_Profiling]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application any;
    dynamic-application any;
}
then {
    permit {
        application-services {
            idp-policy Threat_Profiling;
        }
    }
    log {
        session-close;
    }
}
- Create a simple rule at the top of the rulebase that drops any traffic from hosts in the High_Risk_Users threat feed.

[edit security policies global policy Drop_Risky_Users]
admin@vSRX# show
match {
    source-address High_Risk_Users;
    destination-address any;
    application any;
}
then {
    deny;
    log {
        session-close;
    }
}
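The five steps above form one feedback loop: detection policies populate High_Risk_Users, and Drop_Risky_Users consumes it, which is why it has to sit at the top of the rulebase. The following Python model, added here as an illustration and not Juniper code, makes that loop visible. It parses the curly-brace show output used on this page (the parser is a hypothetical helper, not a Junos tool), replays a few constructed sessions through Unwanted_Applications, IDP_Threat_Profiling and Drop_Risky_Users, and shows that the same flagged host is dropped when Drop_Risky_Users is first but permitted by the permit-any IDP policy when it is last. The policy, feed and application names are the page's own; the IDP rule is shortened to two of the page's attack names; policy lookup is a simplified first-match model with no zones or address books and a default deny.

```python
import re

def parse_junos(text):
    """Turn Junos brace-format config into nested dicts (hypothetical helper).
    Leaves become True, a single string, or a list for '[ ... ]' values."""
    tokens = re.findall(r"[{};\[\]]|[^\s{};\[\]]+", text)
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                if tokens[pos] == "[":            # bracketed list value
                    end = tokens.index("]", pos)
                    words.append(tokens[pos + 1:end])
                    pos = end + 1
                else:
                    words.append(tokens[pos])
                    pos += 1
            if tokens[pos] == "{":                # nested block, keyed by its header
                pos += 1
                node[" ".join(words)] = block()
                pos += 1                          # consume the closing '}'
            else:                                 # leaf statement
                pos += 1                          # consume ';'
                node[words[0]] = (True if len(words) == 1 else
                                  words[1] if len(words) == 2 else words[1:])
        return node

    return block()

# Three of the page's policies, wrapped in 'policy NAME { ... }' so they share one string.
POLICIES = """
policy Unwanted_Applications {
    match { source-address any; destination-address any; application junos-defaults;
            dynamic-application [ junos:p2p junos:web:proxy junos:TOR junos:TOR2WEB ]; }
    then { deny { application-services { security-intelligence {
               add-source-ip-to-feed { High_Risk_Users; } } } }
           log { session-close; } } }
policy IDP_Threat_Profiling {
    match { source-address any; destination-address any; application any; dynamic-application any; }
    then { permit { application-services { idp-policy Threat_Profiling; } } log { session-close; } } }
policy Drop_Risky_Users {
    match { source-address High_Risk_Users; destination-address any; application any; }
    then { deny; log { session-close; } } }
"""
# The page's Scanners rule, shortened to two of its predefined attacks.
IDP_RULES = """
rule Scanners {
    match { attacks { predefined-attacks [ SCAN:NMAP:FINGERPRINT SSH:BRUTE-LOGIN ]; } }
    then { action { drop-connection; }
           application-services { security-intelligence { add-attacker-ip-to-feed High_Risk_Users; } } } }
"""

def feed_name(value):
    """add-*-to-feed appears both as a leaf and as a one-entry block on the page."""
    return value if isinstance(value, str) else next(iter(value))

def matches(match, session, feeds):
    src = match.get("source-address", "any")
    if src != "any" and session["src"] not in feeds.get(src, set()):
        return False                              # feed-based source match
    apps = match.get("dynamic-application", "any")
    if apps != "any":
        apps = [apps] if isinstance(apps, str) else apps
        if session.get("app") not in apps:
            return False
    return True

def evaluate(session, policies, idp_rules, feeds):
    """First matching policy wins; feeds is updated in place. Returns 'permit' or 'deny'."""
    for pol in policies.values():
        if not matches(pol["match"], session, feeds):
            continue
        then = pol["then"]
        if "deny" in then:
            svc = then["deny"] if isinstance(then["deny"], dict) else {}
            sec = svc.get("application-services", {}).get("security-intelligence", {})
            if "add-source-ip-to-feed" in sec:
                feeds.setdefault(feed_name(sec["add-source-ip-to-feed"]), set()).add(session["src"])
            return "deny"
        permit = then.get("permit")
        if isinstance(permit, dict) and "idp-policy" in permit.get("application-services", {}):
            for rule in idp_rules.values():       # IDP inspection of permitted traffic
                if session.get("attack") in rule["match"]["attacks"]["predefined-attacks"]:
                    sec = rule["then"]["application-services"]["security-intelligence"]
                    feeds.setdefault(feed_name(sec["add-attacker-ip-to-feed"]), set()).add(session["src"])
                    return "deny"                 # drop-connection
        return "permit"
    return "deny"                                 # Junos default policy

def run_scenario(order):
    """Replay constructed sessions through the three policies in the given order.
    Returns the per-session verdicts and the resulting High_Risk_Users feed."""
    policies = parse_junos(POLICIES)
    ordered = {n: policies["policy " + n] for n in order}
    feeds = {}
    sessions = [                                  # constructed sample traffic
        {"src": "10.1.1.5", "app": "junos:TOR"},                            # TOR client
        {"src": "10.1.1.9", "app": "junos:web", "attack": "SSH:BRUTE-LOGIN"},  # brute-forcer
        {"src": "10.1.1.5", "app": "junos:web"},  # later, ordinary traffic from the flagged host
        {"src": "10.1.1.7", "app": "junos:web"},  # clean host
    ]
    verdicts = [evaluate(s, ordered, parse_junos(IDP_RULES), feeds) for s in sessions]
    return verdicts, sorted(feeds.get("High_Risk_Users", ()))
```

Calling run_scenario(["Drop_Risky_Users", "Unwanted_Applications", "IDP_Threat_Profiling"]) denies all three sessions from the two flagged hosts and permits only the clean one; with Drop_Risky_Users moved to the end, the flagged host's ordinary traffic is permitted by IDP_Threat_Profiling before the feed is ever consulted.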
Asset Classification Use Case
In this example we use AppID to identify Ubuntu and RedHat servers in an environment and add them to a feed that other devices can consume.
Because many legacy devices lack the compute power required for Deep-Packet Inspection (DPI), adaptive threat profiling provides a flexible way to share DPI classification results between the newer and older platforms in your environment.
Create a security policy that identifies Advanced Packaging Tool (APT) and Yellowdog Updater, Modified (YUM) communication with Ubuntu and RedHat Update servers:
[edit security policies global policy Linux_Servers]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application junos-defaults;
    dynamic-application [ junos:UBUNTU junos:REDHAT-UPDATE ];
}
then {
    permit {
        application-services {
            security-intelligence {
                add-source-ip-to-feed {
                    Linux_Servers;
                }
            }
        }
    }
}
Compromised Application Use Case
In this example, the user who is using a compromised application is added to the infected-hosts feed.
We continue with the definition of the High_Risk_Users use case, with the goal of identifying any unusual activity which might suggest that an endpoint has been compromised. Here we create a policy that detects The Onion Router (TOR) usage and adds the source identity (the authenticated user, rather than the source IP address) to the High_Risk_Users feed.
[edit security policies global policy Compromised_Applications]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    source-identity authenticated-user;
    dynamic-application junos:TOR;
}
then {
    deny {
        application-services {
            security-intelligence {
                add-source-identity-to-feed High_Risk_Users;
            }
        }
    }
}