Adaptive Threat Profiling Use Cases
The following use cases demonstrate how adaptive threat profiling can automate threat detection, asset classification, and response across diverse network environments.
Threat Detection Use Case
In this example, we will continue with the definition of the
High_Risk_Users use case, with the goal of identifying any
unusual activity which might suggest an endpoint has been compromised.
-
Create a policy that detects the usage of The Onion Router (TOR), Peer-to-Peer (P2P), and Anonymizers / Proxies and add the their source IP addresses to the
High_Risk_Usersfeed.[edit security policies global policy Unwanted_Applications] admin@vSRX# show match { source-address any; destination-address any; application junos-defaults; dynamic-application [ junos:p2p junos:web:proxy junos:TOR junos:TOR2WEB ]; } then { deny { application-services { security-intelligence { add-source-ip-to-feed { High_Risk_Users; } } } } log { session-close; -
Create a second policy that looks for communication with known malicious sites and malware Command-and-Control (C&C) infrastructure as well as newly registered domains and adds it to High_Risk_Users feed.
[edit security policies global policy URL-C2-Detection] admin@vSRX# show match { source-address any; destination-address any; application [ junos-http junos-https ]; dynamic-application any; url-category [ Enhanced_Compromised_Websites Enhanced_Emerging_Exploits Enhanced_Keyloggers Enhanced_Malicious_Embedded_Link Enhanced_Malicious_Embedded_iFrame Enhanced_Malicious_Web_Sites Enhanced_Newly_Registered_Websites ]; } then { deny { application-services { security-intelligence { add-source-ip-to-feed { High_Risk_Users; } } } } log { session-close; } } } } -
Create an IDP policy that identifies unusual scanning activity and brute-force attempts.
[edit security idp idp-policy Threat_Profiling rulebase-ips rule Scanners] admin@vSRX# show match { attacks { predefined-attacks [ SCAN:NMAP:FINGERPRINT SCAN:METASPLOIT:SMB-ACTIVE SCAN:METASPLOIT:LSASS SMB:AUDIT:BRUTE-LOGIN APP:RDP-BRUTE-FORCE FTP:PASSWORD:BRUTE-FORCE LDAP:FAILED:BRUTE-FORCE SSH:BRUTE-LOGIN ]; } } then { action { drop-connection; } notification { log-attacks; packet-log; } application-services { security-intelligence { add-attacker-ip-to-feed High_Risk_Users; } } }Note:This example shows a policy to deploy on a Tap-based SRX Series Firewall sensor. The example does not make sense to deploy on an inline device due to the permissive nature of the rule. In production, we recommend being more restrictive.
-
Apply the IDP rulebase to a security policy to take effect.
[edit security policies global policy IDP_Threat_Profiling] admin@vSRX# show match { source-address any; destination-address any; application any; dynamic-application any; } then { permit { application-services { idp-policy Threat_Profiling; } } log { session-close; } } -
Create a simple rule at the top of the rule base which drops any traffic from hosts within the
High_Risk_Usersthreat feed.[edit security policies global policy Drop_Risky_Users] admin@vSRX# show match { source-address High_Risk_Users; destination-address any; application any; } then { deny; log { session-close; } }
Asset Classification Use Case
In this example, we will leverage AppID to identify Ubuntu and RedHat servers in an environment and add the servers to feed for use by other devices.
Many legacy devices lack the compute power for Deep-Packet Inspection (DPI). Adaptive threat profiling allows you to share DPI classification results between newer and older platforms.
Create a security policy that identifies Advanced Packaging Tool (APT) and Yellowdog Updater, Modified (YUM) communication with Ubuntu and RedHat Update servers:
[edit security policies global policy Linux_Servers]
admin@vSRX# show
match {
source-address any;
destination-address any;
application junos-defaults;
dynamic-application [ junos:UBUNTU junos:REDHAT-UPDATE ];
}
then {
permit {
application-services {
security-intelligence {
add-source-ip-to-feed {
Linux_Servers;
}
}
}
}
}
Compromised Application Use Case
In this example, the user who is using a compromised application is added to the infected-hosts feed.
We will continue with the definition of the High_Risk_Users use case, with the goal of identifying any unusual activity which might suggest an endpoint has been compromised. We create a policy that detects the The Onion Router (TOR) usage and adds the source identity to the High_Risk_Users feed.
[edit security policies global policy Compromised_Applications]
admin@vSRX# show
match {
source-address any;
destination-address any;
source-identity authenticated-user;
dynamic-application junos:TOR;
}
then {
deny {
application-services {
security-intelligence {
add-source-identity-to-feed High_Risk_Users;
}
}
}
}