Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Adaptive Threat Profiling Overview

Overview

Juniper ATP Cloud Adaptive Threat Profiling allows SRX Series devices to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events.

This feature allows you to configure security or IDP policies that, when matched, inject the source IP address, destination IP address, source identity, or destination identity into a threat feed, which can be leveraged by other devices as a dynamic-address-group (DAG). While this feature is focused on tracking and mitigating threat actors within a network, you can also use it for non-threat related activities, such as device classification.

With adaptive threat profiling, the Juniper ATP Cloud service acts as a feed-aggregator and consolidates feeds from SRX across your enterprise and shares the deduplicated results back to all SRX series devices in the realm at regular intervals. SRX Series devices can then use these feeds to perform further actions against the traffic.

Note:

This feature requires a SecIntel License (Premium model) to function. Additional detection capabilities might require AppID, IDP, and Enhanced Web Filtering licenses to be added to your device if not already present. For information on other licensed features, see Juniper Advanced Threat Prevention Cloud License Types.

Benefits of adaptive threat profiling

  • Enables new deployment architectures, whereby low cost SRX Series devices can be deployed as sensors throughout the network on Tap ports, identifying and sharing intelligence to in-line devices for real-time enforcement.

  • Allows administrators near-infinite adaptability to changing threats and network conditions. Security policies can be staged with adaptive threat profiling feeds, which automatically populate with entries in the event of an intrusion or a malware outbreak.

  • Provides the ability to perform endpoint classification. You can classify endpoints based on network behavior and/or deep packet inspection (DPI) results. For example, you can leverage AppID, Web-Filtering, or IDP to place hosts that communicate with Ubuntu’s update servers into a dynamic-address-group that can be used to control Ubuntu-Server behavior on your network.

Access this page from Configure > Adaptive Threat Profiling.

Table 1: Adaptive Threat Profiling

Field

Guideline

Feed Name

Name of the adaptive threat profiling feed.

Items

Number of entries in the feed.

Feed Type

Content type of the feed. The following options are supported:

  • IP

  • USER_ID

Added to Infected Hosts

Displays whether the feed content (for example, source or destination IP address) is added to the Infected host feed.

  • True—The feed content is added to the Infected host feed.

  • False—The feed content is not added to the Infected host feed.

Note:

Currently you can add only IP address feed type to the Infected host feed.

Time to Live (days)

Defines how long an entry will “live” inside the feed. Once the TTL is reached, the entry is removed automatically.

Note:
  • The feeds can only be used as dynamic-address groups (DAG) /IP filter.

You can perform the following tasks from this page:

  • Add a new feed—See Create an Adaptive Threat Profiling Feed.

  • Modify a feed—Select a feed and click the edit icon (pencil). The Edit <feed-name> page appears, displaying the same fields that were presented when you create a feed. Modify the fields as needed. Click OK to save your changes.

    Note:

    You cannot edit the feed name and feed type.

  • Delete a feed—Select a feed and click the delete icon in the title bar. A pop-up requesting confirmation for the deletion appears. Click Yes to confirm that you want to delete the feed.

  • Filter or Search for a feed—Click the filter icon. Enter partial text or full text of the keyword in the search bar and click the search button or press Enter. The search results are displayed. You can also filter by feed type and Time to Live (days).

  • View detailed information about a feed—Click on a feed name to view the following information:

    • Feed Items—Lists all the IP addresses or User IDs that are associated with the feed. To exclude an IP address or User ID from the feed, select the IP address or User ID and click Add to Excluded Items.

    • Excluded Items—Lists all the IP addresses or User IDs that are excluded from the feed. To remove an IP address or User ID for the excluded items list, select the IP address or User ID and click the Delete icon.

      To manually exclude an IP address or User ID from the feed:

      1. Click the plus (+) icon in the Excluded Items tab.

        The Add to Excluded List page appears.

      2. Enter the IP address or User ID that you want to exclude from the feed.

      3. Click OK.

        The IP address or User ID is listed in the Excluded items page.

Configure Adaptive Threat Profiling

An SRX Series device that has already been enrolled with Juniper ATP Cloud should include all the necessary configuration to begin leveraging adaptive threat profiling.

To begin, validate that the device already contains a URL for security-intelligence.

  1. Check the URL for the feed server.

    Your output should look similar to the following:

    Note:

    If the URL is not present in the configuration, try re-enrolling the device in Juniper ATP Cloud. See Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud.

  2. Create an adaptive threat profiling feed in Juniper ATP Cloud. Log into Juniper ATP Cloud UI, select Configure > Adaptive Threat Profiling. The Adaptive Threat Profiling page appears as shown in Figure 1. In this example, we will use the feed name High_Risk_Users with a time-to-live (TTL) of seven days.

    Figure 1: Add New FeedAdd New Feed
  3. Click OK to save changes. For more information, see Create an Adaptive Threat Profiling Feed.

  4. Ensure that the feed has been downloaded by your SRX Series device. This is done automatically at regular intervals but can take a few seconds.

    A manual download of the security-intelligence database can speed up this process, if necessary.

Deploy Adaptive Threat Profiling

You can deploy adaptive threat profiling on the SRX Series devices in the following ways:

  • As a detection solution

  • As an enforcement solution

  • As both detection and enforcement solution

To use adaptive threat profiling to detect threats, you can define adaptive threat profiling actions in the following locations:

  1. Within the security policy on deny, reject, and permit rules, where you can add the source and/or destination address of the flow to a feed of your choice.

  2. Within an IDP Policy as an application-service that adds the origin of the exploit (the attacker) or the target of the exploit to a feed of your choice.

    To take effect, you must apply the IDP policy to a traditional policy or unified policy.

Once the feed is created, it can then be referenced as a dynamic address group within a security policy as the source-address or destination-address match criteria.

In the following example, we have created a rule which allows authenticated users access to the Enterprise’s Crown Jewels, but are excluding any source-addresses that are part of the High_Risk_Users dynamic address group (sourced from the threat feed of the same name).

Use the following command to view the feed summary and status:

show services security-intelligence sec-profiling-feed status

show security dynamic-address category-name SecProfiling

Note:

Dynamic-address entries will only be displayed by this command if the feed name being referenced (High_Risk_Users in the example), has been used as a source or destination address in a security policy.

Feed contents can always be viewed in the Juniper ATP Cloud portal, regardless of their state on the SRX Series devices.

Use Case Examples

Threat Detection Use Case

In this example, we will continue with the definition of the High_Risk_Users use case, with the goal of identifying any unusual activity which might suggest an endpoint has been compromised.

  1. Create a policy that detects the usage of The Onion Router (TOR), Peer-to-Peer (P2P), and Anonymizers / Proxies and add the source IP address of these to the High_Risk_Users feed.

  2. Create a second policy that looks for communication with known malicious sites and malware Command-and-Control (C2) infrastructure as well as newly registered domains and adds it to High_Risk_Users feed.

  3. Create an IDP policy that identifies unusual scanning activity and brute-force attempts.

    Note:

    This is an example of a safe policy to deploy on a Tap-based SRX sensor. The example does not make sense to deploy on an in-line device due to the permissive nature of the rule. In production, we recommend being more restrictive.

  4. Apply the IDP rulebase to a security policy to take effect.

  5. Create a simple rule at the top of the rule-base which drops any traffic from hosts within the High_Risk_Users threat feed.

Asset Classification Use Case

In this example, we will leverage AppID to identify Ubuntu and RedHat servers in an environment and add them to feed for use by other devices.

As many legacy devices lack the compute power required to enable Deep-Packet Inspection (DPI), adaptive threat profiling can provide you a flexible way in which you can share DPI classification results between newer and older platforms in your environment.

Create a security policy that identifies Advanced Packaging Tool (APT) and Yellowdog Updater, Modified (YUM) communication with Ubuntu and RedHat Update servers:

Compromised Application Use Case

In this example, the user who is using a compromised application is added to the infected-hosts feed.

We will continue with the definition of the High_Risk_Users use case, with the goal of identifying any unusual activity which might suggest an endpoint has been compromised. We create a policy that detects the The Onion Router (TOR) usage and adds the source identity to the High_Risk_Users feed.