Adaptive Threat Profiling Overview
Overview
Juniper ATP Cloud Adaptive Threat Profiling allows SRX Series devices to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events.
This feature allows you to configure security or IDP policies that, when matched, inject the source IP address, destination IP address, source identity, or destination identity into a threat feed, which can be leveraged by other devices as a dynamic-address-group (DAG). While this feature is focused on tracking and mitigating threat actors within a network, you can also use it for non-threat related activities, such as device classification.
With adaptive threat profiling, the Juniper ATP Cloud service acts as a feed aggregator: it consolidates the feeds generated by the SRX Series devices across your enterprise and shares the deduplicated results back to all SRX Series devices in the realm at regular intervals. SRX Series devices can then use these feeds to take further action on matching traffic.
This feature requires a SecIntel License (Premium model) to function. Additional detection capabilities might require AppID, IDP, and Enhanced Web Filtering licenses to be added to your device if not already present. For information on other licensed features, see Juniper Advanced Threat Prevention Cloud License Types.
Benefits of adaptive threat profiling
Enables new deployment architectures, whereby low-cost SRX Series devices can be deployed as sensors on Tap ports throughout the network, identifying threats and sharing intelligence with in-line devices for real-time enforcement.
Allows administrators near-infinite adaptability to changing threats and network conditions. Security policies can be staged with adaptive threat profiling feeds, which automatically populate with entries in the event of an intrusion or a malware outbreak.
Provides the ability to perform endpoint classification. You can classify endpoints based on network behavior and/or deep packet inspection (DPI) results. For example, you can leverage AppID, Web-Filtering, or IDP to place hosts that communicate with Ubuntu’s update servers into a dynamic-address-group that can be used to control Ubuntu-Server behavior on your network.
Access this page from Configure > Adaptive Threat Profiling.
Field | Guideline
---|---
Feed Name | Name of the adaptive threat profiling feed.
Items | Number of entries in the feed.
Feed Type | Content type of the feed. The following options are supported:
Added to Infected Hosts | Displays whether the feed content (for example, source or destination IP address) is added to the Infected host feed. Note: Currently you can add only the IP address feed type to the Infected host feed.
Time to Live (days) | Defines how long an entry will "live" inside the feed. Once the TTL is reached, the entry is removed automatically.
Feeds can be used only as dynamic address groups (DAG) or IP filters.
You can perform the following tasks from this page:
Add a new feed—See Create an Adaptive Threat Profiling Feed.
Modify a feed—Select a feed and click the edit icon (pencil). The Edit <feed-name> page appears, displaying the same fields that were presented when you created the feed. Modify the fields as needed. Click OK to save your changes.
Note: You cannot edit the feed name or feed type.
Delete a feed—Select a feed and click the delete icon in the title bar. A pop-up requesting confirmation for the deletion appears. Click Yes to confirm that you want to delete the feed.
Filter or Search for a feed—Click the filter icon. Enter partial text or full text of the keyword in the search bar and click the search button or press Enter. The search results are displayed. You can also filter by feed type and Time to Live (days).
View detailed information about a feed—Click on a feed name to view the following information:
Feed Items—Lists all the IP addresses or User IDs that are associated with the feed. To exclude an IP address or User ID from the feed, select the IP address or User ID and click Add to Excluded Items.
Excluded Items—Lists all the IP addresses or User IDs that are excluded from the feed. To remove an IP address or User ID from the excluded items list, select the IP address or User ID and click the Delete icon.
To manually exclude an IP address or User ID from the feed:
Click the plus (+) icon in the Excluded Items tab.
The Add to Excluded List page appears.
Enter the IP address or User ID that you want to exclude from the feed.
Click OK.
The IP address or User ID is listed in the Excluded items page.
Configure Adaptive Threat Profiling
An SRX Series device that has already been enrolled with Juniper ATP Cloud should include all the necessary configuration to begin leveraging adaptive threat profiling.
To begin, validate that the device already contains a URL for security-intelligence.
Check the URL for the feed server. Your output should look similar to the following:

```
show services security-intelligence url
https://cloudfeeds.sky.junipersecurity.net/api/manifest.xml
```

Note: If the URL is not present in the configuration, try re-enrolling the device in Juniper ATP Cloud. See Enroll an SRX Series Device using Juniper ATP Cloud Web Portal.
Create an adaptive threat profiling feed in Juniper ATP Cloud. Log into Juniper ATP Cloud UI, select Configure > Adaptive Threat Profiling. The Adaptive Threat Profiling page appears as shown in Figure 1. In this example, we will use the feed name High_Risk_Users with a time-to-live (TTL) of seven days.
Figure 1: Add New Feed
Click OK to save changes. For more information, see Create an Adaptive Threat Profiling Feed.
Ensure that the feed has been downloaded by your SRX Series device. This is done automatically at regular intervals but can take a few seconds.
A manual download of the security-intelligence database can speed up this process, if necessary.
```
> request services security-intelligence download
> request services security-intelligence download status | match High_Risk_Users
Feed High_Risk_Users (20200615.1) root-logical-system of category SecProfiling download succeeded.
```
Deploy Adaptive Threat Profiling
You can deploy adaptive threat profiling on the SRX Series devices in the following ways:
As a detection solution
As an enforcement solution
As both detection and enforcement solution
To use adaptive threat profiling to detect threats, you can define adaptive threat profiling actions in the following locations:
Within the security policy on deny, reject, and permit rules, where you can add the source and/or destination address of the flow to a feed of your choice.
```
[edit security policies global policy Threat_Profiling]
admin@vSRX# set then permit application-services security-intelligence ?
Possible completions:
> add-destination-identity-to-feed    Add Destination Identity to Feed
> add-destination-ip-to-feed          Add Destination IP to Feed
> add-source-identity-to-feed         Add Source Identity to Feed
> add-source-ip-to-feed               Add Source IP to Feed
```
Within an IDP Policy as an application-service that adds the origin of the exploit (the attacker) or the target of the exploit to a feed of your choice.
```
[edit security idp idp-policy Threat_Profiling rulebase-ips rule Scanners]
admin@vSRX# set then application-services security-intelligence ?
Possible completions:
  add-attacker-ip-to-feed    Specify the desired feed-name
  add-target-ip-to-feed      Specify the desired feed-name
```
To take effect, you must apply the IDP policy to a traditional policy or unified policy.
```
[edit security policies global policy Threat_Profiling]
admin@vSRX# set then permit application-services idp-policy Threat_?
Possible completions:
  <idp-policy>    Specify idp policy name
  Threat_Profiling    [security idp idp-policy]
```
Once the feed is created, it can then be referenced as a dynamic address group within a security policy as the source-address or destination-address match criteria.
In the following example, we have created a rule that allows authenticated users access to the Enterprise's Crown Jewels, but excludes any source addresses that are part of the High_Risk_Users dynamic address group (sourced from the threat feed of the same name).

```
[edit security policies global policy Access_To_Crown_Jewels]
admin@vSRX# show
match {
    source-address High_Risk_Users;
    destination-address Crown_Jewels;
    source-address-excluded;
    source-identity authenticated-user;
    dynamic-application any;
}
then {
    permit;
    log {
        session-close;
    }
}
```
Use the following commands to view the feed summary and status:

```
show services security-intelligence sec-profiling-feed status
Category name         :SecProfiling
Feed name             :High_Risk_Users
Feed type             :IP
Last post time        :2020-02-06 10:54:10 PST
Last post status code :200
Last post status      :succeeded
```

```
show security dynamic-address category-name SecProfiling
No.   IP-start        IP-end          Feed               Address
1     10.1.1.100      10.1.1.100      High_Risk_Users    High_Risk_Users
2     192.168.0.10    192.168.0.10    High_Risk_Users    High_Risk_Users
3     192.168.0.88    192.168.0.88    High_Risk_Users    High_Risk_Users
```
Dynamic-address entries are displayed by this command only if the referenced feed name (High_Risk_Users in the example) has been used as a source or destination address in a security policy.
Feed contents can always be viewed in the Juniper ATP Cloud portal, regardless of their state on the SRX Series devices.
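The two show outputs above are what an operator checks to confirm a feed is being posted and consumed. As an added example (not part of the Juniper documentation), the script below parses constructed samples in the same layout and reports the conditions worth alerting on: a non-200 post to ATP Cloud, and a feed with no dynamic-address entries, which usually means no policy references it yet.

```python
# Constructed sample output, laid out like the two show commands on this page.
FEED_STATUS = """\
Category name         :SecProfiling
Feed name             :High_Risk_Users
Feed type             :IP
Last post time        :2020-02-06 10:54:10 PST
Last post status code :200
Last post status      :succeeded
"""

DYNAMIC_ADDRESS = """\
No.   IP-start        IP-end          Feed               Address
1     10.1.1.100      10.1.1.100      High_Risk_Users    High_Risk_Users
2     192.168.0.10    192.168.0.10    High_Risk_Users    High_Risk_Users
3     192.168.0.88    192.168.0.88    High_Risk_Users    High_Risk_Users
"""


def parse_feed_status(text):
    """Turn 'Key :Value' lines into a dict keyed by snake_case field name."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        status[key.strip().lower().replace(" ", "_")] = value.strip()
    return status


def parse_dynamic_addresses(text):
    """Return (ip_start, ip_end, feed) tuples from the table, skipping the header row."""
    entries = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[0].isdigit():
            entries.append((cols[1], cols[2], cols[3]))
    return entries


def feed_problems(status, entries, feed="High_Risk_Users"):
    """Return human-readable findings; an empty list means the feed looks healthy."""
    problems = []
    if status.get("feed_name") != feed:
        problems.append(f"feed {feed} not reported in sec-profiling-feed status")
    if status.get("last_post_status_code") != "200" or status.get("last_post_status") != "succeeded":
        problems.append("last post to ATP Cloud did not succeed")
    if not [e for e in entries if e[2] == feed]:
        problems.append(f"no dynamic-address entries for {feed}; is it referenced by a policy?")
    return problems
```

Feed the script the real command output (for example over NETCONF or a saved capture) in place of the constructed strings to run the same checks against a live device.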
Use Case Examples
Threat Detection Use Case
In this example, we will continue with the definition of the High_Risk_Users use case, with the goal of identifying any unusual activity which might suggest an endpoint has been compromised.
Create a policy that detects the usage of The Onion Router (TOR), Peer-to-Peer (P2P), and Anonymizers / Proxies and add the source IP address of these to the High_Risk_Users feed.
```
[edit security policies global policy Unwanted_Applications]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application junos-defaults;
    dynamic-application [ junos:p2p junos:web:proxy junos:TOR junos:TOR2WEB ];
}
then {
    deny {
        application-services {
            security-intelligence {
                add-source-ip-to-feed {
                    High_Risk_Users;
                }
            }
        }
    }
    log {
        session-close;
    }
}
```
Create a second policy that looks for communication with known malicious sites and malware Command-and-Control (C2) infrastructure as well as newly registered domains and adds it to High_Risk_Users feed.
```
[edit security policies global policy URL-C2-Detection]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application [ junos-http junos-https ];
    dynamic-application any;
    url-category [ Enhanced_Compromised_Websites Enhanced_Emerging_Exploits Enhanced_Keyloggers Enhanced_Malicious_Embedded_Link Enhanced_Malicious_Embedded_iFrame Enhanced_Malicious_Web_Sites Enhanced_Newly_Registered_Websites ];
}
then {
    deny {
        application-services {
            security-intelligence {
                add-source-ip-to-feed {
                    High_Risk_Users;
                }
            }
        }
    }
    log {
        session-close;
    }
}
```
Create an IDP policy that identifies unusual scanning activity and brute-force attempts.
```
[edit security idp idp-policy Threat_Profiling rulebase-ips rule Scanners]
admin@vSRX# show
match {
    attacks {
        predefined-attacks [ SCAN:NMAP:FINGERPRINT SCAN:METASPLOIT:SMB-ACTIVE SCAN:METASPLOIT:LSASS SMB:AUDIT:BRUTE-LOGIN APP:RDP-BRUTE-FORCE FTP:PASSWORD:BRUTE-FORCE LDAP:FAILED:BRUTE-FORCE SSH:BRUTE-LOGIN ];
    }
}
then {
    action {
        drop-connection;
    }
    notification {
        log-attacks;
        packet-log;
    }
    application-services {
        security-intelligence {
            add-attacker-ip-to-feed High_Risk_Users;
        }
    }
}
```

Note: This is an example of a safe policy to deploy on a Tap-based SRX sensor. It does not make sense to deploy on an in-line device because of the permissive nature of the rule. In production, we recommend being more restrictive.
Apply the IDP rulebase to a security policy to take effect.
```
[edit security policies global policy IDP_Threat_Profiling]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application any;
    dynamic-application any;
}
then {
    permit {
        application-services {
            idp-policy Threat_Profiling;
        }
    }
    log {
        session-close;
    }
}
```
Create a simple rule at the top of the rule-base which drops any traffic from hosts within the High_Risk_Users threat feed.
```
[edit security policies global policy Drop_Risky_Users]
admin@vSRX# show
match {
    source-address High_Risk_Users;
    destination-address any;
    application any;
}
then {
    deny;
    log {
        session-close;
    }
}
```
Asset Classification Use Case
In this example, we will leverage AppID to identify Ubuntu and RedHat servers in an environment and add them to a feed for use by other devices.
As many legacy devices lack the compute power required for Deep Packet Inspection (DPI), adaptive threat profiling gives you a flexible way to share DPI classification results between newer and older platforms in your environment.
Create a security policy that identifies Advanced Packaging Tool (APT) and Yellowdog Updater, Modified (YUM) communication with Ubuntu and RedHat Update servers:
```
[edit security policies global policy Linux_Servers]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    application junos-defaults;
    dynamic-application [ junos:UBUNTU junos:REDHAT-UPDATE ];
}
then {
    permit {
        application-services {
            security-intelligence {
                add-source-ip-to-feed {
                    Linux_Servers;
                }
            }
        }
    }
}
```
Compromised Application Use Case
In this example, the user who is using a compromised application is added to the infected-hosts feed.
We will continue with the definition of the High_Risk_Users use case, with the goal of identifying any unusual activity which might suggest an endpoint has been compromised. We create a policy that detects The Onion Router (TOR) usage and adds the source identity to the High_Risk_Users feed.

```
[edit security policies global policy Compromised_Applications]
admin@vSRX# show
match {
    source-address any;
    destination-address any;
    source-identity authenticated-user;
    dynamic-application junos:TOR;
}
then {
    deny {
        application-services {
            security-intelligence {
                add-source-identity-to-feed High_Risk_Users;
            }
        }
    }
}
```