Case 3:17-cv-05659-WHA Document 353-4 Filed 01/10/19 Page 1 of 57

EXHIBIT 2
Juniper Networks

Sky Advanced Threat Prevention Guide

Modified: 2016-08-02

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
Trial Exhibit 78
Case No. 17-CV-05659-WHA
Entered:
By:
Deputy Clerk

FINJAN-JN 044744
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Sky Advanced Threat Prevention Guide
Copyright © 2016, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Table of Contents

About the Documentation ........ ix
Documentation and Release Notes ........ ix
Documentation Conventions ........ ix
Documentation Feedback ........ xi
Requesting Technical Support ........ xii
Self-Help Online Tools and Resources ........ xii
Opening a Case with JTAC ........ xii

Chapter 1   Overview ........ 15
Sky Advanced Threat Prevention Overview ........ 16
Sky Advanced Threat Prevention Features ........ 17
Sky Advanced Threat Prevention Components ........ 18
Remediation and Malware Detection Overview ........ 19
How Malware Is Analyzed and Detected ........ 19
Cache Lookup ........ 20
Antivirus Scan ........ 20
Static Analysis ........ 20
Dynamic Analysis ........ 20
Machine Learning Algorithm ........ 21
Sky ATP Licensed Features and File Scanning Limits ........ 21
File Scanning Limits ........ 22

Chapter 2   Dashboard ........ 25
Dashboard Overview ........ 25

Chapter 3   Monitor ........ 27
Hosts Overview ........ 27
Host Details ........ 28
Command and Control Servers Overview ........ 29
File Scanning Overview ........ 30
File Scanning Details ........ 31
File Summary ........ 31
Hosts That Have Downloaded the File ........ 31
Malware Behavior Summary ........ 32
File Scanning Limits ........ 32
Manual Scanning Overview ........ 33

Chapter 4   Devices ........ 35
Enrolled Devices ........ 35
Enrolling and Disenrolling Devices ........ 36
Device Lookup Overview ........ 38
Device Information ........ 38

Chapter 5   Configure ........ 41
Custom Whitelist and Blacklist Overview ........ 41
Creating Whitelists and Blacklists ........ 42
Device Profiles Overview ........ 43
Creating Device Profiles ........ 44

Chapter 6   Administration ........ 47
Modifying My Profile ........ 47
User Profiles Overview ........ 48
Creating and Editing User Profiles ........ 48
Global Configuration Overview ........ 49
Creating and Editing Global Configurations ........ 49

Chapter 7   More Information ........ 51
Links to Documentation on Juniper.net ........ 51

Chapter 8 ........ 53

Index ........ 55
List of Figures

Chapter 1   Overview ........ 15
Figure 1: Sky Advanced Threat Prevention Overview ........ 16
Figure 2: Example Sky Advanced Threat Prevention Pipeline Approach for Analyzing Malware ........ 19

Chapter 3   Monitor ........ 27
Figure 3: Screen Capture: Malicious Behavior Summary ........ 32


List of Tables

About the Documentation ........ ix
Table 1: Notice Icons ........ x
Table 2: Text and Syntax Conventions ........ x

Chapter 1   Overview ........ 15
Table 3: Tabs and What Their Workspaces Access ........ 17
Table 4: Sky Advanced Threat Prevention Components ........ 18
Table 5: Comparing the Sky Advanced Threat Prevention Free Model and Premium Model ........ 22
Table 6: File Scanning Limits ........ 23

Chapter 2   Dashboard ........ 25
Table 7: Sky ATP Dashboard Widgets ........ 25

Chapter 3   Monitor ........ 27
Table 8: Threat Level Definitions ........ 28
Table 9: Command & Control Server Data Fields ........ 29
Table 10: File Scanning Data Fields ........ 30
Table 11: File Summary Fields ........ 31
Table 12: File Scanning Limits ........ 32
Table 13: File Scanning Data Fields ........ 33

Chapter 4   Devices ........ 35
Table 14: ........ 35
Table 15: Device Information Fields ........ 39

Chapter 5   Configure ........ 41
Table 16: Whitelist and Blacklist: Domain, IP, and URL Required Information and Syntax ........ 42
Table 17: File Category Contents ........ 43
Table 18: Device Profile Settings ........ 45

Chapter 6   Administration ........ 47
Table 19: My Profile Fields ........ 48
Table 20: ........ 49
Table 21: Global Configuration Fields ........ 50


About the Documentation

• Documentation and Release Notes on page ix
• Documentation Conventions on page ix
• Documentation Feedback on page xi
• Requesting Technical Support on page xii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page x defines notice icons used in this guide.

Table 1: Notice Icons

Meaning                Description
Informational note     Indicates important features or instructions.
Caution                Indicates a situation that might result in loss of data or hardware damage.
Warning                Alerts you to the risk of personal injury or death.
Laser warning          Alerts you to the risk of personal injury from a laser.
Tip                    Indicates helpful information.
Best practice          Alerts you to a recommended use or implementation.

Table 2 on page x defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Example: broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.

CHAPTER 1

Overview

• Sky Advanced Threat Prevention Overview on page 16
• Remediation and Malware Detection Overview on page 19
• Sky ATP Licensed Features and File Scanning Limits on page 21
Sky Advanced Threat Prevention Overview

Juniper Networks Sky Advanced Threat Prevention is a security framework that protects
all hosts in your network against evolving security threats by employing cloud-based
threat detection software with a next-generation firewall system.

Figure 1: Sky Advanced Threat Prevention Overview
[Figure: the Sky Advanced Threat Prevention Cloud (Advanced Threat Prevention; Sandbox with Deception; Static Analysis) connected to an SRX Series device at the Customer site.]

Sky Advanced Threat Prevention protects your network by performing the following
tasks:

• The SRX Series device extracts potentially malicious objects and files and sends them
to the cloud for analysis.
• Known malicious files are quickly identified and dropped before they can infect a host.
• Multiple techniques identify new malware, adding it to the known list of malware.
• Correlation between newly identified malware and known Command and Control
(C&C) sites aids analysis.
• The SRX Series device blocks known malicious file downloads and outbound C&C
traffic.

The Web UI is hosted by Juniper Networks in the cloud. The tabs across the top of the
Web UI provide workspaces in which an administrator can perform specific tasks. Table
3 shows the names of the tabs along with brief descriptions of what is accessible in that
workspace.
Table 3: Tabs and What Their Workspaces Access

Tab Name: Dashboard
Accesses: Provides graphical widgets that can be added, removed, and rearranged on a per-user basis. These
widgets offer each user a customized view of malware detection categorized in a variety of ways.

Tab Name: Monitor
Accesses: Provides information on the following:
• Malware detection status for registered hosts
• C&C servers that have attempted to contact and compromise hosts on your network
• Files downloaded by hosts that are suspicious

Tab Name: Devices
Accesses: Lists all devices that have been registered with Sky ATP. From here you can:
• Enroll new devices
• Disenroll devices
• Search for devices in the list by their serial number

Tab Name: Configure
Accesses: Configure the following:
• Whitelists—Add your own trusted IP addresses, URLs, and domains to the global items in the whitelist.
• Blacklists—Add your own untrusted IP addresses, URLs, and domains to the global items in the
blacklist.
• Device profiles—Group types of files to be scanned together under a common name.

Tab Name: Administration
Accesses: Edit your user profile and create new user profiles. You can also:
• Change user passwords
• Set a global alert threshold level, which when reached, triggers an alert to all listed e-mail addresses

Sky Advanced Threat Prevention Features

Sky Advanced Threat Prevention is a cloud-based solution. Cloud environments are
flexible and scalable, and a shared environment ensures that everyone benefits from
new threat intelligence in near real-time. Your sensitive data is secured even though it is
in a cloud shared environment. Security analysts can update their defense when new
attack techniques are discovered and distribute the threat intelligence with very little
delay.

In addition, Sky Advanced Threat Prevention offers the following features:

• Integrated with the SRX Series device to simplify deployment and enhance the
anti-threat capabilities of the firewall.
• Delivers protection against "zero-day" threats using a combination of tools to provide
robust coverage against sophisticated, evasive threats.
• Checks inbound and outbound traffic with policy enhancements that allow users to
stop malware, quarantine compromised systems, prevent data exfiltration, and disrupt
lateral movement. High availability provides uninterrupted service.

• Scalable to handle increasing loads that require more computing resources, increased
network bandwidth to receive more customer submissions, and a large storage for
malware.
• Provides deep inspection, actionable reporting, and inline malware blocking.

Sky Advanced Threat Prevention Components

The following table describes how the components of the Sky Advanced Threat Prevention
solution work together.

Table 4: Sky Advanced Threat Prevention Components

Component: Security intelligence cloud feeds
Description: A feed distribution point that delivers feeds to the SRX Series device. These include:
• C&C
• Compromised hosts
• GeoIP
• Whitelists and blacklists

C&C feeds are essentially a list of servers that are known Command and Control servers for
botnets. The list also includes servers that are known sources for malware downloads.

Compromised hosts, or infected hosts, indicate local devices that are potentially compromised
because they appear to be part of a C&C network or exhibit other symptoms.

GeoIP feeds are an up-to-date mapping of IP addresses to geographical regions. This gives you
the ability to filter traffic to and from specific geographies in the world.

A whitelist is a list of known IP addresses that you trust, and a blacklist is a list that you do not
trust.

NOTE: C&C and GeoIP filtering feeds are only available with a Premium license. For information
on licensed features, see Sky ATP Licensing.

Component: SRX Series device
Description: Submits extracted file content for analysis and detected C&C hits inside the customer network.
Performs inline blocking based on verdicts from the analysis cluster.

Component: Malware inspection pipeline
Description: Performs malware analysis and threat detection.

Component: Internal compromise detection
Description: Inspects files, metadata, and other information.

Component: Service portal (Web UI)
Description: Graphical interface displaying information about detected threats inside the customer network.
Configuration management tool where customers can fine-tune which file categories can be
submitted into the cloud for processing.

Related Documentation
• Dashboard Overview on page 25
• Sky Advanced Threat Prevention Licenses
• Hosts Overview on page 27
• File Scanning Overview on page 30
• Command and Control Servers Overview on page 29

Remediation and Malware Detection Overview

The SRX Series devices use intelligence provided by Sky Advanced Threat Prevention to
remediate malicious content through the use of security policies. If configured, security
policies block that content before it is delivered to the destination address.

For inbound traffic, security policies on the SRX Series device look for specific types of
files, like .exe files, to inspect. When one is encountered, the security policy sends the file
to the Sky Advanced Threat Prevention cloud for inspection. The SRX Series device holds
the last few kilobytes of the file from the destination client until Sky Advanced Threat
Prevention provides a verdict. If Sky Advanced Threat Prevention returns a bad verdict,
the SRX Series device drops the connection and the file is blocked.

For outbound traffic, the SRX Series device monitors traffic that matches the C&C feeds
it receives, blocks these C&C requests, and reports them to Sky Advanced Threat
Prevention. A list of compromised hosts is available so that the SRX Series device can
block inbound and outbound traffic.
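The outbound check described above, written out as an added example that is not Juniper's code: it applies a C&C feed and a compromised-host list to outbound session records, returns a block or permit decision per session, and collects the sources that hit a C&C entry, since those are what the SRX reports back. The feed entries, the addresses (documentation ranges) and the key=value record format are constructed for illustration; matching a host against its parent domains, and the order in which the lists are consulted, are assumptions rather than anything the guide specifies.

```python
# Added example, not Juniper code: apply a C&C feed and a compromised-host
# list to outbound session records as the text describes the SRX doing.
# Feed contents, addresses and the key=value record format are constructed;
# parent-domain matching and the check order are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

CC_FEED = {
    "ips": {"203.0.113.10", "198.51.100.7"},
    "domains": {"bad.example", "dl.malware.example"},
    "urls": {"http://files.example/drop/a.exe"},
}
COMPROMISED_HOSTS = {"10.0.0.23"}


@dataclass
class Session:
    src: str
    dst: str
    host: str = ""   # server name from TLS SNI or the HTTP Host header, if seen
    url: str = ""    # full URL for plaintext HTTP, if seen


def parse_session(line: str) -> Session:
    """Parse one 'key=value key=value ...' record (constructed format) into a Session."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Session(fields["src"], fields["dst"], fields.get("host", ""), fields.get("url", ""))


def domain_matches(host: str, feed_domains) -> bool:
    """True if the host or any parent domain is listed, so cdn.bad.example hits bad.example."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in feed_domains for i in range(len(labels)))


def evaluate(session: Session, cc=CC_FEED, compromised=COMPROMISED_HOSTS) -> Tuple[str, str]:
    """Return (action, reason). A compromised endpoint is blocked in either direction;
    otherwise the destination is checked against the C&C IP, domain and URL lists."""
    if session.src in compromised or session.dst in compromised:
        return "block", "compromised-host"
    if session.dst in cc["ips"]:
        return "block", "cc-ip"
    if session.host and domain_matches(session.host, cc["domains"]):
        return "block", "cc-domain"
    if session.url and session.url in cc["urls"]:
        return "block", "cc-url"
    return "permit", ""


def process(lines: List[str]):
    """Decide every record; also collect the sources that hit a C&C entry, which
    is what gets reported back to the cloud as newly suspected compromised hosts."""
    decisions, flagged = [], set()
    for line in lines:
        s = parse_session(line)
        action, reason = evaluate(s)
        decisions.append((s.src, s.dst, action, reason))
        if reason.startswith("cc-"):
            flagged.add(s.src)
    return decisions, sorted(flagged)


# Constructed session records (not real SRX log output).
SAMPLE_LOG = [
    "src=10.0.0.5 dst=192.0.2.10 host=www.example.com",
    "src=10.0.0.5 dst=203.0.113.10",
    "src=10.0.0.9 dst=192.0.2.44 host=cdn.dl.malware.example",
    "src=10.0.0.23 dst=192.0.2.80 host=www.example.net",
    "src=10.0.0.12 dst=192.0.2.50 url=http://files.example/drop/a.exe",
]

if __name__ == "__main__":
    decisions, flagged = process(SAMPLE_LOG)
    for d in decisions:
        print(d)
    print("report as compromised:", flagged)
```

Note the ordering choice: a source already on the compromised-host list is blocked before any C&C lookup, so its sessions are recorded with that reason and are not reported again as a new C&C hit.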

How Malware Is Analyzed and Detected

Sky Advanced Threat Prevention uses a pipeline approach to analyzing and detecting
malware. If an analysis reveals that the file is absolutely malware, it is not necessary to
continue the pipeline to further examine the malware.

Figure 2: Example Sky Advanced Threat Prevention Pipeline Approach
for Analyzing Malware
[Figure: a file (.pdf, .exe) passes through four stages in order.]
1. Cache Lookup: Have we seen this file before, and do we already know if it's bad?
2. Antivirus Scanning: What do a few popular antivirus scanners say about the file?
3. Static Analysis: Does the file contain suspicious signs, like unusual instructions or structure?
4. Dynamic Analysis: What happens when we execute the file in a real environment?

Each analysis technique creates a verdict number, which is combined to create a final
verdict number from 1 through 10. A verdict number is a score or threat level. The higher
the number, the higher the malware threat. The SRX Series device compares this verdict
number to the policy settings and either permits or denies the session. If the session is
denied, a reset packet is sent to the client and the packets are dropped from the server.

Cache Lookup

When a file is analyzed, a file hash is generated, and the results of the analysis are stored
in a database. When a file is uploaded to the Sky Advanced Threat Prevention cloud, the
first step is to check whether this file has been looked at before. If it has, the stored verdict
is returned to the SRX Series device and there is no need to re-analyze the file. In addition
to files scanned by Sky Advanced Threat Prevention, information about common malware
files is also stored to provide faster response.

Cache lookup is performed in real time. All other techniques are done offline. This means
that if the cache lookup does not return a verdict, the file is sent to the client system while
the Sky Advanced Threat Prevention cloud continues to examine the file using the
remaining pipeline techniques. If a later analysis returns a malware verdict, then the file
and host are flagged.
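The pipeline and cache behaviour described in the two sections above, as an added example that is not Juniper's code. It keeps a SHA-256 keyed verdict cache, runs the remaining stages in order and stops as soon as a stage reports a definite verdict, combines the stage scores into a verdict from 1 through 10, and compares that verdict to a policy threshold. The signature table standing in for the antivirus engines, taking the highest stage score as the combined verdict, treating a score of 10 as "absolutely malware", and the threshold value are all assumptions. One consequence that follows from the text itself and that the example makes visible: a file seen for the first time misses the cache, so it is delivered before the offline stages finish, and only the later verdict flags the file and the host.

```python
# Added example, not Juniper code: a toy verdict pipeline with the shape the
# text describes. The stage functions, signature table, score combination
# and policy threshold are assumptions made for illustration.
import hashlib
from typing import Callable, Dict, List, Optional

Stage = Callable[[bytes], Optional[int]]  # a stage returns a 1-10 score, or None

VERDICT_CACHE: Dict[str, int] = {}   # sha256 hex digest -> stored verdict
DEFINITE_MALWARE = 10                # assumed: a stage score at which later stages are skipped

# Constructed signature table standing in for the antivirus engines.
SIGNATURES = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": 10,
    b"powershell -enc ": 7,
}


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cache_lookup(data: bytes) -> Optional[int]:
    """Stage 1, the only stage run in line: a stored verdict, or None on a miss."""
    return VERDICT_CACHE.get(file_hash(data))


def signature_scan(data: bytes) -> Optional[int]:
    """Stand-in for the multi-engine antivirus stage: highest score of any matching signature."""
    hits = [score for sig, score in SIGNATURES.items() if sig in data]
    return max(hits) if hits else None


def run_pipeline(data: bytes, stages: List[Stage], default: int = 1) -> int:
    """Run the offline stages in order, stop at a definite verdict, combine by
    taking the highest score (assumption), and store the result in the cache."""
    scores = []
    for stage in stages:
        score = stage(data)
        if score is None:
            continue
        scores.append(score)
        if score >= DEFINITE_MALWARE:
            break                      # "absolutely malware": no need to continue
    verdict = max(scores, default=default)
    VERDICT_CACHE[file_hash(data)] = verdict
    return verdict


def policy_action(verdict: int, threshold: int) -> str:
    """The SRX comparison: deny (reset to client, drop from server) at or above the threshold."""
    return "deny" if verdict >= threshold else "permit"


def handle_download(data: bytes, stages: List[Stage], threshold: int = 7):
    """Inline path. Returns (action, verdict, delivered_before_verdict).
    A cache hit decides immediately; on a miss the file is delivered and the
    remaining stages run afterwards (here synchronously, for the example)."""
    cached = cache_lookup(data)
    if cached is not None:
        return policy_action(cached, threshold), cached, False
    verdict = run_pipeline(data, stages)
    return "permit", verdict, True


if __name__ == "__main__":
    sample = b"MZ...powershell -enc SQBFAFgA"        # constructed dropper-like blob
    print(handle_download(sample, [signature_scan]))   # first sight: delivered, verdict computed after
    print(handle_download(sample, [signature_scan]))   # second sight: cache hit, denied
```

Running the block shows the two outcomes for the same bytes: the first download returns ("permit", 7, True) because nothing was cached, the second returns ("deny", 7, False) because the stored verdict now meets the threshold.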

Antivirus Scan

The advantage of antivirus software is its protection against a large number of potential
threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of
antivirus software is that it is always behind the malware. The virus comes first and the
patch to the virus comes second. Antivirus is better at defending familiar threats and
known malware than zero-day threats.

Sky Advanced Threat Prevention utilizes multiple antivirus software packages, not just
one, to analyze a file. The results are then fed into the machine learning algorithm to
overcome false positives and false negatives.

Static Analysis

Static analysis examines files without actually running them. Basic static analysis is
straightforward and fast, typically around 30 seconds. The following are examples of
areas that static analysis inspects:

• Metadata information—Name of the file, the vendor or creator of this file, and the
original date on which the file was compiled.
• Categories of instructions used—Is the file modifying the Windows registry? Is it touching
disk I/O APIs?
• File entropy—How random is the file? A common technique for malware is to encrypt
portions of the code and then decrypt it during runtime. A lot of encryption is a strong
indication that the file is malware, although legitimately packed or compressed executables
also show high entropy, so this signal is weighed together with the others rather than used alone.

The output of the static analysis is fed into the machine learning algorithm to improve
the verdict accuracy.
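Two of the static checks listed above, computed on constructed byte blobs, as an added example that is not Juniper's code: which sensitive Windows API names a file references (registry, disk I/O, process injection) and how high its byte entropy is per window, which is how encrypted or packed regions stand out. The API-name categories, the window size, the 7.0 bits-per-byte cut-off and the weights used to fold both checks into a 1 through 10 score are assumptions for illustration; the guide does not say how Sky ATP weighs them.

```python
# Added example, not Juniper code: two of the static checks the text lists,
# run on constructed byte blobs. The API-name categories, window size,
# entropy cut-off and score weights are assumptions made for illustration.
import math
from collections import Counter
from typing import Dict, List, Set, Tuple

# Imported-function names sit as plain ASCII in a PE import table, so a
# substring scan over the raw bytes is a crude but real indicator (assumed categories).
API_CATEGORIES: Dict[str, Tuple[bytes, ...]] = {
    "registry": (b"RegSetValueExA", b"RegSetValueExW", b"RegCreateKeyExA", b"RegCreateKeyExW"),
    "disk_io": (b"CreateFileA", b"CreateFileW", b"WriteFile", b"DeleteFileA", b"DeleteFileW"),
    "process": (b"CreateRemoteThread", b"VirtualAllocEx", b"WriteProcessMemory"),
}


def api_categories(data: bytes) -> Set[str]:
    """Which sensitive API categories the file references by name."""
    return {cat for cat, names in API_CATEGORIES.items() if any(n in data for n in names)}


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread over all 256 values."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = 256) -> List[float]:
    """Entropy of each fixed-size window; encrypted or packed regions show as runs near 8.0."""
    return [round(shannon_entropy(data[i:i + window]), 2) for i in range(0, len(data), window)]


def static_score(data: bytes, window: int = 256, high: float = 7.0) -> Tuple[int, dict]:
    """Map the two checks onto a 1-10 score (assumed weights): up to 6 points for the
    share of high-entropy windows, plus one point per sensitive API category."""
    profile = entropy_profile(data, window)
    packed = sum(e >= high for e in profile) / len(profile) if profile else 0.0
    cats = api_categories(data)
    score = min(10, 1 + round(6 * packed) + len(cats))
    return score, {"packed_fraction": round(packed, 2), "api_categories": sorted(cats)}


# Constructed inputs: a text-like "binary" that names registry and disk APIs,
# and a blob whose bytes are spread uniformly, as an encrypted payload would be.
PLAIN_SAMPLE = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 8
                + b"KERNEL32.dll\0CreateFileW\0WriteFile\0ADVAPI32.dll\0RegSetValueExW\0")
PACKED_SAMPLE = bytes(range(256)) * 4

if __name__ == "__main__":
    print(static_score(PLAIN_SAMPLE))    # low entropy, two API categories
    print(static_score(PACKED_SAMPLE))   # every window at 8.0 bits per byte, no API names
```

The per-window profile matters more than a single whole-file figure: a dropper with a small unpacking stub and a large encrypted payload averages out to a middling value, but its profile shows a short low-entropy run followed by a long run near 8.0.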

Dynamic Analysis

The majority of the time spent inspecting a file is in dynamic analysis. With dynamic
analysis, often called sandboxing, a file is studied as it is executed in a secure environment.
During this analysis, an operating system environment is set up, typically in a virtual
machine, and tools are started to monitor all activity. The file is uploaded to this
environment and is allowed to run for several minutes. Once the allotted time has passed,
the record of activity is downloaded and passed to the machine learning algorithm to
generate a verdict.

Sophisticated malware can detect a sandbox environment due to its lack of human
interaction, such as mouse movement. Sky Advanced Threat Prevention uses a number
of deception techniques to trick the malware into determining this is a real user
environment. For example, Sky Advanced Threat Prevention can:

• Generate a realistic pattern of user interaction such as mouse movement, simulating
keystrokes, and installing and launching common software packages.
• Create fake high-value targets in the client, such as stored credentials, user files, and
a realistic network with Internet access.
• Create vulnerable areas in the operating system.

Deception techniques by themselves greatly boost the detection rate while reducing
false positives. They also boost the detection rate of the sandbox the file is running in
because they get the malware to perform more activity. The more the file runs, the more
data is obtained to detect whether the file is malware.

Machine Learning Algorithm

Sky Advanced Threat Prevention uses its own proprietary implementation of machine
learning to assist in analysis. Machine learning recognizes patterns and correlates
information for improved file analysis. The machine learning algorithm is programmed
with features from thousands of malware samples and thousands of goodware samples.
It learns what malware looks like, and is regularly reprogrammed to get smarter as threats
evolve.

Related Documentation
• Sky Advanced Threat Prevention Overview on page 16
• Dashboard Overview on page 25

Sky ATP Licensed Features and File Scanning Limits

Sky ATP has two service levels:

• Free
• Premium

The free model solution is available to all SRX Series customers that have a valid support
contract, but it only scans executable file types. Based on this result, the SRX Series
device can allow the traffic or perform inline blocking.

The premium model is available with additional licensing and provides deeper analysis.
All file types are examined using several analysis techniques to give better coverage. Full
reporting provides details about th