Case 3:17-cv-05659-WHA Document 480-8 Filed 05/16/19 Page 1 of 57
EXHIBIT 7

Sky Advanced Threat Prevention Guide

Modified: 2016-08-02

FINJAN-JN 044744

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Sky Advanced Threat Prevention Guide
Copyright © 2016, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.

Table of Contents

About the Documentation .......... ix
    Documentation and Release Notes .......... ix
    Documentation Conventions .......... ix
    Documentation Feedback .......... xi
    Requesting Technical Support .......... xii
        Self-Help Online Tools and Resources .......... xii
        Opening a Case with JTAC .......... xii

Chapter 1    Overview .......... 15
    Sky Advanced Threat Prevention Overview .......... 16
        Sky Advanced Threat Prevention Features .......... 17
        Sky Advanced Threat Prevention Components .......... 18
    Remediation and Malware Detection Overview .......... 19
        How Malware Is Analyzed and Detected .......... 19
            Cache Lookup .......... 20
            Antivirus Scan .......... 20
            Static Analysis .......... 20
            Dynamic Analysis .......... 20
            Machine Learning Algorithm .......... 21
    Sky ATP Licensed Features and File Scanning Limits .......... 21
        File Scanning Limits .......... 22

Chapter 2    Dashboard .......... 25
    Dashboard Overview .......... 25

Chapter 3    Monitor .......... 27
    Hosts Overview .......... 27
    Host Details .......... 28
    Command and Control Servers Overview .......... 29
    File Scanning Overview .......... 30
    File Scanning Details .......... 31
        File Summary .......... 31
        Hosts That Have Downloaded the File .......... 31
        Malware Behavior Summary .......... 32
    File Scanning Limits .......... 32
    Manual Scanning Overview .......... 33

Chapter 4    Devices .......... 35
    Enrolled Devices .......... 35
    Enrolling and Disenrolling Devices .......... 36
    Device Lookup Overview .......... 38
    Device Information .......... 38

Chapter 5    Configure .......... 41
    Custom Whitelist and Blacklist Overview .......... 41
    Creating Whitelists and Blacklists .......... 42
    Device Profiles Overview .......... 43
    Creating Device Profiles .......... 44

Chapter 6    Administration .......... 47
    Modifying My Profile .......... 47
    User Profiles Overview .......... 48
    Creating and Editing User Profiles .......... 48
    Global Configuration Overview .......... 49
    Creating and Editing Global Configurations .......... 49

Chapter 7    More Information .......... 51
    Links to Documentation on Juniper.net .......... 51

Chapter 8    Index .......... 53
    Index .......... 55


List of Figures

Chapter 1    Overview .......... 15
    Figure 1: Sky Advanced Threat Prevention Overview .......... 16
    Figure 2: Example Sky Advanced Threat Prevention Pipeline Approach for Analyzing Malware .......... 19

Chapter 3    Monitor .......... 27
    Figure 3: Screen Capture: Malicious Behavior Summary .......... 32

List of Tables

About the Documentation .......... ix
    Table 1: Notice Icons .......... x
    Table 2: Text and Syntax Conventions .......... x

Chapter 1    Overview .......... 15
    Table 3: Tabs and What Their Workspaces Access .......... 17
    Table 4: Sky Advanced Threat Prevention Components .......... 18
    Table 5: Comparing the Sky Advanced Threat Prevention Free Model and Premium Model .......... 22
    Table 6: File Scanning Limits .......... 23

Chapter 2    Dashboard .......... 25
    Table 7: Sky ATP Dashboard Widgets .......... 25

Chapter 3    Monitor .......... 27
    Table 8: Threat Level Definitions .......... 28
    Table 9: Command & Control Server Data Fields .......... 29
    Table 10: File Scanning Data Fields .......... 30
    Table 11: File Summary Fields .......... 31
    Table 12: File Scanning Limits .......... 32
    Table 13: File Scanning Data Fields .......... 33

Chapter 4    Devices .......... 35
    Table 14: Button Actions .......... 35
    Table 15: Device Information Fields .......... 39

Chapter 5    Configure .......... 41
    Table 16: Whitelist and Blacklist: Domain, IP, and URL Required Information and Syntax .......... 42
    Table 17: File Category Contents .......... 43
    Table 18: Device Profile Settings .......... 45

Chapter 6    Administration .......... 47
    Table 19: My Profile Fields .......... 48
    Table 20: User Fields .......... 49
    Table 21: Global Configuration Fields .......... 50

About the Documentation

- Documentation and Release Notes on page ix
- Documentation Conventions on page ix
- Documentation Feedback on page xi
- Requesting Technical Support on page xii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page x defines notice icons used in this guide.

Table 1: Notice Icons

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.

Table 2 on page x defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples: A policy term is a named structure that defines match conditions and actions.
    Junos OS CLI User Guide
    RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Table 2: Text and Syntax Conventions (continued)

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples: broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (braces and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples: In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols > Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

- Online feedback rating system: On any page of the Juniper Networks TechLibrary site
  at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
  and use the pop-up form to provide us with information about your experience.
  Alternately, you can use the online feedback form at
  http://www.juniper.net/techpubs/feedback/.

- E-mail: Send your comments to techpubs-comments@juniper.net. Include the document
  or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.

- JTAC policies: For a complete understanding of our JTAC procedures and policies,
  review the JTAC User Guide located at
  http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

- Product warranties: For product warranty information, visit
  http://www.juniper.net/support/warranty/.

- JTAC hours of operation: The JTAC centers have resources available 24 hours a day,
  7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

- Find CSC offerings: http://www.juniper.net/customers/support/
- Search for known bugs: http://www2.juniper.net/kb/
- Find product documentation: http://www.juniper.net/techpubs/
- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
- Download the latest versions of software and review release notes:
  http://www.juniper.net/customers/csc/software/
- Search technical bulletins for relevant hardware and software notifications:
  http://kb.juniper.net/InfoCenter/
- Join and participate in the Juniper Networks Community Forum:
  http://www.juniper.net/company/communities/
- Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

- Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
- Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.

CHAPTER 1

Overview

- Sky Advanced Threat Prevention Overview on page 16
- Remediation and Malware Detection Overview on page 19
- Sky ATP Licensed Features and File Scanning Limits on page 21

Sky Advanced Threat Prevention Overview

Juniper Networks Sky Advanced Threat Prevention is a security framework that protects
all hosts in your network against evolving security threats by employing cloud-based
threat detection software with a next-generation firewall system.

Figure 1: Sky Advanced Threat Prevention Overview
(Diagram: an SRX Series device at the customer site exchanges data with the Sky Advanced
Threat Prevention Cloud, which provides Advanced Threat Prevention, Sandbox with Deception,
and Static Analysis.)

Sky Advanced Threat Prevention protects your network by performing the following
tasks:

- The SRX Series device extracts potentially malicious objects and files and sends them
  to the cloud for analysis.
- Known malicious files are quickly identified and dropped before they can infect a host.
- Multiple techniques identify new malware, adding it to the known list of malware.
- Correlation between newly identified malware and known Command and Control
  (C&C) sites aids analysis.
- The SRX Series device blocks known malicious file downloads and outbound C&C
  traffic.

The Web UI is hosted by Juniper Networks in the cloud. The tabs across the top of the
Web UI provide workspaces in which an administrator can perform specific tasks. Table
3 shows the names of the tabs along with brief descriptions of what is accessible in that
workspace.

Table 3: Tabs and What Their Workspaces Access

Tab Name: Dashboard
Accesses: Provides graphical widgets that can be added, removed, and rearranged on a per-user basis. These
widgets offer each user a customized view of malware detection categorized in a variety of ways.

Tab Name: Monitor
Accesses: Provides information on the following:
- Malware detection status for registered hosts
- C&C servers that have attempted to contact and compromise hosts on your network
- Files downloaded by hosts that are suspicious

Tab Name: Devices
Accesses: Lists all devices that have been registered with Sky ATP. From here you can:
- Enroll new devices
- Disenroll devices
- Search for devices in the list by their serial number

Tab Name: Configure
Accesses: Configure the following:
- Whitelists: Add your own trusted IP addresses, URLs, and domains to the global items in the whitelist.
- Blacklists: Add your own untrusted IP addresses, URLs, and domains to the global items in the blacklist.
- Device profiles: Group types of files to be scanned together under a common name.

Tab Name: Administration
Accesses: Edit your user profile and create new user profiles. You can also:
- Change user passwords
- Set a global alert threshold level, which when reached, triggers an alert to all listed e-mail addresses

Sky Advanced Threat Prevention Features

Sky Advanced Threat Prevention is a cloud-based solution. Cloud environments are
flexible and scalable, and a shared environment ensures that everyone benefits from
new threat intelligence in near real-time. Your sensitive data is secured even though it is
in a cloud shared environment. Security analysts can update their defense when new
attack techniques are discovered and distribute the threat intelligence with very little
delay.

In addition, Sky Advanced Threat Prevention offers the following features:

- Integrated with the SRX Series device to simplify deployment and enhance the
  anti-threat capabilities of the firewall.
- Delivers protection against "zero-day" threats using a combination of tools to provide
  robust coverage against sophisticated, evasive threats.
- Checks inbound and outbound traffic with policy enhancements that allow users to
  stop malware, quarantine compromised systems, prevent data exfiltration, and disrupt
  lateral movement. High availability provides uninterrupted service.
- Scalable to handle increasing loads that require more computing resources, increased
  network bandwidth to receive more customer submissions, and a large storage for
  malware.
- Provides deep inspection, actionable reporting, and inline malware blocking.

Sky Advanced Threat Prevention Components

The following table describes how the components of the Sky Advanced Threat Prevention
solution work together.

Table 4: Sky Advanced Threat Prevention Components

Component: Security intelligence cloud feeds
Description: A feed distribution point that delivers feeds to the SRX Series device. These include:
- C&C
- Compromised hosts
- GeoIP
- Whitelists and blacklists

C&C feeds are essentially a list of servers that are known Command and Control servers for
botnets. The list also includes servers that are known sources for malware downloads.

Compromised hosts, or infected hosts, indicate local devices that are potentially compromised
because they appear to be part of a C&C network or exhibit other symptoms.

GeoIP feeds are an up-to-date mapping of IP addresses to geographical regions. This gives you
the ability to filter traffic to and from specific geographies in the world.

A whitelist is a list of known IP addresses that you trust, and a blacklist is a list that you do not
trust.

NOTE: C&C and GeoIP filtering feeds are only available with a Premium license. For information
on licensed features, see Sky ATP Licensing.

Component: SRX Series device
Description: Submits extracted file content for analysis and detected C&C hits inside the customer network.
Performs inline blocking based on verdicts from the analysis cluster.

Component: Malware inspection pipeline
Description: Performs malware analysis and threat detection.

Component: Internal compromise detection
Description: Inspects files, metadata, and other information.

Component: Service portal (Web UI)
Description: Graphics interface displaying information about detected threats inside the customer network.
Configuration management tool where customers can fine-tune which file categories can be
submitted into the cloud for processing.

Related Documentation

- Dashboard Overview on page 25
- Sky Advanced Threat Prevention Licenses
- Hosts Overview on page 27
- File Scanning Overview on page 30
- Command and Control Servers Overview on page 29

Remediation and Malware Detection Overview

The SRX Series devices use intelligence provided by Sky Advanced Threat Prevention to
remediate malicious content through the use of security policies. If configured, security
policies block that content before it is delivered to the destination address.

For inbound traffic, security policies on the SRX Series device look for specific types of
files, like .exe files, to inspect. When one is encountered, the security policy sends the file
to the Sky Advanced Threat Prevention cloud for inspection. The SRX Series device holds
the last few kilobytes of the file from the destination client until Sky Advanced Threat
Prevention provides a verdict. If Sky Advanced Threat Prevention returns a bad verdict,
the SRX Series device drops the connection and the file is blocked.

For outbound traffic, the SRX Series device monitors traffic that matches the C&C feeds
it receives, blocks these C&C requests, and reports them to Sky Advanced Threat
Prevention. A list of compromised hosts is available so that the SRX Series device can
block inbound and outbound traffic.

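The outbound C&C matching and compromised-host blocking described above, modeled as an added example. This is not Juniper code and not the SRX Series implementation: the flow-record format, the feed contents (documentation IP ranges), the SkyCloud and enforce names, and the rule that a single C&C hit places the reporting host on the compromised-hosts feed are all assumptions made for the illustration.

```python
"""Added example (not Juniper code): an enforcement point acting on a C&C feed
and on the compromised-hosts feed that the cloud derives from C&C hit reports."""
from dataclasses import dataclass, field

# Constructed sample C&C feed (documentation addresses, not real indicators).
CC_FEED = {"203.0.113.10", "198.51.100.9"}


@dataclass
class SkyCloud:
    """Stand-in for the cloud side: receives C&C hit reports from the device and
    publishes the compromised-hosts feed. Assumption: one C&C hit is enough to
    list the source host as compromised."""
    compromised_hosts: set = field(default_factory=set)
    reports: list = field(default_factory=list)

    def report_cc_hit(self, host: str, server: str, when: str) -> None:
        self.reports.append({"host": host, "server": server, "time": when})
        self.compromised_hosts.add(host)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form
    '<time> <src_ip> -> <dst_ip>:<port> <inbound|outbound>'."""
    when, src, _arrow, dst_port, direction = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"time": when, "src": src, "dst": dst, "port": int(port),
            "direction": direction}


def enforce(flow: dict, cc_feed: set, cloud: SkyCloud) -> str:
    """Return 'block' or 'permit' for one flow, reporting C&C hits to the cloud."""
    # Outbound request to a known C&C server: block it and report the local host.
    if flow["direction"] == "outbound" and flow["dst"] in cc_feed:
        cloud.report_cc_hit(flow["src"], flow["dst"], flow["time"])
        return "block"
    # A host on the compromised-hosts feed is blocked in both directions.
    local = flow["src"] if flow["direction"] == "outbound" else flow["dst"]
    if local in cloud.compromised_hosts:
        return "block"
    return "permit"


def process_log(lines, cc_feed=CC_FEED, cloud=None):
    """Run every flow record through enforce(); returns (decisions, cloud state)."""
    if cloud is None:
        cloud = SkyCloud()
    decisions = [enforce(parse_flow(line), cc_feed, cloud)
                 for line in lines if line.strip()]
    return decisions, cloud


# Constructed sample flow records: the third line is an inbound connection to a
# host that the first line has just exposed as talking to a C&C server.
SAMPLE_LOG = """\
2016-08-02T10:00:01Z 10.1.1.20 -> 203.0.113.10:443 outbound
2016-08-02T10:00:05Z 10.1.1.21 -> 198.51.100.7:80 outbound
2016-08-02T10:00:09Z 192.0.2.55 -> 10.1.1.20:445 inbound
2016-08-02T10:00:12Z 10.1.1.22 -> 198.51.100.9:443 outbound
""".splitlines()

if __name__ == "__main__":
    actions, state = process_log(SAMPLE_LOG)
    for record, action in zip(SAMPLE_LOG, actions):
        print(f"{action:6s} {record}")
    print("compromised hosts:", sorted(state.compromised_hosts))
```

Running the block prints the four decisions (block, permit, block, block) and the two hosts that were added to the compromised-hosts feed; the second flow is permitted because its destination is not on the feed, while the inbound connection to 10.1.1.20 is blocked only because that host was reported earlier in the same log.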
How Malware Is Analyzed and Detected

Sky Advanced Threat Prevention uses a pipeline approach to analyzing and detecting
malware. If an analysis reveals that the file is absolutely malware, it is not necessary to
continue the pipeline to further examine the malware.

Figure 2: Example Sky Advanced Threat Prevention Pipeline Approach
for Analyzing Malware
(Diagram: files such as .pdf and .exe pass through the following stages in order.)
- Cache Lookup: Have we seen this file before, and do we already know if it's bad?
- Antivirus Scanning: What do a few popular antivirus scanners say about the file?
- Static Analysis: Does the file contain suspicious signs, like unusual instructions or structure?
- Dynamic Analysis: What happens when we execute the file in a real environment?

Each analysis technique creates a verdict number, which is combined to create a final
verdict number from 1 through 10. A verdict number is a score or threat level. The higher
the number, the higher the malware threat. The SRX Series device compares this verdict
number to the policy settings and either permits or denies the session. If the session is
denied, a reset packet is sent to the client and the packets are dropped from the server.

Cache Lookup

When a file is analyzed, a file hash is generated, and the results of the analysis are stored
in a database. When a file is uploaded to the Sky Advanced Threat Prevention cloud, the
first step is to check whether this file has been looked at before. If it has, the stored verdict
is returned to the SRX Series device and there is no need to re-analyze the file. In addition
to files scanned by Sky Advanced Threat Prevention, information about common malware
files is also stored to provide faster response.

Cache lookup is performed in real time. All other techniques are done offline. This means
that if the cache lookup does not return a verdict, the file is sent to the client system while
the Sky Advanced Threat Prevention cloud continues to examine the file using the
remaining pipeline techniques. If a later analysis returns a malware verdict, then the file
and host are flagged.

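An added example (not Juniper code) that models the two sections above together: a real-time cache lookup keyed by file hash, offline stages that each return a score from 1 through 10, early termination once a stage is certain the file is malware, and the SRX-side comparison of the final score against a policy threshold. The stage functions and the byte markers they look for, combining stage scores by taking the maximum, the early-stop rule, and the threshold of 7 are assumptions made for the illustration; the product's actual scoring is proprietary.

```python
"""Added example (not Juniper code): toy model of the Sky ATP pipeline with a
real-time cache lookup in front of the offline analysis stages."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

CERTAIN = 10  # assumption: a stage returning this score ends the pipeline early


@dataclass
class Verdict:
    score: int                                   # 1..10, higher = greater threat
    stages_run: list = field(default_factory=list)


# Constructed stand-ins for the four offline techniques. Each returns a 1..10
# score for the bytes it is given; the markers they look for are made up.
def antivirus_scan(data: bytes) -> int:
    return 9 if b"EVIL-SIG" in data else 1


def static_analysis(data: bytes) -> int:
    return 6 if data.startswith(b"MZ") else 2


def dynamic_analysis(data: bytes) -> int:
    return CERTAIN if b"WRITES-TO-RUN-KEY" in data else 1


def machine_learning(data: bytes) -> int:
    return 7 if b"MZ" in data else 1


OFFLINE_STAGES: list[tuple[str, Callable[[bytes], int]]] = [
    ("antivirus", antivirus_scan),
    ("static", static_analysis),
    ("dynamic", dynamic_analysis),
    ("ml", machine_learning),
]


def file_hash(data: bytes) -> str:
    """Cache key: the hash generated when a file is analyzed."""
    return hashlib.sha256(data).hexdigest()


class SkyAtpPipeline:
    def __init__(self, stages=OFFLINE_STAGES):
        self.stages = stages
        self.cache: dict[str, Verdict] = {}      # file hash -> stored verdict

    def cache_lookup(self, digest: str) -> Optional[Verdict]:
        return self.cache.get(digest)

    def run_offline(self, data: bytes) -> Verdict:
        verdict = Verdict(score=1)
        for name, stage in self.stages:
            score = stage(data)
            verdict.stages_run.append(name)
            verdict.score = max(verdict.score, score)   # assumption: combine by max
            if score >= CERTAIN:
                break   # absolutely malware: no need to continue the pipeline
        return verdict

    def submit(self, data: bytes, threshold: int) -> dict:
        """Model one upload from the SRX. On a cache hit the stored verdict comes
        back in real time and the held connection is permitted or denied. On a
        miss the file has already gone to the client; the remaining techniques
        run offline, the verdict is cached, and the file and host are flagged if
        the score meets the policy threshold."""
        digest = file_hash(data)
        cached = self.cache_lookup(digest)
        if cached is not None:
            action = "deny" if cached.score >= threshold else "permit"
            return {"cached": True, "score": cached.score, "action": action,
                    "flagged": cached.score >= threshold}
        verdict = self.run_offline(data)
        self.cache[digest] = verdict
        return {"cached": False, "score": verdict.score, "action": "permit",
                "stages_run": list(verdict.stages_run),
                "flagged": verdict.score >= threshold}


# Constructed sample uploads; these are not real files.
BENIGN_PDF = b"%PDF-1.4 quarterly report, nothing to see here"
SUSPECT_EXE = b"MZ" + b"\x00" * 30 + b"EVIL-SIG WRITES-TO-RUN-KEY"

if __name__ == "__main__":
    atp = SkyAtpPipeline()
    print(atp.submit(SUSPECT_EXE, threshold=7))   # miss: released, analyzed, flagged
    print(atp.submit(SUSPECT_EXE, threshold=7))   # hit: denied in real time
    print(atp.submit(BENIGN_PDF, threshold=7))    # miss: all four stages run
```

The first submission of the suspect file is permitted at the time of download (cache miss, analysis still offline) but ends flagged with a score of 10 after the dynamic stage, so the machine learning stage never runs; the second submission of the same bytes is a cache hit and is denied in real time without re-analysis.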
Antivirus Scan

The advantage of antivirus software is its protection against a large number of potential
threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of
antivirus software is that it is always behind the malware. The virus comes first and the
patch to the virus comes second. Antivirus is better at defending familiar threats and
known malware than zero-day threats.

Sky Advanced Threat Prevention utilizes multiple antivirus software packages, not just
one, to analyze a file. The results are then fed into the machine learning algorithm to
overcome false positives and false negatives.

Static Analysis

Static analysis examines files without actually running them. Basic static analysis is
straightforward and fast, typically around 30 seconds. The following are examples of
areas that static analysis inspects:

- Metadata information: Name of the file, the vendor or creator of this file, and the
  original date on which the file was compiled.
- Categories of instructions used: Is the file modifying the Windows registry? Is it touching
  disk I/O APIs?
- File entropy: How random is the file? A common technique for malware is to encrypt
  portions of the code and then decrypt it during run time. A lot of encryption is a strong
  indication that the file is malware.

The output of the static analysis is fed into the machine learning algorithm to improve
the verdict accuracy.

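An added example (not Juniper code) of the features a static analysis stage can extract without running the file. It covers the registry and disk I/O API categories and the entropy check listed above, and goes slightly beyond the text by scoring entropy per 256-byte section rather than for the whole file, which is what separates an encrypted payload from a file that merely contains some compressed data. The API names per category, the section size, the 7.0 bits-per-byte threshold, and the sample bytes are constructed for the illustration.

```python
"""Added example (not Juniper code): static feature extraction with per-section
Shannon entropy and a categorized scan for referenced API names."""
import math
from collections import Counter

# Illustrative assignment of API names to the instruction categories the guide
# mentions; a real analyzer would parse the import table rather than grep bytes.
API_CATEGORIES = {
    "registry": [b"RegSetValueExW", b"RegCreateKeyExW", b"RegDeleteValueW"],
    "disk_io": [b"CreateFileW", b"WriteFile", b"DeleteFileW"],
}
SECTION_SIZE = 256
HIGH_ENTROPY = 7.0   # bits per byte; encrypted or packed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is identical, 8.0 when uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(data: bytes, size: int = SECTION_SIZE) -> list[float]:
    """Entropy of each consecutive size-byte section of the file."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def api_references(data: bytes) -> dict[str, list[str]]:
    """Which API names from each category appear in the file bytes."""
    return {cat: [name.decode() for name in names if name in data]
            for cat, names in API_CATEGORIES.items()}


def static_features(data: bytes) -> dict:
    """Feature vector a later scoring stage could consume."""
    ents = section_entropies(data)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    return {
        "is_pe": data.startswith(b"MZ"),
        "apis": api_references(data),
        "sections": len(ents),
        "high_entropy_sections": high,
        "high_entropy_ratio": high / len(ents) if ents else 0.0,
    }


# Constructed sample: a fake MZ header, three API names, plain-text padding, then
# 4096 bytes of "encrypted" payload. The payload is an affine byte permutation
# (239 is odd, so it is a bijection mod 256): every 256-byte section contains
# each byte value exactly once and therefore has entropy exactly 8.0.
_plain = (b"MZ" + b"\x00" * 62
          + b"RegSetValueExW\x00CreateFileW\x00WriteFile\x00"
          + b"hello world " * 40)[:512]
_encrypted = bytes((239 * i + 13) % 256 for i in range(4096))
SAMPLE_FILE = _plain + _encrypted

if __name__ == "__main__":
    import json
    print(json.dumps(static_features(SAMPLE_FILE), indent=2))
```

For the sample file the two leading sections (header, API strings, and text) score well below the threshold while all sixteen payload sections score 8.0, so the high-entropy ratio is 16/18; on a file that is merely compressed throughout, the same ratio would be high but the API lists would usually be empty, which is why the features are reported separately rather than folded into one number.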
Dynamic Analysis

The majority of the time spent inspecting a file is in dynamic analysis. With dynamic
analysis, often called sandboxing, a file is studied as it is executed in a secure environment.
During this analysis, an operating system environment is set up, typically in a virtual
machine, and tools are started to monitor all activity. The file is uploaded to this
environment and is allowed to run for several minutes. Once the allotted time has passed,
the record of activity is downloaded and passed to the machine learning algorithm to
generate a verdict.

Sophisticated malware can detect a sandbox environment due to its lack of human
interaction, such as mouse movement. Sky Advanced Threat Prevention uses a number
of deception techniques to trick the malware into determining this is a real user
environment. For example, Sky Advanced Threat Prevention can:

- Generate a realistic pattern of user interaction such as mouse movement, simulating
  keystrokes, and installing and launching common software packages.
- Create fake high-value targets in the client, such as stored credentials, user files, and
  a realistic network with Internet access.
- Create vulnerable areas in the operating system.

Deception techniques by themselves greatly boost the detection rate while reducing
false positives. They also boost the detection rate of the sandbox the file is running in
because they get the malware to perform more activity. The more the file runs, the more
data is obtained to detect whether the file is malware.

Machine Learning Algorithm

Sky Advanced Threat Prevention uses its own proprietary implementation of machine
learning to assist in analysis. Machine learning recognizes patterns and correlates
information for improved file analysis. The machine learning algorithm is programmed
with features from thousands of malware samples and thousands of goodware samples.
It learns what malware looks like, and is regularly reprogrammed to get smarter as threats
evolve.

Related Documentation

- Sky Advanced Threat Prevention Overview on page 16
- Dashboard Overview on page 25

Sky ATP Licensed Features and File Scanning Limits

Sky ATP has two service levels:

- Free
- Premium

The free model solution is available to all SRX Series customers that have a valid support
contract, but it only scans executable file types. Based on this result, the SRX Series
device can allow the traffic or perform inline blocking.

The premium model is available with additional licensing and provides deeper a
