Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 1 of 8

EXHIBIT 11

Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 2 of 8

Sky Advanced Threat Prevention Guide

Sky Advanced Threat Prevention Overview

Juniper Networks Sky Advanced Threat Prevention is a security framework that protects
all hosts in your network against evolving security threats by employing cloud-based
threat detection software with a next-generation firewall system.

Figure 1: Sky Advanced Threat Prevention Overview (diagram: the Customer site with an
SRX Series device connected to the Sky Advanced Threat Prevention Cloud, whose
components are labelled Advanced Threat Prevention, Sandbox with Deception, and
Static Analysis)

Sky Advanced Threat Prevention protects your network by performing the following
tasks:

- The SRX Series device extracts potentially malicious objects and files and sends them
to the cloud for analysis.

- Known malicious files are quickly identified and dropped before they can infect a host.

- Multiple techniques identify new malware, adding it to the known list of malware.

- Correlation between newly identified malware and known Command and Control
(C&C) sites aids analysis.

- The SRX Series device blocks known malicious file downloads and outbound C&C
traffic.

The Web UI is hosted by Juniper Networks in the cloud. The tabs across the top of the
Web UI provide workspaces in which an administrator can perform specific tasks. Table
1 shows the names of the tabs along with brief descriptions of what is accessible in that
workspace.

FINJAN-JN 044759

Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 3 of 8

Chapter 1: Overview

- File Scanning Overview on page 30

- Command and Control Servers Overview on page 29

Remediation and Malware Detection Overview

The SRX Series devices use intelligence provided by Sky Advanced Threat Prevention to
remediate malicious content through the use of security policies. If configured, security
policies block that content before it is delivered to the destination address.

For inbound traffic, security policies on the SRX Series device look for specific types of
files, like .exe files, to inspect. When one is encountered, the security policy sends the file
to the Sky Advanced Threat Prevention cloud for inspection. The SRX Series device holds
the last few kilobytes of the file from the destination client until Sky Advanced Threat
Prevention provides a verdict. If Sky Advanced Threat Prevention returns a bad verdict,
the SRX Series device drops the connection and the file is blocked.

For outbound traffic, the SRX Series device monitors traffic that matches the C&C feeds
it receives, blocks these C&C requests, and reports them to Sky Advanced Threat
Prevention. A list of compromised hosts is available so that the SRX Series device can
block inbound and outbound traffic.

How Malware Is Analyzed and Detected

Sky Advanced Threat Prevention uses a pipeline approach to analyzing and detecting
malware. If an analysis reveals that the file is absolutely malware, it is not necessary to
continue the pipeline to further examine the malware.

Figure 2: Example Sky Advanced Threat Prevention Pipeline Approach
for Analyzing Malware (diagram: a file such as a .pdf or .exe passes through four stages)

- Cache Lookup: Have we seen this file before, and do we already know if it's bad?

- Antivirus Scanning: What do a few popular antivirus scanners say about the file?

- Static Analysis: Does the file contain suspicious signs, like unusual instructions or structure?

- Dynamic Analysis: What happens when we execute the file in a real environment?

Each analysis technique creates a verdict number, which is combined to create a final
verdict number from 1 through 10. A verdict number is a score or threat level. The higher
the number, the higher the malware threat. The SRX Series device compares this verdict
number to the policy settings and either permits or denies the session. If the session is
denied, a reset packet is sent to the client and the packets are dropped from the server.

FINJAN-JN 044762

Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 4 of 8

Sky Advanced Threat Prevention Guide

Cache Lookup

When a file is analyzed, a file hash is generated, and the results of the analysis are stored
in a database. When a file is uploaded to the Sky Advanced Threat Prevention cloud, the
first step is to check whether this file has been looked at before. If it has, the stored verdict
is returned to the SRX Series device and there is no need to re-analyze the file. In addition
to files scanned by Sky Advanced Threat Prevention, information about common malware
files is also stored to provide faster response.

Cache lookup is performed in real time. All other techniques are done offline. This means
that if the cache lookup does not return a verdict, the file is sent to the client system while
the Sky Advanced Threat Prevention cloud continues to examine the file using the
remaining pipeline techniques. If a later analysis returns a malware verdict, then the file
and host are flagged.
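The pipeline, verdict-threshold and cache behaviour described in the two sections above, modelled as an added Python example (not Juniper's code). SHA-256 as the cache key, max-of-stage-scores as the combination rule and the per-stage scores are all assumptions; the sample files are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Order of the offline stages that follow the real-time cache lookup.
STAGE_ORDER = ("antivirus", "static", "dynamic")

@dataclass
class Pipeline:
    """Toy model of the Sky ATP pipeline: cache lookup first, then the
    offline stages, stopping early once a stage is certain it is malware."""
    stage_scores: dict                           # sha256 -> {stage: 1..10 score}
    cache: dict = field(default_factory=dict)    # sha256 -> stored final verdict
    certain_malware: int = 10                    # score that ends the pipeline early

    @staticmethod
    def file_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()  # assumption: SHA-256 as cache key

    def cache_lookup(self, data: bytes):
        """Real-time step: the stored verdict, or None if never seen."""
        return self.cache.get(self.file_hash(data))

    def inspect(self, data: bytes, threshold: int) -> str:
        """Inline decision on the SRX side. Only a cache hit can block in real
        time; on a miss the file is delivered and the offline stages decide later."""
        cached = self.cache_lookup(data)
        return "permit-pending" if cached is None else policy_action(cached, threshold)

    def analyze(self, data: bytes):
        """Offline stages. Returns (final verdict 1..10, stages actually run)."""
        h = self.file_hash(data)
        scores = self.stage_scores.get(h, {})
        run, collected = [], []
        for stage in STAGE_ORDER:
            run.append(stage)
            collected.append(scores.get(stage, 1))   # unknown stage -> benign score
            if collected[-1] >= self.certain_malware:
                break                                 # absolutely malware: stop here
        final = max(1, min(10, max(collected)))       # assumption: combine by max
        self.cache[h] = final                         # later lookups hit the cache
        return final, run

def policy_action(verdict: int, threshold: int) -> str:
    """Verdict at or above the policy threshold -> deny (client reset, packets dropped)."""
    return "deny" if verdict >= threshold else "permit"

def sample_pipeline() -> Pipeline:
    """Constructed sample data: one file every engine flags, one borderline file."""
    flagged = Pipeline.file_hash(b"constructed-sample-A")
    borderline = Pipeline.file_hash(b"constructed-sample-B")
    return Pipeline(stage_scores={
        flagged: {"antivirus": 10},
        borderline: {"antivirus": 2, "static": 6, "dynamic": 8},
    })
```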

Antivirus Scan

The advantage of antivirus software is its protection against a large number of potential
threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of
antivirus software is that it is always behind the malware. The virus comes first and the
patch to the virus comes second. Antivirus is better at defending familiar threats and
known malware than zero-day threats.

Sky Advanced Threat Prevention utilizes multiple antivirus software packages, not just
one, to analyze a file. The results are then fed into the machine learning algorithm to
overcome false positives and false negatives.

Static Analysis

Static analysis examines files without actually running them. Basic static analysis is
straightforward and fast, typically around 30 seconds. The following are examples of
areas that static analysis inspects:

- Metadata information—Name of the file, the vendor or creator of this file, and the
original date on which the file was compiled.

- Categories of instructions used—Is the file modifying the Windows registry? Is it touching
disk I/O APIs?

- File entropy—How random is the file? A common technique for malware is to encrypt
portions of the code and then decrypt it during runtime. A lot of encryption is a strong
indication that the file is malware.

The output of the static analysis is fed into the machine learning algorithm to improve
the verdict accuracy.
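The file-entropy check from the static-analysis list above, as an added Python example (not Juniper's code). The 512-byte window and 7.0-bit threshold are assumptions, and both inputs are constructed: the "packed" sample is a SHA-256 chain standing in for an encrypted section, not real malware.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_ratio(data: bytes, window: int = 512, threshold: float = 7.0) -> float:
    """Fraction of fixed-size windows whose entropy exceeds the threshold.
    Window size and threshold are assumptions; a high fraction is the
    'a lot of encryption' signal the guide treats as a malware indicator."""
    if len(data) < window:
        return 1.0 if shannon_entropy(data) > threshold else 0.0
    windows = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    hot = sum(1 for w in windows if shannon_entropy(w) > threshold)
    return hot / len(windows)

def looks_encrypted(data: bytes) -> bool:
    """Static-analysis input to the verdict: True when most of the file is high-entropy."""
    return high_entropy_ratio(data) >= 0.5

def sample_plain() -> bytes:
    """Constructed: a PE-like header followed by repetitive, text-like content."""
    return b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 40

def sample_packed() -> bytes:
    """Constructed: deterministic pseudo-random bytes from a SHA-256 chain,
    standing in for an encrypted section that is decrypted at runtime."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < 4096:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out)
```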

Dynamic Analysis

The majority of the time spent inspecting a file is in dynamic analysis. With dynamic
analysis, often called sandboxing, a file is studied as it is executed in a secure environment.
During this analysis, an operating system environment is set up, typically in a virtual
machine, and tools are started to monitor all activity. The file is uploaded to this
environment and is allowed to run for several minutes. Once the allotted time has passed,
the record of activity is downloaded and passed to the machine learning algorithm to
generate a verdict.

20

FINJAN-JN 044763

Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 5 of 8

Chapter 1: Overview

Sophisticated malware can detect a sandbox environment due to its lack of human
interaction, such as mouse movement. Sky Advanced Threat Prevention uses a number
of deception techniques to trick the malware into determining this is a real user
environment. For example, Sky Advanced Threat Prevention can:

- Generate a realistic pattern of user interaction such as mouse movement, simulating
keystrokes, and installing and launching common software packages.

- Create fake high-value targets in the client, such as stored credentials, user files, and
a realistic network with Internet access.

- Create vulnerable areas in the operating system.

Deception techniques by themselves greatly boost the detection rate while reducing
false positives. They also boost the detection rate of the sandbox the file is running in
because they get the malware to perform more activity. The more the file runs, the more
data is obtained to detect whether the file is malware.

Machine Learning Algorithm

Sky Advanced Threat Prevention uses its own proprietary implementation of machine
learning to assist in analysis. Machine learning recognizes patterns and correlates
information for improved file analysis. The machine learning algorithm is programmed
with features from thousands of malware samples and thousands of goodware samples.
It learns what malware looks like, and is regularly reprogrammed to get smarter as threats
evolve.

Related Documentation

- Sky Advanced Threat Prevention Overview on page 16

- Dashboard Overview on page 25

Sky ATP Licensed Features and File Scanning Limits

Sky ATP has two service levels:

- Free

- Premium

The free model solution is available to all SRX Series customers that have a valid support
contract, but it only scans executable file types. Based on this result, the SRX Series
device can allow the traffic or perform inline blocking.

The premium model is available with additional licensing and provides deeper analysis.
All file types are examined using several analysis techniques to give better coverage. Full
reporting provides details about the threats found on your network.

21

FINJAN-JN 044764

Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 6 of 8

Sky Advanced Threat Prevention Guide

NOTE: C&C and GeoIP filtering feeds are only available with a Premium
license. For information on licensed features, see the table below.

The following table shows a comparison between the free model and the premium
model.

Table 5: Comparing the Sky Advanced Threat Prevention Free Model and Premium Model

Free Model:

- Management through cloud interface. Zero on-premise footprint beyond the SRX Series
device.

- Inbound protection.

- Inspects only .exe file types.

- Executables go through the entire pipeline (cache, antivirus, static, and dynamic).

- Infected host blocking.

- Up to 2500 files per day per device submitted to the cloud for inspection.

- Outbound protection.

- Reporting on malware blocked (counts only; no detailed behaviors exposed).

Premium Model:

- Management through cloud interface. Zero on-premise footprint beyond the SRX Series
device.

- Inbound protection.

- No restrictions on object file types inspected beyond those imposed by the Sky Advanced
Threat Prevention service. You can specify which file types are sent to the service for
inspection.

- Executables, PDF files, and Microsoft Office files (Word document, Excel, and PowerPoint)
go through the entire pipeline (cache, antivirus, static, and dynamic). All other file types
only go through the cache and antivirus pipeline.

- C&C feeds.

- Infected host blocking.

- GeoIP filtering.

- Up to 10,000 files per day per device submitted to the cloud for inspection.

- Outbound protection.

- C&C protection with event data returned to the Sky Advanced Threat Prevention Cloud.

- Reporting with rich detail on malware behaviors.

- Compromised endpoint dashboard.

File Scanning Limits

There is a limit to the number of files which can be submitted to the cloud for inspection.
This limit is dictated by the device and license type.

22

FINJAN-JN 044765

Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 7 of 8

Sky Advanced Threat Prevention Guide

Malware Behavior Summary

The information displayed here varies according to the malware type. Here is an example
of a behavior summary for a level 10 threat.

Figure 3: Screen Capture: Malicious Behavior Summary (screen capture; the legible
categories and findings are listed below)

System Summary:

- PE file has a valid certificate
- PE file contains a debug data directory
- Binary contains paths to debug symbols
- Contains functionality for error logging
- PE file has an executable .text section and no other executable section
- PE file contains strange resources
- PE file contains an invalid checksum

Other categories shown: Data Obfuscation; Hooking and other Techniques for Hi...;
Anti Debugging; Language, Device and Operating Sys...; Networking. Findings listed
under them include:

- Extensive use of GetProcAddress (often used to hide API calls)
- Contains functionality to register its own exception handler
- Contains functionality to query local / system time
- Contains functionality to query windows version
- Urls found in memory or binary data

Related Documentation

- File Scanning Limits on page 32

- File Scanning Overview on page 30

- Manual Scanning Overview on page 33

- Hosts Overview on page 27

File Scanning Limits

There is a limit to the number of files which can be submitted to the cloud for inspection.
This limit is dictated by the device and license type. When the limit is reached, the file
submission process is paused.

Limit thresholds operate on a sliding scale and are calculated within a 24-hour time frame
starting "now."

Table 12: File Scanning Limits

Device | Free License (files per day) | Premium License (files per day)
SRX1500 | 2,500 | 10,000
SRX5400 | 5,000 | 50,000
SRX5600 | 5,000 | 70,000
SRX5800 | 5,000 | 100,000
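The sliding 24-hour limit described above, with the per-device figures of Table 12, as an added Python example (a model, not Juniper's implementation). The submission timestamps in the test are constructed; each submission stops counting against the limit 24 hours after it was made.

```python
from collections import deque

# Table 12 from the guide: files per day per device, by license type.
SCAN_LIMITS = {
    "SRX1500": {"free": 2_500, "premium": 10_000},
    "SRX5400": {"free": 5_000, "premium": 50_000},
    "SRX5600": {"free": 5_000, "premium": 70_000},
    "SRX5800": {"free": 5_000, "premium": 100_000},
}
WINDOW_SECONDS = 24 * 60 * 60

class SubmissionLimiter:
    """Sliding 24-hour window starting 'now': a submission counts against the
    limit until 24 hours after it was made, so the budget recovers gradually
    instead of resetting at a fixed time of day."""

    def __init__(self, model: str, license_type: str):
        self.limit = SCAN_LIMITS[model][license_type]
        self.times = deque()   # timestamps (seconds) of submissions inside the window

    def _expire(self, now: float) -> None:
        # Drop submissions that are 24 hours old or older.
        while self.times and now - self.times[0] >= WINDOW_SECONDS:
            self.times.popleft()

    def remaining(self, now: float) -> int:
        self._expire(now)
        return self.limit - len(self.times)

    def submit(self, now: float) -> bool:
        """True if the file may be sent to the cloud now; False if submission
        is paused because the limit has been reached."""
        self._expire(now)
        if len(self.times) >= self.limit:
            return False
        self.times.append(now)
        return True
```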

Related Documentation

- File Scanning Details on page 31

- Manual Scanning Overview on page 33

32

FINJAN-JN 044775

Case 3:17-cv-05659-WHA Document 98-14 Filed 06/07/18 Page 8 of 8

Chapter 5: Configure

Sky ATP periodically polls for new and updated content and automatically downloads
it to your SRX Series device. There is no need to manually push your whitelist or blacklist
files.

Related Documentation

- Custom Whitelist and Blacklist Overview on page 41

- File Scanning Overview on page 30

- File Scanning Details on page 31

- Hosts Overview on page 27

- Host Details on page 28

Device Profiles Overview

Sky ATP profiles let you define which files to send to the cloud for inspection. You can
group types of files to be scanned together (such as .tar, .exe, and .java) under a common
name and create multiple profiles based on the content you want scanned. Then enter
the profile names on eligible SRX Series devices to apply them.

Table 17: File Category Contents

Category: Active media
Description: Flash and Silverlight applications
Included File Types: .swf, .xap, .xbap

Category: Archive
Description: Archive files
Included File Types: .7z, .bz2, .cab, .gz, .iso, .lz, .lzma, .ova, .rar, .s7z, .tar,
.tar.gz, .tar.lzma, .tbz2, .tgz, .z, .zip, .tar.bz2

Category: Code
Description: Source code
Included File Types: .c, .cc, .cpp, .cxx, .h, .htt, .java

Category: Config
Description: Configuration files
Included File Types: .inf, .ini, .lnk, .reg, .plist

Category: Document
Description: All document types except PDFs
Included File Types: .chm, .doc, .docx, .dotx, .hta, .html, .pot, .ppa, .pps,
.ppt, .pptsm, .pptx, .ps, .rtf, .txt, .xlsx, .xml, .xsl, .xslt

Category: Emerging threat
Description: A special category that includes known threat source file types

Category: Executable
Description: Executable binaries
Included File Types: .bin, .com, .dat, .exe, .msi, .msm, .mst

Category: Java
Description: Java applications, archives, and libraries
Included File Types: .class, .ear, .jar, .war

Category: Library
Description: Dynamic and static libraries and kernel modules
Included File Types: .a, .dll, .kext, .ko, .o, .so, .ocx

Category: Media
Description: Audio video formats
Included File Types: .asf, .wmv

Category: Mobile
Description: Mobile applications for iOS and Android
Included File Types: .apk, .ipa

Category: OS package
Description: OS-specific update applications
Included File Types: .deb, .dmg

43

FINJAN-JN 044786
