Security Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements

Shamoon Returns

by Juniper Employee 12-14-2016 08:52 PM - edited 12-15-2016 10:47 AM

Over the past month, we've seen the reemergence of the Shamoon malware, primarily affecting businesses in Saudi Arabia. We'll take a look at a recent Shamoon sample to see how it works and how Sky ATP's deep analysis engines catch it.


The Thing is… How do we keep botnets at bay?

by Juniper Employee 12-12-2016 03:27 AM - edited 12-12-2016 12:18 PM

Here’s my number of the week… Actually, two numbers of the week.


The first is 20 billion. The second is 1.5 million.


The first is an estimate, widely reported in the media, of how many IoT devices are likely to be connected to the internet by 2020(1)… although it could actually be double this.


Journey to Securing Public and Hybrid Cloud Deployments

by Juniper Employee 11-29-2016 07:55 AM - edited 11-30-2016 08:47 AM



Everyone agrees: IT infrastructure has, for the last several years, been migrating inexorably toward the cloud. When did that long journey start? How far have we come? And how much further do we have to go? Let’s take a look back at the history of the cloud.


BlackNurse in review: Is your NGFW vulnerable?

by Juniper Employee 11-28-2016 12:15 PM - edited 12-02-2016 06:30 AM

On November 10th, 2016, the Danish firm TDC published a report on the effects of a particular ICMP Type+Code combination (Type 3, Code 3: Destination Unreachable, Port Unreachable) that triggers resource exhaustion within many leading firewall platforms. The TDC SOC has branded this low-volume attack BlackNurse, details of which can be seen here, and here


"This is the best article and test we have to date on the BlackNurse attack. The article provides some answers which are not covered anywhere else. The structure and documentation of the test is remarkable. It would be nice to see the test performed on other firewalls – good job Craig."

Lenny Hansson and Kenneth Bjerregaard Jørgensen, BlackNurse Discoverers
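As an added example (not from the original post, TDC or Juniper), here is detection logic that flags a BlackNurse-style flood in flow records: it counts ICMP Type 3 Code 3 packets per destination per second, summed over all sources, because the attack needs little bandwidth and can be spread across or spoofed from many source addresses, so a per-source threshold can miss it. The record format, the sample traffic and the 1,000 packets-per-second threshold are constructed assumptions; size the threshold to the rate at which your own firewall's CPU starts to suffer.

```python
from collections import defaultdict

ICMP_DEST_UNREACH = 3   # ICMP Type 3
CODE_PORT_UNREACH = 3   # Code 3: the Type+Code pair used by BlackNurse
THRESHOLD_PPS = 1000    # assumption for illustration; measure your own firewall

# Constructed sample flow records, not real traffic:
# (second, src_ip, dst_ip, icmp_type, icmp_code)
SAMPLE_RECORDS = (
    [(100, "10.0.0.9", "203.0.113.10", 3, 3)] * 1200      # the flood
    + [(100, "198.51.100.7", "203.0.113.10", 3, 3)] * 5   # benign trickle of 3/3
    + [(100, "198.51.100.7", "203.0.113.10", 8, 0)]       # one echo request
    + [(101, "10.0.0.9", "203.0.113.10", 3, 1)] * 900     # host unreachable: not 3/3
)


def is_blacknurse_packet(icmp_type, icmp_code):
    """True only for the exact Type 3 / Code 3 combination."""
    return icmp_type == ICMP_DEST_UNREACH and icmp_code == CODE_PORT_UNREACH


def detect(records, threshold_pps=THRESHOLD_PPS):
    """Return {(second, dst_ip): count} for every second in which a destination
    receives more than threshold_pps ICMP 3/3 packets, summed over all sources."""
    counts = defaultdict(int)
    for second, _src, dst, itype, icode in records:
        if is_blacknurse_packet(itype, icode):
            counts[(second, dst)] += 1
    return {key: n for key, n in counts.items() if n > threshold_pps}


def top_sources(records, second, dst):
    """Rank the sources of ICMP 3/3 toward dst in that second, highest first,
    as candidates for a rate-limit or block rule."""
    per_src = defaultdict(int)
    for s, src, d, itype, icode in records:
        if s == second and d == dst and is_blacknurse_packet(itype, icode):
            per_src[src] += 1
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (second, dst), n in detect(SAMPLE_RECORDS).items():
        print(f"t={second}s dst={dst}: {n} ICMP 3/3 packets (threshold {THRESHOLD_PPS})")
        for src, count in top_sources(SAMPLE_RECORDS, second, dst):
            print(f"  {src}: {count}")
```

On the constructed records only second 100 trips the threshold (1,205 packets of 3/3); the 900 Type 3 Code 1 packets in second 101 are ignored because only the exact 3/3 pair is implicated. Keying on the destination rather than the source is what keeps the check useful when the sender spoofs addresses.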


Against the background of a thriving digital economy, it’s evident just how many of the technologies we rely on today are going to be a big part of our interconnected future. Yet, in just a few short years, much of what we now take for granted could change beyond recognition and in ways few of us might have predicted.



Continuing our series, this post revolves around Security Information and Event Management (SIEM) solutions, their place in the enterprise, and how you can leverage their exceptional levels of visibility within SkyATP.


A Walk Through AutoIT Malware

by Juniper Employee 11-15-2016 02:08 PM - edited 12-15-2016 01:58 PM

In this post, we'll walk through the analysis of a piece of AutoIt malware. AutoIt is a scripting language and interpreter used mainly for Windows administration and task automation. Malware written in AutoIt is not particularly common, though a Locky clone built with the language appeared recently. We'll step through three different layers to find the final malicious payload.


While we’ve witnessed a fresh spate of high profile cyber-attacks this year, most have played out as conventional exploits, that is, incidents that however undesirable or damaging follow a well-trodden path.


Until recently.


According to a 2014 report from ICS-CERT, industrial control systems in the United States were threatened by cyber-attacks at least 245 times over a 12-month period, by nation-state hackers, cybercriminals, cyber terrorists and hacktivists. The potential risk to critical infrastructure is real, and it's important that the public and private sectors work collectively to protect these critical systems.


Juniper Networks consistently strives to be a thought leader and challenger in the networking industry, which is why we’ve shifted our vision from “digital disruption” to “digital cohesion.” Disruption implies a disturbance or a problem to the norm, and being reactive to things already happening.


Twenty-four hours. That's all it took for an 18-year-old to exploit two zero-day bugs in iOS 10 and jailbreak an iPhone. As an iPhone user, I've always appreciated what Apple does for us: it restricts file access between applications in a way that is reasonable (and imperceptible to most users), which yields significant security benefits. However, the recent iOS exploit illustrates that even the "safest" devices are not immune to the hacking culture we live in today.


Automating Cyber Threat Intelligence with SkyATP: Part One

by Juniper Employee 10-17-2016 09:55 AM - edited 11-23-2016 08:39 AM

Each year, the economics of "fighting back" against hacktivism, cybercrime, and the occasional state-sponsored attack become more untenable for the typical enterprise. It's nearly impossible for the average security team to stay up to date with the latest emerging threats while also handling their regular duties. Given the current economic climate, the luxury of a dedicated Cyber Threat Intelligence (CTI) team is generally out of reach for all but the largest enterprises. While automated identification, curation, and enforcement of CTI cannot truly replace human security analysts (yet), it has been shown to go a long way toward increasing the effectiveness and agility of your security infrastructure.


The idea of a lone hacker maliciously tapping away in a dark room is an antiquated one. The business of cybercrime is now a multibillion-dollar enterprise with highly organized entities looking to exploit vulnerabilities and scam businesses and consumers in our increasingly networked world. According to a Juniper-commissioned report from the RAND Corporation:


The cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states. It does not differ much from a traditional market or other typical criminal enterprises; participants communicate through various channels, place their orders, and get products.


Today, attackers are much more efficient in their efforts than ever before, driven by the ability to work with others in the criminal underground. Left unchecked, I worry that the ability to defend against these organizations will be more challenging.


Traditional cybersecurity approaches that rely on perimeter-only protection are no longer enough to prevent data breaches and data exfiltration. Our cyber adversaries have grown in sophistication even with very little training and inexpensive equipment. The standard attack anatomy is changing, and protection against state actors, lone-wolf actors, and insider threats is becoming increasingly problematic. The evolution of threats has necessitated a change in the security mindset from a high-trust posture (trust what's inside) to a zero-trust posture (trust nothing): the traditional high-trust methods have created an architected fragility that is inflexible and unable to adapt quickly, or at all, to the constant barrage of cyber threats.


In his keynote speech at the 2011 RSA Conference, the former director of the NSA, Gen. Keith B. Alexander, made an interesting statement: "Securing our nation's network is a team sport." It is clearer now than ever that no one can fight the cyber war alone, and community efforts to share cyber threat intelligence can benefit all participants, even in a competitive environment.


When it comes to modern cyber threats, the attackers seem to have the upper hand. Regardless of their motivation, their engagement with the target has many asymmetric characteristics that work to their benefit, creating the need for new defense concepts deployed in a seemingly never-ending arms race.

One of those new concepts is the sharing of real-time, actionable cyber threat intelligence (CTI): the exchange of a dynamic feed of threat- or attack-related objects used for enforcement or analysis at the receiving end. Sharing CTI between organizations is a collaborative effort to improve cyber defense posture by leveraging the capabilities, knowledge, and experience of the broader community. Such deployments may take different technological and structural forms, but they ultimately reduce duplication of effort while enabling one organization's detection to become another organization's prevention.


In recent years, a growing number of sharing alliances have emerged: between individuals using social networks, within the same vertical market, across different sectors in the same geography, between commercial and government bodies, and even among countries. In many cases these sharing initiatives represent a shift from the organization's legacy IT paradigm and create a complex, multifaceted challenge spanning technology, law, organizational culture, privacy and more [1]. These challenges are bigger when the parties are direct competitors or have other conflicts of interest, as demonstrated in my research-in-progress conducted at the Blavatnik Interdisciplinary Cyber Research Center (ICRC). The research analyzes threat intelligence sharing between cybersecurity vendors, with the goal of creating visibility into and understanding of the ecosystem that has formed within this industry. Since the shared information is closely related to the firms' core business, it clearly presents the challenge of combining collaboration with competition, known as coopetition.


Security vendors have already embraced CTI as a defense concept that provides their customers with a viable solution, but the disaggregation of the solution into the elements described in Figure 1 allows them to use feeds from each other, or to offer their threat intelligence through another vendor as a sales channel. These three elements may belong to one or several vendors, and be deployed as a single product or multiple products, either on customer premises or in the cloud. The source point of the information flow is a threat intelligence feed, and the destination is a policy enforcement or decision point. In between, an optional element called a Threat Intelligence Platform (TIP) may act as an exchange point tying several sources and destinations together. Integration between the elements is based on either proprietary APIs or evolving standards such as STIX™, TAXII™, and CybOX™.


Figure 1 – Disaggregated elements of threat intelligence sharing

The key findings of the research suggest that cooperating with competitors is a winning strategy, showing a correlation between a vendor's market-related success indicators and its number of sharing relationships. Furthermore, the industry as a whole is a coopetition-fit environment divided into social network communities, where successful companies attract more new relationships, following the "rich-get-richer" phenomenon. In addition, intelligence sharing can result in better security coverage, direct and indirect financial gains, and benefit to the greater good.
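To make the disaggregated model of Figure 1 concrete, here is an added example (not from the original post or any vendor's product) of a minimal TIP acting as the exchange point between two hypothetical vendor feeds and one enforcement point. Feed "alpha" is modelled as STIX-style indicator objects whose patterns are single comparisons such as [ipv4-addr:value = '203.0.113.5']; feed "beta" is modelled as a plain CSV export of the kind a proprietary API might return. The feed contents, the default confidence of 50 for objects that carry none, the merge rule (keep the highest confidence, union the reporting vendors) and the block/alert thresholds at the enforcement point are all assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Only single-comparison patterns on the 'value' property are understood here;
# a real TIP would use a full STIX pattern parser.
STIX_SIMPLE = re.compile(r"^\[(?P<otype>[a-z0-9-]+):value\s*=\s*'(?P<value>[^']*)'\]$")

# Constructed feed from hypothetical vendor "alpha": STIX-style indicator objects.
FEED_ALPHA = [
    {"id": "indicator--a1", "pattern": "[ipv4-addr:value = '203.0.113.5']", "confidence": 80},
    {"id": "indicator--a2", "pattern": "[domain-name:value = 'Bad.Example']", "confidence": 40},
    # Compound pattern: skipped by this toy parser rather than half-applied.
    {"id": "indicator--a3",
     "pattern": "[url:value = 'http://x.example/a' OR url:value = 'http://x.example/b']"},
]

# Constructed feed from hypothetical vendor "beta": a plain CSV export.
FEED_BETA = """\
# type,value,confidence
domain-name,bad.example,50
ipv4-addr,198.51.100.22,30
"""


@dataclass(frozen=True)
class Indicator:
    kind: str   # STIX observable type, e.g. ipv4-addr, domain-name, url
    value: str  # normalized (lower-cased) value


@dataclass
class Merged:
    indicator: Indicator
    confidence: int = 0
    sources: set = field(default_factory=set)


def parse_stix_feed(objects, source):
    """Yield (Indicator, confidence, source) for each pattern we can interpret.
    Objects without a confidence get 50 (assumption)."""
    for obj in objects:
        m = STIX_SIMPLE.match(obj["pattern"])
        if m:
            yield Indicator(m["otype"], m["value"].lower()), int(obj.get("confidence", 50)), source


def parse_csv_feed(text, source):
    """Yield (Indicator, confidence, source) from 'type,value,confidence' lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        kind, value, conf = (f.strip() for f in line.split(","))
        yield Indicator(kind, value.lower()), int(conf), source


def merge(*feeds):
    """TIP exchange point: dedupe indicators across feeds, keeping the highest
    confidence seen and the set of vendors that reported each one."""
    merged = {}
    for feed in feeds:
        for ind, conf, src in feed:
            entry = merged.setdefault(ind, Merged(ind))
            entry.confidence = max(entry.confidence, conf)
            entry.sources.add(src)
    return merged


def build_merged():
    return merge(parse_stix_feed(FEED_ALPHA, "alpha"), parse_csv_feed(FEED_BETA, "beta"))


def decide(merged, kind, value, min_confidence=70, min_sources=2):
    """Enforcement point policy (assumed): block on high confidence or on
    corroboration by two or more vendors, alert on anything else we know of."""
    entry = merged.get(Indicator(kind, value.lower()))
    if entry is None:
        return "allow"
    if entry.confidence >= min_confidence or len(entry.sources) >= min_sources:
        return "block"
    return "alert"


if __name__ == "__main__":
    merged = build_merged()
    for ind, entry in merged.items():
        print(f"{ind.kind:12} {ind.value:16} conf={entry.confidence:3} sources={sorted(entry.sources)}")
    for kind, value in [("ipv4-addr", "203.0.113.5"), ("domain-name", "BAD.example"),
                        ("ipv4-addr", "198.51.100.22"), ("ipv4-addr", "192.0.2.1")]:
        print(kind, value, "->", decide(merged, kind, value))
```

The domain bad.example illustrates the point of the exchange: neither vendor rates it highly on its own, but once the TIP sees it from both, the enforcement point blocks it, so one vendor's detection becomes the other's customer's prevention. The compound pattern from "alpha" is deliberately dropped rather than partially applied, since acting on half of an OR/AND pattern would enforce something neither vendor asserted.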


Given the possible advantages to companies, and the challenge of fighting the cyber war alone, many organizations are reconsidering their policy on sharing cyber-related information with outside parties, demonstrating that crowd wisdom is applicable in the cybersecurity domain. For more on the topic from both academic and industry perspectives, join my presentation "101 to Threat Intelligence Sharing" at the (ISC)² Security Congress EMEA in Dublin, 18-19 October 2016, or at the CSX 2016 Europe conference in London, 31 October-2 November 2016.


[1] Zrahia, A. (2014). A multidisciplinary analysis of cyber information sharing. Military and Strategic Affairs, 6(3), 59-77. E-ISSN 2307-8634. The Institute for National Security Studies (INSS), Tel-Aviv University.

About Security Now

Discussing a wide range of topics impacting enterprises and
data center security.


Our Bloggers

Jennifer Blatnik
Vice President
Enterprise Portfolio Marketing


Ritesh Agrawal
Software Engineering


Scott Emo
Product Marketing


Bill Shelton
Director Field Sales


