JN0-636 Exam Dumps - Security, Professional (JNCIP-SEC)

https://forums.juniper.net/t5/Ethernet-Switching/monitor-traffic- interface/td-p/462528

The SRX Series device will continue to send requests to authentication servers 192.168.30.190 and 192.168.30.191. This is because the exhibit shows the output of the show network-access aaa radius-servers command. This command displays the status of the RADIUS servers configured on the device. In the output, we can see that there are three RADIUS servers configured - 192.168.30.190, 192.168.30.191, and 2001:DB8:0:f101::2. However, the status of the third server is shown as “DOWN”. This means that the device is not able to communicate with this server. Therefore, the device will continue to send requests to the other two servers - 192.168.30.190 and 192.168.30.191. References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-network-access-aaa-radius-servers.html

The appropriate mitigation actions for the selected incident are to block malware IP addresses (download server or CnC server) and to deploy IVP integration (if configured) to confirm if the endpoint has executed the malware and is infected. This is because the incident shows a progression level of “Download” in the kill chain, which means that the malware has been downloaded and is likely to be executed. Blocking the malware IP addresses can prevent further communication with the malicious server and stop the malware from receiving commands or exfiltrating data. Deploying IVP integration can help verify the infection status of the endpoint and provide additional information about the malware behavior and impact. IVP integration is an optional feature that allows the ATP Appliance to interact with third-party endpoint security solutions such as Carbon Black, Cylance, and CrowdStrike. References:

• Advanced Threat Prevention Appliance Solution Brief
• Advanced Threat Prevention Appliance Datasheet
• [Advanced Threat Prevention Appliance Mitigation Actions]
• [Advanced Threat Prevention Appliance IVP Integration]

https://kb.juniper.net/InfoCenter/index?page=content &id=TN326&cat=&actp=LIST&showDraft=false

According to the Juniper documentation, a custom block list feed is a user-defined list of IP addresses or URLs that are considered malicious or unwanted. A custom block list feed can be configured to override the default Juniper Seclntel block list feed, which is a cloud-based service that provides a list of known malicious IP addresses and URLs. To override the Juniper Seclntel block list feed, the custom block list feed must have a higher priority value than the Juniper Seclntel block list feed. In the exhibit, the custom block list feed has a priority value of 10, which is higher than the default priority value of 5 for the Juniper Seclntel block list feed. Therefore, this custom block list feed will be used instead of the Juniper Seclntel block list feed. References: : [Configuring Custom Block List Feeds]

Referring to the exhibit, the following statements are correct:

• B. All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies. The exhibit shows that all of the entries have the category DC/1, which stands for command and control1.
• C. All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries. The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source2.

The other statements are incorrect because:

• A. All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.
• D. All of the entries are not a threat level 10, but they are. See the explanation for option A.

References:

• Understanding Dynamic Address Categories
• Understanding Dynamic Address Feed Sources
• [Understanding Dynamic Address Threat Levels]