PT NAD can be used not only to detect attacks on the network perimeter, but also attacks that are already under way inside the corporate network. According to Positive Technologies research, attackers manage to breach the network perimeter in a single step in every second company, and in 97% of networks there is suspicious traffic that may be a sign of compromise.
Let's see how traffic analysis systems work, using PT NAD as an example. In terms of the OSI model, the system works from layer 2 (data link) up to layer 7 (application). A mirrored copy of the traffic is enough for the system to operate, so network performance does not suffer during analysis. If traffic from both the external and the internal network is fed in, attacker activity can be detected at different stages of an attack.
Architecturally, the product consists of a core and sensors. The sensors parse protocols (SMB, DCE/RPC, Kerberos, LDAP), analyse traffic directly against the detection rules (there are more than 5000 of them) and store the so-called raw traffic as PCAP files.
The parsed traffic from the sensors is passed to the core. There it is analysed with machine learning, retrospective analysis and indicators of compromise. The core also stores the metadata of network sessions.
How to use NTA systems: four scenarios
SOC teams and in-house information security teams usually use NTA systems to solve four practical tasks. Let's look at each of them in more detail.
1. Detection of attacks within the infrastructure and on the perimeter of the network
With the help of machine learning, deep inspection of packet contents, retrospective analysis, proprietary detection rules and indicators of compromise, NTA systems detect attacks as they are happening. For example, PT NAD detects an attacker's lateral movement inside the perimeter, malware activity, attempts to hide actions from security tools, exploitation of vulnerabilities, connections to automatically generated domains and the use of hacking tools.
Each detected attack is automatically assigned a severity level (from low to high) and a class. The severity can be changed in the rule settings according to the company's information security policies and the importance of the event for its network.
The system collects the data on a specific attack into an attack card. It contains the nodes involved, the time of the event, the session, and the tactics and techniques used according to the MITRE ATT&CK matrix. Analysing this information helps to understand what stage the attackers have reached and what needs to be done to repel them.
The more attacks on the organisation's infrastructure use a particular tactic, the brighter that tactic is coloured on the attack heat map. The heat map shows how far the attackers have progressed towards their goals.
2. Investigation of attacks
NTA-class tools are useful for investigating attacks. For example, PT NAD stores data about network interactions, which is useful when you need to understand what preceded a suspicious event. By filtering this information you can gradually unwind the attack chain, reconstruct the chronology of its development, localise the threat and take compensating measures. Sessions can be filtered by any of 1200 parameters, which narrows the search considerably.
A simple example of searching and filtering in PT NAD. PT NAD reported an unsuccessful attempt to log in to the domain controller with an account that lacked the necessary rights.
After filtering the sessions by the address of that network node, the analyst saw that the same host had earlier made several connection attempts to other hosts outside working hours. That is grounds to block the account and start a more detailed investigation.
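The pivot described above can be reproduced on exported session metadata. The following Python script is an added example, not part of the original article and not PT NAD's own code; the session records, the field names (start, src, dst, dport, app, user, result), the IP addresses and the assumed 08:00 to 20:00 working-hours window are all constructed for illustration.

```python
"""Pivot on one host's session metadata: what did it do before the alert, and when?"""
from datetime import datetime, time

# Constructed sample records resembling NTA session metadata (not PT NAD's real schema).
SESSIONS = [
    {"start": "2019-11-12T02:41:10", "src": "10.10.5.23", "dst": "10.10.0.10", "dport": 88,
     "app": "kerberos", "user": "j.smith", "result": "KDC_ERR_PREAUTH_FAILED"},
    {"start": "2019-11-12T02:43:52", "src": "10.10.5.23", "dst": "10.10.7.15", "dport": 445,
     "app": "smb", "user": "j.smith", "result": "STATUS_LOGON_FAILURE"},
    {"start": "2019-11-12T02:47:30", "src": "10.10.5.23", "dst": "10.10.7.16", "dport": 445,
     "app": "smb", "user": "j.smith", "result": "success"},
    {"start": "2019-11-12T09:02:11", "src": "10.10.5.23", "dst": "10.10.0.10", "dport": 88,
     "app": "kerberos", "user": "j.smith", "result": "success"},
    {"start": "2019-11-12T10:15:00", "src": "10.10.5.41", "dst": "10.10.0.10", "dport": 88,
     "app": "kerberos", "user": "a.ivanova", "result": "success"},
    # The alert that started the investigation: a failed bind to the domain controller.
    {"start": "2019-11-12T23:05:44", "src": "10.10.5.23", "dst": "10.10.0.10", "dport": 389,
     "app": "ldap", "user": "j.smith", "result": "insufficientAccessRights"},
]

WORK_START, WORK_END = time(8, 0), time(20, 0)   # assumed business hours for this example


def off_hours(start: str) -> bool:
    """True if the session began outside the assumed working-hours window."""
    t = datetime.fromisoformat(start).time()
    return not (WORK_START <= t < WORK_END)


def pivot_report(sessions, src, before=None):
    """Summarise sessions originating from `src`, optionally only those that began before `before`.

    ISO-8601 timestamps compare correctly as plain strings, so `before` is a string as well.
    """
    own = sorted((s for s in sessions
                  if s["src"] == src and (before is None or s["start"] < before)),
                 key=lambda s: s["start"])
    night = [s for s in own if off_hours(s["start"])]
    return {
        "total": len(own),
        "off_hours": len(night),
        "off_hours_targets": sorted({s["dst"] for s in night}),
        "off_hours_failures": sum(1 for s in night if s["result"] != "success"),
        "accounts": sorted({s["user"] for s in own}),
    }


if __name__ == "__main__":
    alert = SESSIONS[-1]
    report = pivot_report(SESSIONS, alert["src"], before=alert["start"])
    print(f"Before the alert, {alert['src']} opened {report['off_hours']} off-hours sessions "
          f"to {len(report['off_hours_targets'])} hosts; {report['off_hours_failures']} were failed logins")
```

Running it with the alert's own timestamp as the cut-off reproduces the reasoning in the text: three off-hours sessions to three different hosts, two of them failed logins, all under the same account.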
3. Hunting for cyber threats and vulnerabilities (threat hunting)
Network data is a useful source of information for threat hunting, the proactive search for threats that traditional security tools have not detected. Threat hunting makes it possible to identify a compromise, find vulnerabilities in the network before an incident occurs and analyse the weaknesses of the infrastructure.
For example, PT NAD can be used to test the hypothesis that a particular server (say, a database server) has been compromised and that attackers have managed to steal important data. The NTA system will show whether there were connections from the suspected server to external hosts on the Internet; these may well be command-and-control (C2) servers for the malware.
In this example the list shows an HTTP connection to some-trusted-host.com, a seemingly trustworthy external website. For a headless database server with no graphical interface this is suspicious: nobody browses websites from it. Moreover, the volume of data sent clearly exceeds the volume received, which points to data being uploaded from the server.
Further study shows that during the session a large number of POST requests were made to upload content. PT NAD shows not only the requests themselves but also the transferred content: large CSV files were uploaded (each 163 to 233 MB in size).
The files themselves can be downloaded from PT NAD and inspected. In this case they contained the personal data of the company's customers, so the initial hypothesis was confirmed: the server was compromised. The next steps are clear: block access to the site
online-store.com and remove the malware that established communication with the C2 server.
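The asymmetry argument above (far more data sent to an external host than received from it) can be turned into a simple hunting query over session metadata. The script below is an added example, not code from the article or from PT NAD; the session records, the server and destination addresses, the 10:1 ratio and the 10 MB floor are assumptions chosen for illustration, and only the host name some-trusted-host.com is taken from the text.

```python
"""Hunt for exfiltration: outbound sessions from a server whose sent volume dwarfs what it received."""
import ipaddress

# RFC 1918 ranges; anything else is treated as external (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed session metadata for the suspected database server 10.20.3.7 (not real capture data).
SESSIONS = [
    {"src": "10.20.3.7", "dst": "10.20.3.50", "app": "postgresql", "host": "",
     "bytes_out": 48_000_000, "bytes_in": 2_100_000, "posts": 0},      # normal: internal client queries
    {"src": "10.20.3.7", "dst": "10.20.0.5", "app": "http", "host": "repo.corp.example",
     "bytes_out": 12_400, "bytes_in": 9_800_000, "posts": 0},          # normal: package download
    {"src": "10.20.3.7", "dst": "203.0.113.25", "app": "http", "host": "some-trusted-host.com",
     "bytes_out": 604_000_000, "bytes_in": 58_000, "posts": 3},        # three large POST uploads
    {"src": "10.20.3.7", "dst": "198.51.100.9", "app": "tls", "host": "",
     "bytes_out": 3_200, "bytes_in": 41_000, "posts": 0},             # small external TLS session
]


def is_external(ip: str) -> bool:
    """True if the address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exfil_candidates(sessions, server, ratio=10.0, min_out=10_000_000):
    """Return external sessions from `server` that sent at least `min_out` bytes and at least
    `ratio` times more than they received, largest first."""
    hits = []
    for s in sessions:
        if s["src"] != server or not is_external(s["dst"]):
            continue
        out, inb = s["bytes_out"], max(s["bytes_in"], 1)   # guard against division by zero
        if out >= min_out and out / inb >= ratio:
            hits.append({"dst": s["dst"], "host": s["host"], "app": s["app"],
                         "mb_out": round(out / 1e6, 1), "ratio": round(out / inb, 1),
                         "posts": s["posts"]})
    return sorted(hits, key=lambda h: h["mb_out"], reverse=True)


if __name__ == "__main__":
    for h in exfil_candidates(SESSIONS, "10.20.3.7"):
        print(f"{h['dst']} ({h['host'] or h['app']}): {h['mb_out']} MB out, "
              f"ratio {h['ratio']}, {h['posts']} POSTs")
```

The internal PostgreSQL session has an even larger out/in ratio but is excluded by the destination check, which is why the external-host filter matters as much as the byte ratio; tune `ratio` and `min_out` to the server's normal role before using this on real data.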
4. Monitoring compliance with IS regulations
NTA systems can work with NetFlow or parse raw traffic. PT NAD identifies 73 network protocols and parses 30 of them at OSI layers 2 through 7. This makes it possible to detect a number of information security policy violations, for example:
- transmission of passwords in the clear,
- sending of unencrypted mail messages,
- use of remote access utilities,
- use of broadcast protocols susceptible to spoofing, such as LLMNR and NetBIOS,
- network configuration errors,
- use of Tor, VPN tunnels and other tools for hiding activity on the network,
- misuse of the IT infrastructure: miners, torrents and online games.
Based on the results of pilot projects in 2019, PT NAD detected violations of IS regulations in 94% of companies.
Consider the example of identifying passwords transmitted within the network in the clear. Using filters, PT NAD can check all stored sessions and pick out the usernames and passwords in them.
In 56% of companies PT NAD detected LDAP credentials being transmitted without encryption. Directory services run over this protocol, and administrators use them to centrally manage and control access to network resources. The password is exposed whenever a client performs a simple bind over a connection that is not protected by TLS (neither LDAPS nor StartTLS). If an attacker manages to intercept domain credentials in cleartext LDAP traffic, they can use them to move further across the network.
A dedicated widget on the dashboard provides continuous monitoring of insecure protocols being used to transfer sensitive information. The widget is interactive: clicking on a username or password adds a filter with that attribute to the search bar, and the Sessions tab then shows all the sessions in which that username or password was transmitted.
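To see what "LDAP credentials without encryption" means on the wire, the following Python script builds an LDAPv3 simple BindRequest (RFC 4511) and then recovers the DN and password from it, which is exactly what any observer of the unencrypted traffic can do. It is an added example, not code from the article or from PT NAD; the bind DN, the password and the message ID are constructed, and the parser implements only the BER subset a BindRequest needs.

```python
"""Recover credentials from an LDAPv3 simple BindRequest (RFC 4511) observed in cleartext."""


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N followed by N octets) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Constructed sample only: the bytes a client sends for `ldapwhoami -x -D dn -w password`."""
    bind_request = (tlv(0x02, bytes([3]))              # version        INTEGER 3
                    + tlv(0x04, dn.encode())            # name           LDAPDN (OCTET STRING)
                    + tlv(0x80, password.encode()))     # authentication [0] simple OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([message_id]))     # LDAPMessage { messageID,
               + tlv(0x60, bind_request))               #               protocolOp [APPLICATION 0] }


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_simple_bind(packet: bytes):
    """Return message_id, version, dn and password for a simple bind; None for anything else."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:                                     # not an LDAPMessage
        return None
    id_tag, msg_id, pos = read_tlv(message, 0)
    op_tag, op, _ = read_tlv(message, pos)
    if id_tag != 0x02 or op_tag != 0x60:                # not a BindRequest (0x63 would be a SearchRequest)
        return None
    _, version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag != 0x80:                                # 0xA3 = SASL bind: no cleartext password field
        return None
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": dn.decode(), "password": auth.decode()}


if __name__ == "__main__":
    pkt = build_simple_bind(7, "CN=svc_backup,OU=Service,DC=corp,DC=example", "Passw0rd!")
    print(pkt.hex())
    print(extract_simple_bind(pkt))
```

Note that a SASL bind (authentication tag 0xA3, for example GSSAPI/Kerberos) is deliberately returned as None: it carries no password field, which is why moving clients from simple binds over plain port 389 to SASL or to TLS-protected connections removes this finding.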
NTA-class systems can be extremely useful for a range of information security tasks, from monitoring compliance with regulations to investigating incidents. The advantages (using PT NAD as an example) are:
- detection of attacker activity inside the network;
- identification of violations of IS regulations: use of illegitimate and cleartext protocols, transmission of credentials in the clear;
- descriptions of detected attacks with recommendations for responding to them, and mapping of the attackers' tactics and techniques to the MITRE ATT&CK matrix;
- FSTEC certification against the fourth-class network-level intrusion detection profile;
- suitability for meeting the security requirements for the critical information infrastructure of the Russian Federation;
- integration with external security systems and other Positive Technologies solutions: with PT MultiScanner for anti-virus scanning of files transferred over the network, and with MaxPatrol SIEM for forwarding events and data about the network configuration of IT assets.
Of course, there are limitations:
- using NTA solutions requires appropriate qualifications and serious knowledge of information security;
- to be fully effective, they need to be integrated with third-party solutions (for example, for anti-virus scanning of files transferred over the network).
Not every company has specialists with knowledge of network security and forensics, so the development team is now working on simplifying the product. For this purpose, in particular, descriptions and recommendations have been added. Two-day trainings and regular master classes are held for current users of the product. If questions arise, the PT NAD team promptly answers in an open Telegram chat, including questions about trialling the system for free.