Network Traffic Analysis

Key Benefits of Network Traffic Analysis

With the “it’s not if, it’s when” mindset regarding cyber attacks today, 对于安全专业人员来说，确保尽可能多地覆盖组织的环境可能会让他们感到难以承受.

The network is a critical element of their attack surface; gaining visibility into their network data provides one more area they can detect attacks and stop them early.

Benefits of NTA include:

• Improved visibility into devices connecting to your network (e.g. IoT devices, healthcare visitors)
• Meet compliance requirements
• Troubleshoot operational and security issues
• 通过丰富的细节和额外的网络背景，更快地响应调查

设置NTA的关键步骤是确保从正确的来源收集数据. 如果您正在寻找流量并映射网络数据包从起点到目的地的旅程，流量数据是非常有用的. 这种级别的信息可以帮助检测未经授权的WAN通信，并利用网络资源和性能, but it can lack rich detail and context to dig into cybersecurity issues.

从网络数据包中提取的数据包数据可以帮助网络管理员了解用户是如何实现/操作应用程序的, track usage on WAN links, and monitor for suspicious malware or other security incidents. 深度数据包检测(DPI)工具通过将原始元数据转换为可读格式，并使网络和安全管理人员能够深入到最细微的细节，从而提供100%的网络可见性.

Importance of Network Traffic Analysis

Keeping a close eye on your network perimeter is always good practice. 即使有强大的防火墙，错误也可能发生，恶意流量也可能通过. Users could also leverage methods such as tunneling, external anonymizers, and VPNs to get around firewall rules.

Additionally, the rise of ransomware as a common attack type in recent years makes network traffic monitoring even more critical. 网络监控解决方案应该能够检测到指示的活动 ransomware attacks via insecure protocols. Take WannaCry, for example, where attackers actively scanned for networks with TCP port 445 open, and then used a vulnerability in SMBv1 to access network file shares.

Remote Desktop Protocol (RDP) is another commonly targeted application. Make sure you block any inbound connection attempts on your firewall. Monitoring traffic inside your firewalls allows you to validate rules, gain valuable insight, and can also be used as a source of network traffic-based alerts.

注意与管理协议(如Telnet)相关的任何可疑活动. Because Telnet is an unencrypted protocol, 会话流量将显示适合设备品牌和型号的命令行接口(CLI)命令序列. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files, and more.

请确保检查网络数据中是否有运行未加密管理协议的设备, such as:

• Telnet
• Hypertext Transport Protocol (HTTP, port 80)
• Simple Network Management Protocol (SNMP, ports 161/162)
• Cisco Smart Install (SMI port 4786)

What is the Purpose of Monitoring Network Traffic?

通过在网络边缘和网络核心实现网络流量分析，可以调查许多操作和安全问题. With the traffic analysis tool, you can spot things like large downloads, streaming or suspicious inbound or outbound traffic. 确保从监视防火墙的内部接口开始, 这将允许您跟踪活动回到特定的客户或用户.

NTA还为组织提供了对其网络威胁的更多可见性, beyond the endpoint. With the rise in mobile devices, IoT devices, smart TV’s, etc.，您需要比防火墙日志更智能的东西. Firewall logs are also problematic when a network is under attack.

您可能会发现，由于防火墙上的资源负载或它们已被覆盖(有时甚至被黑客修改)，它们无法访问。, resulting in the loss of vital forensic information.

分析和监控网络流量的一些用例包括:

• Detection of ransomware activity
• Monitoring data exfiltration/internet activity
• Monitor access to files on file servers or MSSQL databases
• Track a user’s activity on the network, though User Forensics reporting
• 提供在网络上运行的设备、服务器和服务的清单
• Highlight and identity root cause of bandwidth peaks on the network
• Provide real-time dashboards focusing on network and user activity
• 为管理层和审核员生成任何时间段的网络活动报告

What to Look for in an NTA Solution

Not all tools for monitoring network traffic are the same. Generally, 它们可以分为两种类型:基于流量的工具和深度数据包检测(DPI)工具. Within these tools you’ll have options for software agents, storing historical data, and intrusion detection systems. 在评估哪个解决方案适合您的组织时，请考虑以下五件事:

1. Availability of flow-enabled devices: 您的网络中是否有支持流的设备，能够生成只接受Cisco Netflow等流的NTA工具所需的流? DPI tools accept raw traffic, found on every network via any managed switch, and are vendor independent. 网络交换机和路由器不需要任何特殊模块或支持, just traffic from a SPAN or port mirror from any managed switch.
2. The data source: 流数据和包数据来自不同的来源，并不是所有的NTA工具都收集这两种数据. 一定要查看您的网络流量，并确定哪些部分是关键的, 然后将功能与工具进行比较，以确保涵盖了您需要的所有内容.
3. The points on the network: Consider whether the tool uses agent-based software or agent-free. Also be careful not to monitor too many data sources right out the gate. Instead, be strategic in picking locations where data converges, such as internet gateways or VLANs associated with critical servers.
4. Real-time data vs. historical data: Historical data is critical to analyzing past events, 但随着时间的推移，一些监控网络流量的工具不会保留这些数据. 还要检查该工具是否根据您想要存储的数据量定价. 清楚地了解您最关心的数据，以便找到最适合您的需求和预算的选项.
5. Full packet capture, cost and complexity: Some DPI tools capture and retain all packets, resulting in expensive appliances, increased storage costs, and much training/expertise to operate. Others do more of the 'heavy lifting,捕获完整的数据包，但只提取每个协议的关键细节和元数据. 这种元数据提取导致大量数据减少，但仍然具有可读性, actionable detail that’s ideal for both network and security teams.

Conclusion

网络流量分析是监控网络可用性和活动以识别异常的重要方法, maximize performance, and keep an eye out for attacks. Alongside log aggregation, UEBA, and endpoint data, 网络流量是全面可见性和安全性分析的核心部分，可以及早发现威胁并快速消除威胁.

When choosing a NTA solution, consider the current blind spots on your network, the data sources you need information from, 以及它们在网络上的关键点，以便进行有效的监控. With NTA added as a layer to your security information and event management (SIEM) solution，您将获得对环境和用户的更多了解.

Keep Learning About NTA

Learn About Rapid7's XDR & SIEM Product

Network Traffic Analysis News from the Rapid7 Blog

Latest Episodes from [THE LOST BOTS] Security Podcast