Positive Technologies Upgrades Network Attack Discovery Solution
December 2021 by Marc Jacob
Positive Technologies released version 10.2 of its PT Network Attack Discovery (PT NAD) traffic analysis system, which detects attacks on the perimeter and inside corporate networks, makes hidden threats visible, identifies suspicious activity even in encrypted traffic, and helps investigate incidents. Deep analytics modules in PT NAD 10.2 can detect 37 different types of suspicious activities, a ninefold increase over previous versions, all displayed in a single feed to help organizations and end users respond to threats faster.
The results of PT NAD pilot projects in 41 large companies have shown that, regardless of the sector, there are violations of information security regulations in 100% of corporate networks, suspicious traffic in 90%, and malware activity in 68% of them. PT NAD automatically detects attacker attempts to penetrate the network and identifies hacker presence on infrastructure based on a wide range of indicators, including use of hacker tools and transmission of data to attacker servers. The system identifies over 86 protocols and parses the 30 most common ones up to and including the L7 level, providing organizations with a full picture of what’s going on in the infrastructure to help them identify security flaws that enable attacks. It also provides security operations centers (SOCs) with full network visibility, enabling them to know whether an attack was successful, reconstruct the kill chain, and gather evidence. PT NAD analyzes both North/South and East/West traffic and detects lateral movement, attempts to exploit vulnerabilities, and attacks against end users on the domain and internal services.
With the latest upgrade, PT NAD users will now learn faster when:
• Credentials are transmitted over the network in clear text (which enables exploitation by attackers)
• Active VPN and proxy servers are observed (for example, if internal nodes access external OpenVPN or SOCKS5 proxy servers)
• Software for remote control is used (TeamViewer, AeroAdmin, RMS, etc.), or remote commands are executed using PsExec and PowerShell
• There is malware activity in the network.
In addition, the activity feed continues to display user notifications, alerts about indicators of compromise being triggered during the retrospective analysis, use of dictionary passwords, and information about unknown Dynamic Host Configuration Protocol (DHCP) servers, which automatically assign IP addresses and other communication parameters to devices connected to the network.
PT NAD activity feed includes 37 types of threats that require a response
PT NAD 10.2 features a built-in mechanism for detecting network scanning, flooding, and DDoS attacks. During such events, a very large number of sessions are created on the company’s network. Instead of storing information about each connection separately, PT NAD now creates one session record and one attack record in the activity feed, holding aggregated data about the entire attack session. This aggregation reduces the load on the system, protects the database from overflow, and increases the stability of the sensor.
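The session aggregation described above, as an added illustration that is not PT NAD’s code: a toy aggregator over constructed flow records that folds scan-like bursts (many distinct destination ports from one source) and flood-like bursts (many connections from one source) into single attack records, while ordinary traffic stays as individual session records. The thresholds, window and record fields are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample flows: (src, dst, dst_port, timestamp_seconds).
# Illustrative values only, not real captured traffic.
FLOWS = (
    # 200 connections from one host to 200 distinct ports in ~2 s (scan-like)
    [("10.0.0.5", "10.0.0.20", p, 1000 + i * 0.01) for i, p in enumerate(range(1, 201))]
    # two ordinary HTTPS sessions from another host
    + [("10.0.0.7", "10.0.0.30", 443, 1001.0), ("10.0.0.7", "10.0.0.31", 443, 1002.0)]
    # 300 connections from one host to a single web port in ~3 s (flood-like)
    + [("10.0.0.9", "10.0.0.40", 80, 1005 + i * 0.01) for i in range(300)]
)

SCAN_PORT_THRESHOLD = 50    # assumed: distinct ports from one source within the window
FLOOD_CONN_THRESHOLD = 250  # assumed: connections from one source within the window
WINDOW_SECONDS = 60         # assumed aggregation window


def aggregate(flows, scan_ports=SCAN_PORT_THRESHOLD,
              flood_conns=FLOOD_CONN_THRESHOLD, window=WINDOW_SECONDS):
    """Return (attack_records, session_records).

    Bursts from one source that look like a scan or a flood become a single
    aggregated attack record; everything else is kept one record per session.
    """
    by_src = defaultdict(list)
    for flow in flows:
        by_src[flow[0]].append(flow)

    attacks, sessions = [], []
    for src, items in by_src.items():
        items.sort(key=lambda f: f[3])
        span = items[-1][3] - items[0][3]
        ports = {f[2] for f in items}
        kind = None
        if span <= window and len(ports) >= scan_ports:
            kind = "port_scan"
        elif span <= window and len(items) >= flood_conns:
            kind = "flood"
        if kind is None:
            sessions.extend(items)          # normal traffic: one record per session
            continue
        attacks.append({                    # one record summarising the whole burst
            "type": kind, "src": src,
            "targets": sorted({f[1] for f in items}),
            "distinct_ports": len(ports), "connections": len(items),
            "first_seen": items[0][3], "last_seen": items[-1][3],
        })
    return attacks, sessions
```

Running `aggregate(FLOWS)` turns 502 raw flows into two attack records plus two session records, which is the storage saving the aggregation is meant to deliver.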
Network Node Management: Roles and Types
So that information security specialists have complete information about which nodes take part in network interactions and how the network works as a whole, PT NAD now automatically determines the type and role of each node. The type indicates whether a node is a server, printer, mobile device, or workstation; the role refers to the function the device performs. Version 10.2 distinguishes 15 roles, including DNS server, VPN, domain controller, proxy server, and monitoring system, and users can manually reassign a device’s type and role.
With the help of the updated filter, users can find nodes by IP address, type, role, group, and other parameters
Starting with this version, PT NAD captures traffic on Linux using the DPDK engine, an Intel library that, among the available capture mechanisms, offers the most efficient way to capture traffic on Linux. This allows traffic to be processed without loss at rates of tens of gigabits per second.
For greater transparency of internal traffic, PT NAD 10.2 has an expanded list of identified and parsed protocols. The updated system now parses all existing SQL data transfer protocols: MySQL, PostgreSQL, Oracle’s Transparent Network Substrate (TNS), and Tabular Data Stream (TDS), detection of which was added in the previous version. PT NAD also detects the Elasticsearch protocol and the PostScript printing protocol that printers in the corporate network use to communicate. The total number of detected protocols has reached 86.
Other UX Improvements
Some changes in PT NAD 10.2 are designed to enhance user friendliness. Users can now learn the current status and validity of the license, and add or change it themselves in the product interface. They can also copy the link to the card of a specific session or attack in order to quickly exchange information with other users.
PT NAD 10.2 is available now.