Network traffic analysis: what is it, and why do we need NTA systems?

NTA systems detect information security threats by analyzing events at the level of the network. They allow security specialists to detect attacks at an early stage, effectively isolate threats, and ensure that security guidelines are met.

One out of every two companies have infrastructure that can be breached by an attacker in a single step. Once a hacker breaks into an internal network, his or her actions will go unnoticed by perimeter defenses and the hacker is able to remain unnoticed within the network for a great length of time. Our specialists identified one case in which a hacker remained unnoticed within infrastructure for eight years.

It is essential to monitor network security in order to prevent hackers from conducting an attack inside a network. This is where NTA systems come into play.

There are three key differences between NTA systems and other traffic-related solutions:

  1. NTA systems analyze both north/south and east/west traffic. Other systems, like IDS/IPS and firewalls, generally only monitor network perimeters. With these other systems, an attacker's actions will go unnoticed if they successfully breach a network perimeter without detection.
  2. NTA systems detect attacks using a combination of tools, which include machine learning, behavior analysis, indicators of compromise, and retrospective analysis. With these tools, attacks can be prevented both at network perimeters and in cases when an attacker has already gained access to network infrastructure.
  3. NTAs can assist in the investigation of past incidents, and in threat hunting. Threat hunting helps security teams to detect threats that would go unnoticed by traditional security features. NTA systems save network connections data, and some systems record raw traffic data. These data can be an invaluable resource for detecting and isolating attacks, and for verifying threat hunting hypotheses.

NTA in SOCs

Soon after information security operations centers (SOCs) began to appear, it became clear that data were insufficient for effective threat monitoring and detection. SIEM systems that collect log data from a wide variety of sources find themselves ill-equipped for detecting attacks, antivirus systems are easily tricked, and endpoint detection and response (EDR) systems are difficult to apply across an entire infrastructure—they inevitably are left with blind spots. However, NTA can compensate for these shortcomings.

Gartner analytics and research agency included NTA in the SOC Visibility Triad, along with SIEM and EDR systems. These systems work together to significantly decrease the chance of successful infrastructural attacks. If an intruder manages to remain undetected by EDR and SIEM systems, his activity will nonetheless be visible to NTA systems as soon as he connects to an internal network system.

Research and client reviews testify to the effectiveness of NTA systems. Many Gartner clients have reported that NTA tools have detected suspicious network traffic that other perimeter security tools had missed. The SANS Institute identified NTA solutions as one of the premier technologies for threat detection, stressing that SOCs around the world have been satisfied with the results of NTA systems.

Uses of NTA systems

Attack detection is not the only benefit of NTA systems. They can also be used to retrospectively trace the development of attacks and lay out the chronology of their progression, as well as to isolate threats and compensate for vulnerabilities. For example, after detecting a suspicious attempt to connect to a domain controller from an unauthorized node, it is possible to view the history of network activity from that node and ensure that it has not been the source of any other similar connection attempts. Other connection attempts are a likely indication of an organized and premeditated attack. Positive Technologies' NTA system, PT Network Attack Discovery (PT NAD), records raw traffic data and tracks 1,200 session parameters, allowing for highly specific filter requests and timely identification of suspicious sessions.

 In the context of threat hunting, NTA tools can be used to verify and deny network intrusion hypotheses. Take the following example: a security analyst hypothesizes that an attacker has compromised system infrastructure. To confirm this hypothesis, the security analyst analyzes all domain network activity, since an attacker will be forced to conduct reconnaissance in Active Directory in order to carry out an attack. If any suspicious requests are discovered (for instance, requests using LDAP (lightweight directory access protocol)), the analyst's suspicions will be confirmed and a more detailed investigation can be conducted.

NTA solutions can also be used to ensure that information security guidelines are being met. While investigating incidents and analyzing traffic data, we often discover misconfigurations and infractions of corporate security guidelines. Across the board, 81 percent of organizations communicate passwords openly, 67 percent use remote access tools, and in 44 percent of organizations employees use peer-to-peer data transfers, for instance to download torrents. All of these actions significantly increase the chance that an attacker will successfully compromise a network and conduct an attack.

PT NAD identifies over 50 protocols and parses the 30 most common ones up to and including the L7 level. This provides system operators with a detailed understanding of what is happening in their network and allows them to see all data that are communicated openly on the network. With the help of a filter, a widget can be configured to display all open accounts (see the figure below). Sessions in which data was openly transferred can be viewed, as well as the addresses of origin nodes and terminal nodes. This gives security engineers all the tools they need to improve the situation.

PT NAD widget displaying user accounts
PT NAD widget displaying user accounts

NTA systems can be used in a much wider set of contexts than other systems that analyze traffic. Using NTA, information security specialists can detect attacks within networks as well as on network perimeters, can control network compliance, investigate security incidents, and eliminate potential threats. This is possible thanks to the following features:

  • Traffic monitoring both between corporate networks and the Internet as well as within organization networks
  • Threat detection technology designed specifically for detection of threats within network perimeters
  • Useful metadata storage.

What threats can be hidden in your network?

Check your network traffic—request a free trial.

Get free trial