RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2

PT Network Attack Discovery (PT NAD)

Product
Developers: Positive Technologies
Last Release Date: 2024/09/23
Technology: Information Security - Firewalls,  Information Security Information and Event Management (SIEM)

Content

The main articles are:


PT Network Attack Discovery (PT NAD) is a comprehensive network security solution designed to analyze network traffic, identify and investigate incidents.

2024

Zvirt Compatibility

The PT Network Attack Discovery (PT NAD) behavioral traffic analysis system has been successfully tested for compatibility with the platform for secure management of virtualizations zVirt the developer environment. Orion soft System sharing allows full visibility of traffic in virtual. IT infrastructures Orion soft announced this on October 30, 2024. Thanks to this integration , even network interactions between virtual machines are viewed within the same hypervisor - this helps to identify, for example, hacker the technique of lateral movement (horizontal movement), which hackers use to develop their attack deep into the network.

zVirt implements a mechanism for mirroring network traffic. To give the business the opportunity to analyze it and find potential threats, experts from Orion soft and Positive Technologies decided to ensure that the virtualization platform is compatible with the PT NAD NTA system. Using PT NAD and zVirt products in a bundle will help point copy and analyze data flows between virtual machines regardless of the software installed on them.

File:Aquote1.png
PT NAD and zVirt are a bundle of products that can record and analyze horizontal network flows, "said Vladimir Klepche, chief network security architect, Positive Technologies. - At the same time, in almost all attacks, attackers use lateral movement tactics - after entering the infrastructure, they move deep into the network from the entry point to other systems, using different techniques. If you do not stop them in time on the approaches to the target systems, this can lead to the onset of unacceptable business events. Due to the fact that zVirt has a mirroring mechanism, PT NAD sees traffic between virtual machines, which allows you to detect the movement of cybercriminals inside the perimeter, which is difficult to track with other means of protection.
File:Aquote2.png

File:Aquote1.png
Companies are increasingly interested in the functionality to track potential vulnerabilities and attacks implemented in virtualization systems. In particular, it is important for customers to understand what is happening on the network and how dangerous this can be for their business. Therefore, as one of the largest virtualization vendors on the Russian market, as part of a strategic partnership with Positive Technologies, we strive to provide the necessary functionality in terms of information security as soon as possible. Thanks to the integration of zVirt with PT NAD, a solution for virtualization environments has appeared on the market that can detect hidden cyber threats based on traffic analysis, "said Alexander Gavrilenko, Head of Technology Partnerships and Ecosystem Solutions at Orion soft.
File:Aquote2.png

Positive Technologies and Orion soft are also planning a collaboration to automate PT NAD deployment in a zVirt-based virtual environment. Thanks to it, customers will be able to get a single solution without the need to install physical servers for the Positive Technologies system.

Network Attack Discovery 12.1 with Elasticsearch 8.13 support

Positive Technologies released an updated version of the PT Network Attack Discovery (PT NAD) network traffic behavioral analysis system. The main thing in release 12.1 is support for the current version data stores Elasticsearch (8.13) and improvements for the work of PT NAD operators and administrators. In addition, a dark theme appeared in version 12.1, which was a response to user requests. Deployment and basic out-of-the-box configuration of PT NAD takes less than 30 minutes. The developer announced this on September 23, 2024.

The updated PT NAD supports Elasticsearch 8.13 storage. Its application provides resistance to peak loads, reduces hardware requirements, and also speeds up the processing of requests to the database with traffic metadata. Positive Technologies internal tests show that with Elasticsearch 8.13, the processor load is reduced by 2 times, and metadata storage requires 2 times less disk space. In addition, the transition to the new Elasticsearch increases the maximum indexing speed by 3 times.

This version of PT NAD is optimal for large companies that operate with large volumes of incoming traffic. In the future, reducing hardware requirements will reduce the cost of buying equipment: one installation will be able to process more traffic, while the cost of deploying it will remain the same.

File:Aquote1.png
Deep traffic analysis, storage of a huge amount of data, creation of hierarchically distributed installations, as well as the addition of new analytical modules and other functions that facilitate the work of specialists - all this must be supported by hardware resources: processor, memory, disks. In each release, we pay great attention to optimizing performance, and this allows us to expand the capabilities of PT NAD without increasing the requirements for hardware, "said Dmitry Efanov, head of the PT NAD product at Positive Technologies.
File:Aquote2.png

The product interface has also undergone significant changes. In terms of system administration, a number of configurations have been moved from the console to the web interface. In particular, in the interface, you can now manage SSL certificates - add trusted root certificates and change the certificate of the web server, and also add functions to check the correctness of integration settings with external services.

A number of interface changes are aimed at PT NAD operators involved in detecting and investigating attacks. This version has significantly redesigned the session card, which now displays a summary of all recorded compromise indicators. Thus, the operator will be able to quickly respond to the incident and not waste time looking for additional information - everything is reflected in the event card. In addition, the performance of the activity tape is optimized; Improved handling of exceptions to attacks detected by expert modules widgets to be created are now available to all users; now it is possible to adjust the number of rows displayed in widgets. This version also has a visual image of the relationships between the nodes involved in NTLM Relay attacks. The team plans to visualize other complex attacks.

Compatibility with "Garda QUASAR D5000"

Positive Technologies and the Garda group of companies on June 17, 2024 announced the passage of PT NAD and Garda QUASAR products D5000 technological compatibility tests. Read more here.

Inclusion in the register of Russian software

The first traffic analysis system with artificial intelligence appeared in the register of Russian software - PT NAD. Positive Technologies reported this on June 4, 2024.

Thanks to machine learning technologies, PT Network Attack Discovery (PT NAD) allows you to create custom profiling rules and discover applications in encrypted traffic

File:Aquote1.png
Thanks to ML-to algorithms in PT NAD, we easily detect anomalies that help the service information security to eliminate cyber threats in time. Information security specialists have received a mechanism that actually independently learns on the company's network traffic and provides customization opportunities, "said Artem Kitaev, head of network solutions practice at Positive Technologies.
File:Aquote2.png

Operators can create custom profiling rules in PT NAD to detect anomalies of interest to them. You can profile traffic by different metrics, such as the number of connections or the amount of incoming traffic. Using ML technologies, rules are trained on typical traffic, and all the necessary parameters for their operation are determined automatically. Profiling helps to identify the threat even on those nodes that have not previously fallen into the training spectrum of the machine learning model.

With the help of ML algorithms, PT NAD is able to determine even those applications that are used enciphering and well disguised as other protocols. For example, which messenger Telegram attackers can use to conduct. cyber attacks So, in April 2024, the Positive Technologies Security Expert Center (PT ESC) discovered a new cyber group Lazy Koala, which used Telegram to transfer stolen goods. data

2023

PT Network Attack Discovery 12 with support for Debian 11 and Astra Linux 1.7.4 and 1.7.5

Positive Technologies On December 14, 2023, an updated version of the network traffic behavioral analysis system, PT Network Attack Discovery 12, was introduced. The main thing in the product: detection of anomalies using profiling, analysis of encrypted traffic, automatic update of expert modules without a distribution kit, support for OS Debian 11 Astra Linux and 1.7.4 and 1.7.5.

The key capabilities of PT Network Attack Discovery (PT NAD) 12 are related to the introduction of machine learning (ML) technologies to create user rules for profiling and detecting applications in encrypted traffic. Previously, in the PT NAD interface, it was possible to configure notifications by user filters, as well as work with individual modules that detect special cases of anomalies, for example, abnormal LDAP requests, slow scans, successful exploitation of vulnerabilities, kerberoasting. Now the SOC operator will be able to create its own profiling rules, which, using ML algorithms, will learn from typical traffic and will identify anomalies of interest to the operator. You can profile traffic by various metrics (the number of connections, the amount of traffic, and so on) and by arbitrary filters, which makes it possible to customize the product for your tasks.

File:Aquote1.png
We gave SOC analytics a mechanism with which it can build algorithms for detecting anomalies in traffic, "said Kirill Shipulin, head of the network attack detection group, Positive Technologies security expert center. - Now PT NAD detects previously undetectable techniques and tactics of attackers, any narrowly targeted cases from the attackers' tools, for example, exfiltration of data to cloud services such as Dropbox and Yandex.Disk, or a surge in the number of RDP sessions in the server segment.
File:Aquote2.png

PT NAD also learned to use ML algorithms to analyze encrypted connections and determine applications in them. This helps in cases where the classical methods of signature analysis or analysis of protocol fields stop working. For December 2023, this functionality is implemented to detect a protocol that messenger Telegram is known for its methods of bypassing detection, but subsequently a mechanism will be added for the detection of other masked protocols and applications.

{{quote 'RT Network Attack Discovery holds the brand of the visionary product Positive Technologies. In 2015, we began developing a traffic analysis system, a year later we had our first product implementation and only a couple of years later Gartner allocated Network Traffic Analysis to a new class of products, "said Dmitry Efanov, Product Manager of PT Network Attack Discovery. - Now we are changing the market again, improving the analysis of complex, sophisticated anomalies in traffic using ML algorithms that really simplify the work of SOC analysts and reduce the risk of implementing unacceptable events in the company. There are no similar technologies in the products of Russian vendors. }}

Changed in PT NAD 12 and expert module delivery process. Now they will be updated along with the latest rules and indicators of compromise (IoC) from the Positive Technologies security expert center (PT Expert Security Center) - they arrive in the product automatically, without a distribution kit. This means that PT NAD 12 users almost instantly receive updates to complex attack detection algorithms.

Another installer in the form of an installation disk (ISO image) has also appeared in the product, from which you can install PT NAD 12 and Debian 11 OS.

 PT Network Attack Discovery 11.1

Positive Technologies announced on July 4, 2023, the release of an updated version of the behavioral traffic analysis system to identify attacks on the perimeter and within the network - PT Network Attack Discovery (PT NAD). PT NAD 11.1 has statistical and behavioral modules for detecting previously unknown ICMP tunnels, anomalies in SMB traffic, signs of the work of the hacker tools Cobalt Strike and Brute Ratel S4, as well as a module confirming the exploitation of vulnerabilities on nodes.

Illustration: ptsecurity.com

Accurately detect attacks using behavioral traffic analysis

File:Aquote1.png
In this release, in addition to signature methods, there are other ways to detect threats using complex algorithms based on profiling each device on the network, collecting data and finding deviations. The PT NAD development team shifted the expertise on proactive threat hunting in network traffic to automatic detections. We are systematically expanding the ability to customize the product for a specific infrastructure so that each company can more accurately detect anomalies and special alarms that pose a threat to its safety,
 told Alexey Lednev, head of the attack detection department of the Positive Technologies Security Expert Center (PT ESC).
File:Aquote2.png

To support communication with the compromised infrastructure, attackers establish hidden data channels - ICMP tunnels. Detection systems, in particular firewalls, tend to miss such activity. Analyzing the statistics of ICMP packets, PT NAD 11.1 detects known and bad utilities with which attackers hide on the network.

To remain unnoticed, cybercriminals cipher SMB traffic, as well as malware post-exploitation tools, are also used that interact with their agents through named SMB channels (pipes). The wedge modules in PT NAD define the encrypted SMB protocol and the appearance of SMB pipes in traffic.

PT NAD 11.1 detects the operation of the Cobalt Strike and Brute Ratel C4 frameworks, which are actively used in targeted attacks. They allow attackers to interact with compromised nodes, execute commands on them and advance inside the infrastructure. To detect malicious activity, Positive Technologies specialists have developed statistical modules that detect the communication of agents of these post-exploitation frameworks of unknown configurations with the control server.

Starting with this version, the product received an updated module to identify attempts to exploit vulnerabilities. As the experience of the Positive Technologies Security Center (PT Expert Security Center), which specializes in investigating complex incidents, shows, exploitation of vulnerabilities is among the top 3 most common vectors of attacks on the corporate network of companies. The updated behavioral analysis module automatically extracts malicious indicators from network requests and checks for calls to them after exploiting the vulnerability on the node.

Set up twice as fast

The configuration wizard, available to users of the updated version, helps set up the basic parameters of PT NAD (network interfaces, traffic capture parameters, PCAP/ES retention periods, etc.) twice as quickly. It also makes product deployment much easier.

Other changes

The mechanism for excluding from the activity tape has been improved - now the operator can remove the responses that are typical of his infrastructure from cards with one click. The updated functionality reduces the number of false positives in each protected infrastructure. Other innovations include the ability to create common filters and share them with the team, checking the correctness of traffic capture and processing, as well as engineering and UX improvements. PT NAD 11.1 is already available to users. You can leave an application for a free pilot at the link. Current users can update the product through technical support or contact Positive Technologies partners.

2022

PT Network Attack Discovery 11

On October 27, 2022, Positive Technologies introduced PT Network Attack Discovery version 11. The main thing in the release is to identify an even greater (+ 20%) number of current cyber threats using the behavioral traffic analysis module. In particular, the product detects a Kerberoasting attack, DNS tunnels, remote command execution in Windows, as well as brute force and password spraying. PT NAD 11 can now be installed on the Russian operating system Astra Linux and deployed in just 15 minutes.

PT NAD 11
File:Aquote1.png
Classic network protection tools (IPS, NGFW) use mainly signature methods and compromise indicators to detect attacks. They are suitable for protecting the perimeter of the network from known attacks, but are often useless for identifying targeted attacks and attackers already on the company's network. For these purposes, you need to use more complex algorithms based on profiling and behavior analysis.
told Dmitry Efanov, Head of Development, PT Network Attack Discovery, Positive Technologies
File:Aquote2.png

PT NAD 11 identifies the Kerberoasting technique. Work on the analysis of the security of Russian companies, carried out by experts from Positive Technologies, shows that in every second company the use of this technique allows an attacker to develop an attack and get credentials. data The danger of Kerberoasting is that at the first stage of the attack, when attackers request access to various services, the activity is displayed as legitimate, and the second stage - brute force to obtain passwords for the collected access - is carried out locally, on the side of the attackers. Because of this, the likelihood of detecting this attack by signature methods is extremely low.

File:Aquote1.png
PT NAD has become easier to operate. We complement simple detection using compromise rules and indicators with more advanced tools: analytics modules, machine learning tools, statistics collection and product training on its data. All this so that an information security specialist can look into the activity feed without additional research and understand: these are the actions of an attacker or an ordinary user.
told Alexey Lednev, Head of Expert Services and SOC Development at Positive Technologies
File:Aquote2.png

According to the results of penetration tests conducted by Positive Technologies in the second half of 2020 - early 2021, an attacker can overcome the network perimeter of most companies by guessing passwords, including by direct brute force and spraying. Using PT behavior analysis, NAD more effectively detects attempts to hack accounts by selecting a login and password (brute force), including by selecting an account for a weak password (spraying). The updated version of PT NAD also adds a universal module for detecting DNS tunnels of any type, be it a self-written hacker tool or a utility with GitHub. The module helps to quickly identify attackers on the network and stop them in a timely manner on the way to the implementation of unacceptable events that each company determines for itself.

In addition, PT NAD now detects activities such as creating Windows Scheduler services and tasks for tactics to remotely execute commands and move within the perimeter. This analytics module in PT NAD covers cases with open and encrypted traffic. In the case of generating encrypted traffic, the system determines such activity as a deviation from the profile and highlights to the operator a specific computer and the user from whom it originates.

The product has the ability to add exceptions for risk detection modules. Now the operator can configure the detections in more detail and analyze the most relevant responses. This helps to pay attention to current events and not waste time analyzing incidents that do not pose a danger. Activity feed, the task of which is to focus the attention of PT NAD users on important cyber threats and help track response to them.

As of version 11, events from the PT NAD Activity Ribbon can be viewed in the Information Security Event Monitoring SystemMaxPatrol SIEM interface. For companies that use SIEM solutions from other developers, integration mechanisms have been added using syslog, webhook and several others. Thanks to these mechanisms, you can configure the transmission of reputation lists, rules and events from the activity tape to third-party systems. They also allow you to flexibly customize PT NAD, for example, integrating it with Telegram (for this you need to write code).

Another change is the extension of the notification context in the feed. Now the operator receives more data about the activity of interest to him: for example, in the notification, in addition to detecting traffic by a specific filter, the nodes on which this traffic arose, server clients and other necessary context are indicated.

Astra support has been implemented, Linux which is especially important for authorities state corporations, entities CUES and other Russian companies that are reportedly switching to MEDIA this OS within. import substitution In addition, PT NAD installation is now faster: adding an easy-to-use one-server installer to the updated version made it possible to reduce deployment time from two hours to 15 minutes, as well as install without connecting. to the Internet Now you can install and use PT NAD in any company, even where connecting to an external network is prohibited by regulations. Other changes include out-of-the-box monitoring to track PT NAD performance, the ability to assign custom names to nodes instead domain , and updated site summaries.

PT NAD 11 will be available to users starting November 15, 2022.

PT Network Attack Discovery 10.3

Positive Technologies on June 1, 2022 introduced an updated version of the Network Traffic Analysis (NTA) system to identify attacks on the perimeter and inside the PT Network Attack Discovery (PT NAD) 10.3. Among the main differences of the release are the detection of slow network scans, the detection of unauthorized connections and the appearance of a parsing of the VXLAN and Geneve tunneling protocols. All improvements allow you to identify the actions of the attacker in the early stages of the attack.

PT NAD 10.3 implements node detection in the network, which helps to detect threats in the segment of the company's network where they rarely occur.

File:Aquote1.png
The system is self-learning, which allows you to exclude from analysis those network segments where the appearance of hosts is part of the workflow. For example, guest Wi-Fi or a test part of the network. If an unknown PC appears in the accounting department or in the development department, PT NAD will send a notification. Similar incidents occur both in the practice of large companies and are indicated in the MITRE ATT&CK matrix threat list,
noted Dmitry Efanov, head of PT NAD development at Positive Technologies.
File:Aquote2.png

Starting with this version, the product began to detect slow scans that attackers can implement. It is used by attackers to make it difficult to detect network intelligence. In practice, an attacker can analyze the network during the day, sending a minimum number of packets per unit time. Such activity, as a rule, deviates from the attention of monitoring tools, and this functionality of PT NAD allows you to identify scans distributed over time.

Also PT NAD 10.3 now detects NTLM-Relay attacks. These are effective MITM attacks (man in the middle, or "man in the middle" attacks), during which an attacker interferes with the NTLM authentication process between the client (victim) and the server. Successful implementation of the attack allows an attacker to gain access to the server with the privileges of the attacked user. Thus, an attacker can perform a lateral movement and gain access to critical systems, such as a domain controller. Also, the enumeration of user sessions was added to the PT NAD 10.3 activity tape. That is, it has become easier for an information security specialist to identify attacks aimed at obtaining information about users who have been authenticated on the node.

2021

PT Network Attack Discovery 10.2

On October 26, 2021, the company Positive Technologies announced the release of the next version of the PT Network Attack Discovery (PT NAD) 10.2 traffic analysis system, which defines the types and roles network of nodes in automatic mode, detects and attacks scannings flood DDoS processes lossless traffic at speeds up to 10 Gbps.

37 types of threats that require response fall into the PT NAD activity tape

Threat Detection

PT NAD 10.2 has a 9-fold increase in the number of suspected activities detected, with a total of 37 at the end of October 2021. All of them are displayed in a single feed, which helps users respond faster to detected threats. The ribbon collects threats identified by analytics modules (non-signaling method) on a single page and enables them to be managed. Now PT NAD users will know in a timely manner when:

  • the networks accounts are transmitted data in clear text (which can be used by an attacker in time an attack);
  • active VPN and proxy servers are observed (for example, if internal nodes access external proxy servers OpenVPN or SOCKS5);
  • is used by remote management software (TeamViewer, AeroAdmin, RMS, etc.) or remote commands are executed using PsExec and PowerShell;
  • there is malware activity on the network.

In addition, user notifications, messages about the triggering of compromise indicators during retrospective analysis, cases of using dictionary and unknown - continue to be displayed in the activity feed. passwords information DHCPservers

PT NAD 10.2 has a built-in mechanism for detecting network scanning, flood and DDoS attacks. During such attacks, many sessions are created on the company's network. Instead of storing information about each connection individually, PT NAD now creates one session record and one attack record in the Activity Ribbon, which contains aggregated data about the entire attack session. Such a combination "protects" the system: protects against database overflow and increases the stability of the sensor.

Network Node Management: Roles and Types

In order for information security specialists to have complete information about which nodes participate in the network interaction and how the network is arranged as a whole, PT NAD began to automatically determine the types and roles of nodes. The type indicates whether a specific node is a server, printer, mobile device, or workstation. The role denotes the function that the device performs. In version 10.2, 15 roles are defined, including a DNS server, VPN, domain controller, proxy server, monitoring system. The user can manually reassign the device type and role.

Using the updated filter, the user can find the nodes of interest by IP address, type, role, group membership and other parameters
File:Aquote1.png
"Knowledge of what infrastructure a company consists of is necessary to qualitatively to protect identify attacks in it and accurately identify attacks in it. This information in PT NAD gives operators safety an understanding of what devices are in the network and what roles they perform, thus helping to conduct network inventory, "-

comments Dmitry Efanov, Development Manager PT NAD Positive Technologies.
File:Aquote2.png

Traffic Capture and Analysis

Starting with this version, PT NAD captures traffic on Linux using the DPDK engine (the Intel library that provides the most efficient way to capture traffic on Linux, among other mechanisms), which processes it losslessly at tens of gigabits per second.

For greater transparency of internal traffic in PT NAD 10.2, the list of defined and parsed traffic is expanded. protocols The updated system now parses SQL data transfer protocols:,, MySQL PostgreSQL Transparent Network Substrate of the company Oracle and Tabular Data Stream (the ability to detect it was added in a previous release). PT NAD also defines PostScript system Elasticsearch and printing protocols - printers on the corporate network interact with the latter. The total number of detected protocols reached 86.

Other UX changes

A number of changes to PT NAD 10.2 are aimed at improving the convenience of the product. It became possible from the interface to find out about the current state and validity period of the license and add or change it yourself. Added the option of copying a link to a card of a specific session or attack in order to quickly exchange information with other users.

PT Network Attack Discovery 10.1

On March 11, 2021, Positive Technologies announced the release of the next version of the PT Network Attack Discovery deep traffic analysis system (10.1). It allows you to identify attacks using analytics modules, collect up-to-date information about network nodes and centrally learn about detected threats in one tape.

According to the company, so that the user learns in a timely manner about attacks and threats, the "activity tape" section appeared in PT NAD. The tape collects a list of identified threats in one place, combines messages about similar activities into one and makes it possible to manage them. It is possible to note the elimination of the problem or no longer track such activity.

Each activity in the feed shows the date and time of the last detection, hazard level, activity period, brief description

In PT NAD 10.1, messages appear in the feed when:

  • users on the network use dictionary passwords;
  • during retrospective analysis, indicators of compromise worked;
  • an unknown appeared on the network - DHCPserver which can be fake (with its help, attackers can intercept traffic to obtain user credentials);
  • the traffic filtering conditions that the user has set in advance are triggered. Thus, you can receive notifications about any activity of interest in the network, for example, about connections to certain, phishing to domains the transfer big of information from servers, about the databases actions of specific users.

File:Aquote1.png
PT NAD was originally created as a tool for investigative professionals. The Activity Ribbon is another important step towards simplifying the product. It focuses the analyst's attention on important threats and helps track the response to them.

narrated by Dmitry Efanov, Development Manager, PT Network Attack Discovery
File:Aquote2.png

The updated version of PT NAD has added deep traffic analytics modules that allow you to identify complex threats. They take into account many parameters of the behavior of attackers and are not tied to the analysis of individual sessions, unlike attack detection rules. Using the modules, the product automatically detects abnormal LDAP requests. Such requests can be used by attackers during intelligence to collect information about the domain: about users, their groups, network nodes, passwords.

Example of an attack card with an abnormal LDAP request detected

With the help of updated detection mechanisms, the product also detects the use of dictionary passwords and unknown DHCP servers. Information about such events falls into the activity feed.

In the next version of PT NAD, analytics modules will be used to identify 30 more types of threats.

PT NAD users now have up-to-date information about network nodes: IP addresses, domain name, installed operating system, data transfer protocols used, group membership. Changes to nodes are also monitored. The PT NAD user learns if a node has appeared on the network, an open port, application protocol has appeared on the node, or the OS has changed. Such data can also help identify suspicious activity. For example, if the user started using the SSH protocol to remotely control the operating system, although he had not done this before, it is worth investigating.

You can filter node data. The nodes that interacted with the IP address, OS, or domain specified in the filter are displayed.

According to a survey by Positive Technologies, as of March 2021, 72% of information security specialists assess the visibility of external traffic as low or medium, and 68% of respondents also rated the level of transparency of internal traffic. For greater transparency of internal and external traffic, the updated version of PT NAD has expanded the list of defined and parsed protocols. The product detects five more protocols that are found in the networks of Russian companies. The total number of defined protocols has reached 85.

Four more protocols PT NAD parses, collecting additional data about connections that are established by such protocols. Parsing protocols gives an understanding of what is happening on the network, for example, to which Google services users connect, what requests are sent during remote command launch, whether this is legitimate activity or compromise of attackers.

PT NAD 10.1 defines encrypted traffic that is transmitted over non-standard protocols. This is necessary to draw the attention of the system operator to suspicious unknown activity on the network. Perhaps the traffic is encrypted by attackers using their own protocols for this, and thus try to cover their tracks.

It became possible to switch the language of the interface and choose the time zone - the settings are applied to the user's account. Now from the PT NAD interface, you can go to the PT Sandbox in one click and see detailed information about the identified malicious file.

2020

Integration into the existing Solar JSOC incident detection cycle

On October 15, 2020, Rostelecom-Solar announced that it had launched a deep network traffic analysis (NTA) service with Positive Technologies based on the PT Network Attack Discovery (PT NAD) solution. The deep traffic analysis system is integrated into the existing incident detection cycle of the Solar JSOC Cyber Attack Monitoring and Response Center. The service brings to a different level network monitoring and analysis of network activity both on the perimeter and within the infrastructure. This allows not only to detect attempts by an attacker to penetrate the network, but also to detect internal suspicious activity that SIEM systems, antiviruses and endpoint protections do not detect.

The company's corporate infrastructure is becoming more complex. It goes far beyond the office and includes employees' personal devices, and work data is stored both locally and by service providers. At the same time, high-level and state-sponsored groups (the so-called cyber warfare) demonstrate a multi-stage approach to attacks, use legal utilities and skillfully work with logs of defense systems. To counter them, a network traffic mining system is required. Low-skill attackers (cyberhuligans and bots) are also improving their tools. To identify their presence in the infrastructure, closer attention is needed to the internal segments of the network. It is these tasks that are comprehensively solved by the Solar JSOC network traffic analysis service.

Networks of 97% of companies have traces of possible compromise, and most information security threats are detected already inside the perimeter of the organization. In 50% of cases, the external perimeter of the organization is overcome by attackers in one step, after which traditional defenses no longer allow tracking the development of an attack within the network. An attacker can be quietly present on the network for years. PT NAD plays an important role in identifying these types of incidents, as well as investigating them, as it saves a copy of all network traffic - including data that attackers delete to hide their traces. The information that PT NAD handles complements SIEM data from other sources, greatly expanding the knowledge base for forensic medicine.

File:Aquote1.png
The eternal battle of shell and armor in the field of cybersecurity has long gone into a hybrid game of "cat and mouse" within the organization's own infrastructure. For large distributed companies, it becomes vital to have tools to cover the entire infrastructure with comprehensive monitoring. PT NAD with enriched content as part of a service for round-the-clock monitoring and response to cyber incidents solves this problem and allows you to identify the actions of high-level violators before they cause real damage, - said Pavel Goncharov, business development manager at Solar JSOC of Rostelecom-Solar.
File:Aquote2.png

Connecting to the service takes from 2 to 4 weeks: the necessary PT NAD components are installed in the customer's infrastructure, receiving weekly updates to the rules for detecting current hacker activity from the vendor and enriched with unified content from Solar JSOC experts, which allows you to identify attackers with a high level of qualifications. In this case, the system is configured taking into account all the features of the customer.

File:Aquote1.png
In 93% of penetration testing projects, our specialists were able to overcome the network perimeter and gain access to LAN resources, proving their vulnerability to an external attacker attack - says Sergey Osipov, head of business development at Positive Technologies. - By developing their attacks, cybercriminals leave traces in the network traffic of the organization, which can only be identified by careful monitoring of the network. Therefore, we consider our NTA solution to be one of the key solutions for ensuring information security: without it, SOC may miss events at the network level that are "in the blind spot," which means ― attackers will have more opportunities to go unnoticed. The choice of PT NAD as the basis for providing a service for deep traffic analysis speaks of the high level of maturity of the Solar JSOC cyber attack monitoring and response center.
File:Aquote2.png

PT Network Attack Discovery 10: Investigative and threat hunting capabilities

On July 30, 2020, the company Positive Technologies announced the release of the 10th version of the PT Network Attack Discovery (PT NAD) traffic analysis system. The updated system determines domain user accounts on the network, sees more data in - encrypted SSH sessions and conducts an automatic retrospective analysis of all lists of compromise indicators. Such functionality, according to the developer, will be useful to specialists for conducting investigations and proactive threat hunting.

To track the actions of attackers who have compromised the account, PT NAD determines the user credentials when authenticating using the Kerberos protocol. This enables information security professionals to see the domain account that was used in a particular session. Network connections can be filtered by user login and get a list of those in which it was used, emphasized in Positive Technologies.

According to the developer, to detect anomalies in encrypted connections, PT NAD (starting from the tenth version) conducts an extended analysis of encrypted sessions using the SSH protocol. Thanks to this, additional information about SSH connections is available to users:

  • traffic type on the encrypted connection,
  • type and number of failed authentication attempts,
  • interactive data in session, file transfer, and tunnel creation.

Such data give information security specialists the ability to identify, for example, atypical methods of user authentication, brute force attacks, as well as suspicious tunnels, which are among the most frequently detected suspicious network activity in domestic organizations, according to Positive Technologies.

To identify attacks that occurred in the past, PT NAD analyzes saved sessions for all compromise indicators added to the product by the vendor or user. In previous versions, retrospective analysis was available only to those users who connected a separate component for collecting compromise indicators. In the presented version, retrospective analysis is launched automatically, this will quickly detect signs of the hidden presence of an attacker, according to Positive Technologies.

According to the developer, for greater network transparency in the updated version of the product, the set of defined protocols has been expanded: PT NAD detects 7 more protocols that are found in networks of large Russian companies (their total number is 80). The definition of protocols gives an understanding of how much and what kind of network connections are established within the corporate network. For comfortable work with PT NAD, users can enable automatic updating of data on dashboards with a given frequency and go from any section of the system to the help center, which accumulates complete and up-to-date information on working with the product at any time.

PT NAD Help Center

Protection against exploitation of identified zero-day vulnerabilities in Microsoft products

On January 20, 2020, Positive Technologies announced that it was among the participants in the Microsoft Active Protections program.

PT NAD

Users of the Positive Technologies Network Attack Discovery (PT NAD) network traffic analysis system will now be protected from exploiting identified zero-day vulnerabilities in Microsoft products.

Microsoft launched the Microsoft Active Protections Program (MAPP) in 2008. Its main goal is to enable developers of information security solutions to receive information about identified vulnerabilities in Microsoft software as quickly as possible. This allows developers to quickly implement in their products the detection of attempts to exploit vulnerabilities for which there are no official patches yet. As a result, the overall level of protection of millions of users of Microsoft products is increased.

The MAPP program includes world leaders in the development of solutions in the field of information security, for the entire existence of the program 64 companies were accepted into it. Positive Technologies became the second Russian company on the MAPP list.

File:Aquote1.png
We applied to join the MAPP program in 2019. After that, the application was analyzed by Microsoft specialists in Russia and the United States. We needed to demonstrate that PT NAD met the MAPP criteria and that we had a team of experts creating rules for detecting vulnerabilities in network traffic,
tells the head of the department for working with technological partners of Positive Technologies Egor Nazarov
File:Aquote2.png

File:Aquote1.png
To be included in the MAPP program, the company must demonstrate the existence of developed standards for ensuring internal security, as well as the exchange of information with other market participants. Positive Technologies has all this, and therefore we are confident that the company's participation in the MAPP program will increase the level of security for users of Microsoft solutions,
says Artem Sinitsyn, head of Microsoft information security programs in Central and Eastern Europe
File:Aquote2.png

Through a partnership between Microsoft and Positive Technologies, PT NAD users will be protected from attacks using newly identified vulnerabilities in Microsoft products in the earliest stages - even if security updates have not yet been released for them. As part of a bilateral exchange under the MAPP program and as part of the Microsoft Bug Bounty product and technology vulnerability detection program, Positive Technologies will send Microsoft information not only about vulnerabilities found in its products, but also about attempts to exploit them in real attacks.

2018

Commercial Release

Positive Technologies on June 14, 2018 announced the release of a commercial version of a comprehensive network security solution designed to analyze network traffic and investigate PT Network Attack Discovery (PT NAD) incidents. The product has undergone long-term testing in large infrastructure projects, including in the State system of detection, prevention and elimination of consequences of computer attacks system, and is ready for industrial operation.

PT Network Attack Discovery system allows you to capture "raw" traffic at speeds up to 10 Gbps, provides storage of large amounts of data, their processing, indexing and writing to Pcap files. When using external storage, depending on the business task, data can be stored for up to several months (if necessary, up to six months or longer).

Detection of past attacks and time-distributed threats is implemented in PT Network Attack Discovery through a retrospective analysis mechanism. The system allows you to track the chronology and vectors of the development of attacks, as well as conduct retrospective analysis not only on data stored using PT Network Attack Discovery, but also on files with traffic downloaded from external sources.

In the commercial version of the system, it became possible to parse protocols to the L7 level, which allows you to extract and store metadata specific to each network connection on the fly: applications used, protocol field values, reputation lists, IP addresses, ports. The stability and speed of traffic processing was also increased. With a gigabit data stream (1 Gbps) and a two-week storage time, searching for metadata can take less than a minute, Positive Technologies noted.

PT Network Attack Discovery uses its own signature database to detect remote exploitation of vulnerabilities, malware. The list of signatures includes rules for detecting the use of the EternalBlue exploit (remote execution of commands on Windows-based systems), Cobalt Strike modules (remote management of hacked nodes), DCShadow techniques (a type of attacks on Active Directory), vulnerabilities in Cisco SMI and other threats. The signature base is constantly being replenished: as of June, it consists of more than 3 thousand rules developed by Positive Technologies experts.

According to the developers, the PT Network Attack Discovery system is already used in the energy and telecommunications industries, transport, banks, government organizations and the media.

Description of PT Network Attack Discovery. Key and additional features

The system captures, processes and stores large amounts of raw traffic. Parsing protocols to L7 level allows you to extract and store metadata on the fly containing unique parameters of each network connection: IP addresses and protocol field values, reputation of transmitted objects, involved ports, applications. Metadata search and filtering mechanisms allow an information security expert, if necessary, to quickly reconstruct suspicious network connections and form an evidence base on the incident.

PT Network Attack Discovery has a built-in system for passive attack detection using signature methods, machine learning and behavioral analysis. The system also supports downloading traffic files from external sources for retrospective analysis. This combination allows not only to detect the masked network activity of the malicious, ON but also to track the chronology and vectors of the development of the attack.

Tight integration with MaxPatrol SIEM, a security event management and incident detection system, allows PT Network Attack Discovery to calculate the effectiveness of attacks based on node vulnerability data. The information collected by PT Network Attack Discovery about the status of network devices - software versions, ports, protocols - ensures that the list and status of assets in MaxPatrol SIEM is constantly updated.

Key opportunities

  • Storing raw traffic and metadata - guaranteed traffic capture at speeds up to 10 Gbps, indexing and writing to Pcap files.
  • Session reconstruction - detailed analysis of protocols and extraction of metadata about network connection parameters, search and filtering mechanisms for quick navigation in large arrays of stored data.
  • File extraction - automated extraction of objects transmitted through application layer protocols: HTTP, FTP, POP3, SMTP, SMB, NFS, etc.
  • Retrospective analysis - Import Pcap files from external sources for in-depth analysis and detection of undetected attacks.
  • Data visualization - detailed statistics of security events, customizable forms of reports and graphs, a visual map of network interactions.

Additional features

  • Intrusion prevention. Flexible settings of rules for blocking suspicious connections, using signatures and reputation services to protect against current attacks.
  • Detection of hidden threats. Identify network anomalies, hidden presence, activities} of malware using heuristic methods and behavioral analysis.
  • Support for the open. API Integrate with external class solutions, SIEM as well as with the system PT MultiScanner to identify malicious content in extracted files and to MaxPatrol inventory assets and verify the effectiveness of attacks.
  • Transfer of expertise to the product. Its own database of attack signatures aimed at remote exploitation of vulnerabilities is developed taking into account many years of experience in penetration tests and incident investigation.