News
18 April 2022
News
Готово!
Скоро материал придет на указанную электронную почту. Также подписывайте на нас в Facebook
Ok
Detecting Network Attacks: Results of 2021 Pilot Projects
Information security is a never-ending battle between attackers and defenders. With the attacking tools constantly evolving, attackers can send a company into a spiral of unacceptable business risks in a matter of minutes, while finding vulnerabilities and bypassing existing information security systems sometimes is just as quick. Anatoly Peretochkin, Senior System Engineer at ICL System Technologies, tells how to timely detect threats with the help of the PT Network Attack Discovery traffic analysis system.
— Anatoly, tell us why the need to test the PT NAD solution arose?
Hackers can penetrate the perimeter if the software is not updated. Their activity can and should be detected as quickly as possible by the activity in the traffic. The NTA (Network Traffic Analysis) class products can help, and PT NAD belongs to this family. This solution is designed to detect traces of compromise in the network and investigate attacks. PT NAD captures and parses all corporate network traffic, detecting external and internal intruder activity. Using raw traffic and metadata, information security can identify compromised infrastructure, detect traces of a hacker in the network, conduct investigations, and gather evidence.
In the pilot projects, PT NAD detected suspicious network activity, helping evaluate the performance of IT systems at each client.
— What are the advantages of PT NAD?
It is a deep network traffic analysis system that detects attacks both at the perimeter and inside the network. PT NAD defines more than 85 protocols, and 30 of the most common ones are parsed to the L7 level. Protocol parsing makes the network transparent and helps the SOC (Security Operation Center) analysts in identifying IS issues that reduce the effectiveness of the security system and contribute to attacks.
The system detects hidden threats. For instance, it automatically detects the intruder’s attempts to penetrate the network and their presence in the infrastructure by multiple signs. This can be both the detection of hacker tools and the transmission of data to the attackers’ server.
Another advantage of the product is that it increases the efficiency of the SOC. PT NAD gives analysts complete visibility of the network, simplifies hypothesis testing, helps reconstruct the chronology of attacks and gather evidence. Better still, it aids in quickly finding suspicious sessions, exporting and importing traffic.
— What is the working scheme with PT NAD?
PT NAD analyzes network traffic and detects information security events in several phases. In the first phase, the network traffic is gathered and analyzed: the product parses network protocols, identifies signs of attacks and suspicious behavior, generates data for session and attack records. After that, the original copy of the traffic is transferred to the system’s internal storage as pcap files, while the records of sessions and attacks are transferred to the system’s internal database, where they are analyzed for the presence of known indicators of compromise (IoC). The user, in turn, can request stored data from the storage through the web interface.
— What were the overall results? What attacks were identified and what recommendations were made?
On average, the total number of incidents reached 9.6k per organization, of which 3.7k were high-risk attacks and 5.9k — medium-risk attacks.
Among the frequently identified scenarios is the CVE-2021-44228 vulnerability in the Apache Log4j library (Figure 1, Figure 2). It is a Remote Code Execution (RCE) vulnerability. If an attacker manages to exploit it on a vulnerable server, they’ll be able to execute arbitrary code and eventually gain full control over the attacked IT system. To fix this vulnerability, you need to install the latest updates from the manufacturer’s site on time.
Figure 1. Multiple attacks on external company resources were recorded
Figure 2. Multiple attacks on external company resources were recorded
The next scenario is the detection of connections to TOR hosts originating from the internal network (Figure 3). This network activity could be due to malware or malicious activity, and the TOR network itself could be used to transmit sensitive data covertly. To prevent such network connections, it is necessary to check the node to determine the source of this network activity and organize the delimitation of local user rights.
Figure 3. Connecting a node to TOR
Another attack scenario is bypassing firewall (ITU) policies. In particular, we detected outgoing network traffic from port 53, with the data inside the packets not being DNS queries. This technique is often used to bypass traffic restriction policies applied to firewalls. Generally, outbound traffic is limited to a few ports (most often 80, 443, 53), so attackers can use them to pass the ITU inspection. This activity is caused by the antivirus from 360 Total Security, a Chinese company. Presumably, this is how they transmit encrypted telemetry.
Figure 4. Bypassing the ITU policy
Another attack worth talking about is the use of a library to handle the SSH protocol. For instance, we recorded the use of the paramiko library for the Python language. This library automates the use of the SSHv2 protocol, providing both client and server functionality. At the same time, we know that administrators mostly use off-the-shelf utilities for SSH remote administration. In our case, however, it was the work of a script that we detected. It’s impossible to say for sure whether this is a legitimate administration script or part of the intruder’s infrastructure —part of an SSH tunnel, for instance (Figure 5). In such cases, it is necessary to investigate and check this activity for legitimacy on the host itself.
Figure 5. Illegitimate use of the SSH library
— Will this solution work for all companies?
In the last two years, our customers’ interest in NTA class solutions has grown rapidly, as their functionality allows to achieve good results. By virtue of NTA, information security services can detect attacks not only at the perimeter but also inside the network, track errors in the network infrastructure, expose violations of corporate security policies and initiate incident investigations. This is crucially important for any company, no matter what industry it’s in. Therefore, we are ready to show and test PT NAD for the individual request of any customer.
Our experts are ready to advise you promptly on all available solutions. Please contact us at pr@icl-services.com.
Hackers can penetrate the perimeter if the software is not updated. Their activity can and should be detected as quickly as possible by the activity in the traffic. The NTA (Network Traffic Analysis) class products can help, and PT NAD belongs to this family. This solution is designed to detect traces of compromise in the network and investigate attacks. PT NAD captures and parses all corporate network traffic, detecting external and internal intruder activity. Using raw traffic and metadata, information security can identify compromised infrastructure, detect traces of a hacker in the network, conduct investigations, and gather evidence.
In the pilot projects, PT NAD detected suspicious network activity, helping evaluate the performance of IT systems at each client.
— What are the advantages of PT NAD?
It is a deep network traffic analysis system that detects attacks both at the perimeter and inside the network. PT NAD defines more than 85 protocols, and 30 of the most common ones are parsed to the L7 level. Protocol parsing makes the network transparent and helps the SOC (Security Operation Center) analysts in identifying IS issues that reduce the effectiveness of the security system and contribute to attacks.
The system detects hidden threats. For instance, it automatically detects the intruder’s attempts to penetrate the network and their presence in the infrastructure by multiple signs. This can be both the detection of hacker tools and the transmission of data to the attackers’ server.
Another advantage of the product is that it increases the efficiency of the SOC. PT NAD gives analysts complete visibility of the network, simplifies hypothesis testing, helps reconstruct the chronology of attacks and gather evidence. Better still, it aids in quickly finding suspicious sessions, exporting and importing traffic.
— What is the working scheme with PT NAD?
PT NAD analyzes network traffic and detects information security events in several phases. In the first phase, the network traffic is gathered and analyzed: the product parses network protocols, identifies signs of attacks and suspicious behavior, generates data for session and attack records. After that, the original copy of the traffic is transferred to the system’s internal storage as pcap files, while the records of sessions and attacks are transferred to the system’s internal database, where they are analyzed for the presence of known indicators of compromise (IoC). The user, in turn, can request stored data from the storage through the web interface.
— What were the overall results? What attacks were identified and what recommendations were made?
On average, the total number of incidents reached 9.6k per organization, of which 3.7k were high-risk attacks and 5.9k — medium-risk attacks.
Among the frequently identified scenarios is the CVE-2021-44228 vulnerability in the Apache Log4j library (Figure 1, Figure 2). It is a Remote Code Execution (RCE) vulnerability. If an attacker manages to exploit it on a vulnerable server, they’ll be able to execute arbitrary code and eventually gain full control over the attacked IT system. To fix this vulnerability, you need to install the latest updates from the manufacturer’s site on time.
Figure 1. Multiple attacks on external company resources were recorded
Figure 2. Multiple attacks on external company resources were recorded
The next scenario is the detection of connections to TOR hosts originating from the internal network (Figure 3). This network activity could be due to malware or malicious activity, and the TOR network itself could be used to transmit sensitive data covertly. To prevent such network connections, it is necessary to check the node to determine the source of this network activity and organize the delimitation of local user rights.
Figure 3. Connecting a node to TOR
Another attack scenario is bypassing firewall (ITU) policies. In particular, we detected outgoing network traffic from port 53, with the data inside the packets not being DNS queries. This technique is often used to bypass traffic restriction policies applied to firewalls. Generally, outbound traffic is limited to a few ports (most often 80, 443, 53), so attackers can use them to pass the ITU inspection. This activity is caused by the antivirus from 360 Total Security, a Chinese company. Presumably, this is how they transmit encrypted telemetry.
Figure 4. Bypassing the ITU policy
Another attack worth talking about is the use of a library to handle the SSH protocol. For instance, we recorded the use of the paramiko library for the Python language. This library automates the use of the SSHv2 protocol, providing both client and server functionality. At the same time, we know that administrators mostly use off-the-shelf utilities for SSH remote administration. In our case, however, it was the work of a script that we detected. It’s impossible to say for sure whether this is a legitimate administration script or part of the intruder’s infrastructure —part of an SSH tunnel, for instance (Figure 5). In such cases, it is necessary to investigate and check this activity for legitimacy on the host itself.
Figure 5. Illegitimate use of the SSH library
— Will this solution work for all companies?
In the last two years, our customers’ interest in NTA class solutions has grown rapidly, as their functionality allows to achieve good results. By virtue of NTA, information security services can detect attacks not only at the perimeter but also inside the network, track errors in the network infrastructure, expose violations of corporate security policies and initiate incident investigations. This is crucially important for any company, no matter what industry it’s in. Therefore, we are ready to show and test PT NAD for the individual request of any customer.
Our experts are ready to advise you promptly on all available solutions. Please contact us at pr@icl-services.com.
Contact us
Leave information about yourself and your company to get a detailed presentation.