Positive Technologies has released the next version of PT Network Attack Discovery (10.1), a system for deep traffic analysis. With it, you can detect attacks using new analytics modules, collect up-to-date information about network hosts, and centrally learn about detected threats in a single feed.

Activity feed

To enable users to learn about new attacks and threats in a timely manner, a new section—an activity feed—has been added to PT NAD. The feed collects a list of identified threats in one place, combines messages about similar activities into one, and allows you to manage them. You can mark the issue as resolved or no longer track such activity.

In PT NAD version 10.1, messages appear in the feed when:

• Users use dictionary passwords on the network.
• The indicators of compromise are triggered during the retrospective analysis.
• An unknown DHCP server ¹ appears on the network: the server might be fake, and by using it attackers can intercept traffic and obtain user credentials.
• The traffic filtering conditions that the user has set in advance are triggered. In this way, you can receive notifications about any activity of interest on the network, such as connections to certain phishing domains, transmission of large amounts of information from database servers, and actions of specific users.

Dmitry Efanov, Head of PT Network Attack Discovery Development, comments:
"PT NAD was originally created as a tool for investigation specialists. The activity feed is another important step toward simplifying the product. It helps focus the analyst's attention on important threats and track the response to them."

New mechanisms of attack detection

The new version of PT NAD adds deep traffic analytics modules that enable identification of complex threats. They take into account many parameters of the attacker's behavior and are not tied to the analysis of individual sessions, unlike the rules for attack detection. With the help of the modules, the product automatically detects abnormal LDAP requests. ² Such requests can be used by attackers during reconnaissance to collect information about the domain: about users, their groups, network hosts, and passwords.

With the help of new detection mechanisms, the product also detects the use of dictionary passwords and unknown DHCP servers. Information about such events is included in the activity feed.

In the next version of PT NAD, analytics modules will be used to identify 30 more types of threats.

Monitoring network hosts

PT NAD users now have up-to-date information about network hosts: the domain name, installed operating system, IP addresses, used data transfer protocols, and group membership. Changes in the hosts are also tracked. PT NAD users will know if a new host has appeared on the network, a new open port has appeared on the host, an application protocol has changed, or the OS has changed. Such data can also help identify suspicious activity. For example, if a user started using the SSH protocol to remotely control the operating system, although they did not do it before, it is worth investigating.

Network transparency is now even higher

According to the Positive Technologies survey, "low" or "average" visibility into external traffic is a complaint of 72 percent of respondents; 68 percent have the same opinion regarding the visibility of internal traffic.

For greater transparency of internal and external traffic, the new version of PT NAD has an expanded list of identified and parsed protocols. The product detects five more new protocols that are found on the networks of Russian companies. There are now 85 identified protocols in total.

PT NAD parses four more new protocols, collecting additional data about the connections that are established via such protocols. The analysis of the new protocols gives an understanding of what is happening on the network, for example, which Google services users connect to, what requests are sent during remote command execution, whether this is legitimate activity or compromise by attackers.

PT NAD 10.1 identifies encrypted traffic that is transmitted via nonstandard protocols. This is necessary to draw the attention of the system operator to suspicious unknown activity on the network. It is possible that the attackers encrypt the traffic using their own protocols, and thus try to cover their tracks.

Other improvements

• PT NAD 10.1 is localized into English.
• You can now set the time zone—the settings are applied to the user account.
• From the PT NAD interface, you can go to PT Sandbox in one click and view detailed information about the detected malicious file.

Get free PT NAD’s demo

Check your network and perimeter. Get a free pilot and find hidden threats.

Free pilot

1. The Dynamic Host Configuration Protocol (DHCP) server runs a service that automatically distributes IP addresses between devices connected to the same network within the internal Microsoft Windows Server environment.
2. The Lightweight Directory Access Protocol (LDAP) is a protocol that is commonly used to store and retrieve information about the infrastructure, its assets, users, and user groups.