Positive Technologies has released a new version of its traffic behavior analysis system that detects attacks both on the perimeter and within the network: PT Network Attack Discovery (PT NAD). PT NAD 11.1 gets statistical and behavioral modules that help to detect previously unknown ICMP tunnels¹, SMB traffic anomalies², traces of Cobalt Strike and Brute Ratel С4 activity, and a module that verifies successful exploitation of vulnerabilities on hosts.

Accurate attack detection with the help of traffic behavior analysis

"Besides signature-based methods, the new release provides new ways of detecting threats with the help of complex algorithms based on profiling of each device on the network, data collection, and deviation search. The PT NAD development team has transformed the unique expertise on threat hunting in network traffic into automated detects," says Aleksey Lednev, who leads the attack detection team at the Positive Technologies Expert Security Center (PT ESC). "We systematically expand the options for adjusting the product to a specific infrastructure, so that each company can more accurately detect anomalies and unique detections that pose a threat to its security."

Malicious actors establish covert data channels, ICMP tunnels, to maintain communication with the compromised infrastructure. Detection systems, particularly firewalls, tend to miss this kind of activity. By analyzing ICMP packet statistics, PT NAD 11.1 detects both known and new utilities that attackers use to hide their presence on the network.

To stay undetected, cybercriminals encrypt SMB traffic, and use malware and post-exploitation tools, which communicate with their agents over SMB named pipes. The new PT NAD behavioral modules detect the encrypted SMB protocol and new SMB pipes in traffic.

PT NAD 11.1 detects running Cobalt Strike and Brute Ratel C4 frameworks, which are frequently used in targeted attacks. These allow attackers to interact with compromised hosts, run commands, and move laterally across the infrastructure. To detect malicious activity, Positive Technologies developers have created statistical modules that detect communications between these post-exploitation framework agents with unknown configurations and the command-and-control server.

Starting with this version, the product has a new module for detecting successful exploitation attempts. The experience of the Positive Technologies Expert Security Center, which specializes in complex incidents, indicates that exploitation of vulnerabilities is one of the top three most common vectors used in attacks on corporate networks. The new behavior analysis module automatically extracts indicators of compromise from network requests and checks references to these following the successful vulnerability exploitation on the host.

Twice as fast to set up

The setup wizard available in the new version makes setting up the key PT NAD parameters, such as network interfaces, traffic capture settings, PCAP/ES storage time, and others, twice as fast. The wizard simplifies deployment as well.

Other changes

We have improved hiding from the activity stream: the operator can now remove detections that are typical for their infrastructure with a click after opening the card. The new functionality helps to reduce the number of false positive detections in each secured infrastructure. Other new features include the ability to create new shared team filters, traffic capture and processing validation, and under-the-hood and UX improvements.

PT NAD 11.1 is already available to users. You can request a free pilot here. Existing users can get an update by reaching out to our technical support or a Positive Technologies partner.

1. A covert data channel between two hosts that uses IP packets over the ICMP protocol.
2. A network protocol for remote access to files, printers, and other resources.