Network Traffic Analysis

The importance of network traffic analysis and monitoring in your cybersecurity program

What is network traffic analysis (NTA)?

Network traffic analysis (NTA) is a method of monitoring network availability and activity to identify anomalies, including both security and operational issues. Common use cases for NTA include:

  • Collecting a real-time and historical record of what's happening on your network
  • Detecting malware such as ransomware activity
  • Detecting the use of vulnerable protocols and ciphers
  • Troubleshooting a slow network
  • Improving internal visibility and eliminating blind spots

Implementing a solution that can continuously monitor network traffic gives you the insight you need to optimize network performance, minimize your attack surface, strengthen security, and improve the management of your resources.

However, knowing how to monitor network traffic is not enough. It is also important to consider the data sources for your network monitoring tool; the two most common are flow data (exported by devices such as routers and switches) and packet data (from SPAN/mirror ports and network TAPs).

Key benefits of network traffic analysis

With "it's not if, but when" as today's mindset about cyberattacks, it can feel overwhelming for security professionals to ensure that as much of an organization's environment as possible is covered.

The network is a critical element of that attack surface; gaining visibility into network data gives defenders one more place to detect attacks and stop them early.

The benefits of NTA include:

  • Improved visibility into the devices connecting to your network (e.g. IoT devices, healthcare visitors)
  • Meeting compliance requirements
  • Troubleshooting operational and security issues
  • Responding to investigations faster with rich detail and additional network context

A key step in setting up NTA is ensuring you are collecting data from the right sources. Flow data is great if you are looking at traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and track the use of network resources and performance, but it lacks the rich detail and context needed to dig into a security problem: a flow record carries the 5-tuple, counters and timestamps, never the payload.

Packet data extracted from network packets can help network managers understand how users are operating applications, track usage on WAN links, and monitor for suspicious malware or other security incidents. Deep packet inspection (DPI) tools provide full visibility into the traffic they see by transforming the raw packets into readable protocol metadata and enabling network and security managers to drill down to the finest detail.

Why network traffic analysis matters

Keeping a close eye on your network perimeter is always good practice. Even with strong firewalls in place, mistakes happen and rogue traffic can get through. Users can also employ methods such as tunneling, external anonymizers, and VPNs to bypass firewall rules.

In addition, the rise of ransomware as a common attack type in recent years has made network traffic monitoring even more critical. A network monitoring solution should be able to detect activity indicative of a ransomware attack over insecure protocols. Take WannaCry, for example: the worm actively scanned networks for hosts with TCP port 445 open and then exploited a vulnerability in SMBv1 (the flaw addressed by MS17-010) to reach network file shares. In flow data that shows up as one internal host opening connections to port 445 on many distinct hosts in a short window, most of which never complete a handshake.

Remote Desktop Protocol (RDP) is another commonly targeted application. Make sure any inbound connection attempts from the internet are blocked at the firewall. Monitoring traffic on the inside of the firewall lets you verify that those rules actually hold, gain valuable insight, and use network traffic as a source of alerts in its own right.

Watch out for any suspicious activity associated with management protocols such as Telnet. Because Telnet is unencrypted, the session traffic reveals the command line interface (CLI) command sequences for the make and model of the device. The CLI strings can show the login procedure, the user credentials being presented, commands that display the startup or running configuration, file copies, and more.
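The contrast between flow data and packet data drawn above, and the Telnet CLI strings just described, as an added example. This is not code from the Rapid7 page; it builds a handful of constructed packet records (made-up addresses, a made-up switch login), reduces them to NetFlow-style flow records, and separately reassembles the Telnet cleartext. The flow records retain counters and timestamps only; the username, password and `show running-config` appear solely in the packet data.

```python
"""Added example, not code from the Rapid7 page: what a flow record keeps
versus what only packet data shows.

The input is a constructed list of packet records in the shape a packet
parser would emit (5-tuple, size, timestamp, payload). The flow export keeps
only per-5-tuple counters, the shape of a NetFlow/IPFIX record; the Telnet
CLI strings, including the credentials, are visible only in the packet data.
All addresses and strings below are made up for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size: int          # bytes on the wire
    payload: bytes = b""


@dataclass
class Flow:
    """Unidirectional flow record: 5-tuple plus counters, no payload."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


# Constructed sample: an admin's Telnet session to a switch (10.0.0.1) and an
# unrelated HTTPS connection. Only the application payload is shown.
PACKETS = [
    Packet(0.00, "10.0.1.25", 51522, "10.0.0.1", 23, "tcp", 60),
    Packet(0.10, "10.0.0.1", 23, "10.0.1.25", 51522, "tcp", 90, b"User Access Verification\r\nUsername: "),
    Packet(0.50, "10.0.1.25", 51522, "10.0.0.1", 23, "tcp", 66, b"netadmin\r\n"),
    Packet(0.60, "10.0.0.1", 23, "10.0.1.25", 51522, "tcp", 70, b"Password: "),
    Packet(1.20, "10.0.1.25", 51522, "10.0.0.1", 23, "tcp", 72, b"Sw1tchR00m!\r\n"),
    Packet(1.30, "10.0.0.1", 23, "10.0.1.25", 51522, "tcp", 68, b"core-sw1#"),
    Packet(2.00, "10.0.1.25", 51522, "10.0.0.1", 23, "tcp", 80, b"show running-config\r\n"),
    Packet(2.10, "10.0.0.1", 23, "10.0.1.25", 51522, "tcp", 1400, b"Building configuration...\r\n!\r\nhostname core-sw1\r\n"),
    Packet(3.00, "10.0.1.25", 51522, "10.0.0.1", 23, "tcp", 90, b"copy running-config tftp://10.0.1.25/core-sw1.cfg\r\n"),
    Packet(0.30, "10.0.1.26", 44000, "203.0.113.10", 443, "tcp", 517, b"\x16\x03\x01\x02\x00\x01"),
    Packet(0.35, "203.0.113.10", 443, "10.0.1.26", 44000, "tcp", 1514, b"\x16\x03\x03\x00\x7a\x02"),
]


def flows_from_packets(packets):
    """Aggregate packets into flow records keyed on the 5-tuple. This is all a
    flow exporter hands to an NTA tool: who talked to whom, on which port, how
    much and when. The payload is dropped."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(*key, first_seen=p.ts, last_seen=p.ts)
        f.packets += 1
        f.octets += p.size
        f.last_seen = p.ts
    return list(flows.values())


def telnet_cli_lines(packets, telnet_port=23):
    """Reassemble the cleartext of every Telnet stream (one per direction) and
    split it into lines: the CLI strings a DPI tool would surface. Telnet
    option negotiation is ignored; the constructed sample contains none."""
    streams = defaultdict(bytearray)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "tcp" and telnet_port in (p.sport, p.dport):
            streams[(p.src, p.sport, p.dst, p.dport)] += p.payload
    lines = {}
    for key, data in streams.items():
        text = data.decode("ascii", errors="replace").replace("\r\n", "\n")
        lines[key] = [ln.strip() for ln in text.split("\n") if ln.strip()]
    return lines


if __name__ == "__main__":
    for f in flows_from_packets(PACKETS):
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"pkts={f.packets} octets={f.octets} dur={f.last_seen - f.first_seen:.2f}s")
    for key, cli in telnet_cli_lines(PACKETS).items():
        print(f"telnet {key[0]}:{key[1]} -> {key[2]}:{key[3]}: {cli}")
```

Running it prints four flow records (two directions of each connection) that look identical in kind whether the payload was a login or a TLS handshake, followed by the client-side Telnet lines: the username, the password and the `copy running-config tftp://...` that exfiltrates the switch configuration. That difference is the reason to budget for packet data, or at least DPI-extracted metadata, on segments where management traffic flows.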

Be sure to check your network data for any devices running unencrypted management protocols, such as:

  • Telnet (TCP port 23)
  • HTTP (TCP port 80)
  • Simple Network Management Protocol (SNMP, UDP ports 161/162)
  • Cisco Smart Install (SMI, TCP port 4786)
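The three checks the preceding paragraphs call for, as one added example over flow records collected on the inside interface of a firewall: the TCP/445 sweep that a WannaCry-style worm produces, inbound RDP that the firewall should have blocked, and an inventory of devices accepting the cleartext management protocols listed above. This is not Rapid7 code; the flow records, addresses and the thresholds (`min_targets`, `min_packets`) are constructed for the example and would be tuned on a real network.

```python
"""Added example, not code from the Rapid7 page: three checks that run over
flow records collected on the inside interface of a firewall.

  * smb_fanout(): the TCP/445 sweep that precedes a WannaCry-style outbreak,
    one source reaching many distinct destinations, mostly with single-packet
    (SYN-only) flows.
  * inbound_rdp(): RDP reaching internal hosts from non-RFC1918 sources,
    i.e. the firewall rule that should block it is not holding.
  * cleartext_management(): an inventory of devices answering on Telnet,
    HTTP, SNMP and Cisco Smart Install.

The flow records and addresses are constructed sample data; the threshold
values are assumptions to be tuned for a real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int


INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Port/protocol pairs the page lists as unencrypted management protocols.
CLEARTEXT_MGMT = {
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 161): "snmp",
    ("udp", 162): "snmp-trap",
    ("tcp", 4786): "cisco-smart-install",
}

# Constructed flows: 10.0.1.25 sweeps 40 hosts on 445 (one SYN each), an
# internal workstation uses a real file share, RDP arrives from the internet,
# and several devices answer on cleartext management ports.
FLOWS = (
    [Flow("10.0.1.25", 51000 + i, f"10.0.2.{i}", 445, "tcp", 1) for i in range(1, 41)]
    + [
        Flow("10.0.1.30", 49812, "10.0.0.50", 445, "tcp", 120),    # legitimate SMB
        Flow("198.51.100.7", 40211, "10.0.0.60", 3389, "tcp", 12),  # RDP from outside
        Flow("10.0.1.25", 52001, "10.0.0.60", 3389, "tcp", 300),   # internal RDP
        Flow("10.0.1.25", 51522, "10.0.0.1", 23, "tcp", 9),        # telnet to switch
        Flow("10.0.1.40", 53011, "10.0.0.1", 161, "udp", 4),       # snmp poll
        Flow("10.0.1.26", 44010, "10.0.0.70", 80, "tcp", 30),      # http admin UI
        Flow("10.0.1.26", 44011, "10.0.0.70", 443, "tcp", 45),     # https, not in scope
        Flow("10.0.1.25", 53999, "10.0.0.1", 4786, "tcp", 1),      # SMI probe, no answer
        Flow("10.0.0.2", 4786, "10.0.1.25", 53998, "tcp", 3),      # SMI server answering
    ]
)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def smb_fanout(flows, min_targets=20):
    """Sources that touched at least min_targets distinct hosts on TCP/445.
    Returns {src: (distinct_targets, syn_only_flows)}."""
    targets = defaultdict(set)
    syn_only = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dport == 445:
            targets[f.src].add(f.dst)
            if f.packets == 1:
                syn_only[f.src] += 1
    return {src: (len(t), syn_only[src]) for src, t in targets.items() if len(t) >= min_targets}


def inbound_rdp(flows):
    """(external source, internal destination) pairs carrying RDP traffic."""
    hits = {(f.src, f.dst) for f in flows
            if f.proto == "tcp" and f.dport == 3389
            and is_internal(f.dst) and not is_internal(f.src)}
    return sorted(hits)


def cleartext_management(flows, min_packets=2):
    """(device, service) pairs for devices that accepted a cleartext management
    protocol. A device counts as running the service when it is the destination
    of a flow with at least min_packets packets (a bare SYN probe to a closed
    port is one packet) or the source of a flow from that service port."""
    found = set()
    for f in flows:
        if (f.proto, f.dport) in CLEARTEXT_MGMT and f.packets >= min_packets:
            found.add((f.dst, CLEARTEXT_MGMT[(f.proto, f.dport)]))
        if (f.proto, f.sport) in CLEARTEXT_MGMT:
            found.add((f.src, CLEARTEXT_MGMT[(f.proto, f.sport)]))
    return sorted(found)


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS))
    print("Inbound RDP:", inbound_rdp(FLOWS))
    print("Cleartext management:", cleartext_management(FLOWS))
```

Two caveats a practitioner would add. Flow data shows the 445 fan-out but not which SMB dialect was negotiated; confirming SMBv1 needs the Negotiate Protocol request from packet data. And the `is_internal()` check assumes the RFC 1918 ranges are the only internal space; a network with public internal addressing or a VPN concentrator that hands out other ranges needs its own list.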

What is the purpose of monitoring network traffic?

Many operational and security issues can be investigated by implementing network traffic analysis at both the network edge and the network core. With traffic analysis tools you can spot things like large downloads, streaming, or suspicious inbound or outbound traffic. Start by monitoring the internal interfaces of your firewalls, which lets you trace activity back to specific clients or users before NAT hides their addresses.

NTA also gives an organization more visibility into threats on its network, beyond the endpoint. With the rise of mobile devices, IoT devices, smart TVs and the like, you need something with more intelligence than just firewall logs. Firewall logs are also problematic when the network is under attack.

You may find that they are inaccessible because of the resource load on the firewall, or that they have been overwritten (or sometimes even modified by the attackers), resulting in the loss of important forensic information.

Some of the use cases for analyzing and monitoring network traffic include:

  • Detecting ransomware activity
  • Monitoring data exfiltration and internet activity
  • Monitoring access to files on file servers or MSSQL databases
  • Tracking a user's activity on the network through user forensics reports
  • Providing an inventory of which devices, servers and services are running on the network
  • Highlighting and identifying the root cause of bandwidth spikes on the network
  • Providing real-time dashboards focused on network and user activity
  • Generating network activity reports for management and auditors for any time period

What to look for in an NTA solution

Not all tools for monitoring network traffic are the same. Generally, they can be broken down into two types: flow-based tools and deep packet inspection (DPI) tools. Within these, you have further choices about software agents, storage of historical data, and intrusion detection systems. When evaluating which solution is right for your organization, consider these five things:

  1. Availability of flow-enabled devices: Do you have flow-enabled devices on your network capable of generating the flows required by an NTA tool that only accepts flows such as Cisco NetFlow? DPI tools accept raw traffic, which is available on every network through any managed switch, and are vendor independent. Network switches and routers do not require any special modules or support, just a SPAN or port-mirror session on any managed switch.
  2. Data sources: Flow data and packet data come from different sources, and not all NTA tools collect both. Look through your network traffic and decide which pieces are critical, then compare those needs against each tool's capabilities to ensure everything you need is covered.
  3. Points on the network: Consider whether the tool uses agent-based or agentless collection. Also, be careful not to monitor too many data sources at the outset. Instead, strategically choose the points where data converges, such as internet gateways or the VLANs associated with critical servers.
  4. Real-time data vs. historical data: Historical data is essential for analyzing past events, but some tools for monitoring network traffic do not retain that data as time goes on. Also check whether the tool is priced on the amount of data you want to store. Have a clear understanding of which data you care about most to find the option best suited to your needs and budget.
  5. Full packet capture vs. cost and complexity: Some DPI tools capture and retain every packet, which means expensive appliances, higher storage costs, and a lot of training and expertise to operate. Others do more of the "heavy lifting," capturing full packets but extracting only the critical detail and metadata for each protocol. This metadata extraction results in a huge data reduction while still giving readable, actionable detail that is ideal for network and security teams.

Conclusion

Network traffic analysis is an essential way to monitor network availability and activity to identify anomalies, maximize performance, and watch for attacks. Alongside log aggregation, UEBA, and endpoint data, network traffic is a core piece of the comprehensive visibility and security analysis needed to discover threats early and extinguish them fast.

When choosing an NTA solution, consider the current blind spots on your network, the data sources you need information from, and the critical points on the network where they converge for efficient monitoring. With NTA added as a layer to your security information and event management (SIEM) solution, you gain visibility into even more of your environment and your users.

Keep learning about NTA

Learn about Rapid7's XDR & SIEM products

Network traffic analysis news from the Rapid7 blog

Latest episodes of the [Lost Bots] security podcast