
As network traffic grows in volume and complexity, perimeter security and timely threat detection become critical. NetMon, a solution from Exabeam, offers detailed analysis of network traffic, enabling organizations to identify and investigate suspicious activity. This article provides a technical overview of NetMon's functionality and how it can be applied to improve network visibility.
Network Traffic Collection
NetMon is capable of collecting network traffic from various sources, providing comprehensive network monitoring. These sources include:
- SPAN/Mirror Ports: NetMon can analyze traffic copied from switch ports, allowing it to track data passing through specific network segments.
- Network TAPs (Test Access Points): TAPs provide a non-invasive method of capturing traffic, enabling NetMon to access data without impacting network performance.
- NetFlow/sFlow: NetMon supports the collection of network flow data provided by routers and switches, allowing for the analysis of overall trends and the identification of anomalies.
- Cloud Platforms: NetMon integrates with cloud platforms (AWS, Azure, GCP) to monitor traffic in cloud infrastructure.
After collection, the data undergoes processing and normalization to ensure a uniform format for subsequent analysis. NetMon supports a wide range of network protocols, including:
- HTTP/HTTPS: Analysis of web traffic, including URLs, headers, and content.
- DNS: Monitoring DNS queries to identify malicious domains and DNS tunneling attacks.
- SMTP: Analysis of email traffic to detect phishing attacks and data leaks.
- SMB: Monitoring file sharing to detect malware and unauthorized data access.
- TLS/SSL: Decryption and analysis of encrypted traffic (if corresponding keys are available).
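The DNS item above mentions spotting tunneling from query patterns. The following is an added example, not NetMon's or Exabeam's code, showing the kind of per-domain scoring a defender can run over DNS query logs: it parses constructed log lines, groups queries by registered domain (naively taken as the last two labels; a real deployment would use the Public Suffix List), and flags domains that receive many distinct, long, high-entropy subdomains, which is the signature of data being encoded into query names. The log format, sample lines and thresholds are all assumptions made for this example.

```python
"""Added example (not Exabeam/NetMon code): scoring DNS query logs for
tunneling indicators. Log format, sample lines and thresholds are constructed."""
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean


def _hexlabels(i: int) -> str:
    # Constructed sample: long hex-looking labels like those an encoding tunnel emits.
    h = hashlib.sha256(str(i).encode()).hexdigest()
    return f"{h[:32]}.{h[32:64]}"


# Constructed log lines: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z 10.0.0.5 TXT {_hexlabels(i)}.t.example.test"
    for i in range(8)
] + [
    "2024-05-01T10:01:00Z 10.0.0.7 A www.example.com",
    "2024-05-01T10:01:02Z 10.0.0.7 A mail.example.com",
    "2024-05-01T10:01:05Z 10.0.0.9 A api.example.com",
    "2024-05-01T10:01:07Z 10.0.0.9 A cdn.example.net",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data approaches 4, words sit well below 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Assumption: the registered domain is the last two labels.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def analyze(lines, min_unique=5, min_entropy=3.0, min_len=20) -> dict:
    """Return {registered_domain: stats} for domains whose query names look like
    an encoding channel: many distinct subdomains that are long and high-entropy."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                      "lengths": [], "txt": 0, "total": 0,
                                      "clients": set()})
    for line in lines:
        rec = parse_line(line)
        labels = rec["qname"].split(".")
        dom = ".".join(labels[-2:])
        sub_chars = "".join(labels[:-2])  # subdomain part without dots
        s = per_domain[dom]
        s["subdomains"].add(".".join(labels[:-2]))
        s["entropies"].append(shannon_entropy(sub_chars))
        s["lengths"].append(len(sub_chars))
        s["txt"] += rec["qtype"] == "TXT"
        s["total"] += 1
        s["clients"].add(rec["client"])
    flagged = {}
    for dom, s in per_domain.items():
        avg_entropy = mean(s["entropies"])
        avg_len = mean(s["lengths"])
        if (len(s["subdomains"]) >= min_unique and avg_entropy >= min_entropy
                and avg_len >= min_len):
            flagged[dom] = {
                "unique_subdomains": len(s["subdomains"]),
                "avg_entropy": round(avg_entropy, 2),
                "avg_subdomain_len": round(avg_len, 1),
                "txt_fraction": s["txt"] / s["total"],
                "clients": sorted(s["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for dom, stats in analyze(SAMPLE_LOG).items():
        print(dom, stats)
```

The three thresholds work together: a CDN legitimately produces many distinct subdomains, but they are short and low-entropy, so it is not flagged, while a single long random-looking query is ignored until the count of distinct names grows. A TXT-heavy ratio on a flagged domain is a further indicator worth surfacing in the alert.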
Scalability
For effective processing of large data volumes, NetMon utilizes a scalable architecture. This allows the system to handle the growing needs of organizations without performance degradation. Horizontal scaling is achieved by distributing the load across multiple servers, ensuring high availability and fault tolerance. Data processing and normalization are performed in real-time, enabling rapid threat detection.
Network Traffic Analysis
NetMon uses advanced analysis techniques to identify suspicious activity in network traffic.
Deep Packet Inspection (DPI)
DPI allows NetMon to extract metadata and analyze packet content. This process includes:
- Metadata Extraction: NetMon extracts information from packet headers, such as IP addresses, ports, protocols, and timestamps.
- Content Analysis: NetMon analyzes packet payloads to identify malicious code, suspicious strings, and other indicators of compromise.
- Application Recognition: NetMon identifies which applications are generating traffic, allowing for the identification of unauthorized application usage and suspicious network activity.
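The three DPI steps above (header metadata, payload content, application recognition) map directly onto a small parser. The following is an added example written for this article, not Exabeam's or NetMon's code: it decodes an Ethernet II / IPv4 / TCP-or-UDP frame with the Python standard library, rejects truncated or malformed headers rather than reading past them, and identifies the application from payload signatures before falling back to the port number. The sample frame, addresses (documentation ranges) and signature list are constructed for the example; checksums are not validated.

```python
"""Added example (not Exabeam/NetMon code): the metadata-extraction stage of
deep packet inspection on one constructed frame. Checksums are not validated."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


@dataclass
class FlowMetadata:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes


def parse_frame(frame: bytes) -> FlowMetadata:
    """Extract L3/L4 header fields and the application payload from one frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    # Trust total_len only up to what was captured, so a bogus length cannot
    # make us read beyond the buffer.
    l4 = ip[ihl:min(total_len, len(ip))]
    sport = dport = None
    payload = l4
    if proto == 6:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_offset = (off_flags >> 12) * 4
        if data_offset < 20 or data_offset > len(l4):
            raise ValueError("malformed TCP data offset")
        payload = l4[data_offset:]
    elif proto == 17:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:]
    return FlowMetadata(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                        PROTO_NAMES.get(proto, str(proto)), sport, dport, payload)


def recognize_application(md: FlowMetadata) -> str:
    """Payload signatures first, port number only as a fallback: HTTP spoken on an
    unusual port is still HTTP, which is what unauthorized-application checks need."""
    if md.payload.startswith(HTTP_METHODS) or md.payload.startswith(b"HTTP/1."):
        return "http"
    if (md.protocol == "TCP" and len(md.payload) >= 3
            and md.payload[0] == 0x16 and md.payload[1] == 0x03):
        return "tls"  # TLS record type 0x16 (handshake), version major 3
    if md.protocol == "UDP" and 53 in (md.src_port, md.dst_port):
        return "dns"
    return f"unknown/{md.protocol.lower()}:{md.dst_port}"


def build_sample_frame() -> bytes:
    """Constructed HTTP request 10.0.0.5:51000 -> 192.0.2.10:80 (TEST-NET-1)."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: data offset 5 words, flags PSH|ACK -> 0x5018; checksum left at 0
    tcp = struct.pack("!HHIIHHHH", 51000, 80, 1, 1, 0x5018, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp + payload


if __name__ == "__main__":
    md = parse_frame(build_sample_frame())
    print(md.src_ip, md.src_port, "->", md.dst_ip, md.dst_port,
          md.protocol, recognize_application(md))
```

The length checks at each layer are the part worth copying: a DPI engine sits on the untrusted side of the network, and a parser that trusts the IPv4 total length or the TCP data offset is itself an attack surface.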
Behavioral Analysis
NetMon uses behavioral analysis to identify anomalies in network traffic. This process includes:
- Baseline Profile Creation: NetMon creates profiles of normal behavior for users, devices, and applications.
- Anomaly Detection: NetMon identifies deviations from normal behavior, such as unusual traffic volumes, communication with suspicious IP addresses, and atypical protocols.
- Alert Prioritization: NetMon prioritizes alerts based on the degree of deviation from normal behavior, allowing analysts to focus on the most critical incidents.
Examples of Anomalies
NetMon can detect a wide range of anomalies, including:
- Unusual Traffic Volumes: A sudden increase or decrease in traffic may indicate a DDoS attack or data leak.
- Communication with Suspicious IP Addresses: Communication with known malicious servers or botnets.
- Atypical Protocols: The use of protocols that are not typically used on the network may indicate malicious activity.
- Unauthorized Data Access: Attempts to access sensitive data from unauthorized devices or accounts.
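The behavioral-analysis workflow just described (baseline profiles, deviation scoring, alert prioritization) and the anomaly types listed above can be shown end to end on a few flow summaries. The code below is an added example for this article, not Exabeam's or NetMon's implementation: per-host daily summaries, a threat-intelligence list and all thresholds are constructed, the baseline is a per-host mean and variance of outbound bytes plus the sets of services and peers seen, and alerts are ranked by how far the observation deviates. It also handles the flat-history edge case (a host whose volume never varies) and includes an exponentially weighted baseline update so the profile follows gradual change.

```python
"""Added example (not Exabeam/NetMon code): per-host baselines, deviation
scoring, alert prioritisation and an adaptive baseline update. All flow
summaries, the threat-intel list and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pvariance
from typing import Dict, List, Set

MB = 1_000_000


@dataclass
class DailySummary:
    day: int
    host: str
    bytes_out: int
    protocols: Set[str]   # service keys such as "tcp/443"
    peers: Set[str]       # remote addresses contacted


@dataclass
class Baseline:
    mean_bytes: float
    var_bytes: float
    protocols: Set[str]
    peers: Set[str]


@dataclass
class Alert:
    host: str
    kind: str
    detail: str
    score: float


NORMAL_PROTOS = {"tcp/443", "tcp/80", "udp/53"}
KNOWN_BAD_PEERS = {"203.0.113.50"}   # constructed threat-intel entry (TEST-NET-3)


def _history(host: str, daily_mb: List[int]) -> List[DailySummary]:
    return [DailySummary(d, host, mb * MB, set(NORMAL_PROTOS), {"192.0.2.10", "192.0.2.20"})
            for d, mb in enumerate(daily_mb, 1)]


# Constructed 14-day history: ws-17 varies slightly around 50 MB, ws-22 is flat.
HISTORY = (_history("ws-17", [48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 52, 48, 51, 50])
           + _history("ws-22", [20] * 14))


def build_baselines(history: List[DailySummary]) -> Dict[str, Baseline]:
    by_host = defaultdict(list)
    for s in history:
        by_host[s.host].append(s)
    out = {}
    for host, rows in by_host.items():
        vals = [r.bytes_out for r in rows]
        out[host] = Baseline(mean(vals), pvariance(vals),
                             set().union(*(r.protocols for r in rows)),
                             set().union(*(r.peers for r in rows)))
    return out


def _zscore(b: Baseline, x: int) -> float:
    # Floor the spread at 5% of the mean: a perfectly flat history would otherwise
    # divide by zero and flag every one-byte change.
    sigma = max(b.var_bytes ** 0.5, 0.05 * b.mean_bytes)
    return (x - b.mean_bytes) / sigma


def detect(baselines: Dict[str, Baseline], obs: DailySummary,
           bad_peers: Set[str], z_threshold: float = 3.0) -> List[Alert]:
    b = baselines.get(obs.host)
    if b is None:
        return [Alert(obs.host, "unknown-host", "no baseline yet; still learning", 1.0)]
    alerts = []
    z = _zscore(b, obs.bytes_out)
    if abs(z) >= z_threshold:   # unusual volume, up or down
        alerts.append(Alert(obs.host, "volume",
                            f"bytes_out {obs.bytes_out / MB:.0f} MB vs baseline "
                            f"{b.mean_bytes / MB:.0f} MB (z={z:.1f})", abs(z)))
    for p in sorted(obs.protocols - b.protocols):   # atypical protocol/service
        alerts.append(Alert(obs.host, "atypical-protocol", f"first use of {p}", 5.0))
    for peer in sorted(obs.peers & bad_peers):      # known-bad destination
        alerts.append(Alert(obs.host, "suspicious-peer", f"contacted {peer}", 10.0))
    return alerts


def prioritize(alerts: List[Alert]) -> List[Alert]:
    return sorted(alerts, key=lambda a: a.score, reverse=True)


def update_baseline(b: Baseline, obs: DailySummary, alpha: float = 0.1) -> Baseline:
    """Exponentially weighted mean/variance update so the profile tracks gradual
    drift; feed it only observations an analyst did not confirm as malicious."""
    diff = obs.bytes_out - b.mean_bytes
    incr = alpha * diff
    return Baseline(b.mean_bytes + incr, (1 - alpha) * (b.var_bytes + diff * incr),
                    b.protocols | obs.protocols, b.peers | obs.peers)


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    obs = DailySummary(15, "ws-17", 400 * MB, {"tcp/443", "tcp/21"},
                       {"192.0.2.10", "203.0.113.50"})
    for a in prioritize(detect(bl, obs, KNOWN_BAD_PEERS)):
        print(f"{a.score:6.1f} {a.host} {a.kind}: {a.detail}")
```

Two design points carry over to any real deployment: the spread floor in `_zscore` is what keeps a quiet host from generating noise, and the adaptive update must be gated on analyst feedback, otherwise a slow exfiltration simply becomes the new normal.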
Machine Learning
NetMon uses machine learning to adapt to normal network behavior and improve the accuracy of threat detection. Machine learning algorithms allow NetMon to:
- Automatically Update Baseline Profiles: NetMon automatically adapts to changes in the network environment, reducing the number of false positives.
- Identify Complex Attacks: NetMon can detect complex attacks that are difficult to detect using traditional detection methods.
- Improve Detection Accuracy: Machine learning allows NetMon to improve the accuracy of threat detection, reducing the number of false positives and false negatives.
Threat Detection and Response
NetMon not only detects suspicious activity but also provides tools for responding to threats.
Data Correlation
NetMon correlates traffic analysis data with other security data sources, such as SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response), to improve the accuracy of threat detection. Data correlation allows NetMon to:
- Combine Information from Various Sources: NetMon combines data from various sources to gain a more complete picture of the incident.
- Prioritize Incidents: NetMon prioritizes incidents based on their severity and potential impact.
- Automate Incident Response: NetMon can automatically trigger incident response actions, such as blocking suspicious IP addresses or isolating infected devices.

Alerts and Incidents
When suspicious activity is detected, NetMon generates alerts and incidents. Alerts provide information about specific events that may indicate a threat, while incidents represent a broader view of a potential attack.
Example Use Cases
NetMon can be used to detect various types of threats, including:
- Malware: Detecting malware attempting to contact command-and-control servers or propagate across the network.
- Man-in-the-Middle Attacks: Identifying attempts to intercept and modify network traffic.
- Data Leaks: Detecting unauthorized transfers of sensitive data outside the network.
- Denial-of-Service (DDoS) Attacks: Identifying and mitigating DDoS attacks.
Integration with Other Security Systems
NetMon integrates with other security systems, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), to automate threat response. Integration allows NetMon to:
- Automatically Block Suspicious IP Addresses: NetMon can automatically block suspicious IP addresses on firewalls.
- Trigger Vulnerability Scans: NetMon can trigger vulnerability scans on infected devices.
- Isolate Infected Devices: NetMon can isolate infected devices from the rest of the network.
Network Forensics and Incident Investigation
NetMon provides tools for investigating complex security incidents.
Detailed Network Traffic Information
NetMon provides detailed information about network traffic, including:
- Full Network Traffic History: NetMon stores a full history of network traffic, allowing analysts to go back in time and analyze events that occurred before the incident was detected.
- Detailed Packet Information: NetMon provides detailed information about each packet, including headers, payload, and timestamps.
- Network Connection Information: NetMon provides information about network connections, including IP addresses, ports, and protocols used in the connection.
Network Session Reconstruction
NetMon allows for the reconstruction of network sessions and analysis of packets to identify the root causes of incidents. This allows analysts to:
- Determine How an Attacker Gained Access to the Network: NetMon can help determine how an attacker gained access to the network by analyzing network traffic that preceded the intrusion.
- Determine What Data Was Compromised: NetMon can help determine what data was compromised by analyzing network traffic that was generated by the attacker.
- Determine Which Systems Were Affected: NetMon can help determine which systems were affected by analyzing network traffic that was generated by the attacker.
Data Visualization and Reporting
NetMon provides data visualization and reporting capabilities to facilitate investigation. Data visualization allows analysts to quickly identify trends and anomalies in network traffic, while reports provide detailed information about incidents and recommendations for remediation.
Network Telemetry
NetMon exposes network telemetry that reports on both network performance and security. Network telemetry allows organizations to:
- Monitor Network Performance: NetMon can help organizations monitor network performance, identifying bottlenecks and other issues.
- Optimize Network Performance: NetMon can help organizations optimize network performance by identifying and resolving issues.
- Improve Network Security: NetMon can help organizations improve network security by identifying and remediating vulnerabilities.
Conclusion
NetMon is a powerful solution for network traffic analysis and threat detection. It provides organizations with the network visibility needed to protect against cyber threats. By integrating with other security systems and providing detailed information about network traffic, NetMon helps organizations detect, investigate, and respond to security incidents. Using NetMon is an important component of a comprehensive security strategy, increasing the level of protection and ensuring resilience against modern cyber threats.
Frequently Asked Questions about NetMon: Deep Network Traffic Analysis
What is NetMon and what problem does it solve?
NetMon from Exabeam is a solution for detailed network traffic analysis. It helps organizations identify and investigate suspicious activity, ensuring security and network visibility.
What network traffic sources can NetMon use?
NetMon supports collecting traffic from various sources, including SPAN/Mirror Ports, Network TAPs (Test Access Points), NetFlow/sFlow streams, and cloud platforms (AWS, Azure, GCP).
What network protocols does NetMon support for traffic analysis?
NetMon supports a wide range of protocols, including HTTP/HTTPS, DNS, SMTP, SMB, and TLS/SSL.
What is DPI (Deep Packet Inspection) and how does NetMon use it?
DPI (Deep Packet Inspection) is a method that allows NetMon to extract metadata and analyze packet content. NetMon uses DPI to extract information, analyze payloads, and recognize applications.
How does NetMon use behavioral analysis to detect anomalies?
NetMon creates baseline profiles of normal behavior for users, devices, and applications. It then identifies deviations from these profiles, such as unusual traffic volumes or communication with suspicious IP addresses.
How does machine learning help NetMon in threat detection?
Machine learning algorithms allow NetMon to automatically update baseline profiles, identify complex attacks, and improve the accuracy of threat detection.
How does NetMon integrate with other security systems, such as SIEM and EDR?
NetMon correlates traffic analysis data with other security data sources, such as SIEM and EDR, to increase the accuracy of threat detection, prioritize incidents, and automate incident response.
What tools does NetMon provide for investigating security incidents?
NetMon provides detailed information about network traffic, tools for reconstructing network sessions, and data visualization and reporting capabilities to facilitate incident investigation.