Network Traffic Analysis and Monitoring

The importance of network traffic analysis and monitoring in your cybersecurity program

What is Network Traffic Analysis (NTA)?

Network traffic analysis (NTA) is a method of monitoring network availability and activity to identify anomalies, including security and operational issues. Common use cases for NTA include:

  • Collecting a real-time and historical record of what’s happening on your network
  • Detecting malware such as ransomware activity
  • Detecting the use of vulnerable protocols and ciphers
  • Troubleshooting a slow network
  • Improving internal visibility and eliminating blind spots

Implementing a solution that can continuously monitor network traffic gives you the insight you need to optimize network performance, minimize your attack surface, enhance security, and improve the management of your resources. However, knowing how to monitor network traffic is not enough. It’s important to also consider the data sources for your network monitoring tool; two of the most common are flow data (acquired from devices like routers) and packet data (from SPAN, mirror ports, and network TAPs).

The key benefits of network traffic analysis

With the “it’s not if, it’s when” mindset regarding cyber attacks today, it can feel overwhelming for security professionals to ensure that as much of an organization’s environment is covered as possible. The network is a critical element of the attack surface; gaining visibility into network data provides one more place where they can detect attacks and stop them early. Benefits of NTA include:

  • Improved visibility into devices connecting to your network (e.g. IoT devices, visitor devices in healthcare settings)
  • Support for meeting compliance requirements
  • Faster troubleshooting of operational and security issues
  • Faster response to investigations, with rich detail and additional network context

A key step in setting up NTA is ensuring you’re collecting data from the right sources. Flow data is great if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and optimize network resource utilization and performance, but it can lack the rich detail and context needed to dig into cybersecurity issues.

Packet data extracted from network packets can help network managers understand how users are operating applications, track usage on WAN links, and monitor for malware or other security incidents. Deep packet inspection (DPI) tools provide full visibility over the network by transforming raw packet metadata into a readable format, enabling network and security managers to drill down to the minutest detail.

The importance of network traffic analysis

Keeping a close eye on your network perimeter is always good practice. Even with strong firewalls in place, mistakes can happen and rogue traffic could get through. Users could also leverage methods such as tunneling, external anonymizers, and VPNs to get around firewall rules.

Additionally, the rise of ransomware as a common attack type in recent years makes network traffic monitoring even more critical. A network monitoring solution should be able to detect activity indicative of ransomware spreading over insecure protocols. Take WannaCry, for example, where attackers actively scanned for networks with TCP port 445 open, and then used a vulnerability in SMBv1 to access network file shares.

Remote Desktop Protocol (RDP) is another commonly targeted application. Make sure you block any inbound RDP connection attempts at your firewall. Monitoring traffic inside your firewalls allows you to validate rules, gain valuable insight, and can also serve as a source of network traffic-based alerts.

Watch out for any suspicious activity associated with management protocols such as Telnet. Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files, and more. Be sure to check your network data for any devices running unencrypted management protocols, such as:

  • Telnet
  • Hypertext Transfer Protocol (HTTP, port 80)
  • Simple Network Management Protocol (SNMP, ports 161/162)
  • Cisco Smart Install (SMI, port 4786)
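The checks described in this section (cleartext management protocols, inbound RDP attempts, WannaCry-style sweeps of TCP port 445) can all be run over flow data alone. The script below is an added example, not code from the original article or from any NTA product: it parses a small, constructed NetFlow-style CSV export and applies each check as a separate function. It assumes 10.0.0.0/8 is the internal address space, uses port 23 for Telnet (the IANA-assigned port, which the article does not state), and adds one check the article mentions later, flagging unusually large outbound transfers, as a crude exfiltration indicator. The thresholds (five distinct SMB targets, 100 MiB outbound) are illustrative starting points, not recommendations from the page.

```python
"""Flow-record triage for the NTA use cases discussed in the text.

Each record mimics a minimal NetFlow-style export (src, dst, ports,
protocol, bytes). All records below are constructed sample data, not a
real capture. Assumption: 10.0.0.0/8 is the internal address space.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: these networks are "inside"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Cleartext management protocols from the list above. Port 23 for Telnet
# is the IANA-assigned port and is not stated on the page.
CLEARTEXT_MGMT_PORTS = {
    23: "Telnet",
    80: "HTTP",
    161: "SNMP",
    162: "SNMP trap",
    4786: "Cisco Smart Install",
}

# Constructed sample export: one flow per line.
SAMPLE_FLOWS = """src,dst,sport,dport,proto,bytes
10.1.1.5,10.2.0.1,51000,23,tcp,1800
10.1.1.5,10.2.0.9,51001,4786,tcp,400
10.1.1.7,10.2.0.9,51003,80,tcp,2200
10.1.1.7,10.2.0.1,51002,22,tcp,9000
203.0.113.8,10.2.0.30,44000,3389,tcp,120
10.1.1.9,10.2.0.30,44001,3389,tcp,350000
10.1.1.42,10.3.0.1,40001,445,tcp,60
10.1.1.42,10.3.0.2,40002,445,tcp,60
10.1.1.42,10.3.0.3,40003,445,tcp,60
10.1.1.42,10.3.0.4,40004,445,tcp,60
10.1.1.42,10.3.0.5,40005,445,tcp,60
10.1.1.11,10.3.0.1,40006,445,tcp,80000
10.1.1.20,198.51.100.7,50010,443,tcp,750000000
10.1.1.21,198.51.100.7,50011,443,tcp,40000
"""


def parse_flows(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "sport": int(row["sport"]),
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return rows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def cleartext_management(flows):
    """Devices accepting cleartext management protocols: {(dst, port): name}."""
    found = {}
    for f in flows:
        name = CLEARTEXT_MGMT_PORTS.get(f["dport"])
        if name and f["proto"] in ("tcp", "udp"):
            found[(str(f["dst"]), f["dport"])] = name
    return found


def inbound_rdp(flows):
    """RDP attempts crossing the perimeter inward (external src -> internal dst).
    Internal-to-internal RDP is deliberately not flagged here."""
    return [
        (str(f["src"]), str(f["dst"]))
        for f in flows
        if f["dport"] == 3389 and not is_internal(f["src"]) and is_internal(f["dst"])
    ]


def smb_fan_out(flows, min_targets=5):
    """Sources touching many distinct hosts on TCP/445 (WannaCry-style sweep)."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == 445 and f["proto"] == "tcp":
            targets[str(f["src"])].add(str(f["dst"]))
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def large_outbound(flows, min_bytes=100 * 1024 * 1024):
    """Internal hosts sending unusually large volumes to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("cleartext management:", cleartext_management(flows))
    print("inbound RDP:", inbound_rdp(flows))
    print("SMB fan-out:", smb_fan_out(flows))
    print("large outbound:", large_outbound(flows))
```

Each function returns plain data rather than printing so the results can feed an alerting pipeline or a SIEM. Note what flow data cannot tell you here: the Telnet flow is flagged purely by port, and whether the session actually carried a login or configuration dump is only visible in packet data, which is the trade-off the next sections discuss.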

What is the purpose of analyzing and monitoring network traffic?

Many operational and security issues can be investigated by implementing network traffic analysis at both the network edge and the network core. With a traffic analysis tool, you can spot things like large downloads, streaming, or suspicious inbound or outbound traffic. Make sure you start off by monitoring the internal interfaces of firewalls, which will allow you to track activity back to specific clients or users.

NTA also provides an organization with more visibility into threats on its networks, beyond the endpoint. With the rise in mobile devices, IoT devices, smart TVs, etc., you need something with more intelligence than just the logs from firewalls. Firewall logs are also problematic when a network is under attack. You may find that they are inaccessible due to resource load on the firewall, or that they’ve been overwritten (or sometimes even modified by attackers), resulting in the loss of vital forensic information.

Some of the use cases for analyzing and monitoring network traffic include:

  • Detect ransomware activity
  • Monitor data exfiltration and internet activity
  • Monitor access to files on file servers or MSSQL databases
  • Track a user’s activity on the network through user forensics reporting
  • Provide an inventory of which devices, servers, and services are running on the network
  • Highlight and identify the root cause of bandwidth peaks on the network
  • Provide real-time dashboards focusing on network and user activity
  • Generate network activity reports for management and auditors for any time period

What to look for in a network traffic analysis and monitoring solution

Not all tools for monitoring network traffic are the same. Generally, they can be broken down into two types: flow-based tools and deep packet inspection (DPI) tools. Within these tools you’ll have options for software agents, storing historical data, and intrusion detection systems. When evaluating which solution is right for your organization, consider these five things:

  1. Availability of flow-enabled devices: Do you have flow-enabled devices on your network capable of generating the flows required by an NTA tool that only accepts flows, such as Cisco NetFlow? DPI tools, by contrast, accept raw traffic, which is available on every network via any managed switch, and are vendor independent. Network switches and routers do not require any special modules or support, just traffic from a SPAN or mirror port on any managed switch.
  2. The data source: Flow data and packet data come from different sources, and not all NTA tools collect both. Look through your network traffic and decide which pieces are critical, then compare those needs against each tool’s capabilities to ensure everything you need is covered.
  3. The points on the network: Consider whether the tool uses agent-based or agentless collection. Also be careful not to monitor too many data sources right out of the gate. Instead, be strategic in picking locations where data converges, such as internet gateways or VLANs associated with critical servers.
  4. Real-time data vs. historical data: Historical data is critical to analyzing past events, but some tools for monitoring network traffic don’t retain that data as time goes on. Also check whether the tool is priced based on the amount of data you want to store. Have a clear understanding of which data you care about most to find the option best suited to your needs and budget.
  5. Full packet capture, cost and complexity: Some DPI tools capture and retain all packets, resulting in expensive appliances, increased storage costs, and much training and expertise to operate. Others do more of the “heavy lifting,” capturing full packets but extracting only the critical detail and metadata for each protocol. This metadata extraction results in a huge data reduction while still retaining readable, actionable detail that’s ideal for both network and security teams.

Conclusion

Network traffic analysis is an essential way to monitor network availability and activity in order to identify anomalies, maximize performance, and keep an eye out for attacks. Alongside log aggregation, UEBA, and endpoint data, network traffic is a core piece of the comprehensive visibility and security analysis needed to discover threats early and extinguish them fast. When choosing an NTA solution, consider the current blind spots on your network, the data sources you need information from, and the critical points on the network where they converge for efficient monitoring. With NTA added as a layer to your security information and event management (SIEM) solution, you’ll gain visibility into even more of your environment and your users.