网络流量分析(NTA)是一种监控网络可用性和活动以识别异常的方法, including security and operational issues. Common use cases for NTA include:
Implementing a solution that can continuously monitor network traffic 为您提供优化网络性能所需的洞察力,最大限度地减少您的 attack surface, enhance security, and improve the management of your resources.
However, knowing how to monitor network traffic is not enough. It’s important to also consider the data sources for your network monitoring tool; two of the most common are flow data (acquired from devices like routers) and packet data (from SPAN, mirror ports, and network TAPs).
With the “it’s not if, it’s when” mindset regarding cyber attacks today, 对于安全专业人员来说,确保尽可能多地覆盖组织的环境可能会让他们感到难以承受.
The network is a critical element of their attack surface; gaining visibility into their network data provides one more area they can detect attacks and stop them early.
设置NTA的关键步骤是确保从正确的来源收集数据. 如果您正在寻找流量并映射网络数据包从起点到目的地的旅程,流量数据是非常有用的. 这种级别的信息可以帮助检测未经授权的WAN通信,并利用网络资源和性能, but it can lack rich detail and context to dig into cybersecurity issues.
从网络数据包中提取的数据包数据可以帮助网络管理员了解用户是如何实现/操作应用程序的, track usage on WAN links, and monitor for suspicious malware or other security incidents. 深度数据包检测(DPI)工具通过将原始元数据转换为可读格式,并使网络和安全管理人员能够深入到最细微的细节,从而提供100%的网络可见性.
Keeping a close eye on your network perimeter is always good practice. 即使有强大的防火墙,错误也可能发生,恶意流量也可能通过. Users could also leverage methods such as tunneling, external anonymizers, and VPNs to get around firewall rules.
Additionally, the rise of ransomware as a common attack type in recent years makes network traffic monitoring even more critical. 网络监控解决方案应该能够检测到指示的活动 ransomware attacks via insecure protocols. Take WannaCry, for example, where attackers actively scanned for networks with TCP port 445 open, and then used a vulnerability in SMBv1 to access network file shares.
Remote Desktop Protocol (RDP) is another commonly targeted application. Make sure you block any inbound connection attempts on your firewall. Monitoring traffic inside your firewalls allows you to validate rules, gain valuable insight, and can also be used as a source of network traffic-based alerts.
注意与管理协议(如Telnet)相关的任何可疑活动. Because Telnet is an unencrypted protocol, 会话流量将显示适合设备品牌和型号的命令行接口(CLI)命令序列. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files, and more.
请确保检查网络数据中是否有运行未加密管理协议的设备, such as:
通过在网络边缘和网络核心实现网络流量分析,可以调查许多操作和安全问题. With the traffic analysis tool, you can spot things like large downloads, streaming or suspicious inbound or outbound traffic. 确保从监视防火墙的内部接口开始, 这将允许您跟踪活动回到特定的客户或用户.
NTA还为组织提供了对其网络威胁的更多可见性, beyond the endpoint. With the rise in mobile devices, IoT devices, smart TV’s, etc.,您需要比防火墙日志更智能的东西. Firewall logs are also problematic when a network is under attack.
您可能会发现,由于防火墙上的资源负载或它们已被覆盖(有时甚至被黑客修改),它们无法访问。, resulting in the loss of vital forensic information.
分析和监控网络流量的一些用例包括:
Not all tools for monitoring network traffic are the same. Generally, 它们可以分为两种类型:基于流量的工具和深度数据包检测(DPI)工具. Within these tools you’ll have options for software agents, storing historical data, and intrusion detection systems. 在评估哪个解决方案适合您的组织时,请考虑以下五件事:
网络流量分析是监控网络可用性和活动以识别异常的重要方法, maximize performance, and keep an eye out for attacks. Alongside log aggregation, UEBA, and endpoint data, 网络流量是全面可见性和安全性分析的核心部分,可以及早发现威胁并快速消除威胁.
When choosing a NTA solution, consider the current blind spots on your network, the data sources you need information from, 以及它们在网络上的关键点,以便进行有效的监控. With NTA added as a layer to your security information and event management (SIEM) solution,您将获得对环境和用户的更多了解.
Learn About Rapid7's XDR & SIEM Product