Positive Technologies today released version 10.2 of its PT Network Attack Discovery (PT NAD) traffic analysis system, which detects attacks on the perimeter and inside corporate networks, makes hidden threats visible, identifies suspicious activity even in encrypted traffic, and helps investigate incidents. Deep analytics modules in PT NAD 10.2 can detect 37 different types of suspicious activities, a ninefold increase over previous versions, all displayed in a single feed to help organizations and end users respond to threats faster.
The results of PT NAD pilot projects in 41 large companies have shown that, regardless of the sector, there are violations of information security regulations in 100% of corporate networks, suspicious traffic in 90%, and malware activity in 68% of them. PT NAD automatically detects attacker attempts to penetrate the network and identifies hacker presence on infrastructure based on a wide range of indicators, including use of hacker tools and transmission of data to attacker servers. The system identifies over 86 protocols and parses the 30 most common ones up to and including the L7 level, providing organizations with a full picture of what’s going on in the infrastructure to help them identify security flaws that enable attacks. It also provides security operations centers (SOCs) with full network visibility, enabling them to know whether an attack was successful, reconstruct the kill chain, and gather evidence. PT NAD analyzes both North/South and East/West traffic and detects lateral movement, attempts to exploit vulnerabilities, and attacks against end users on the domain and internal services.
With the latest upgrade, PT NAD users will now learn faster when:
- Credentials are transmitted over the network in clear text (which enables exploitation by attackers)
- Active VPN and proxy servers are observed (for example, if internal nodes access external OpenVPN or SOCKS5 proxy servers)
- Software for remote control is used (TeamViewer, AeroAdmin, RMS, etc.), or remote commands are executed using PsExec and PowerShell
- There is malware activity in the network.
In addition, the activity feed continues to display user notifications, alerts about indicators of compromise being triggered during the retrospective analysis, use of dictionary passwords, and information about unknown Dynamic Host Configuration Protocol (DHCP) servers, which automatically assign IP addresses and other communication parameters to devices connected to the network.