Six new ways to combat cyberthreats: PT NAD 11.1 becomes even more effective
Positive Technologies introduces an updated PT NAD system with enhanced anomaly detection and detection of successful vulnerability exploitation.
Positive Technologies announced a new version of its PT Network Attack Discovery (PT NAD) traffic analysis system for detecting attacks on the perimeter and inside the network. In PT NAD 11.1, new statistical and behavioral modules detect previously unknown ICMP tunnels, anomalies in SMB traffic, and signs of the use of the Cobalt Strike and Brute Ratel C4 attack tools. In addition, this version introduces a module that confirms the successful exploitation of vulnerabilities on hosts.
Behavioral traffic analysis makes it possible to identify attacks accurately. The new release of PT NAD introduces algorithms that profile each device on the network, collect data about its behavior and look for anomalies. The PT NAD development team has transferred its expertise in proactive threat hunting in network traffic into automatic detections. The focus is on expanding the product's customization options for each company's specific infrastructure, so that anomalies and rare events that could pose a security risk are detected more accurately.
One method of maintaining communication with a compromised infrastructure is the use of covert data transmission channels, such as ICMP tunnels. Such activity usually goes unnoticed by firewalls and other detection systems. However, PT NAD 11.1 is able to detect known and new utilities used by attackers to hide their presence on the network by analyzing ICMP packet statistics.
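The paragraph above describes detecting ICMP tunnels from packet statistics rather than signatures. The following Python script, added here as an illustration and not PT NAD's own code or method, shows the kind of per-flow profiling such a detector performs: it aggregates echo requests per source/destination pair and scores payload entropy, payload-size variability, oversized payloads and request rate, flagging a flow only when several indicators trip at once (any single one is common in benign traffic). The thresholds, IP addresses and the traffic sample are constructed for this example.

```python
import hashlib
import math
from collections import defaultdict

# Thresholds are constructed for this example; they are not PT NAD's tuning.
DEFAULT_THRESHOLDS = {
    "entropy": 6.0,        # bits/byte; standard ping payloads sit well below this
    "distinct_sizes": 3,   # a normal ping keeps one payload size per session
    "max_size": 600,       # bytes; larger echo payloads are unusual on most networks
    "rate_pps": 2.0,       # echo requests per second for one src/dst pair
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for encrypted/compressed data, low for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def profile_icmp_flows(packets):
    """Aggregate ICMP echo requests (type 8) per (src, dst) into per-flow statistics."""
    flows = defaultdict(list)
    for pkt in packets:
        if pkt["type"] == 8:
            flows[(pkt["src"], pkt["dst"])].append(pkt)
    profiles = {}
    for key, pkts in flows.items():
        sizes = [len(p["payload"]) for p in pkts]
        ents = [shannon_entropy(p["payload"]) for p in pkts]
        ts = sorted(p["ts"] for p in pkts)
        duration = max(ts[-1] - ts[0], 1.0)  # floor at 1 s so a lone packet is not a "burst"
        profiles[key] = {
            "count": len(pkts),
            "distinct_sizes": len(set(sizes)),
            "max_size": max(sizes),
            "mean_entropy": sum(ents) / len(ents),
            "rate_pps": len(pkts) / duration,
        }
    return profiles

def score_flow(profile, thresholds=DEFAULT_THRESHOLDS):
    """List the indicators a flow profile trips; an empty list means nothing unusual."""
    reasons = []
    if profile["mean_entropy"] > thresholds["entropy"]:
        reasons.append("high-entropy payload")
    if profile["distinct_sizes"] > thresholds["distinct_sizes"]:
        reasons.append("variable payload size")
    if profile["max_size"] > thresholds["max_size"]:
        reasons.append("oversized payload")
    if profile["rate_pps"] > thresholds["rate_pps"]:
        reasons.append("high request rate")
    return reasons

def find_suspicious_icmp(packets, thresholds=DEFAULT_THRESHOLDS, min_reasons=2):
    """Return {flow: reasons} for flows that trip at least min_reasons indicators."""
    result = {}
    for key, prof in profile_icmp_flows(packets).items():
        reasons = score_flow(prof, thresholds)
        if len(reasons) >= min_reasons:
            result[key] = reasons
    return result

def _pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for tunneled ciphertext (constructed)."""
    out = b""
    j = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}-{j}".encode()).digest()
        j += 1
    return out[:n]

def build_sample_packets():
    """Constructed traffic: one ordinary ping session and one tunnel-like flow."""
    ping_payload = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte Windows ping pattern
    packets = [
        {"ts": float(i), "src": "10.0.0.8", "dst": "10.0.0.1", "type": 8, "payload": ping_payload}
        for i in range(10)
    ]
    packets += [
        {"ts": 0.2 * i, "src": "10.0.0.5", "dst": "203.0.113.7", "type": 8,
         "payload": _pseudo_random_bytes(f"chunk{i}", 256 + (i * 97) % 800)}
        for i in range(12)
    ]
    return packets

if __name__ == "__main__":
    for flow, reasons in find_suspicious_icmp(build_sample_packets()).items():
        print(f"{flow[0]} -> {flow[1]}: {', '.join(reasons)}")
```

Requiring two or more indicators is the important design choice: a Linux ping's default 56-byte payload carries a timestamp and a byte sequence with fairly high entropy, so entropy alone would produce noise, while a tunnel typically combines high entropy with varying sizes, large payloads or a rate no human-driven ping shows.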
To remain undetected, attackers encrypt SMB traffic and use malware and post-exploitation tools to communicate with their agents over SMB named pipes. New behavioral modules in PT NAD detect the encrypted SMB protocol and new SMB pipes in traffic.
PT NAD 11.1 is able to detect the activity of the Cobalt Strike and Brute Ratel C4 frameworks, which are actively used in targeted attacks. These frameworks allow attackers to interact with compromised hosts, execute commands, and move through the infrastructure. To detect this activity, Positive Technologies specialists developed statistical modules that identify the communication of these post-exploitation frameworks' agents with their command-and-control server.
PT NAD 11.1 also includes a new module for detecting successful exploitation. The experience of the Positive Technologies security expert center shows that vulnerability exploitation is one of the most common vectors of attacks on corporate networks. The new behavioral analysis module automatically extracts malicious indicators from network requests and checks whether they are used after a vulnerability on a host has been exploited.
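Agent-to-server communication of post-exploitation frameworks is typically detected statistically through its timing: an agent checks in on a configured sleep interval with some jitter, which makes the gaps between its connections far more regular than human-driven traffic. The Python script below is an added example of that kind of beaconing analysis, not PT NAD's own module; it groups a connection log by source, destination and port, computes the coefficient of variation of the inter-connection gaps, and reports pairs whose timing is machine-regular. The thresholds, the addresses and the connection log are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed thresholds for this example; real tuning depends on the network.
MIN_CONNECTIONS = 8      # fewer samples make interval statistics meaningless
MAX_INTERVAL_CV = 0.25   # std/mean of the gaps below this looks machine-timed

def interval_stats(timestamps):
    """Mean and coefficient of variation of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return {"mean": mean, "cv": math.sqrt(var) / mean, "samples": len(gaps)}

def find_beacons(connections, min_connections=MIN_CONNECTIONS, max_cv=MAX_INTERVAL_CV):
    """Group connections by (src, dst, dport) and report pairs with suspiciously regular timing."""
    by_pair = defaultdict(list)
    for c in connections:
        by_pair[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    findings = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_connections:
            continue  # too little data to judge periodicity
        stats = interval_stats(ts)
        if stats and stats["cv"] <= max_cv:
            findings[pair] = stats
    return findings

def build_sample_connections():
    """Constructed connection log: one jittered beacon and one interactive browsing session."""
    conns = []
    # Beacon: nominal 60 s sleep with up to 20% jitter, generated deterministically here
    t = 0.0
    for i in range(20):
        conns.append({"ts": t, "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443})
        t += 60.0 * (1 - 0.2 * ((i * 7) % 10) / 10)
    # Interactive browsing: bursty, human-paced gaps to the same port
    t = 0.0
    for gap in [0.4, 1.2, 0.3, 45.0, 2.5, 300.0, 0.8, 0.2, 120.0, 7.0, 900.0, 3.0]:
        t += gap
        conns.append({"ts": t, "src": "10.0.0.8", "dst": "198.51.100.20", "dport": 443})
    return conns

if __name__ == "__main__":
    for pair, stats in find_beacons(build_sample_connections()).items():
        print(f"{pair[0]} -> {pair[1]}:{pair[2]} every ~{stats['mean']:.1f}s "
              f"(cv={stats['cv']:.3f}, {stats['samples']} gaps)")
```

A production detector would add the dimensions this sketch omits, such as consistency of request and response sizes and the fraction of the host's traffic the pair accounts for, since some legitimate software (update checks, monitoring agents) also polls on a fixed schedule and has to be handled through exclusions.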
The new version of PT NAD introduces a setup wizard that allows users to set up basic product settings in half the time. The wizard also simplifies product deployment.
Other changes in PT NAD 11.1 include an improved mechanism for excluding items from the activity stream, the ability to create filters and share them with the team, a way to validate traffic capture and processing, and various engineering and user interface improvements.