Network Traffic Analysis

Network Traffic Analysis (NTA) allows you to monitor the traffic that flows across your network, and provides your team with visibility into which systems are communicating with each other, what applications and protocols they are using, with whom they are talking, and more. NTA also includes a built-in Intrusion Detection System (IDS) with a set of custom Rapid7 signatures and various other built-in detections that enable you to gain a deeper understanding of attacker activity, detect intrusions earlier, and meet compliance needs.

NTA is powered by the Insight Network Sensor, which includes out-of-the-box capabilities such as Intrusion Detection System events and DNS and DHCP events.

Enhanced network traffic analysis (ENTA) is an Ultimate package feature, previously available as an add-on module. ENTA gives you access to all raw network flow data and the rich metadata collected by the Network Traffic Sensor including IP addresses, ports, content based application recognition, and other metadata attributed to specific users and devices.

Installing the Insight Network Sensor?

Check out the Insight Network Sensor documentation.

Network Traffic Analysis for InsightIDR

With Network Traffic Analysis for InsightIDR, you can use network data to detect malicious intruders, generate rule-based detections, and add critical context to investigations. Once you start collecting data in InsightIDR, you can view processed network traffic in the Log Search feature. Additionally, you can use your network sensor data as a foundation for custom-built reports and dashboards listing top applications, top external clients making inbound connections, and other data points.

How it works

Rapid7's Network Traffic Analysis offering is powered by the Insight Network Sensor. The sensor plugs into your network as a passive, non-inline component, which gives it full visibility without impacting the performance of your network. To get the most out of a sensor, place one at each of your network aggregation points – core switches are ideal – or in an area where network visibility combined with traditional logging or endpoint data sources would make for a powerful combination.

Once a sensor is viewing traffic, InsightIDR uses the sensor's data to generate detections based on the network traffic traversing your environment, and the IPv4 flow data it collects is also available as a new investigation data source. InsightIDR also leverages the DNS and DHCP information that the sensor extracts from network packets to produce further actionable detections.

Key use cases

Visibility into your network traffic is critical to securing your organization. With Rapid7's Network Traffic Analysis, you can gain visibility into your network traffic, detect potentially malicious network activity, and investigate incidents with more context.

Understand how to query network flow data with Log Search and create custom dashboards in this video.

Gain advanced network visibility

The Insight Network Sensor gives you the ability to see, search, and analyze network flow events so that you can gain visibility into what is happening on your network. This helps you to understand what is normal and, when it occurs, to identify what is abnormal.

With a full set of out-of-the-box, network-based charts, graphs, and tables, IDR gives you the ability to quickly see what is happening on your network.

Detect potentially malicious network activity

The Insight Network Sensor sends network flow and IDS event records to the InsightIDR cloud for attacker behavior analysis. Detection rules are triggered when specific network conditions are detected, based on specially curated rules crafted by the Rapid7 Threat Intelligence team. These rules point to conditions that we believe need further investigation.

We recognize that every environment is unique. With the data that the Insight Network Sensor provides you can also create basic detection rules (formerly known as custom alerts) based on network flow and IDS events to detect specific conditions on your network.

Improve investigations

During an investigation, context is critical to determining whether or not a detection is a false positive. With the Insight Network Sensor, network flow and IDS data can be added to any investigation to provide insight into potentially malicious activity related to the alert.

Optimization and performance tuning

InsightIDR engineering teams utilize a variety of tuning measures to optimize for system performance and data storage limits. These measures may include removal of excessively noisy, irrelevant, or duplicated data that would otherwise clutter dashboards and log sets, as well as data compression to make the best use of your available storage space. When implementing these measures, InsightIDR engineering teams work closely with Rapid7 researchers and security experts to ensure we are collecting data that is the most effective for detecting and investigating malicious activity in your environment.

Get Started with Network Traffic Analysis

  1. Set up Network Traffic Analysis for InsightIDR
  2. Monitor your data

Set up Network Traffic Analysis for InsightIDR

The following sections will guide you through the process of setting up a single sensor on your network.

  1. Install an Insight Network Sensor
  2. Configure Network Activity Dashboards
  3. Configure Basic Detection Rules
  4. Complete your roll-out of NTA

Task 1: Install an Insight Network Sensor

For a list of requirements, guidelines on where to install your sensor, and detailed deployment instructions, see the Insight Network Sensor Help site.

Task 2: Configure network activity dashboards

To take full advantage of your network sensor data, we recommend that you configure two dashboards: one to monitor the flow of data within your network, and one to monitor perimeter activities. You can populate each of these dashboards with custom-built cards that give you insight into your network data. For detailed descriptions of each of these cards, see Custom Cards.

Add an Internal Network Activity dashboard

  1. From the left menu, click Dashboards.
  2. Click Add Dashboard.
  3. Hover over “Add Card”, and click From Library.
  4. From the pre-configured card list, select Network Flow: Internal Network Activity.
  5. Select all 8 cards, and click Add Cards.
  6. Name your dashboard. You can arrange the display of your cards by clicking and dragging each card.

Add a Network Perimeter dashboard

  1. From the left menu, click Dashboards.
  2. Click Add Dashboard.
  3. Hover over “Add Card”, and click From Library.
  4. From the pre-configured card list, select Network Flow: Network Perimeter.
  5. Select all 13 cards, and click Add Cards.
  6. Name your dashboard and arrange the card display.

Task 3: Configure Basic Detection Rules

Network Traffic Analysis includes out-of-the-box intrusion detections that notify you when suspected malicious network activity is detected. However, you may want to track certain environment-specific behaviors that we have not accounted for in our out-of-the-box detections. With InsightIDR, you can do this by creating your own basic detection rules (formerly known as custom alerts).

Task 4: Complete your rollout of Network Traffic Analysis

Now that you have completed the setup process for your first sensor and configured your dashboards and basic detection rules, it’s time to start thinking about your broader approach to network traffic analysis.

Deploy additional sensors

Insight Network Sensors can be placed throughout your network to achieve the visibility needed for your environment. Sensors can be placed at:

  • Any network ingress or egress point to gain visibility into inbound or outbound traffic.
  • Network segment boundaries to view traffic moving between those segments (e.g. user and server networks, VPN aggregation points, virtualized environments).
  • User network segments to see lateral movement between user hosts.
  • Each regional data center for organizations with multiple sites.

The specific needs of your environment, including where you need network visibility, will drive where you should consider placing additional sensors.

Monitor your data

As soon as data starts flowing into InsightIDR, you can begin monitoring your network activity through Log Search, investigations, and your custom-built dashboards.

Search network flow logs

You can access your processed sensor data from the Log Search feature and aggregate your data by running specific queries. To illustrate, we’ll use an IP address that triggered a detection on your system.

To search your logs:

  1. From the left menu, click Log Search.
  2. Under Log Sets, select Network Flow, and expand the applicable data set.
  3. From the Entry record, highlight the field you want to search on, such as an IP address, paste it in the Search bar, and run your search. In our example, the search results would display all flow activity associated with that IP address.
  4. To group data within the search, click Functions, and enter a field. For example, you could group the data by “app_protocol_description” to see all network traffic applications related to that IP address.
  5. Click Search.

The same search can be performed on a user or an asset, where you would use the user's name or the asset name to see the applications they are communicating with.
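The grouped search described above, worked through in code as an added example (this is not Rapid7's code and not the Log Search implementation): a small set of constructed flow records in newline-delimited JSON is parsed, filtered to one IP address, and grouped by app_protocol_description with per-group flow counts and byte totals, which is the view a grouped search gives. Only app_protocol_description is a field name taken from the page; source_address, destination_address, destination_port and bytes are assumed names for this example. The group_by function is general, so the same code groups by any field, such as destination_port.

```python
import json
from collections import defaultdict

# Constructed sample flow log, one JSON object per line, in roughly the shape a
# flow record takes. Field names other than app_protocol_description are
# assumptions made for this example.
SAMPLE_FLOW_LOG = """\
{"source_address": "10.1.4.22", "destination_address": "93.184.216.34", "destination_port": 443, "app_protocol_description": "TLS", "bytes": 5120}
{"source_address": "10.1.4.22", "destination_address": "10.1.0.5", "destination_port": 53, "app_protocol_description": "DNS", "bytes": 120}
{"source_address": "10.1.4.22", "destination_address": "10.1.0.5", "destination_port": 53, "app_protocol_description": "DNS", "bytes": 140}
{"source_address": "10.1.4.22", "destination_address": "203.0.113.9", "destination_port": 80, "app_protocol_description": "HTTP", "bytes": 2048}
{"source_address": "198.51.100.7", "destination_address": "10.1.4.22", "destination_port": 3389, "app_protocol_description": "RDP", "bytes": 900}
{"source_address": "10.1.9.3", "destination_address": "10.1.0.5", "destination_port": 53, "app_protocol_description": "DNS", "bytes": 110}
"""


def parse_flow_log(text):
    """Parse newline-delimited JSON flow records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole search
    return records


def flows_for_ip(records, ip):
    """Return every flow in which the IP appears as source or destination."""
    return [r for r in records
            if r.get("source_address") == ip or r.get("destination_address") == ip]


def group_by(records, field):
    """Group records by a field.

    Returns {value: {"count": n, "bytes": total}}, ordered by byte volume
    descending, mirroring the grouped view in a search.
    """
    groups = defaultdict(lambda: {"count": 0, "bytes": 0})
    for r in records:
        key = r.get(field, "(missing)")
        groups[key]["count"] += 1
        groups[key]["bytes"] += int(r.get("bytes", 0))
    return dict(sorted(groups.items(), key=lambda kv: kv[1]["bytes"], reverse=True))


def applications_for_ip(text, ip):
    """The page's example: all application traffic associated with one IP address."""
    return group_by(flows_for_ip(parse_flow_log(text), ip), "app_protocol_description")


if __name__ == "__main__":
    for app, stats in applications_for_ip(SAMPLE_FLOW_LOG, "10.1.4.22").items():
        print(f"{app:6} flows={stats['count']:2} bytes={stats['bytes']}")
```

Note that the RDP flow is included for 10.1.4.22 even though the host is its destination rather than its source; a search on an address that triggered a detection should show both directions, which is why flows_for_ip matches either field.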

Add evidence to an investigation

When unusual activity triggers a detection, investigations are opened automatically. With Network Traffic Analysis for InsightIDR, you can add sensor data as evidence to an investigation.

Read more about how to add evidence to an investigation.

Review Custom Dashboard Data

This section contains descriptions of the custom cards that are provided out-of-the-box.

Network Flow: Internal Network Activity

The following cards provide a summary of what is happening inside your network.

  • Internal Servers of HTTP: Internal HTTP servers based on traffic volumes. Allows you to assess efforts to adopt HTTPS across the network.
  • Most Active Internal Systems Based on Traffic Volumes: Top systems sending and receiving data on the network.
  • Network Application Breakdown: Breakdown of the top applications running on the network.
  • Network Based Applications: Top applications and protocols based on the volume of data sent and received.
  • Top Destination Ports in Use: Network activity based on the destination port.
  • Top Unattributed Systems: Network activity associated with clients that have no asset name.
  • Top Users Based on Traffic Volumes: Top users based on the volume of data sent and received.
  • Total Network Traffic: Total amount of network traffic processed by network sensors.

Network Flow: Perimeter Activity

These cards depict the activity occurring at the gateway of your network and provide a summary of all the data entering and exiting it.

  • DNS Servers in Use By Country: Displays the top countries based on DNS server use.
  • Inbound Port Activity: Displays open ports on your firewall and identifies any external source addresses that have established a connection with internal clients.
  • Inbound RDP Connections: Most active external IP addresses attempting to connect inbound using Remote Desktop Protocol (RDP).
  • Inbound TLS1.0 or TLS1.1 Connections: Top internally hosted servers accepting TLS 1.0 or TLS 1.1 connections from external clients.
  • Network Perimeter Activity: Total traffic generated by your network devices to external applications and services.
  • Outbound Applications: Application use based on connections to IP addresses outside the network perimeter.
  • Outbound Port Activity: Ports open on the firewall where the source address is internal and the destination address is external.
  • Top Geo IP Organizations: Top resolved Geo IP organizations based on traffic volumes.
  • Top Inbound Applications: Most active applications where the source IP address is external.
  • Top Inbound Clients: Top external clients connecting inbound to the network, based on data volumes transmitted.
  • Top Inbound Countries: Displays the countries currently connected to your network based on GeoIP attribution.
  • Top Outbound Clients: Displays your top internal clients connecting outbound from the network, based on data volumes transmitted.
  • Top Outbound Geo IP Organizations: Outbound traffic: top resolved Geo IP organizations based on traffic volumes.
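The perimeter cards above (Inbound RDP Connections, Inbound TLS1.0 or TLS1.1 Connections, Top Inbound Clients) and the basic detection rules described under Task 3 all reduce to the same two steps: decide which side of a flow is external, then count or flag the flows that match a condition. The following added example, which is not Rapid7's code and does not reproduce how InsightIDR evaluates its cards or rules, does that over constructed perimeter flow records. It assumes the RFC 1918 ranges are the organization's internal address space, and the field names source_address, destination_address, destination_port, tls_version and bytes are assumptions; only app_protocol_description comes from the page. The rule list at the end is a minimal stand-in for a basic detection rule: a name and a predicate over one inbound flow.

```python
import ipaddress
from collections import Counter, defaultdict

# Address space treated as internal for this example: the RFC 1918 ranges.
# A real deployment would use the organization's own ranges (assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


# Constructed perimeter flow records. Field names other than
# app_protocol_description are assumptions; tls_version is only set on TLS flows.
PERIMETER_FLOWS = [
    {"source_address": "198.51.100.7", "destination_address": "10.1.4.22", "destination_port": 3389, "app_protocol_description": "RDP", "bytes": 900},
    {"source_address": "198.51.100.7", "destination_address": "10.1.4.23", "destination_port": 3389, "app_protocol_description": "RDP", "bytes": 700},
    {"source_address": "203.0.113.50", "destination_address": "10.1.4.22", "destination_port": 3389, "app_protocol_description": "RDP", "bytes": 300},
    {"source_address": "203.0.113.9", "destination_address": "10.1.8.10", "destination_port": 443, "app_protocol_description": "TLS", "tls_version": "1.0", "bytes": 4096},
    {"source_address": "203.0.113.9", "destination_address": "10.1.8.11", "destination_port": 443, "app_protocol_description": "TLS", "tls_version": "1.2", "bytes": 8192},
    {"source_address": "10.1.4.22", "destination_address": "93.184.216.34", "destination_port": 443, "app_protocol_description": "TLS", "tls_version": "1.3", "bytes": 65536},
    {"source_address": "10.1.9.3", "destination_address": "10.1.8.10", "destination_port": 443, "app_protocol_description": "TLS", "tls_version": "1.1", "bytes": 2048},
]


def inbound_flows(records):
    """Flows with an external source and an internal destination: the perimeter view."""
    return [r for r in records
            if not is_internal(r["source_address"]) and is_internal(r["destination_address"])]


def inbound_rdp_sources(records):
    """External addresses connecting inbound over RDP, most active first."""
    counts = Counter(r["source_address"] for r in inbound_flows(records)
                     if r.get("app_protocol_description") == "RDP"
                     or r.get("destination_port") == 3389)
    return counts.most_common()


def legacy_tls_servers(records):
    """Internal servers that accepted TLS 1.0 or 1.1 from external clients.

    Internal-to-internal legacy TLS is deliberately excluded, as the card is
    about external clients; it would be a separate (internal) rule.
    """
    return sorted({r["destination_address"] for r in inbound_flows(records)
                   if r.get("tls_version") in ("1.0", "1.1")})


def top_inbound_clients(records, n=5):
    """External clients ranked by bytes sent inbound."""
    totals = defaultdict(int)
    for r in inbound_flows(records):
        totals[r["source_address"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Minimal stand-in for basic detection rules: (name, predicate over one inbound flow).
RULES = [
    ("inbound-rdp-from-external", lambda r: r.get("destination_port") == 3389),
    ("legacy-tls-accepted", lambda r: r.get("tls_version") in ("1.0", "1.1")),
]


def evaluate_rules(records, rules=RULES):
    """Return one finding (rule name, source, destination) per matching inbound flow."""
    findings = []
    for r in inbound_flows(records):
        for name, predicate in rules:
            if predicate(r):
                findings.append((name, r["source_address"], r["destination_address"]))
    return findings


if __name__ == "__main__":
    print("Inbound RDP sources:", inbound_rdp_sources(PERIMETER_FLOWS))
    print("Legacy TLS servers:", legacy_tls_servers(PERIMETER_FLOWS))
    print("Top inbound clients:", top_inbound_clients(PERIMETER_FLOWS))
    for finding in evaluate_rules(PERIMETER_FLOWS):
        print("finding:", finding)
```

The direction test in inbound_flows is what keeps the cards honest: the outbound TLS 1.3 flow from 10.1.4.22 and the internal-only TLS 1.1 flow never reach the rules, so a rule written as "tls_version is 1.0 or 1.1" only fires for traffic that actually crossed the perimeter.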