Network Traffic Analysis

Network Traffic Analysis (NTA) allows you to monitor the traffic that flows across your network, and provides your team with visibility into which systems are communicating with each other, what applications and protocols they are using, with whom they are talking, and more. NTA also includes a built-in Intrusion Detection System (IDS) with a set of custom Rapid7 signatures and various other built-in detections that enable you to gain a deeper understanding of attacker activity, detect intrusions earlier, and meet compliance needs.

Installing the Insight Network Sensor?

Check out the Insight Network Sensor documentation.

Network Traffic Analysis for InsightIDR

With Network Traffic Analysis for InsightIDR, you can use network data to detect malicious intruders, generate rule-based alerts, and add critical context to investigations. Once you start collecting data in InsightIDR, you can view processed network traffic in the Log Search feature. Additionally, you can use your network sensor data as a foundation for custom-built reports and dashboards listing top applications, top external clients making inbound connections, and other data points.

How does it work?

Rapid7's Network Traffic Analysis offering is powered by the Insight Network Sensor. The sensor plugs into your network as a passive, non-inline component (for example, off a SPAN/mirror port or a network tap), so it gains full visibility without adding latency to or becoming a point of failure in the traffic path. To get the most out of a sensor, place one at each of your network aggregation points (core switches are ideal), or wherever network visibility combined with traditional logging or endpoint data sources would make for a powerful combination.

Once a sensor is viewing traffic, InsightIDR uses the network sensor data to generate investigations and alerts based on the network traffic traversing your environment; this includes an investigation data source built on IPv4 flow data. InsightIDR also uses the DNS and DHCP information that the network sensor extracts from packets to produce additional actionable alerts.

Key use cases

Visibility into your network traffic is critical to securing your organization. With Rapid7's Network Traffic Analysis, you can gain visibility into your network traffic, detect potentially malicious network activity, and investigate incidents with more context.

Gain advanced network visibility

The Insight Network Sensor gives you the ability to see, search, and analyze network flow events so that you can gain visibility into what is happening on your network. This helps you to understand what is normal and, when it occurs, to identify what is abnormal.

With a full set of out-of-the-box, network-based charts, graphs, and tables, InsightIDR gives you the ability to quickly see what is happening on your network.

Detect potentially malicious network activity

The Insight Network Sensor sends network flow and IDS event records to the InsightIDR cloud for Attacker Behavior Analysis (ABA). ABA alerts are generated when specific network conditions are detected, based on rules curated by the Rapid7 Threat Intelligence team. These alerts point to conditions that Rapid7 believes need further investigation.

We recognize that every environment is unique. With the data that the Insight Network Sensor provides you can also create custom alerts based on network flow and IDS events to detect specific conditions on your network.

Improve investigations

During an investigation, context is critical to determining whether or not an alert is a false positive. With the Insight Network Sensor, network flow and IDS data can be added to any investigation to provide insight into potentially malicious activity related to the alert.

How to get started

  1. Set up Network Traffic Analysis for InsightIDR
  2. Monitor your data

Set up Network Traffic Analysis for InsightIDR

The following sections will guide you through the process of setting up a single sensor on your network.

  1. Install an Insight Network Sensor
  2. Configure Network Activity Dashboards
  3. Configure Custom Alerts
  4. Complete your roll-out of NTA

Task 1: Install an Insight Network Sensor

For a list of requirements, guidelines on where to install your sensor, and detailed deployment instructions, see the Insight Network Sensor Help site.

Task 2: Configure network activity dashboards

To take full advantage of your network sensor data, we recommend that you configure two dashboards: one to monitor the flow of data within your network, and one to monitor perimeter activities. You can populate each of these dashboards with custom-built cards that give you insight into your network data. For detailed descriptions of each of these cards, see Custom Cards.

Add an Internal Network Activity dashboard

  1. From the left menu, click Dashboards.
  2. Click Add Dashboard.
  3. Hover over “Add Card”, and click From Library.
  4. From the pre-configured card list, select Network Flow: Internal Network Activity.
  5. Select all 8 cards, and click Add Cards.
  6. Name your dashboard. You can arrange the display of your cards by clicking and dragging each card.

Add a Network Perimeter dashboard

  1. From the left menu, click Dashboards.
  2. Click Add Dashboard.
  3. Hover over “Add Card”, and click From Library.
  4. From the pre-configured card list, select Network Flow: Network Perimeter.
  5. Select all 13 cards, and click Add Cards.
  6. Name your dashboard and arrange the card display.

Task 3: Configure custom alerts

Network Traffic Analysis includes out-of-the-box intrusion detection alerts that notify you when suspected malicious network activity is detected. However, you may want to track certain environment-specific behaviors that we have not accounted for in our out-of-the-box detections. With InsightIDR, you can do this by creating your own custom alerts.

Task 4: Complete your rollout of Network Traffic Analysis

Now that you have completed the setup process for your first sensor and configured your dashboards and custom alerts, it’s time to start thinking about your broader approach to network traffic analysis.

Deploy additional sensors

Insight Network Sensors can be placed throughout your network to achieve the visibility and alerting needed for your environment. Sensors can be placed at:

  • Any network ingress or egress point to gain visibility into inbound or outbound traffic.
  • Network segment boundaries to view traffic moving between those segments (i.e. user and server networks; VPN aggregation points; virtualized environments).
  • User network segments to see lateral movement between user hosts.
  • Each regional data center, for organizations with multiple sites.

The specific needs of your environment, including where you need network visibility, will drive where you should consider placing additional sensors.

Monitor your data

As soon as data starts flowing into InsightIDR, you can begin monitoring your network activity through Log Search, investigations, and your custom-built dashboards.

Search network flow logs

You can access your processed sensor data from the Log Search feature and aggregate your data by running specific queries. To illustrate, we’ll use an IP address that triggered an alert on your system.

To search your logs:

  1. From the left menu, click Log Search.
  2. Under Log Sets, select Network Flow, and expand the applicable data set.
  3. From the Entry record, highlight the field you want to search on, such as an IP address, paste it in the Search bar, and run your search. In our example, the search results would display all flow activity associated with that IP address.
  4. To group data within the search, click Functions, and enter a field. For example, you could group the data by “app_protocol_description” to see all network traffic applications related to that IP address.
  5. Click Search.

The same search can be performed on a user or asset where you would use a user’s name or an asset name to see the applications they are communicating with.
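The Log Search steps above (filter all flow entries for one address, then group by app_protocol_description) and the custom-alert idea from Task 3 (a rule that flags an environment-specific condition in flow or IDS events) can both be shown offline on a few flow records. The block below is an added example and is not Rapid7 or InsightIDR code: the flow records are constructed sample data, and the field names other than app_protocol_description (source_address, destination_address, destination_port, tls_version, bytes) are assumptions chosen to read like flow entries, not a statement of the sensor's actual schema. The two alert rules mirror two of the perimeter cards on this page (Inbound RDP Connections and Inbound TLS 1.0/1.1 Connections).

```python
"""Offline walk-through of an InsightIDR-style flow search and two custom alert rules.

Added example, not Rapid7 code. All records are constructed; field names other
than app_protocol_description are assumptions, not InsightIDR's real schema.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic). 10.0.0.0/8 plays the
# internal network; 198.51.100.7 and 203.0.113.10 are documentation-range
# "external" addresses.
SAMPLE_FLOWS = [
    {"source_address": "10.1.20.15", "destination_address": "10.1.5.8",
     "destination_port": 445, "app_protocol_description": "SMB", "bytes": 120_000},
    {"source_address": "10.1.20.15", "destination_address": "203.0.113.10",
     "destination_port": 443, "app_protocol_description": "HTTPS", "bytes": 40_000},
    {"source_address": "10.1.20.15", "destination_address": "10.1.5.9",
     "destination_port": 3389, "app_protocol_description": "RDP", "bytes": 900_000},
    {"source_address": "198.51.100.7", "destination_address": "10.1.5.9",
     "destination_port": 3389, "app_protocol_description": "RDP", "bytes": 5_000},
    {"source_address": "198.51.100.7", "destination_address": "10.1.5.20",
     "destination_port": 443, "app_protocol_description": "HTTPS", "bytes": 2_000,
     "tls_version": "TLSv1.0"},
    {"source_address": "10.1.20.16", "destination_address": "10.1.5.20",
     "destination_port": 443, "app_protocol_description": "HTTPS", "bytes": 8_000,
     "tls_version": "TLSv1.2"},
]

# Assumption for the sample: RFC 1918 space is "inside the perimeter".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(address: str) -> bool:
    """True if the address falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def flows_for_address(flows, address: str):
    """Search step 3: every flow where the address is the source or destination."""
    return [f for f in flows
            if address in (f["source_address"], f["destination_address"])]


def group_by_app(flows):
    """Search step 4: group by app_protocol_description, summing bytes, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["app_protocol_description"]] += f["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def inbound_rdp_alerts(flows):
    """Custom rule 1: RDP (tcp/3389) reaching an internal host from an external source.
    Internal-to-internal RDP is deliberately not matched here; lateral movement
    would be a separate rule with different thresholds."""
    return [{"rule": "inbound_rdp_from_external",
             "source": f["source_address"], "destination": f["destination_address"]}
            for f in flows
            if f["destination_port"] == 3389
            and not is_internal(f["source_address"])
            and is_internal(f["destination_address"])]


def legacy_tls_alerts(flows):
    """Custom rule 2: an internal server accepting TLS 1.0 or 1.1 from an external client."""
    return [{"rule": "legacy_tls_from_external",
             "source": f["source_address"], "destination": f["destination_address"],
             "tls_version": f["tls_version"]}
            for f in flows
            if f.get("tls_version") in ("TLSv1.0", "TLSv1.1")
            and not is_internal(f["source_address"])
            and is_internal(f["destination_address"])]


def run_custom_alerts(flows):
    """Evaluate every rule over the flow set and return the alerts in rule order."""
    return inbound_rdp_alerts(flows) + legacy_tls_alerts(flows)


if __name__ == "__main__":
    suspect = "10.1.20.15"  # the address that "triggered an alert" in the walkthrough
    print(f"Applications used by {suspect}:", group_by_app(flows_for_address(SAMPLE_FLOWS, suspect)))
    for alert in run_custom_alerts(SAMPLE_FLOWS):
        print("ALERT", alert)
```

On the sample data the search for 10.1.20.15 returns three flows grouped as RDP, SMB and HTTPS by volume, and the two rules raise exactly one alert each: the external RDP attempt against 10.1.5.9 and the TLS 1.0 session accepted by 10.1.5.20. The internal RDP and TLS 1.2 flows are left alone, which is the point of writing the external/internal check into the rule rather than alerting on a port alone.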

Add evidence to an investigation

When unusual activity triggers an alert, investigations are opened automatically. With Network Traffic Analysis for InsightIDR, you can add sensor data as evidence to an investigation.

To add evidence to an investigation:

  1. Go to Investigations, and select the investigation you want to update.
  2. At the top of your investigation record, click Add Data > Log Data.
  3. Run a query on the data you want to add to your investigation. For example, an IP address.
  4. Select the entries you want to add, and click Send to Investigation.
  5. On the “Add Raw Log Data” page, add context to the evidence.
  6. Click Save. The log line will then appear in the Investigation timeline.

Review Custom Dashboard Data

This section contains descriptions of the custom cards that are provided out-of-the-box.

Network Flow: Internal Network Activity

The following cards provide a summary of what is happening inside your network.

  • Internal Servers of HTTP: Internal HTTP servers based on traffic volumes. Allows you to assess efforts to adopt HTTPS across the network.
  • Most Active Internal Systems Based on Traffic Volumes: Top systems sending and receiving data on the network.
  • Network Application Breakdown: Breakdown of top applications running on the network.
  • Network Based Applications: Top applications and protocols based on volume of data sent and received.
  • Top Destination Ports in Use: Network activity based on the destination port.
  • Top Unattributed Systems: Network activity associated with clients where there is no asset name.
  • Top Users Based on Traffic Volumes: Top users based on data volumes sent and received.
  • Total Network Traffic: Total amount of network traffic processed by network sensors.

Network Flow: Perimeter Activity

These cards depict the activity that is occurring at the gateway of your network, and provide a summary of all the data entering and exiting your network.

  • DNS Servers in Use By Country: Displays top countries based on DNS server use.
  • Inbound Port Activity: Displays open ports on your firewall, and identifies any external source addresses that have established a connection with internal clients.
  • Inbound RDP Connections: Most active external IP addresses attempting to connect inbound using Remote Desktop Protocol (RDP).
  • Inbound TLS1.0 or TLS1.1 Connections: Top servers hosted internally accepting TLS 1.0 or TLS 1.1 connections from external clients.
  • Network Perimeter Activity: Total traffic generated by your network devices to external applications and services.
  • Outbound Applications: Application use based on connections to IP addresses outside the network perimeter.
  • Outbound Port Activity: Ports open on the firewall where the source address is internal and the destination address is external.
  • Top Geo IP Organizations: Top resolved Geo IP organizations based on traffic volumes.
  • Top Inbound Applications: Most active applications where the source IP address is external.
  • Top Inbound Clients: Top external clients connecting inbound to the network based on data volumes transmitted.
  • Top Inbound Countries: Displays the countries that are currently connected to your network based on Geo IP attribution.
  • Top Outbound Clients: Displays your top internal clients that are connecting outbound from the network based on data volumes transmitted.
  • Top Outbound Geo IP Organizations: Top resolved Geo IP organizations for outbound traffic, based on traffic volumes.