Capturing and analyzing network data for security has become the recommended practice in large networks. Malware authors morph and obfuscate their attack software to bypass anti-virus protection, and the recent Advanced Persistent Threat (APT) attacks successfully evaded most current anti-virus products, security appliances, and intrusion detection systems. Signature-based detectors have a hard time with these types of attacks.
Recently, I have been using the free version of NetWitness Investigator. NetWitness is the company that discovered the Kneber botnet. I am no expert by any means, but I am very impressed with the software so far. It captures network traffic, but it also does much more: you can easily analyze the traffic and discover trends. The Kneber bot tends to send data out to random foreign servers, and when you look at your capture in NetWitness, it lists suspicious one-way communications. You can click on a suspicious communication link to drill in and view the packets involved, then filter the data further by clicking the destination address, the source address, or even the protocol involved.
The ability to drill down and focus on individual items lets you filter through a large amount of data quickly and easily. When I ran it on my machine, it found a suspicious one-way transfer. I drilled into it, and Investigator showed me the packets involved: source, destination, location, and even the data payload. It revealed that two files had been downloaded to my machine from the web. Now I was very curious.
I could view the filenames and the server they came from. Investigator showed me everything, even where on my machine the files were downloaded to. Come to find out, I had captured a software auto-update for one of my programs. It was very interesting.
How could this be used to detect an APT attack on your system? APT attacks use HTTP communication and usually talk over port 80 and port 443, so you need to monitor for suspicious outgoing HTTP connections to random foreign servers. If you see consistent traffic of this type, you need to inspect it more closely. Investigator makes this very easy to do. Investigator is offered for free, and NetWitness even offers free training videos on YouTube. I would highly recommend that you check into it and see if it works for you.
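As an added illustration of the heuristic above (example code written for this post, not part of NetWitness Investigator), here is a small Python script that flags recurring one-way outbound HTTP/HTTPS sessions to non-internal addresses. The session records, the internal address ranges, and the repeat threshold are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address ranges (RFC 1918); adjust to your own network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample session summaries (not real captures; external addresses
# are documentation ranges). Fields: timestamp src_ip dst_ip dst_port bytes_out bytes_in
SESSIONS = """\
2010-03-01T09:00:00 10.0.0.5 203.0.113.7 80 512 0
2010-03-01T09:02:00 10.0.0.5 198.51.100.20 443 1200 45000
2010-03-01T09:03:00 10.0.0.5 10.0.0.9 80 300 0
2010-03-01T09:04:00 10.0.0.5 192.0.2.33 8080 700 0
2010-03-01T09:05:00 10.0.0.5 203.0.113.7 80 498 0
2010-03-01T09:10:00 10.0.0.5 203.0.113.7 80 530 0
"""

def parse_sessions(text):
    """Turn the whitespace-separated summary lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, out_b, in_b = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "out": int(out_b), "in": int(in_b)})
    return records

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def is_one_way_external_http(rec):
    """Outbound HTTP/HTTPS to a non-internal host with nothing coming back."""
    return (rec["port"] in (80, 443)
            and is_internal(rec["src"]) and not is_internal(rec["dst"])
            and rec["out"] > 0 and rec["in"] == 0)

def find_consistent_one_way(records, min_sessions=3):
    """Group one-way external HTTP sessions by (src, dst) and return the pairs
    seen at least min_sessions times: the 'consistent traffic' worth a closer look."""
    seen = defaultdict(list)
    for rec in records:
        if is_one_way_external_http(rec):
            seen[(rec["src"], rec["dst"])].append(rec["ts"])
    return {pair: ts for pair, ts in seen.items() if len(ts) >= min_sessions}

if __name__ == "__main__":
    for (src, dst), times in find_consistent_one_way(parse_sessions(SESSIONS)).items():
        print(f"inspect: {src} -> {dst} ({len(times)} one-way sessions)")
```

A hit here only means "drill in and look", as the post describes; a legitimate auto-updater can trip the same rule.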