
Network Monitor - APT capture



Posted

Seeing that Network Monitor is supposed to capture all network traffic, wouldn’t this be a great source for tracking down an APT?


APTs create a C2C channel (command and control) that communicates with the threat actor. Does Kaspersky capture this communication in Network Monitor? Is it possible to have communication that isn’t captured by Network Monitor?


I’m assuming Network Monitor captures UDP traffic as well, but I can’t confirm.

Posted

Hi @celsurf

APTs create a C2C channel (command and control) that communicates with the threat actor. Does Kaspersky capture this communication in Network Monitor? Is it possible to have communication that isn’t captured by Network Monitor?

I’m assuming Network Monitor captures UDP traffic as well, but I can’t confirm.

Yes, Network Monitor shows activity of all apps. 

UDP is monitored as well. 

Please also take into account that protection is complex, and APTs would also be controlled by Application Control, System Watcher, File Anti-Virus, Web Anti-Virus and Firewall. 

Regards,

Igor

Posted

Please also take into account that protection is complex, and APTs would also be controlled by Application Control, System Watcher, File Anti-Virus, Web Anti-Virus and Firewall. 

If a very sophisticated APT was able to avoid detection by Application Control, System Watcher, File Anti-Virus and Firewall, wouldn’t it still be logged in Network Monitor, assuming it tries to set up a command and control (C2C) communication?

Is it possible that this C2C communication can ‘hide’ itself within other legitimate Windows processes/apps that are running at the time, i.e. Chrome or Explorer? (If that is possible, then C2C communication can take place without easily being seen.)


What I’m trying to determine is if C2C communication will ALWAYS be logged by Network Monitor and easily spotted. (I am not a security expert and don’t know if APTs go to great lengths to hide their communication from being logged.)

Posted

If a very sophisticated APT was able to avoid detection by Application Control, System Watcher, File Anti-Virus and Firewall, wouldn’t it still be logged in Network Monitor, assuming it tries to set up a command and control (C2C) communication?

Yes, Network Monitor would show the network activity of the application. 

Is it possible that this C2C communication can ‘hide’ itself within other legitimate Windows processes/apps that are running at the time, i.e. Chrome or Explorer? (If that is possible, then C2C communication can take place without easily being seen.)

Taking into account other protection components, such as Application Control and System Watcher, this scenario is hardly probable. 

What I’m trying to determine is if C2C communication will ALWAYS be logged by Network Monitor and easily spotted. (I am not a security expert and don’t know if APTs go to great lengths to hide their communication from being logged.)

Yes, we expect it to be logged by Network Monitor.
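As an added illustration (not part of the thread and not Kaspersky's code), the script below triages the kind of per-application connection log Network Monitor displays: it flags processes reaching the Internet outside an assumed baseline and endpoints contacted at a regular interval. The baseline, thresholds and log records are all constructed for the example.

```python
# Added example, not Kaspersky's code: triage a per-application connection log of the
# kind Network Monitor shows against an assumed baseline of expected Internet activity.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records: (timestamp, process, protocol, remote address, remote port).
# RFC 5737 documentation addresses stand in for Internet hosts.
SAMPLE_LOG = [
    ("2024-01-01 10:00:00", "chrome.exe", "TCP", "198.51.100.20", 443),
    ("2024-01-01 10:00:05", "explorer.exe", "TCP", "203.0.113.10", 8443),
    ("2024-01-01 10:00:07", "svchost.exe", "UDP", "192.168.1.1", 53),
    ("2024-01-01 10:00:09", "notepad.exe", "UDP", "203.0.113.77", 4444),
    ("2024-01-01 10:01:05", "explorer.exe", "TCP", "203.0.113.10", 8443),
    ("2024-01-01 10:02:05", "explorer.exe", "TCP", "203.0.113.10", 8443),
]

# Assumed baseline: processes expected to reach non-LAN addresses, and on which ports.
# Anything not listed is treated as unexpected Internet activity and surfaced for review.
BASELINE = {
    "chrome.exe": {80, 443},
    "svchost.exe": {53, 80, 123, 443},
}

LAN_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_lan(addr):
    """True for RFC 1918 and loopback addresses; LAN traffic is left out of this triage."""
    return any(ip_address(addr) in net for net in LAN_RANGES)

def find_suspicious(log, beacon_min=3, period=timedelta(seconds=60), jitter=timedelta(seconds=5)):
    """Return (process, reason, endpoint) findings: connections outside the baseline, and
    endpoints contacted repeatedly at a near-constant interval (a simple beaconing check)."""
    by_endpoint = defaultdict(list)
    for ts, proc, proto, remote, port in log:
        if not is_lan(remote):
            by_endpoint[(proc, proto, remote, port)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    findings = []
    for (proc, proto, remote, port), times in by_endpoint.items():
        endpoint = f"{proto} {remote}:{port}"
        allowed = BASELINE.get(proc)
        if allowed is None:
            findings.append((proc, "not expected to reach the Internet", endpoint))
        elif port not in allowed:
            findings.append((proc, "unexpected port", endpoint))
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= beacon_min and all(abs(g - period) <= jitter for g in gaps):
            findings.append((proc, "regular beacon interval", endpoint))
    return findings
```

Calling find_suspicious(SAMPLE_LOG) reports explorer.exe (unexpected Internet activity at a fixed 60-second interval) and notepad.exe, while the chrome.exe connection on 443 passes the baseline, which is exactly the case asked about above and where a per-process log on its own is not enough.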
