Jump to content
Kaspersky Support Forum

Network Monitor - APT capture

celsurf

By celsurf
in Kaspersky Internet Security

 Share

Recommended Posts

celsurf

celsurf

Posted
  • Author
Posted

Seeing that Network Monitor suppose to capture all network traffic, wouldn’t this be a great source for tracking down an APT ? 

 

APTs create C2C channel (command and control) which communicates with the threat actor. Does Kaspersky capture this communication in Network Monitor ?  Is it possible to have communication that isn’t captured by Network Monitor ? 

 

I’m assuming Network Monitor also captures UDP traffic as well but I can’t confirm. 

Link to comment
Share on other sites
Igor Kurzin

Igor Kurzin

Posted
Posted

Hi @celsurf

APTs create C2C channel (command and control) which communicates with the threat actor. Does Kaspersky capture this communication in Network Monitor ?  Is it possible to have communication that isn’t captured by Network Monitor ? 

I’m assuming Network Monitor also captures UDP traffic as well but I can’t confirm. 

Yes, Network Monitor shows activity of all apps. 

UDP is monitored as well. 

Please also take into account that protection is complex, and APTs would also be controlled by Application Control, System Watcher, File Anti-Virus, Web Anti-Virus and Firewall. 

Regards,

Igor

Link to comment
Share on other sites
celsurf

celsurf

Posted
  • Author
Posted

Please also take into account that protection is complex, and APTs would also be controlled by Application Control, System Watcher, File Anti-Virus, Web Anti-Virus and Firewall. 

 

 

If a very sophisticated APT was able to avoid detection by Application Control, System Watcher, File Anti-Virus and Firewall, wouldn’t it still be logged in Network Monitor assuming it tries to setup a command and control (C2C) communication ?

Is it possible that this C2C communication can  ‘hide’ itself within other legitimate Windows processes/apps that are running at the time ? ie. Chrome or Explorer.  (If that is possible, then C2C communication can take place without easily being seen)

 

What I’m trying to determine is if C2C communication will ALWAYS be logged by Network Monitor and easily spotted. (I am not a security expert and don’t know if APTs go to great lengths to hide their communication from being logged) 

Link to comment
Share on other sites
Igor Kurzin

Igor Kurzin

Posted
Posted

If a very sophisticated APT was able to avoid detection by Application Control, System Watcher, File Anti-Virus and Firewall, wouldn’t it still be logged in Network Monitor assuming it tries to setup a command and control (C2C) communication ?

Yes, Network Monitor would show the network activity of the application. 

Is it possible that this C2C communication can  ‘hide’ itself within other legitimate Windows processes/apps that are running at the time ? ie. Chrome or Explorer.  (If that is possible, then C2C communication can take place without easily being seen)

Taking into account other protection components, such as Application Control and System Watcher, this scenario is hardly probable. 

What I’m trying to determine is if C2C communication will ALWAYS be logged by Network Monitor and easily spotted. (I am not a security expert and don’t know if APTs go to great lengths to hide their communication from being logged) 

Yes, we expect it to be logged by Network Monitor.

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing


×
×
  • Create New...