Kaspersky

Network Monitor - APT capture

  • 13 September 2020
  • 4 replies
  • 81 views


Seeing that Network Monitor is supposed to capture all network traffic, wouldn’t this be a great source for tracking down an APT?

APTs create a C2C channel (command and control) which communicates with the threat actor. Does Kaspersky capture this communication in Network Monitor? Is it possible to have communication that isn’t captured by Network Monitor?

I’m assuming Network Monitor also captures UDP traffic as well, but I can’t confirm.


4 replies


Hi @celsurf

> APTs create a C2C channel (command and control) which communicates with the threat actor. Does Kaspersky capture this communication in Network Monitor? Is it possible to have communication that isn’t captured by Network Monitor?

> I’m assuming Network Monitor also captures UDP traffic as well, but I can’t confirm.

Yes, Network Monitor shows the activity of all apps.

UDP is monitored as well. 

Please also take into account that protection is complex, and APTs would also be controlled by Application Control, System Watcher, File Anti-Virus, Web Anti-Virus and Firewall. 

Regards,

Igor

> Please also take into account that protection is complex, and APTs would also be controlled by Application Control, System Watcher, File Anti-Virus, Web Anti-Virus and Firewall.


If a very sophisticated APT was able to avoid detection by Application Control, System Watcher, File Anti-Virus and Firewall, wouldn’t it still be logged in Network Monitor, assuming it tries to set up a command and control (C2C) communication?

Is it possible that this C2C communication can ‘hide’ itself within other legitimate Windows processes/apps that are running at the time, i.e. Chrome or Explorer? (If that is possible, then C2C communication can take place without easily being seen.)


What I’m trying to determine is if C2C communication will ALWAYS be logged by Network Monitor and easily spotted. (I am not a security expert and don’t know if APTs go to great lengths to hide their communication from being logged.)


I did some research and came across this interesting bit from MITRE.

It makes note of items that are logged, as well as C2 communications.


Would be great to see how Home security products stand up to these APT tests.

https://attackevals.mitre-engenuity.org/APT29/results/kaspersky/


> If a very sophisticated APT was able to avoid detection by Application Control, System Watcher, File Anti-Virus and Firewall, wouldn’t it still be logged in Network Monitor, assuming it tries to set up a command and control (C2C) communication?

Yes, Network Monitor would show the network activity of the application. 

> Is it possible that this C2C communication can ‘hide’ itself within other legitimate Windows processes/apps that are running at the time, i.e. Chrome or Explorer? (If that is possible, then C2C communication can take place without easily being seen.)

Taking into account other protection components, such as Application Control and System Watcher, this scenario is hardly probable. 

> What I’m trying to determine is if C2C communication will ALWAYS be logged by Network Monitor and easily spotted. (I am not a security expert and don’t know if APTs go to great lengths to hide their communication from being logged.)

Yes, we expect it to be logged by Network Monitor.
