Carbon Black XDR Network Traffic Analysis Exposes Adversaries

July 26, 2023

VMware Carbon Black is excited to announce our next extension of VMware Carbon Black XDR, with the release of Network Traffic Analysis (NTA) capabilities. NTA provides SOC analysts the ability to rapidly identify and monitor anomalous network traffic. This anomalous network traffic, or traffic which deviates sufficiently from a customer’s baseline of what is considered a pattern of ‘normal’ traffic, is yet another breadcrumb left behind by adversaries as they attempt to move laterally across an environment or establish malicious connections between customer systems and the internet.

Carbon Black XDR’s new NTA capability, together with the deep process level visibility delivered by endpoint detection and response (EDR), Identity Intelligence, IDS Observations, and deep network telemetry delivers to defenders the means to see more and stop more.

Using the capabilities of NTA, Carbon Black XDR can now generate baseline models of a customer’s network traffic. Traffic profiles which sufficiently deviate from the baseline models will automatically generate an alert. While not all anomalous activity is malicious, NTA’s identification of outlier behaviors provides an additional angle for data analysis, and when correlated with other indicators of attack it bolsters a customer’s security detection capabilities.

With this release we are delivering three specific NTA detectors:

  • IP Profiler: identifies anomalous IP address connections associated with a device, compared to those typically seen on that same device.
  • User Agent Profiler: identifies unusual user agents in connections being made from a local device compared to the user agents typically associated with that device.
  • Port Profiler: identifies connections to or from a local host that use an unusual destination port compared to the destination ports that host typically observes in expected network connections.

To understand the benefits of these, let’s look at a simple example. The most common C2 channels today are the web protocols HTTP and HTTPS. An attacker may set a User-Agent HTTP header that is not typically associated with a given device. NTA’s User Agent Profiler detector will automatically flag these anomalous headers, elevating them in the single Carbon Black console to the SOC analyst. The SOC analyst can now more rapidly and easily investigate this unusual behavior. Attempted attacks are identified faster, and the SOC analyst experience is improved as they investigate the alert with increased confidence that this traffic is malicious.
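As an added illustration, not Carbon Black’s own code, here is a minimal per-device profiler over constructed connection records: it learns which remote IPs, destination ports and user agents each device normally uses, then flags new connections whose values fall outside that baseline, covering all three detectors described above rather than only the User-Agent case. The record layout and the MIN_BASELINE threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample connection records, not Carbon Black telemetry:
# (device, remote_ip, dest_port, user_agent). BASELINE is the learning
# window; NEW is the traffic scored against it.
BASELINE = [
    ("host-a", "203.0.113.10", 443, "Mozilla/5.0 (Windows NT 10.0) Chrome/115"),
    ("host-a", "203.0.113.10", 443, "Mozilla/5.0 (Windows NT 10.0) Chrome/115"),
    ("host-a", "198.51.100.7", 443, "Mozilla/5.0 (Windows NT 10.0) Chrome/115"),
    ("host-a", "198.51.100.7", 80, "Microsoft-CryptoAPI/10.0"),
    ("host-b", "203.0.113.10", 443, "Mozilla/5.0 (Windows NT 10.0) Chrome/115"),
]
NEW = [
    ("host-a", "203.0.113.10", 443, "Mozilla/5.0 (Windows NT 10.0) Chrome/115"),
    ("host-a", "203.0.113.10", 443, "python-requests/2.31"),   # unusual UA
    ("host-a", "192.0.2.44", 8443, "Mozilla/5.0 (Windows NT 10.0) Chrome/115"),
    ("host-b", "192.0.2.44", 443, "Mozilla/5.0 (Windows NT 10.0) Chrome/115"),
]

# Column index of each profiled attribute: one entry per detector.
ATTRIBUTES = {"ip": 1, "port": 2, "user_agent": 3}
MIN_BASELINE = 3  # assumed: fewer records than this is not a usable baseline


def build_profiles(records):
    """Per-device set of values seen for each attribute, plus a record count."""
    profiles = defaultdict(lambda: {"count": 0, **{a: set() for a in ATTRIBUTES}})
    for rec in records:
        prof = profiles[rec[0]]
        prof["count"] += 1
        for name, idx in ATTRIBUTES.items():
            prof[name].add(rec[idx])
    return profiles


def detect_anomalies(records, profiles):
    """Return (device, detector, value) for each value absent from the device's
    baseline. Devices with too little history are reported, not scored, so a
    thin baseline does not produce a flood of false anomalies."""
    alerts = []
    for rec in records:
        device = rec[0]
        prof = profiles.get(device)
        if prof is None or prof["count"] < MIN_BASELINE:
            alerts.append((device, "insufficient_baseline", prof["count"] if prof else 0))
            continue
        for name, idx in ATTRIBUTES.items():
            if rec[idx] not in prof[name]:
                alerts.append((device, name, rec[idx]))
    return alerts


def run_demo():
    return detect_anomalies(NEW, build_profiles(BASELINE))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Set-membership baselining is deliberately simple; a production profiler would also weight by frequency and recency so that a rarely seen but legitimate value is not treated the same as a never-seen one.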

With NTA, Carbon Black XDR further delivers to SOC analysts the means to reduce both the likelihood of adversary attacks and the scope of damage resulting from them. Additional detectors are planned for release in the coming months.

To learn more about NTA and VMware Carbon Black XDR, check out the following resources: 
