The goal of the NSX Suspicious Traffic feature in the Security Intelligence application is to detect suspicious or anomalous network traffic behaviors in your NSX environment.
How It Works
After you have satisfied the prerequisites, the NSX Suspicious Traffic feature can start generating network threat analytics on the network traffic flow data that Security Intelligence has collected from your eligible NSX workloads (hosts or clusters of hosts). Security Intelligence stores the collected data and persists that data for 30 days. The NSX Suspicious Traffic engine analyzes the data and flags suspicious activities using the supported detectors. You can view the information about the detected threat events using the Events tab of the NSX Suspicious Traffic UI page.
If activated, the NSX Network Detection and Response application sends the suspicious traffic events to the VMware NSX® Advanced Threat Prevention service for deeper analysis. If the NSX Advanced Threat Prevention service determines that certain suspicious traffic events are related, it correlates those suspicious traffic events into a campaign. The service then organizes the events in that campaign into a timeline and visualizes it on the NSX Network Detection and Response user interface. All threat events are visualized using the NSX Network Detection and Response user interface. The individual threat events and campaigns can be further investigated by your network security team. The NSX Advanced Threat Prevention service fetches periodic updates on the previously detected threats and updates the visualization UI screens when needed.
Supported Detectors
The following table lists the supported detectors that the NSX Suspicious Traffic feature uses to classify the detected suspicious network traffic. The detections generated by these detectors might be associated to specific techniques or tactics in the MITRE ATT&CK® Framework.
These detectors are turned off by default and you must explicitly turn on each detector that you want to use in your NSX environment. See Activate the NSX Suspicious Traffic Detectors for more details on any prerequisites and how to turn on the detectors.
You can manage the exclusion lists and the likelihood value for some of the definitions of these supported detectors using the Detector Definitions tab. See Managing the NSX Suspicious Traffic Detector Definitions for details.
Detector Name |
Description |
---|---|
Data Upload/Download |
Detect unusually large data transfers (uploads/downloads) for a host. |
Destination IP Profiler |
Detect attempts by internal devices to perform unusual connections toward other internal hosts. |
DNS Tunneling |
Detect attempts by an internal device to communicate covertly with an external server by abusing DNS traffic. |
Domain Generation Algorithm (DGA) |
Detect anomalies in the DNS lookups performed by an internal host that might be caused by DGA malware. |
Horizontal Port Scan |
Detect if an intruder tries to scan one or more ports or services across multiple systems (Sweeping). |
LLMNR/NBT-NS Poisoning and Relay |
Detect if a VM shows an unusual response pattern to LLMNR/NBT-NS requests. |
Netflow Beaconing |
Detect beaconing behavior from an internal host. |
Network Traffic Drop |
Detect if an unusually high amount of traffic is dropped by a distributed firewall rule. |
Port Profiler |
Detect when an internal client host communicates with an external host on an unusual port. |
Server Port Profiler |
Detect when an internal host is connected to by another internal host on an unusual port. |
Remote Services |
Detect suspicious behavior for remote connections, such as telnet, SSH, and VNC. |
Uncommonly Used Port |
Detect L7 Application ID Traffic mismatch with the standard assigned port/protocol. For example, SSH traffic runs on a non-standard port instead of the standard Port 22. |
Unusual Network Traffic Pattern |
Detect anomalies in the time series profile of a host. |
Vertical Port Scan |
Detect if an intruder tries to attack multiple open ports or services of a single system (Scanning). |