Application and Network Traffic Visibility with NSX Intelligence & NTA

The console is accessed through a supported web browser (Chrome). Log in to NSX Manager:

  • Click the NSX 4.1 Chrome shortcut on the Desktop. The shortcut opens the NSX URL: https://nsx-mgr.vmwdp.com/
  • The login credentials are in the Credentials.txt file on the Desktop. Refer to the section titled NSX Manager.

A: Investigate - NSX Intelligence Traffic Visibility

Your first step will be to inspect the application traffic flow in NSX Intelligence.

  • Click on Plan & Troubleshoot (1). The Plan & Troubleshoot page shows a high-level overview of existing workload groups and the flows between them. Green lines indicate flows that match an existing segmentation policy in NSX, while red dotted lines indicate unprotected flows.
  • Click on the Objects filter (2), select Computes from the dropdown and check all the VMs that make up the acme multi-tier application: VDI-03, acme-web02, acme-app02, acme-db02.
  • Click on Apply (3).
  • Change the timeline from NOW to Last 2 Weeks (4) as highlighted in the above image.


Impact Score

Click on Apply Filter and under Suspicious Traffic, select Impact Score (1).

Apply Additional Filter

Apply an additional filter to review the Suspicious Traffic flows with a higher Impact Score.

  • Click on Apply Filter (1). Scroll down to the Suspicious Traffic section.
  • Select Impact Score as an option. In the Custom Range prompt, add Min = 64 and Max = 100 (2).
  • Click on Apply (3).

Review Threat Events

We can see workloads marked with an exclamation mark. This indicates that we've detected a threat affecting these workloads. Review Threat Events for an individual Virtual Machine.

B: Investigate - Suspicious Traffic & Initial Access

  • Right click on the VM acme-db02 and select Suspicious Network Activities.

DGA Algorithm

  • Find the event with Impact Score 65 (1) under Threat Detection. Expand the event by clicking the > button next to it. Review the suspicious activity.

  • As you can observe, the event is Command and Control Domain Generation Algorithm (DGA).
  • DGAs are pseudo-random generators that construct a random sequence of characters used to form domain names. DGAs provide malware with new domains in order to evade security countermeasures.
  • It is an anomaly in the DNS lookups performed by an internal host. The highlighted campaign in the event details indicates that this is not an individual detection; instead, there are multiple events across multiple assets.

NSX Advanced Threat Prevention leverages enhanced net flow data and Layer 7 flow information to build a baseline of what's normal for every workload, and then uses both unsupervised and supervised machine learning with threat-centric models to identify deviations from normal that are security relevant. The detection with the highest stress score here is the case in which we've detected the use of a domain generation algorithm.
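To see why DGA lookups stand out in DNS telemetry, and why several affected workloads are grouped into one campaign, the following added example (not NSX code and not how NSX scores events) applies a fixed entropy and vowel-ratio heuristic to a constructed DNS query log. The function names, thresholds and `.example` domains are assumptions made for illustration; only the workload names come from this lab.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (source workload, queried domain).
SAMPLE_QUERIES = [
    ("acme-db02", "xkqjzvwplmrtbnq.example"),
    ("acme-db02", "qwzrtpxvbnmklsd.example"),
    ("acme-db02", "updates.corp.example"),
    ("acme-app02", "zpqkxwvjrtmnbld.example"),
    ("acme-app02", "hgfxzqwkvbprtmn.example"),
    ("acme-web02", "www.corp.example"),
    ("acme-web02", "contentdeliverynetwork.example"),  # long but human-readable
]

def shannon_entropy(label):
    """Bits per character; random strings approach log2(alphabet size)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(domain, min_len=12, min_entropy=3.5, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy, vowel-poor label (assumed thresholds)."""
    parts = domain.lower().rstrip(".").split(".")
    # Simplification: score the label left of the TLD; a real tool would
    # consult the public suffix list to find the registrable label.
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def find_campaign(queries, min_hits=2, min_hosts=2):
    """Flag hosts with repeated DGA-like lookups; several hosts = campaign."""
    hits = defaultdict(set)
    for host, domain in queries:
        if looks_generated(domain):
            hits[host].add(domain)
    flagged = {h: sorted(d) for h, d in hits.items() if len(d) >= min_hits}
    return {"hosts": flagged, "campaign": len(flagged) >= min_hosts}

if __name__ == "__main__":
    result = find_campaign(SAMPLE_QUERIES)
    for host, domains in result["hosts"].items():
        print(host, "->", domains)
    print("campaign across multiple assets:", result["campaign"])
```

A static heuristic like this misfires on legitimate machine-generated hostnames, which is the gap that per-workload baselining is meant to close.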

Click on the campaign link (2) available in this event. It redirects to the NSX Network Detection and Response (NDR) window. We will learn more about NDR in the following sections.
