Network Protection – Bitdefender TechZone

NAD provides protection against network-based threats on the Internet (IPv4/IPv6), Transport (TCP/UDP), and Application levels (various protocols). Various application protocols are supported, including HTTP(S), SSL, SCP/SSH, (S)FTP, RDP, DNS, Telnet, SMB (including Samba-based subprotocols such as RPC), and many others. Specifically for incoming server traffic, Network Protection extends its scanning capabilities to protocols such as SMB, RPC, Kerberos, LDAP, and WinRM. Additionally, for enhanced security on Domain Controllers, enabling the 'Inspect encrypted domain controller traffic' option activates decryption for SMB, RPC, and Kerberos protocols on those specific servers. Email protocols such as POP3, SMTP, IMAP, and MAPI are also supported. For POP3, SMTP, and IMAP, infected emails are replaced by notifications to the recipients, while MAPI traffic is only monitored and reported.

For all supported protocols, NAD deconstructs the packets and extracts relevant attributes (a process known as feature extraction). NAD examines the content and structure of packets at a deep level, beyond just the basic header information, in order to understand the nature of the traffic and identify specific patterns or behaviors.

If a protocol is not recognized, NAD includes algorithms for generic content identification. This allows it to recognize objects such as executables or URL addresses even for previously unknown or custom-built protocols.

Network Protection Policy configuration

On endpoints, Network Protection can be easily managed through Policy. For granular control, you can specify which protocols should be inspected by Secure Sockets Layer (SSL) for web traffic inspection. You can also define specific processes, such as those used by your Enterprise Browser.

The Network Attack Defense (NAD) solution continuously monitors the network traffic flowing to and from endpoints, enabling it to inspect network packets, headers, and payload data. This analysis provides valuable information about the traffic's source and destination. By integrating seamlessly with our Threat Intelligence platform, NAD gains access to a real-time database of reputation scores for domains, IP addresses, and URLs. These reputation scores serve as indicators of potential malicious activity.

Through active monitoring and analysis of network traffic, NAD identifies known malicious entities by leveraging the reputation scores provided by our threat intelligence platform. When network traffic attempts to access domains, IP addresses, or URLs with poor reputation scores, NAD promptly blocks access. This proactive approach effectively prevents endpoints from connecting to malicious websites, reducing the risk of malware infections, phishing attempts, and other network-based attacks.

By combining continuous network traffic monitoring, comprehensive inspection of packets, and integration with our robust threat intelligence platform, NAD offers a powerful defense mechanism. It detects and blocks access to known malicious entities, fortifying the security of endpoints and safeguarding sensitive data and systems from potential threats.

When analyzing traffic flow, the NAD solution has the capability to recognize and identify executable code within the network packets. This includes file types such as binaries, HTML, JavaScript, or PDF files, often containing active content that can pose security risks. Upon identification of the executable code, the code is extracted and forwarded to an external content scanner for validation.

The content scanner modules specialize in analyzing the extracted code to determine its nature and assess if it poses any malicious intent or threat. The content scanner goes beyond simple file type recognition and employs advanced techniques to scrutinize the code for indicators of malicious behavior. It examines the code's structure, behavior, and embedded elements to identify any signs of malicious activity, such as attempts to exploit vulnerabilities, execute unauthorized commands, or propagate malware.

In addition to handling individual executable files, the NAD also supports the analysis of various archived files. Archives, such as .zip files or .eml (email) files, are commonly used to bundle multiple files or data together. NAD ensures that these archive formats are processed by extracting their contents and subjecting them to the content scanner's analysis. This comprehensive approach helps to identify potential threats even within compressed or bundled files.

NAD can be installed directly on each endpoint, including desktop computers, laptops, servers, and other devices connected to the network. In addition to individual endpoint deployment, NAD is also available as the XDR Network Sensor, which functions as a network appliance. The XDR Network Sensor is designed to analyze network traffic from devices like iPads that connect to the same network but do not have an agent installed. These devices, without endpoint-specific NAD installations, can still contribute to the overall network security by having their traffic captured and analyzed by the XDR Network Sensor. This approach ensures comprehensive visibility and protection for the entire network, while also protecting individual users that are working outside of the network perimeter.

By combining data from NAD-enabled endpoints and the XDR Network Sensor, the central correlation engine strengthens its understanding of the network environment. It can detect anomalies, identify potential threats, and generate alerts or take automated actions to mitigate risks promptly. This centralized approach ensures a unified and coordinated response to security incidents across the network.

Network Attack Defense settings

Detailed information about Network Attack Defense configurations can be found at our Bitdefender Support Center here.

In the context of initial access, which typically originates from external sources, NAD provides several mechanisms to prevent security incidents. Here's an overview of the capabilities offered by NAD:

In the critical phase of establishing foothold and persistence following an initial compromise, NAD plays a pivotal role in preventing a security incident from escalating into a security breach. By focusing on the initial "call home" connection between malware and the Command & Control (C2) server, NAD employs various criteria to effectively block potential threats. As with the previous example, reputation-based blocking is highly effective, as threat actors often reuse existing infrastructure for attacks. But there are other methods of how NAD can identify “call home” connections:

In situations where threat actors have successfully compromised the network and switched to stealth mode, NAD proves highly valuable by providing critical data to the central correlation engine that powers our EDR/XDR platform. This integration enables enhanced visibility and context, allowing for more effective threat detection and response.

NAD is effective in identifying malicious operations that may be concealed or harder to detect without this additional context. Here are some examples of how NAD contributes to identifying and understanding such activities:

When it comes to data exfiltration attempts, NAD serves as a proactive defense mechanism, actively identifying and thwarting such activities while offering additional insights. As with all previous cases, reputation service would block connections to known malicious destinations. But NAD employs various other methods to detect and prevent data exfiltration, including: