Administrative Network Activity Analysis
Definition
Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.
How it works
Network protocols such as RDP, IPMI, SSH, SNMP, VNC, MOSH, NX, TeamViewer, SPICE, PCoIP, and others are used by system administrators to remotely manage servers. Defenders monitor administrative network activity to determine whether the use of these remote protocols is malicious. Attackers can abuse administrative protocols, leveraging them for initial access to various endpoints; for example, an attacker with valid credentials can SSH or RDP into a server remotely and attempt to blend in with existing traffic from system administrators. By monitoring this traffic, it is possible to detect when protocol use deviates from a known baseline of system administration activity.
Considerations
- Administrative traffic can be encrypted, making network protocol analysis a challenge
- False alarms can be mitigated by integration with inventory management systems
References
The following references were used to develop the Administrative Network Activity Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method and system for detecting suspicious administrative activity
MITRE Comments
Collect network traffic metadata directed at administrative services over a period of time to establish a baseline. This baseline is then used to determine suspicious activity that falls outside of the established baseline.
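The following is an added example illustrating the baseline-then-deviation approach described in "How it works" and in the MITRE comments above; it is not code from D3FEND or from the referenced patent. It works only on flow metadata (endpoints, port, time of day, byte count), which remains observable when the administrative protocol itself is encrypted, and it consults an inventory of authorized administrative hosts to suppress alarms for known jump hosts, as the second consideration suggests. The flow records, the port-to-protocol map, the inventory and the off-hours and volume thresholds are all constructed assumptions for the illustration.

```python
"""Baseline-and-deviation analysis of administrative protocol flow metadata.

Added illustration: every flow record, host address and threshold below is constructed.
"""
from datetime import datetime

# Assumption: a minimal destination-port map standing in for a service inventory.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 623: "IPMI", 161: "SNMP"}

# Assumption: hosts the inventory system lists as authorized administrative sources.
AUTHORIZED_ADMIN_HOSTS = {"10.0.0.5", "10.0.0.6"}

# Assumption: a flow larger than this multiple of the baseline maximum is unusual.
VOLUME_FACTOR = 3

# Constructed flow metadata collected during the baseline period.
# Fields: timestamp src_ip dst_ip dst_port bytes
BASELINE_LOG = """\
2024-05-06T09:05:00 10.0.0.5 10.0.1.20 22 3800
2024-05-06T11:40:00 10.0.0.5 10.0.1.21 22 5200
2024-05-06T14:15:00 10.0.0.6 10.0.2.30 3389 910000
2024-05-07T10:02:00 10.0.0.5 10.0.1.20 22 4100
2024-05-07T16:30:00 10.0.0.6 10.0.2.30 3389 875000
2024-05-08T13:20:00 10.0.0.5 10.0.1.21 22 3600
2024-05-08T12:00:00 10.0.3.9 10.0.1.20 443 120000
"""

# Constructed flow metadata from a later day, to be compared against the baseline.
NEW_LOG = """\
2024-05-09T10:30:00 10.0.0.5 10.0.1.20 22 3900
2024-05-09T02:45:00 10.0.0.5 10.0.1.20 22 4000
2024-05-09T11:10:00 10.0.4.77 10.0.1.21 22 4300
2024-05-09T15:00:00 10.0.0.6 10.0.1.20 3389 900000
2024-05-09T14:00:00 10.0.0.6 10.0.2.30 3389 9000000
2024-05-09T14:05:00 10.0.3.9 10.0.1.20 443 50000
"""


def parse_flows(text):
    """Parse whitespace-separated flow records, keeping only administrative services."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, size = line.split()
        port = int(port)
        if port not in ADMIN_PORTS:
            continue  # non-administrative services are out of scope here
        flows.append({"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": port, "bytes": int(size), "raw": line})
    return flows


def build_baseline(flows):
    """Per (dst, port) service: observed sources, hour-of-day range and largest flow."""
    baseline = {}
    for f in flows:
        entry = baseline.setdefault((f["dst"], f["port"]),
                                    {"sources": set(), "min_hour": 23, "max_hour": 0, "max_bytes": 0})
        entry["sources"].add(f["src"])
        hour = f["time"].hour
        entry["min_hour"] = min(entry["min_hour"], hour)
        entry["max_hour"] = max(entry["max_hour"], hour)
        entry["max_bytes"] = max(entry["max_bytes"], f["bytes"])
    return baseline


def deviations(flow, baseline):
    """Return the ways this flow departs from the baseline; an empty list means normal."""
    proto = ADMIN_PORTS[flow["port"]]
    entry = baseline.get((flow["dst"], flow["port"]))
    if entry is None:
        return [f"{proto} to {flow['dst']} never seen in baseline"]
    reasons = []
    if flow["src"] not in entry["sources"]:
        reasons.append(f"new {proto} source {flow['src']}")
        # The inventory lookup keeps a known jump host from being reported as unknown.
        if flow["src"] not in AUTHORIZED_ADMIN_HOSTS:
            reasons.append("source not in administrative host inventory")
    hour = flow["time"].hour
    if not entry["min_hour"] <= hour <= entry["max_hour"]:
        reasons.append(f"off-hours ({hour:02d}h outside {entry['min_hour']:02d}-{entry['max_hour']:02d}h)")
    if flow["bytes"] > VOLUME_FACTOR * entry["max_bytes"]:
        reasons.append(f"volume {flow['bytes']} exceeds {VOLUME_FACTOR}x baseline max")
    return reasons


def analyze(new_log, baseline_log=BASELINE_LOG):
    """Return (raw record, reasons) for every new administrative flow that deviates."""
    baseline = build_baseline(parse_flows(baseline_log))
    alerts = []
    for flow in parse_flows(new_log):
        reasons = deviations(flow, baseline)
        if reasons:
            alerts.append((flow["raw"], reasons))
    return alerts


if __name__ == "__main__":
    for raw, reasons in analyze(NEW_LOG):
        print(raw, "->", "; ".join(reasons))
```

Running the script reports four of the six new records: an SSH session at 02:45 outside the observed hours, an SSH source that is neither in the baseline nor in the inventory, an RDP service on a host that was only ever administered over SSH, and an RDP flow roughly ten times larger than anything in the baseline. The routine 10:30 SSH session and the HTTPS flow produce nothing. In practice the hour range and volume factor would be tuned per service, and the baseline window would be long enough to cover normal maintenance cycles.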