Free Network Threat Detection Monitoring and Forensics Tool

0

Today’s networks are becoming increasingly complex and full of many different kinds of traffic traversing them. Capable tools are needed to be able to detect threats in real time and perform network monitoring and forensics. Often organizations combine many different types of tools to gather data and then attempt to correlate the data between the various tools and utilities. Many network threat detection and forensics tools are costly and may not perform all the functionality that is desired. Can you possibly get network threat detection and forensics for free? Yes! Let’s take a look at free network threat detection monitoring and forensics tool by way of LogRhythm Netmon Freemium.

What is LogRhythm Netmon Freemium?

What is LogRhythm NetMon Freemium? This is a tool that is available to download for FREE. It is able to detect threats in real time and perform network monitoring and forensics all in a very simple and intuitive user interface. The features provided are enterprise grade features including network-based threat detection and network-based incident response.

Why are network monitoring, threat detection, and forensics important in today’s security conscious world? Security events can be very difficult to correlate. Attackers may spread out bits and pieces of the attack over various hosts and networks. Manually finding and attempting to correlate network and other events manually can be like finding the proverbial “needle in a hay stack”. It doesn’t have to be however. This is where the value of a network threat detection monitoring and forensics tool comes into play.

LogRhythm Netmon Freemium allows capturing and easily displaying this data in a way that is friendly to analysis and allows intuitive, powerful searching capabilities.

Free Network Threat Detection Monitoring and Forensics Tool

For testing out the LogRhythm Netmon threat detection, monitoring, and forensics tool, I loaded the Netmon Freemium installaton in a VMware vSphere virtual machine that had a couple of virtual network adapters provisioned. One is for management and the other is connected to a vSwitch that is uplinked to a port that is mirrored to the uplink port for the firewall interface for a particular LAN segment I wanted to monitor. There are various ways to configure LogRhythm Netmon to capture traffic via a SPAN port or a network TAP of various configurations. Look for an upcoming post detailing my installation inside of VMware vSphere to monitor network traffic.

6 Ways You Can Use LogRhythm NetMon Freemium:

  1. Surface potential insider threats – With this capability, Netmon Freemium allows seeing any potential data exfiltration, identified by long running sessions, low and slow sessions hidden in normal traffic, anomalous outbound network sessions, and outbound traffic to cloud file shares such as DropBox, etc.
  2. Discover operational anomalies – Verify absence of blocked traffic such as outbound ICMP, identify tunneling holes such as RDP or TOR traffic over non-standard ports, and compare application profiles pre and post security changes.
  3. Find hidden security threats – Use Netmon Freemium to catch cyberthreats sneaking around in low-level chatty protocols like DNS, ICMP, or Kerberos.
  4. Detect botnets and beaconing – Identify traffic using anomalous ports, view malformed packet headers, recognize command and control callbacks, and see time-based activity trends to/from specific addresses.
  5. Expose nuisance apps and bandwidth hogs – Discover when people are using apps that are against your corporate policy, or find out who or what is taking up the most bandwidth.
  6. See where your network traffic is going – Identify outbound IP and URL destinations and classify traffic by ingress, egress, or lateral motion in your network.

Screenshots of the LogRhythm Freemium Dashboards and Interface

There are many things that struck me about the LogRhythm Netmon Freemium interface and dashboards for network threat detection, monitoring, and forensics. The interface is super clean and very intuitive. Even though I wasn’t familiar with it at all, the menus have a way of finding you when you are looking for a particular view, etc. Performance of the interface was great with no lagginess. Everything was responsive. The various view were crisp and easy to read and interpret.

The first view below is the Discover view that displays low-level TCP traffic flows that you can drill into to look at the various metadata included.

The-Analyze-Discover-Dashboard-in-LogRhythm-Netmon-Freemium Free Network Threat Detection Monitoring and Forensics Tool
The Analyze Discover Dashboard in LogRhythm Netmon Freemium

Perhaps the area you want to focus your attention when you first login is found under the Analyze menu. Under this menu, you have the Discover, Visualize, and Dashboard options. This is where you will look to discover and consume most of the data the solution will capture.

Analyze-options-in-LogRhythm-Freemium Free Network Threat Detection Monitoring and Forensics Tool
Analyze options in LogRhythm Freemium

A really great view is the Destination Port Dashboard. I find that many focus on filtering and knowing what is coming into a network. However, equally important is egress traffic. If attackers get in, they will most definitely be making connections outbound. Having this kind of visibility and knowing where traffic is exiting to, is a key component of network security, visibility, and forensics.

Destination-port-dashboard-in-LogRhythm-Netmon-Freemium Free Network Threat Detection Monitoring and Forensics Tool
Destination port dashboard in LogRhythm Netmon Freemium

Under the top navigation ribbon, there is a few buttons in the upper-right quadrant that allow opening and saving dashboards. There are quite a few prebuilt dashboards that are installed by default. you can see these by clicking the “open” icon and navigating through the dashboards (in alphabetical order) with the “numbers” menu underneath.

Opening-prebuilt-LogRhythm-Netmon-Freemium-dashboards Free Network Threat Detection Monitoring and Forensics Tool
Opening prebuilt LogRhythm Netmon Freemium dashboards

The Traffic Endpoints Dashboard displaying various traffic flows and the network endpoints they are communicating with.

Traffic-Endpoints-analysis-with-LogRhythm-Netmon-Freemium Free Network Threat Detection Monitoring and Forensics Tool
Traffic Endpoints analysis with LogRhythm Netmon Freemium

A look at some of the system configuration screens, diagnostics, etc. I found the installation had great visibility into what was going on at a system level and not just the network data it was capturing.

Diagnostics-and-configuration-menus-in-LogRhythm-Netmon-Freemium Free Network Threat Detection Monitoring and Forensics Tool
Diagnostics and configuration menus in LogRhythm Netmon Freemium

Finding bandwidth usage can sometimes be a challenge in various environments. With LogRhythm Netmon Freemium, you can see the Application Families by bandwidth to view the applications being used and which applications are the “top talkers” on the network in terms of bandwidth used.

Application-families-by-bandwidth-analysis-in-LogRhythm-Netmon-Freemium Free Network Threat Detection Monitoring and Forensics Tool
Application families by bandwidth analysis in LogRhythm Netmon Freemium

It is amazing to have so much functionality included for free. What are the limitations of the Freemium version of Netmon?

Differences-between-Netmon-Freemium-License-and-Netmon-Full-License Free Network Threat Detection Monitoring and Forensics Tool
Differences between Netmon Freemium License and Netmon Full License

Wrapping Up

If you are looking for a Free Network Threat Detection Monitoring and Forensics Tool, then LogRhythm’s Netmon Freemium is a great solution! Perhaps you have an older firewall in your environment or a commodity router or other solution that simply doesn’t give you the visibility needed for network awareness and security. Maybe you want visibility in your home network for IoT devices and other traffic. The LogRhythm Netmon Freemium solution allows augmenting these types of environments to provide the visibility that are not available otherwise.

However, Netmon Freemium is not just a lightweight solution that you only need if you don’t have a next-gen firewall. It can provide valuable insights into traffic flows even in enterprise environments that most likely are not available currently. The forensic and threat detection value are invaluable. LogRhythm’s Netmon solution can also be tied into the full-blown LogRhythm SIEM for even further capabilities and functionality.