Secure Network Analytics 752: Enhanced Threat Detection with NVM & Zeek Integration

Listen to this Post

The latest release of Secure Network Analytics (version 7.5.2) brings a significant upgrade to network security monitoring, introducing Network Visibility Module (NVM) alerts and Zeek-based detections. By integrating these new telemetry sources, Cisco enhances visibility across networks, strengthening threat detection and response capabilities. This update aligns with the MITRE ATT&CK framework, providing security teams with enriched data to analyze malicious activity effectively.

Organizations leveraging the Data Store architecture can upgrade immediately to take advantage of these new detections. The software update is available through Cisco Software Central. Below, we explore the new alerts introduced by NVM and Zeek and their role in reinforcing cybersecurity defenses.

New Features in Secure Network Analytics 7.5.2

1. Network Visibility Module (NVM) Alerts

NVM, part of Cisco Secure Client, provides endpoint-level visibility by capturing detailed network activity, including hostnames, processes, user details, and operating systems. This expanded context accelerates threat investigations by linking endpoint activity with network traffic patterns. The latest update introduces four new NVM detections:

  • Potential Gamaredon C2 Callout – Detects command-and-control communication associated with the Gamaredon APT.
  • Suspicious Curl Behavior – Flags potential exploitation of CVE-2023-38545 via the curl system utility.
  • Suspicious MSHTA Activity – Identifies misuse of MSHTA.exe, a tool commonly exploited by APT groups.
  • Suspicious Process Path – Alerts when an executable runs from an unexpected directory, signaling possible malware execution.

2. Zeek-Based Threat Detections

Zeek is a powerful open-source network traffic analysis tool that logs activities for security analysis. In version 7.5.2, Secure Network Analytics processes Zeek logs to generate five new detections:

  • DNS Traffic to Tor Proxy – Identifies devices resolving DNS queries related to Tor proxies, often used for command-and-control communication.
  • PetitPotam Attack Detection – Monitors EFS RPC calls, a method used in NTLM relay attacks.
  • Impacket SecretDump Activity – Detects credential dumping attempts from Active Directory servers.
  • Remote Task Creation via ATSVC – Flags unauthorized task scheduling via ATSVC named pipes, a technique used by attackers for persistence.
  • Suspicious PsExec Execution – Identifies misuse of PsExec, particularly when executed with a renamed service name to evade detection.

Upgrade Recommendations

Users operating Secure Network Analytics with Data Store are encouraged to upgrade to version 7.5.2 to leverage these new detection capabilities. These alerts provide security teams with actionable intelligence for proactive threat mitigation.

What Undercode Says:

Cisco’s Secure Network Analytics 7.5.2 marks a significant evolution in network security monitoring, enhancing threat intelligence through deeper integration of endpoint telemetry (NVM) and network analysis logs (Zeek). Here’s why this update is crucial:

1. Expanding Telemetry Sources Enhances Detection Accuracy

Traditional NetFlow and IPFIX data provide valuable traffic insights but lack endpoint-specific details. With NVM telemetry, security teams gain access to user identity, process execution, and system context, enabling faster forensic analysis. Zeek logs further complement this by enriching network data with deep protocol inspection.

2. Aligning with MITRE ATT&CK Strengthens Threat Attribution

The MITRE ATT&CK framework is widely recognized for mapping adversary tactics and techniques. The new nine detections directly correlate with real-world attack methods, allowing security teams to prioritize alerts based on known threat behaviors. This improves both incident response and threat hunting.

3. Advanced Threat Detection for APTs & Exploits

The Gamaredon APT alert specifically helps detect state-sponsored cyber operations, which are notoriously difficult to identify. Additionally, tracking PetitPotam attacks and credential dumping tools (Impacket SecretDump) provides organizations with early indicators of compromise.

4. Strengthening Network Hygiene with Anomaly Detection

By detecting unusual execution paths (Suspicious Process Path) and renamed PsExec executions, the system identifies evasive tactics used by malware and advanced persistent threats. Detecting Tor proxy usage also helps block potential C2 traffic, reducing the risk of botnet infections.

5. Seamless Upgrade & Integration Benefits

Cisco’s approach ensures that existing Secure Network Analytics users can upgrade without major infrastructure changes. The integration with Data Store architecture ensures smooth adoption of these enhanced detections.

6. A Step Towards Autonomous Threat Hunting

Automated detection and behavioral analytics reduce reliance on manual log correlation. Security teams can now shift their focus toward incident response and proactive threat hunting, instead of reactive analysis.

7. The Future of Network Analytics & AI

Future updates may integrate machine learning models for real-time anomaly detection, further refining alerts and reducing false positives. Combining AI-driven insights with Zeek’s network forensics could revolutionize threat intelligence.

Fact Checker Results:

✅ Enhanced Threat Visibility – The inclusion of NVM and Zeek telemetry significantly broadens threat detection capabilities.
✅ MITRE ATT&CK Integration – Ensures alerts map to real-world attack techniques, improving response strategies.
✅ Actionable Security Insights – Upgrading to 7.5.2 provides immediate access to nine critical detections, strengthening an organization’s security posture.

For security professionals, this Cisco Secure Network Analytics update represents a leap forward in cyber threat detection. Organizations seeking proactive defense mechanisms should consider upgrading immediately to stay ahead of evolving cyber threats. 🚀

References:

Reported By: https://blogs.cisco.com/security/network-visibility-module-zeek-detections-in-secure-network-analytics/
Extra Source Hub:
https://www.quora.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image