Network Traffic Analysis for Threat Detection: Beyond Signature-Based Tools
Network traffic analysis (NTA) — also called Network Detection and Response (NDR) in vendor contexts — examines network flows, packets, and behavioral baselines to detect threats that endpoint agents miss, cannot see, or have not yet received signatures for. For environments with unmanaged devices, OT systems, or sophisticated attackers actively evading EDR, network telemetry is often the most reliable detection surface available. This guide covers the methodology of NTA-based threat detection: what data to collect, how to establish baselines, what anomalies are worth chasing, and how NTA integrates with the broader detection stack.
Flow Data vs. Full Packet Capture: Choosing the Right Telemetry
Network telemetry exists on a spectrum from lightweight flow records to full packet capture, each with different detection capabilities and storage requirements.
NetFlow / IPFIX (flow records): Records connection metadata: source/dest IP, port, protocol, byte count, packet count, duration. No payload. Storage: approximately 1-5 GB per day per 1 Gbps of traffic. Detection uses: volume anomalies, port scanning, beaconing (regular intervals to the same destination), east-west lateral movement patterns, data exfiltration by volume.
DNS query logs: DNS is the single richest free detection source in most environments. Every domain lookup, successful or not, is a record of intent. Detection uses: DGA domain identification, DNS tunneling, C2 beaconing via DNS, newly registered domain lookups, subpoena-level forensic reconstruction of what a host tried to reach.
TLS metadata (without decryption): SNI (Server Name Indication) in the TLS handshake reveals the target domain even in encrypted traffic. JA3/JA3S fingerprints characterize the TLS client and server behavior without decryption. Detection uses: malware C2 over HTTPS (specific JA3 fingerprints match known malware families), self-signed certificate connections, non-browser TLS from browser processes.
Full packet capture (PCAP): Complete payload capture. Storage: 50-500 GB per day per 1 Gbps of traffic depending on compression. Detection uses: everything above, plus payload inspection, protocol anomaly detection, credential extraction from cleartext protocols. Typically limited to 24-72 hour retention at the tap point, longer in tiered storage for specific sessions.
Practical recommendation: Deploy flow collection everywhere, DNS logging everywhere, TLS metadata at internet egress, and PCAP at chokepoints (internet gateway, sensitive segment boundaries, OT/IT boundary).
Establishing Behavioral Baselines
Anomaly detection requires knowing what normal looks like. Baselines must be established before detection is meaningful.
Host-level baselines:
- Normal destination IP/domain set per host (web servers should not initiate outbound connections to random internet IPs)
- Normal protocols per host (a domain controller initiating HTTP/S to external IPs is unusual)
- Normal byte volume per connection and per hour
- Normal connection frequency to each destination
Network segment baselines:
- Expected traffic patterns between segments (OT should not communicate with DMZ; development network should not access production database)
- Expected total bandwidth per link at different times of day
- Expected DNS query rate per subnet
Beaconing baseline: Legitimate software phones home at irregular intervals. Malware C2 often beacons at precise regular intervals. Calculate connection frequency distribution per source-destination pair. Highly regular intervals (low variance in inter-connection timing) are a beaconing indicator even when the destination passes reputation checks.
Baselines take 2-4 weeks of clean traffic to establish meaningfully. They must be refreshed quarterly and whenever network topology changes significantly.
High-Value Detection Patterns for NTA
Not all anomalies warrant investigation. Focus detection logic on patterns with known attacker relevance:
DNS-based C2 detection:
- High query volume to a single domain or domain family (DNS tunneling)
- Queries to algorithmically generated domain names (DGA): long random subdomains, high entropy, no associated A record history
- Queries to domains registered within the past 30 days from internal hosts
- NXDOMAIN burst (mass failed lookups characteristic of DGA malware scanning for its C2)
Beaconing detection:
- Regular outbound connections (sub-60-second intervals, variance below 5%) to a single external IP
- HTTPS beaconing to IPs without valid PTR records or with mismatched certificates
- HTTP beaconing with minimal data transfer (heartbeat pattern)
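The interval-variance check described in the beaconing baseline and the beaconing detection list above, as an added example (not code from the original article). It groups constructed flow records by source/destination pair and flags pairs whose mean gap is under 60 seconds with a coefficient of variation below 5%; reading "variance below 5%" as stdev/mean is this example's assumption.

```python
import statistics
from collections import defaultdict

# Constructed flow records (epoch seconds, src, dst, dst_port); not real traffic.
# 10.0.0.5 reaches 203.0.113.10 every 30 s with +/-0.2 s jitter (beacon shape);
# 10.0.0.7 reaches 198.51.100.20 at irregular, human-paced intervals.
FLOWS = [(1000 + 30 * i + (0.2 if i % 2 else 0.0), "10.0.0.5", "203.0.113.10", 443)
         for i in range(13)]
FLOWS += [(1000 + t, "10.0.0.7", "198.51.100.20", 443)
          for t in (0, 45, 300, 310, 900, 1500, 1510, 2400)]

def interval_stats(times):
    """Mean inter-connection gap and its coefficient of variation (stdev / mean)."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv

def find_beacons(flows, max_interval=60.0, max_cv=0.05, min_connections=8):
    """Return (src, dst, mean_gap_s, cv) for pairs whose timing is regular enough to flag.
    'variance below 5%' is implemented as CV < 0.05 (an assumption about its meaning);
    min_connections keeps pairs with too few samples from being scored at all."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_connections:
            continue
        mean, cv = interval_stats(times)
        if mean <= max_interval and cv < max_cv:
            hits.append((src, dst, round(mean, 3), round(cv, 4)))
    return hits

if __name__ == "__main__":
    for src, dst, mean, cv in find_beacons(FLOWS):
        print(f"beacon candidate {src} -> {dst}: every {mean}s, cv={cv}")
```

Reputation of the destination is deliberately not an input here: the point of the baseline is that the cadence alone is the indicator, with reputation used afterwards to rank the candidates.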
Lateral movement detection:
- SMB connections from workstations to other workstations (peer-to-peer SMB is a lateral movement indicator)
- WMI remote execution (TCP 135 + high RPC port connections between workstations)
- RDP connections from servers to workstations (reversed expected direction)
- Authentication sweeps (one source attempting authentication to many internal targets within a short window)
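The four lateral movement patterns in the list above applied to flow records, as an added example that is not part of the original article. It assumes a host-role map (workstation vs. server) is available from the baseline, treats 135 plus a port at or above 49152 as the WMI shape, and uses an assumed sweep threshold of five distinct targets within 60 seconds.

```python
from collections import defaultdict

# Constructed host-role map and flow records (epoch seconds, src, dst, dst_port); not real data.
ROLES = {"10.1.0.11": "workstation", "10.1.0.12": "workstation", "10.1.0.13": "workstation",
         "10.1.0.14": "workstation", "10.2.0.5": "server", "10.2.0.9": "server"}
FLOWS = [
    (100, "10.1.0.11", "10.2.0.5", 445),     # workstation -> file server: expected
    (105, "10.1.0.11", "10.1.0.12", 445),    # workstation -> workstation SMB
    (106, "10.1.0.11", "10.1.0.12", 135),    # RPC endpoint mapper ...
    (107, "10.1.0.11", "10.1.0.12", 49672),  # ... then a high RPC port: WMI remote execution shape
    (200, "10.2.0.9", "10.1.0.13", 3389),    # server -> workstation RDP: reversed direction
    (300, "10.1.0.14", "10.2.0.5", 445), (301, "10.1.0.14", "10.2.0.9", 445),
    (302, "10.1.0.14", "10.1.0.11", 445), (303, "10.1.0.14", "10.1.0.12", 445),
    (304, "10.1.0.14", "10.1.0.13", 445),    # one source, five SMB targets in five seconds
]
AUTH_PORTS = {88, 135, 445, 3389}  # ports on which a connection implies an auth attempt (assumption)

def is_role(roles, ip, role):
    return roles.get(ip) == role

def detect_lateral_movement(flows, roles, sweep_window=60, sweep_min_targets=5):
    """Apply the four flow-level lateral movement patterns; thresholds are assumptions."""
    peer_smb, reversed_rdp, wmi, sweeps = set(), set(), set(), set()
    ports_by_pair = defaultdict(set)
    auth_events = defaultdict(list)  # src -> [(ts, dst)]
    for ts, src, dst, port in flows:
        ports_by_pair[(src, dst)].add(port)
        src_ws, dst_ws = is_role(roles, src, "workstation"), is_role(roles, dst, "workstation")
        if port == 445 and src_ws and dst_ws:
            peer_smb.add((src, dst))
        if port == 3389 and is_role(roles, src, "server") and dst_ws:
            reversed_rdp.add((src, dst))
        if port in AUTH_PORTS:
            auth_events[src].append((ts, dst))
    for (src, dst), ports in ports_by_pair.items():
        both_ws = is_role(roles, src, "workstation") and is_role(roles, dst, "workstation")
        if both_ws and 135 in ports and any(p >= 49152 for p in ports):
            wmi.add((src, dst))
    for src, events in auth_events.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= sweep_window}
            if len(targets) >= sweep_min_targets:
                sweeps.add(src)
                break
    return {"peer_smb": sorted(peer_smb), "wmi": sorted(wmi),
            "reversed_rdp": sorted(reversed_rdp), "auth_sweeps": sorted(sweeps)}
```

The role map is the piece most deployments get wrong: without it, every one of these rules degrades to "SMB happened", which is exactly the single-source noise the article warns about.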
Data exfiltration detection:
- Outbound transfer volume exceeding historical baseline for that host by more than 3 standard deviations
- Large data transfers to cloud storage (Dropbox, Google Drive, OneDrive) from systems that do not normally use them
- DNS exfiltration: queries with unusually long subdomains (encoded payload)
- Uploads to new external IP destinations at unusual hours
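The DNS-based C2 patterns listed earlier (DGA entropy, NXDOMAIN bursts, query volume to one domain family) together with the long-subdomain exfiltration item above, as one added example that is not from the original article. It runs over constructed DNS records; the entropy, label-length, burst and volume thresholds are assumptions, and the last two labels stand in for the registrable domain where a real deployment would consult the public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query records (epoch seconds, source host, query name, rcode); not real logs.
DNS_LOG = [
    (10, "10.0.0.5", "www.example.com", "NOERROR"),
    (11, "10.0.0.5", "mail.example.com", "NOERROR"),
    (20, "10.0.0.8", "xk3j9qz0ab7f4mnp2.net", "NXDOMAIN"),   # DGA-like lookups that all fail
    (21, "10.0.0.8", "q8wz1lk5r0vbn7t3yp.org", "NXDOMAIN"),
    (22, "10.0.0.8", "v2p7mf9ks3dq1hx0jw.com", "NXDOMAIN"),
    (23, "10.0.0.8", "b0dl6tr4ya8ne2zc5q.info", "NXDOMAIN"),
    (24, "10.0.0.8", "m5xg2jp9wu1co7ki4t.biz", "NXDOMAIN"),
] + [  # 20 queries in 20 s carrying 52-character encoded labels under one domain: tunnel/exfil shape
    (30 + i, "10.0.0.9", f"{'a1b2c3d4e5' * 5}{i:02d}.t.example.net", "NOERROR") for i in range(20)
]

def shannon_entropy(s):
    """Bits of entropy per character of a label."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def registered_domain(name):
    """Last two labels stand in for the registrable domain (assumption; use the public suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def query_flags(name, entropy_threshold=3.5, max_label_len=40):
    """Per-query indicators computed on the leftmost label; thresholds are assumptions."""
    label = name.split(".")[0]
    flags = set()
    if len(label) > max_label_len:          # encoded payload in the subdomain
        flags.add("long_label")
    if len(label) >= 12 and shannon_entropy(label) >= entropy_threshold:  # random-looking label
        flags.add("high_entropy")
    return flags

def analyze_dns(log, window=60, nx_burst=5, volume_threshold=15):
    """Combine per-query flags with per-host NXDOMAIN bursts and per-domain query volume."""
    flagged = [(src, name, sorted(f)) for _, src, name, _ in log if (f := query_flags(name))]
    nx_times, volume = defaultdict(list), Counter()
    for ts, src, name, rcode in log:
        volume[(src, registered_domain(name))] += 1
        if rcode == "NXDOMAIN":
            nx_times[src].append(ts)
    burst_hosts = sorted(src for src, ts in nx_times.items()
                         if any(sum(1 for t in ts if t0 <= t <= t0 + window) >= nx_burst for t0 in ts))
    high_volume = sorted(pair for pair, n in volume.items() if n >= volume_threshold)
    return {"flagged_queries": flagged, "nxdomain_burst_hosts": burst_hosts,
            "high_volume_pairs": high_volume}
```

Note that the tunnel-shaped queries fire on length and volume but not on entropy, which is why the article lists several DNS indicators rather than relying on any one of them.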
TLS Inspection: When and How to Decrypt
The majority of malicious traffic is now encrypted. TLS inspection allows payload analysis but introduces complexity, performance overhead, and privacy considerations.
SSL/TLS interception options:
Inline SSL inspection (man-in-the-middle): Proxy device (Palo Alto, Zscaler, Fortinet) intercepts and re-encrypts traffic. Full payload visibility. Requires certificate deployment to endpoints. Breaks certificate pinning in some applications (banking apps, some SaaS tools). Latency impact: 2-10ms per connection depending on hardware.
Passive TLS metadata analysis (no decryption): Analyze JA3/JA3S fingerprints, SNI, certificate characteristics, and traffic patterns without decrypting. Tools: Zeek (formerly Bro), Suricata, Stamus Networks. Detection power is lower than full inspection but avoids breaking applications and does not require certificate deployment.
Selective decryption: Decrypt traffic to high-risk categories (newly registered domains, low-reputation IPs, anonymizing proxies) while leaving trusted destinations (Microsoft, Google, Salesforce) undecrypted. Best balance of coverage and operational overhead.
For most enterprise environments: deploy passive TLS metadata analysis everywhere, selective inline inspection at internet egress for high-risk traffic categories.
Integrating NTA with SIEM and EDR
NTA in isolation catches network-level indicators but lacks context about what process generated the traffic or what the user was doing. The detection value multiplies when correlated with endpoint and identity data.
NTA + EDR correlation:
- EDR identifies the process making the connection; NTA identifies where it connected. Combining these catches malware that uses trusted processes (lolbins) to make network connections that look benign from either source alone.
- Example: EDR shows mshta.exe making an outbound connection; NTA shows the connection is beaconing at 30-second intervals to an IP registered two days ago. Either alone is ambiguous; together they are high confidence.
NTA + Identity correlation:
- Place authentication logs from AD or your IdP alongside NTA lateral movement detections. Peer-to-peer SMB combined with authentication events from a new account, or occurring after a suspicious login event, escalates the priority.
NTA + Threat intelligence:
- Enrich all external connection events with IP and domain reputation at ingestion time. Flag connections to IPs in threat intel feeds (C2 infrastructure, malware distribution, anonymizers) for immediate triage.
SIEM integration: Ingest flow data, DNS logs, and TLS metadata into SIEM alongside endpoint and identity data. Build correlation rules that require multiple data sources. Single-source detections produce more noise; multi-source correlations produce better signal.
NDR Platform Evaluation: What to Look For
Network Detection and Response (NDR) platforms (ExtraHop, Darktrace, Corelight, Vectra AI, Cisco Secure Network Analytics) automate much of the NTA workflow. Evaluation criteria that matter:
Telemetry breadth: Does the platform ingest both flow data and full packet metadata? Can it process east-west (internal) traffic, not just north-south (perimeter)?
Baseline learning period: How long before behavioral baselines are established? What happens to detection quality during that period?
Alert fidelity: What is the true positive rate in your specific environment? Request a proof-of-concept with your actual traffic before committing.
Detection methodology transparency: Does the vendor explain what each detection model is looking for, or is it a black box? Unexplainable detections cannot be tuned.
SIEM and SOAR integration: Does the platform send enriched alerts to your SIEM, or does it require analysts to maintain a separate investigation interface?
Encrypted traffic analysis: What is the platform's approach to encrypted traffic — passive metadata only, or optional decryption? Does it support JA3/JA3S fingerprinting?
Storage and retention: What is the default retention period for flow records and packet capture? What are the storage costs for extended retention?
The bottom line
Network traffic analysis is not a replacement for endpoint security or signature-based detection — it is the detection surface that catches what those tools miss. Deploy flow data and DNS logging universally, establish behavioral baselines before tuning detection logic, focus detection on patterns with demonstrated attacker relevance (beaconing, DNS-based C2, lateral movement), and correlate NTA findings with EDR and identity data before assigning priority. The combination is substantially more powerful than any single source.
Frequently asked questions
What is network traffic analysis (NTA) in cybersecurity?
Network traffic analysis examines network flows, packets, and metadata to detect threats based on behavioral anomalies rather than known-bad signatures. It catches attacker activity — C2 beaconing, lateral movement, data exfiltration — that endpoint agents miss because the traffic crosses the network even when endpoints are managed.
What is the difference between NTA and NDR?
Network Traffic Analysis (NTA) is the discipline; Network Detection and Response (NDR) is the product category that automates NTA at scale. NDR platforms ingest network telemetry, build behavioral baselines, surface anomalies, and integrate with SIEM/SOAR for response. NTA can be done manually with open-source tools like Zeek and Suricata; NDR platforms productize that capability.
Do I need full packet capture for effective network-based threat detection?
No. Flow data (NetFlow/IPFIX), DNS query logs, and TLS metadata detect the majority of high-value threat patterns — beaconing, lateral movement, DNS tunneling, DGA domains — without full payload capture. PCAP adds coverage for payload-dependent detections and forensic reconstruction but requires far more storage. Deploy flow and DNS everywhere; PCAP at chokepoints.
How do you detect C2 beaconing in network traffic?
Beaconing detection looks for highly regular outbound connections — low variance in inter-connection timing — to a single external destination. Legitimate software phones home at irregular intervals; malware C2 often beacons on a precise schedule. Calculate the variance of connection intervals per source-destination pair. Low-variance patterns to low-reputation destinations warrant investigation.
Can NTA detect threats in encrypted traffic?
Yes, to a meaningful extent without decryption. TLS metadata — SNI (target domain), JA3/JA3S fingerprints (TLS client/server behavior), certificate characteristics, and traffic volume patterns — reveals a great deal about encrypted connections. Known malware families have characteristic JA3 fingerprints. Suspicious patterns: self-signed certs, beaconing cadence in HTTPS traffic, non-browser TLS from browser processes.
What open-source tools support network traffic analysis?
Zeek (formerly Bro) generates rich connection logs, DNS logs, TLS metadata, and protocol-level records from PCAP or live capture. Suricata provides signature-based detection plus flow data. Arkime (formerly Moloch) provides PCAP indexing and search. Elastic SIEM has built-in support for Zeek and Suricata log ingestion. These tools together provide enterprise-grade NTA capability without commercial NDR licensing.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.