Mitigate Ransomware Risk with Netography’s New Auto-Thresholding Capabilities
by Netography Detection Engineering Team
For at least a decade, ransomware has remained one of the most significant security problems organizations have faced, and it continues to grow more damaging. In 2023, ransomware incidents increased by 73%, and payments exceeded $1 billion for the first time.
Netography wants to help combat those threats on our customers’ networks. So, we introduced a new collection of Network Detection Models (NDMs) to help them detect and stop anomalous data movement that could indicate a ransomware attack.
These NDMs are built on our new auto-thresholding capability, which lets the Netography Fusion® platform set threshold values from each network's own traffic baseline rather than from a fixed number. Auto-thresholding observes traffic on a customer's network over time and learns what constitutes normal activity; once Fusion has collected a sufficient volume of traffic, it sets the thresholds at statistically significant values for that environment. When Fusion then sees data movement that departs from the baseline in a way consistent with a network intrusion or security incident, the platform fires an event.
In this blog post, we want to make you aware of these capabilities so you can better understand when they fire and help you investigate the cause. A closer look will allow you to confirm if a threat actor is active in your network and enable you to prevent them from staging or exfiltrating data for a ransomware attack.
New NDM that Requires Activation
Because Netography Fusion is a SaaS platform, customers automatically receive the latest detections when released. Although most NDMs are activated automatically when we release them, customers will need to activate large_internal_smb_download to detect internal staging via SMB protocol.
large_internal_smb_download: Ransomware attacks unfold in phases. Once a threat actor finds the data they want to steal, they may collect it in a staging location before exfiltration. Attackers frequently collect data from internal systems using SMB (the Server Message Block protocol, which uses TCP port 445) because it is the most common protocol for sharing files between clients and servers and can be found in most computer networks. Finding suspicious data movement at this phase is extremely useful for mitigating risk and stopping attacks before the encryption and exfiltration of data. This NDM tracks movement of data from around the network into a single location over SMB. The detection learns what levels of traffic are normal to expect between different machines on your network and alerts you to anomalous activity within your environment.
SMB activity varies significantly from one business to another because of each organization's architectural decisions, so the learning time needed before the model produces actionable events also varies. That is why this is the only NDM of the six described in this post that customers must activate manually. Most customers will start receiving events worth investigating relatively quickly. For others, building a good profile may take longer: SMB volumes can vary from week to week, which will produce some noise in the short term. Once the detection has had time to separate anomalies from legitimate traffic reliably, the benefit is well worth the wait.
New NDMs Already Activated
The following new NDMs are opt-out, meaning they are on by default in all customer environments: they operate quietly and usually trigger an event only when a significant aberration occurs. These detections look for indications of data exfiltration over a port or protocol, or to a particular destination on the internet, that our research has found strongly suggests activity tied to a ransomware attack.
anomalous_traffic_s3: Threat actors may exfiltrate data to Amazon S3 cloud storage during a ransomware attack (often before encrypting data where it lives within a network). This NDM monitors how much data is being sent to S3 by the systems within your enterprise and alerts if the volume of data from a particular system exceeds the automatically determined threshold.
anomalous_traffic_mega: Threat actors may also send data to the MEGA file sharing and storage service before encryption. When this NDM sees a statistically significant increase in MEGA uploads from the baseline, it will trigger an event, as that could be indicative of a ransomware actor stealing data from your environment.
anomalous_traffic_ssh: This detection looks for statistically higher amounts of traffic leaving your network over the Secure Shell (SSH) network protocol, which might indicate ransomware exfiltration. A traffic volume exceeding the baseline determined by auto-thresholding fires an event that is worthy of investigation.
anomalous_traffic_dns: Every network uses the Domain Name System (DNS), but DNS is rarely a vehicle for moving data; when a transfer over DNS happens for legitimate reasons, it is usually brief and low volume. Threat actors may nonetheless exfiltrate data over DNS using traditional DNS, DNS over HTTPS (DoH), or DNS over TLS (DoT). This detection filters out normal DNS traffic and fires an event when the amount of traffic leaving your network over traditional DNS or DNS over TLS exceeds the automatically generated threshold. Note that DNS over HTTPS shares TCP port 443 with ordinary web traffic and is not within the scope of this detection.
anomalous_traffic_itar: This NDM focuses on the countries listed in the U.S. International Traffic in Arms Regulations (ITAR), 22 CFR 126.1. The detection is agnostic of the underlying protocol and looks only at the volume of your network traffic going to IP addresses that correlate with those countries. Simply hosting a public website can give your network a baseline amount of traffic to these countries, so the detection alerts you only when traffic leaving your network for an ITAR-listed country exceeds the automatically generated threshold.
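To make the mechanism concrete, here is an added example (not Netography's code, and not the NDM definition syntax, which this post does not show) of the two ingredients the detections above combine: a per-host baseline that stays silent during a warm-up period and then fires when a bucket exceeds the mean plus three standard deviations of its history, and per-bucket aggregation of flow records for two of the patterns described, internal SMB fan-in into a single destination (the large_internal_smb_download pattern) and outbound SSH volume per source (the anomalous_traffic_ssh pattern). The flow records, the 10.0.0.0/8 internal range, the hourly buckets, the k=3 multiplier, the six-sample warm-up and the byte floors are all constructed assumptions for the illustration; Fusion's actual statistics and learning periods are not described on this page.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space

# bucket = time bucket index (one per hour here); peers = distinct hosts on the other side
Flow = namedtuple("Flow", "bucket src dst dport nbytes")
Event = namedtuple("Event", "detection bucket key nbytes threshold peers")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


class AutoThreshold:
    """Per-key baseline: fire when a value exceeds mean + k*sigma of the key's history.
    A key with fewer than min_samples observations (including a host never seen before,
    such as a fresh staging server) is judged against the pooled history of all keys.
    floor is an absolute minimum so a nearly silent key (sigma ~ 0) cannot fire on a
    few extra kilobytes."""

    def __init__(self, k=3.0, min_samples=6, floor=0):
        self.k, self.min_samples, self.floor = k, min_samples, floor
        self.history = defaultdict(list)   # key -> per-bucket values
        self.pooled = []                   # all values seen, across keys

    def threshold(self, key):
        hist = self.history[key]
        if len(hist) < self.min_samples:
            hist = self.pooled
        if len(hist) < self.min_samples:
            return None                    # still learning: never fire
        return max(self.floor, mean(hist) + self.k * pstdev(hist))

    def learn(self, key, value):
        self.history[key].append(value)
        self.pooled.append(value)


def aggregate(flows, dport, key_on, src_ok, dst_ok):
    """Return bucket -> key -> total bytes and bucket -> key -> set of peer hosts."""
    totals = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.dport != dport or not src_ok(f.src) or not dst_ok(f.dst):
            continue
        key, peer = (f.dst, f.src) if key_on == "dst" else (f.src, f.dst)
        totals[f.bucket][key] += f.nbytes
        peers[f.bucket][key].add(peer)
    return totals, peers


DETECTIONS = {
    # many internal hosts converging on one internal SMB server: key on the destination
    "smb_fan_in": dict(dport=445, key_on="dst", src_ok=is_internal, dst_ok=is_internal, floor=10_000_000),
    # an internal host pushing data out over SSH: key on the source
    "ssh_egress": dict(dport=22, key_on="src", src_ok=is_internal, dst_ok=lambda ip: not is_internal(ip), floor=1_000_000),
}


def run_detections(flows, k=3.0, min_samples=6):
    events = []
    for name, spec in DETECTIONS.items():
        totals, peers = aggregate(flows, spec["dport"], spec["key_on"], spec["src_ok"], spec["dst_ok"])
        model = AutoThreshold(k=k, min_samples=min_samples, floor=spec["floor"])
        for bucket in sorted(totals):
            # Judge every key against the baseline as it stood before this bucket, then
            # learn, so the outcome does not depend on key order within the bucket.
            fired = set()
            for key, value in totals[bucket].items():
                thr = model.threshold(key)
                if thr is not None and value > thr:
                    fired.add(key)
                    events.append(Event(name, bucket, key, value, int(thr), len(peers[bucket][key])))
            for key, value in totals[bucket].items():
                if key not in fired:       # keep confirmed anomalies out of the baseline
                    model.learn(key, value)
    return events


def constructed_flows():
    # Constructed sample: eleven hourly buckets of routine traffic, then staging and exfil.
    flows = []
    for b in range(11):
        jitter = ((b * 37) % 11) * 200_000            # deterministic 0..2 MB wobble
        for client in ("10.0.1.11", "10.0.1.12", "10.0.1.13"):
            flows.append(Flow(b, client, "10.0.0.5", 445, 50_000_000 + jitter))   # file server
        flows.append(Flow(b, "10.0.1.20", "203.0.113.10", 22, 5_000_000 + jitter))  # routine rsync
    for n in range(1, 11):   # bucket 10: ten hosts push 400 MB each into a never-seen share
        flows.append(Flow(10, f"10.0.2.{n}", "10.0.0.99", 445, 400_000_000))
    flows.append(Flow(10, "10.0.1.20", "203.0.113.10", 22, 2_000_000_000))   # and 2 GB out over SSH
    return flows


if __name__ == "__main__":
    for e in run_detections(constructed_flows()):
        print(f"{e.detection}: bucket {e.bucket} host {e.key} moved {e.nbytes:,} B "
              f"(threshold {e.threshold:,} B, {e.peers} peer(s))")
```

Two design choices in the example are the ones a custom detection has to make explicitly. First, the staging share 10.0.0.99 has no history of its own when the burst arrives, so a purely per-destination baseline would stay silent; the example falls back to the pooled history of every SMB server, which is why a never-seen host can still fire (with ten distinct sources, the fan-in signal the SMB detection is after). Second, buckets that fire are kept out of the baseline, so one day of staging does not teach the model that 4 GB into a share is normal; the cost is that a genuine, permanent change in traffic has to be acknowledged by an operator rather than learned away.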
Remember: NDMs based on machine learning, such as auto-thresholding, require some time to collect information and learn before generating events. Be a little patient with some noise initially, and you’ll find the benefit of mitigating ransomware risk is well worth it.
Want to Write Your Own?
There are cases where customers may want to write their own custom detections using auto-thresholding. We are here to help.
The Netography Detection Models are open and any customer can view them from within the portal. We welcome collaboration and can provide you with guidance about how to best utilize the feature to configure NDMs for your environment. To start creating custom detection models, contact your sales engineer.
More to Come
Auto-thresholding is an exciting new feature with a lot of potential for customers to detect suspicious activity relevant to different protocols, ports, and services. The Netography Detection Engineering Team is looking at various opportunities to apply this capability to analyze data movement and network traffic and plans to introduce additional detections in the months ahead.
On Discord? We encourage customers to join our Discord user community to learn more about new detection capabilities as we release them.