Netography Detection Model Release – April 24, 2023
The Netography Threat Research Team has released its latest detections:
The team creates Netography Detection Models (NDMs) to detect botnets, malware, P2P, data exfiltration, ransomware, phishing, SPAM, DDoS activity and more. These powerful threat and network configuration detection models are included at no additional charge and are continuously refined, with new NDMs being added frequently as threats evolve. There are no packages to download, and no updates to push. All models are completely open, customizable, and transparent to your analysts.
Netography Detection Model Updates:
Threat Detection
censys_scanning – This NDM was adjusted to reduce the amount of alerts generated across the customer base.
knowntorproxy – This NDM was adjusted to take advantage of Netography Threat Research team generated intelligence.
outbound_ftp_traffic – This NDM alerts on the presence of outbound plaintext FTP sessions. This traffic should be examined for allowed usage of cleartext protocols. This NDM is enabled by default.
outbound_telnet_traffic – This NDM alerts on the presence of outbound plaintext telnet traffic. This traffic should be examined for allowed usage of cleartext protocols. This NDM is enabled by default.
outbound_pop3_traffic – This NDM alerts on the presence of outbound plaintext pop3 traffic. This traffic should be examined for allowed usage of cleartext protocols. This NDM is disabled by default.
outbound_imap_traffic – This NDM alerts on the presence of outbound plaintext imap traffic. This traffic should be examined for allowed usage of cleartext protocols. This NDM is disabled by default.
Post Compromise Detection
ip_lookup_attempt – This NDM will generate an alert when an internal IP attempts to look up its own IP via an external IP lookup service. This is often an indicator of malware. The Internal IP should be examined to determine what process is making this external connection. This NDM is enabled by default.
neto_scanner_outbound – This NDM will generate an alert when an internal IP makes a connection to a known scanner on the internet. This is done by examining connections to the IP Reputation category “neto_scanners”. This is Netography Threat Research team intelligence generated intelligence category that is created through monitoring dark IP space. Alerts from this NDM indicate a positive response to an inbound scan. Firewall permissions should be examined. This NDM is enabled by default.
The Netography Threat Research Team constantly updates and improves our detection capabilities, seamlessly integrating them into the Netography Fusion® platform, so our customers can write once, then detect everywhere.