Netography Detection Model Release – February 7, 2023
The Netography Threat Research Team has released its latest detections:
The team creates Netography Detection Models (NDMs) to detect botnets, malware, P2P, data exfiltration, ransomware, phishing, SPAM, DDoS activity, and more. These powerful threat and network configuration detection models are included at no additional charge and are continuously refined, with new NDMs being added frequently as threats evolve. There are no packages to download, and no updates to push. All models are completely open, customizable, and transparent to your analysts.
Netography Detection Model Updates:
sinkhole_detection — Sinkholes are servers that aggregate traffic from infected machines. sinkhole_detection triggers when a customer's internal IP reaches out to a known sinkhole. The source IP should be examined for possible infection. This NDM works best when "Network Classifications" are set correctly in the Fusion portal.
external_printing_connections — This detection model detects attempted connections to network printers from outside the network. This behavior may indicate a DoS attack or an attempt to exfiltrate data by printing documents. This NDM works best when "Network Classifications" are set correctly in the Fusion portal.
internal_snmp_sweep — This detection model detects an attempt to reach a large number of hosts using SNMP. This may indicate network reconnaissance by malicious software. An SNMP sweep could result in gathering information about your network. If there are trusted sources doing this, they should be added to the “Discard” function in the detection model. This NDM works best when “Network Classifications” are set correctly in the Fusion portal.
external_snmp_sweep — This detection model identifies when someone outside the network tries to access many hosts using SNMP, which could mean a malicious attack. If there are trusted sources doing this, they should be added to the “Discard” function in the detection model. This NDM works best when “Network Classifications” are set correctly in the Fusion portal.
external_ldap_access — This detection model detects an attempt to connect to an internal LDAP resource from outside the network. This may be an indication of malware or abuse. This NDM works best when “Network Classifications” are set correctly in the Fusion portal.
external_kerberos_access — This detection model detects an attempt to connect to an internal Kerberos resource from outside the network. This may be an indication of malware or abuse. This NDM works best when “Network Classifications” are set correctly in the Fusion portal.
outbound_ldap_spike — This detection model detects attempts to connect to an external LDAP resource from inside the network. This may be an indication of malware, abuse, or scanning. This NDM works best when “Network Classifications” are set correctly in the Fusion portal.
outbound_smb_spike — This detection model detects attempts to connect to an external SMB resource from inside the network. This may be an indication of malware, abuse, or scanning. This NDM works best when “Network Classifications” are set correctly in the Fusion portal.
outbound_snmp_sweep — This detection model detects an attempt to reach a large number of hosts using SNMP. This may indicate network reconnaissance by malicious software, or otherwise be an indication of malware, abuse, or scanning. If there are trusted sources doing this, they should be added to the "Discard" function in the detection model. This NDM works best when "Network Classifications" are set correctly in the Fusion portal.
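The three SNMP sweep models above share one structure: count how many distinct hosts a source touches on UDP/161, decide which model fires from the internal/external classification of source and destination, and drop sources on the "Discard" list. The following is an added illustration of that logic over constructed flow records; it is not Netography's NDM or NQL code, and the internal address ranges, the sweep threshold of 20 hosts, and the trusted-scanner entry are all assumed values chosen for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed "Network Classification": the ranges the operator marks as internal.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed "Discard" list: trusted sources allowed to poll many SNMP hosts.
DISCARD_SOURCES = {"10.0.0.5"}

SNMP_PORT = 161          # SNMP agents listen on UDP/161
SWEEP_THRESHOLD = 20     # assumed: distinct destination hosts that count as a sweep


@dataclass(frozen=True)
class Flow:
    """One flow record: source, destination, transport and destination port."""
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def sweep_model(src: str, dst: str) -> Optional[str]:
    """Map the direction of a flow to the NDM name that would cover it."""
    src_int, dst_int = is_internal(src), is_internal(dst)
    if src_int and dst_int:
        return "internal_snmp_sweep"
    if not src_int and dst_int:
        return "external_snmp_sweep"
    if src_int and not dst_int:
        return "outbound_snmp_sweep"
    return None  # external-to-external traffic is not this network's concern


def detect_snmp_sweeps(flows: Iterable[Flow], threshold: int = SWEEP_THRESHOLD) -> List[dict]:
    """Return one finding per (source, model) that reached >= threshold distinct hosts."""
    targets = defaultdict(set)  # (src, model) -> set of destination hosts
    for f in flows:
        if f.proto != "udp" or f.dport != SNMP_PORT:
            continue
        if f.src in DISCARD_SOURCES:
            continue
        model = sweep_model(f.src, f.dst)
        if model is None:
            continue
        targets[(f.src, model)].add(f.dst)
    return [
        {"model": model, "src": src, "hosts": len(hosts)}
        for (src, model), hosts in sorted(targets.items())
        if len(hosts) >= threshold
    ]


def build_sample_flows() -> List[Flow]:
    """Constructed flow records covering each branch of the detector."""
    flows = []
    # internal host polling 25 internal hosts: internal_snmp_sweep
    flows += [Flow("10.1.1.7", f"10.1.2.{i}", "udp", 161) for i in range(1, 26)]
    # trusted monitoring server doing the same: on the discard list, no finding
    flows += [Flow("10.0.0.5", f"10.1.2.{i}", "udp", 161) for i in range(1, 26)]
    # external host probing 30 internal hosts: external_snmp_sweep
    flows += [Flow("203.0.113.9", f"192.168.5.{i}", "udp", 161) for i in range(1, 31)]
    # internal host reaching only 3 external SNMP hosts: below threshold
    flows += [Flow("10.2.2.2", f"198.51.100.{i}", "udp", 161) for i in range(1, 4)]
    # TCP/161 is not SNMP polling and is ignored
    flows.append(Flow("10.1.1.7", "10.9.9.9", "tcp", 161))
    return flows


if __name__ == "__main__":
    for finding in detect_snmp_sweeps(build_sample_flows()):
        print(finding)
```

Because the direction test depends entirely on `is_internal`, a wrong or missing classification silently turns an internal sweep into an "outbound" one or hides an external probe, which is why each of these models notes that it works best with Network Classifications set correctly.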
scanner_rwth_aachen_univ — This detection model detects an attempt to scan an internal resource from RWTH Aachen University. This university conducts regular scanning of the internet for research purposes. Results of these scans can expose information about a customer’s network. This NDM works best when “Network Classifications” are set correctly in the Fusion portal.
third_party_vpn_usage — This detection model detects the use of a possibly unauthorized third-party (free or paid) VPN client on the internal network. Such a client lets users on the network hide their traffic from examination by security tools and may jeopardize audit and security requirements on the customer network. The following VPNs are detected with this model:
- CyberGhost
- ExpressVPN
- hide.me
- HMA (or Hide My Ass)
- Hola
- Hotspot Shield
- NordVPN
- PrivateInternetAccess (or PIA)
- Proton VPN
- SoftEther
- Surfshark
- Tunnelbear
Categorization Updates:
Categories can be used in NDMs, Widgets, or anywhere else Netography Query Language (NQL) is used in the Netography Fusion® portal to monitor, detect, and secure the Atomized Network. The following IP Reputation Categories were added to the portal:
- vpn_cyberghostvpn
- vpn_expressvpn
- vpn_hide-me
- vpn_hma
- vpn_hola-vpn
- vpn_hotspot-shield
- vpn_icloud-private-relay
- vpn_nordvpn
- vpn_privateinternetaccess
- vpn_proton-vpn
- vpn_softether
- vpn_surfshark
- vpn_tailscale
- vpn_tunnelbear
- vpn_zscaler
The Netography Threat Research Team constantly updates and improves our detection capabilities, seamlessly integrating them into the Netography Fusion platform, so our customers can write once, then detect everywhere.