
Solution Guide

Netography Fusion® for Detecting Ransomware in Multi-Cloud and Hybrid Networks

Cloud-Agnostic and Environment-Agnostic Monitoring of All Your Network Activity

Ransomware Continues to Disrupt Operations

Ransomware has remained one of the most significant cybersecurity challenges organizations have faced for over a decade. Despite hundreds of millions of dollars invested in a range of technologies and end-user education, the impact of ransomware has continued to grow. In 2023, ransomware payments exceeded $1 billion for the first time.

Most Security Technologies Cannot Detect Ransomware

One of the primary reasons organizations continue to fall victim to ransomware is that much of the technology they have invested in simply cannot detect ransomware activity during any stage of an attack. There are several reasons existing technology isn’t able to keep up with attackers, including:

  • Distribution of critical data, applications, and systems across multiple cloud providers and legacy on-prem networks, as well as dissimilar IT, OT, and IoT operational environments.
  • Deployment of a wide range of tools to monitor diverse environments, which creates silos of data that operations teams must stitch together to analyze.
  • Continued reliance on detection technologies engineered initially for on-prem networks, which cannot operate at cloud scale nor within a shared responsibility model.
  • Lack of ability to deploy agents on all workloads and systems in IT, OT, and IoT environments.
  • Cost of deploying sensors, taps, or probes to capture activity where agents are not deployed.
  • Boom in ransomware-as-a-service (RaaS) that puts more sophisticated techniques within reach of unsophisticated cybercriminals.
  • Inability of many inspection-based tools (such as NGFW, NDR, or EPP) to block malicious content or links, thus neither preventing initial compromise nor detecting post-compromise activity.
  • Platform-native monitoring tools have a limited number of detections that identify any anomalous or malicious network activity (and none that are ransomware-specific).
  • Cloud-native tools like Cloud-Native Application Protection Platforms (CNAPP) and Cloud Access Security Brokers (CASB) do not monitor network-level activity and therefore do not see anomalous activity like lateral movement of a cloud asset.

After a successful ransomware attack, operations teams lack the forensic data to identify the initial compromise vector. In Q2 2024, “Unknown” was the most common ransomware attack vector reported.

Most Common Attack Vectors in Q2 2024 (Source: Coveware)

Data Exfiltration is the Most Common Ransomware Tactic

Once a threat actor gains access to a network, the most common tactic, technique, or procedure (TTP) they used was data exfiltration. Data exfiltration compounds the cost of ransomware, with companies being “2.5X more likely to pay a ransom in cases where data has been exfiltrated, on top of encryption.”

Most Common TTPs in Q2 2024 (Source: Coveware)

This graphic reinforces the point that organizations invest too much in technology to prevent the initial compromise. It shows that once a threat actor gains a foothold within a network, there are few controls to prevent them from communicating externally to C2 resources, moving laterally to identify and harvest data, and eventually exfiltrating the data.

Detecting Ransomware Activity Using Netography Fusion®

The Netography Fusion platform overcomes the shortcomings of other approaches to deliver high-confidence alerts of active ransomware attacks in real-time. Fusion is cloud-agnostic and environment-agnostic, and it can monitor all your network activity anywhere it occurs. 

The Fusion platform includes three unique capabilities that set it apart from other platform-native, cloud-native, or on-prem approaches:

  • Frictionless detection that eliminates the burden of deploying sensors and agents. You can start monitoring your network in minutes or hours, instead of days or weeks. 
  • Holistic, contextualized view of all network activity across your multi-cloud or hybrid network. Your CloudOps, NetOps, and SecOps teams will have a single platform to monitor all communications into or out of your network.
  • Ransomware-specific detections of pre- and post-compromise activity to alert you to an attack in progress. You will know in real-time when Fusion detects activity associated with ransomware, such as external or internal reconnaissance, lateral movement and data staging, or data exfiltration. 

How Netography Works

Fusion’s AI-powered detection engine monitors your network using network metadata, rather than packets, to detect anomalous and malicious activity. Fusion aggregates, normalizes, and analyzes the VPC flow logs, VNet flow logs, and DNS logs from your cloud providers, along with flow logs from your on-prem network.

Ingest

Orchestrate and normalize VPC and VNet flow logs, on-prem flow logs, and DNS logs from anywhere in your multi-cloud or hybrid network.

100% SaaS architecture eliminates the burden of deploying sensors, taps, probes, or agents.

Enrich

Enrich the flow and DNS logs with dozens of context attributes contained in your applications and services.

Context-enrichment transforms low-value IP address tables into context-rich descriptions of the activities of your users, applications, data, and devices.

Detect

Detect anomalous and malicious network activity with over 300 Netography Detection Models (NDMs).

You have complete flexibility to customize Fusion’s NDMs to deliver high-confidence, high-fidelity alerts to your CloudOps, NetOps, and SecOps teams.

Investigate

Conduct real-time and forensic analysis of the core evidence found in network activity logs to investigate anomalous or malicious activity.

Accelerate response time by utilizing up to 12 months of historical data to visualize changes in activity.

Respond

Execute response workflows quickly from within the Fusion SaaS platform or via built-in integrations with our technology partners.

You can also automate workflows using NetoFuse software that you can deploy within your own environment.

The Fastest & Easiest Way to Detect Ransomware

The Fusion platform delivers a holistic view of network activity across all cloud platforms and on-prem networks. It aggregates, normalizes, and orchestrates VPC and VNet flow logs from AWS, Microsoft Azure, Google Cloud, IBM Cloud, and Oracle Cloud Infrastructure into a unified view of all activity. Fusion creates high-fidelity insights into critical network events, such as lateral movement, data harvesting, data exfiltration, and trust boundary violations. Unlike platform-native tools that analyze data within one cloud provider, Netography delivers holistic visibility across your organization’s entire cloud infrastructure.

The Fusion platform also contextualizes the flow and DNS data with dozens of critical context attributes from your tech stack. This contextualization allows your operations teams to make fast, effective decisions to respond to activity related to an IP address without having to sift through tables of raw data or query other tools or teams. This approach drastically improves their speed and accuracy when detecting and responding to ransomware.

With over 300 customizable detections, Fusion provides 10 times the number of network detections that AWS, Azure, or Google Cloud’s platforms offer. These customizable detections allow you to fine-tune your monitoring based on your specific policies, infrastructure, and risk tolerance, ensuring that you can quickly identify and mitigate even sophisticated attacks. 

In addition to real-time monitoring, Netography Fusion can store and analyze up to one year of flow data for forensic investigations. This capability is particularly valuable for post-incident analysis, allowing your security teams to reconstruct events, investigate breaches, and ensure compliance. Native tools, on the other hand, often offer limited or no historical data storage, which can impede your investigations when you are looking for patterns or understanding the full scope of an attack.

Netography Detects Critical Phases of Ransomware Kill Chain

Fusion has ransomware-specific detection models in its library of over 300 user-customizable models that detect different stages of ransomware activity, including: 

  • Internal recon
    Fusion detects network scanning activity; through integration with vulnerability management solutions, it automatically differentiates between your approved internal security scans and malicious activity.

      • Example detection model: portscan
  • Collecting and staging data
    Fusion learns what normal internal (east-west) network activity looks like and identifies anomalous traffic patterns using machine learning.

      • Example detection model: large_internal_smb_download
  • Data exfiltration
    Fusion learns what normal outbound (north-south) network activity looks like and identifies anomalous traffic patterns using machine learning.

      • Example detection models: anomalous_traffic_s3, anomalous_traffic_dns, anomalous_traffic_ssh
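As an added illustration (not Netography's code or its detection models), the following Python shows what flow-metadata detections for two of these stages look like when run over constructed AWS VPC Flow Log v2 records: a port-scan check for the internal recon stage and a large internal SMB download check for the data staging stage. The field layout, the tuning thresholds, and the account and interface identifiers are assumptions made for this example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Field order of an AWS VPC Flow Log v2 default record (assumed here; verify against your own log format).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PLACEHOLDER_ACCT = "111111111111"  # constructed account id, not a real one

def flow_line(src, dst, sport, dport, nbytes, action="ACCEPT"):
    """Build one constructed flow-log line in the FIELDS order (TCP, one-minute window)."""
    return (f"2 {PLACEHOLDER_ACCT} eni-0example {src} {dst} {sport} {dport} 6 10 "
            f"{nbytes} 1718000000 1718000060 {action} OK")

# Constructed sample window: a 30-port probe, a ~2 GB SMB pull from a file server, and benign HTTPS.
SAMPLE_LOGS = (
    [flow_line("10.0.1.5", "10.0.2.9", 49000 + p, p, 60, "REJECT") for p in range(1, 31)]
    + [flow_line("10.0.3.20", "10.0.1.7", 445, 50000 + i, 200_000_000) for i in range(10)]
    + [flow_line("10.0.1.8", "10.0.3.21", 51000, 443, 4_000)]
)
PORTSCAN_MIN_PORTS = 20           # assumed tuning threshold: distinct ports per src/dst pair
SMB_DOWNLOAD_MIN_BYTES = 1 << 30  # assumed tuning threshold: 1 GiB per server/client pair

def parse(lines):
    """Split whitespace-delimited records into dicts with numeric fields converted."""
    for line in lines:
        rec = dict(zip(FIELDS, line.split()))
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        yield rec

def detect_portscan(records):
    """Internal recon: one source touching many distinct ports on one destination."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return [{"model": "portscan", "src": s, "dst": d, "ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= PORTSCAN_MIN_PORTS]

def detect_large_internal_smb_download(records):
    """Data staging: bytes sent by an internal SMB server (srcport 445) to an internal client."""
    total = defaultdict(int)
    for r in records:
        if (r["srcport"] == 445 and ip_address(r["srcaddr"]).is_private
                and ip_address(r["dstaddr"]).is_private):
            total[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return [{"model": "large_internal_smb_download", "server": s, "client": c, "bytes": b}
            for (s, c), b in total.items() if b >= SMB_DOWNLOAD_MIN_BYTES]

def run_detections(lines):
    """Parse one window of flow records and return all alerts from both models."""
    records = list(parse(lines))
    return detect_portscan(records) + detect_large_internal_smb_download(records)
```

Running `run_detections(SAMPLE_LOGS)` yields one portscan alert for 10.0.1.5 and one SMB download alert for the 10.0.3.20 to 10.0.1.7 pair, while the HTTPS flow produces nothing; in practice the thresholds would be replaced by a learned per-host baseline as the text describes.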

Start Detecting Ransomware. Today.

The Fusion platform unlocks your fundamental source of truth in your network and delivers a real-time, contextualized view of all network activity across your multi-cloud or hybrid network. Fusion’s AI-powered detection engine identifies ransomware activity your platform-native tools and legacy technologies miss, delivering high-confidence alerts. 

About Netography

Netography is the leader in holistic network security and observability across your multi-cloud, single-cloud, or hybrid network. Netography’s AI-powered analytics and high-fidelity, high-confidence alerts enable your operations teams to respond faster, before malicious and anomalous activity can disrupt operations, spike costs, or threaten business continuity.

Netography Fusion is a 100% SaaS, cloud-native platform that provides real-time detection and response to compromises and anomalies at scale without the burden of deploying sensors, agents, or taps.

Based in Annapolis, MD, Netography® is backed by leading venture firms, including Bessemer Venture Partners, SYN Ventures, A16Z, and more. For more information, visit netography.com.
