Netography Detection Release Notes - 2023-05-15

On May 15, 2023, the Netography Threat Research Team released their Detection Model update, featuring Misconfiguration Detection with outbound_rejected_traffic and internal_socks5_proxy enabled by default, and Operational Governance Detection, which alerts customers when an internal IP address is seen using a socks5 proxy on the internet. Post-Compromise Detection has ping_scan_int-ext enabled by default, while Recon Detection includes internal_scan_tcp-rst-ack to flag vulnerability identification and network mapping. Additionally, ping_scan_ext-int and ping_scan_int-int are available, but off by default. These NDMs are included at no additional cost and are fully open for analysts to work with, without the need to push updates or download new packages. The Netography Threat Research Team is constantly improving their detection capabilities and seamlessly integrating them into the Netography Fusion platform, helping customers detect threats more easily and effectively.

Misconfiguration Detection

outbound_rejected_traffic - This NDM detects traffic attempting to leave the network that has been blocked or denied by network security policies. This event helps to identify potential threats or policy violations that could be compromising network security. This NDM is enabled by default.

internal_socks5_proxy - This NDM is designed to detect socks5 traffic on the local customer network. This NDM is enabled by default.

Operational Governance Detection

external_socks5_proxy - This security event is triggered when the Netography Fusion Portal detects the use of a socks5 proxy on the internet by an internal customer IP address. This may indicate that security controls are being bypassed. This NDM is enabled by default.

Post-Compromise Detection

ping_scan_int-ext - This NDM monitors for internal to external ping scans on the network. This may be indicative of infection or a misconfiguration of a network scanning or mapping tool. This NDM is on by default.

Recon Detection

internal_scan_tcp-rst-ack - This NDM is triggered when an internal scan is detected where the server sends a reset (RST) and acknowledgement (ACK) packet to terminate the connection. This type of scan is commonly used by attackers to map out internal networks and identify vulnerable hosts. It also indicates a machine that is repeatedly attempting to reach the same host and port combination hundreds of times, which may be indicative of a firewall block or a misconfiguration. This NDM is enabled by default.

ping_scan_ext-int - This NDM monitors for external to internal ping scans on the network. It detects when an external entity is trying to map out the internal infrastructure by pinging various IP addresses. This NDM is off by default.

ping_scan_int-int - This NDM monitors for internal to internal ping scans on a network. This NDM is off by default.
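As an added example, not Netography's code and not how Fusion implements these models, the following Python approximates the internal_scan_tcp-rst-ack and ping_scan_* logic described above over constructed connection records; the RFC 1918 "internal" boundary, the record format and both thresholds are assumptions (the page only says "hundreds" of retries for the RST/ACK case).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "internal"; the page does not define the boundary.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def direction(src, dst):
    """Label a flow int-int / int-ext / ext-int / ext-ext by its endpoints."""
    return f"{'int' if is_internal(src) else 'ext'}-{'int' if is_internal(dst) else 'ext'}"

def detect(records, rst_ack_threshold=100, ping_threshold=20):
    """Approximate the RST/ACK scan and ping-scan NDMs over connection records.
    Record: dict with src, dst, proto ("tcp"/"icmp"), dport and, for TCP,
    resp_flags (flags the server answered with). Thresholds are assumed values.
    Returns sorted (model_name, src, detail) tuples."""
    rst_ack = defaultdict(int)   # (src, dst, dport) -> RST/ACK replies seen
    pings = defaultdict(set)     # (src, direction) -> distinct destinations pinged
    for r in records:
        if r["proto"] == "tcp" and r.get("resp_flags") == "RA":
            rst_ack[(r["src"], r["dst"], r["dport"])] += 1
        elif r["proto"] == "icmp":
            pings[(r["src"], direction(r["src"], r["dst"]))].add(r["dst"])
    alerts = []
    for (src, dst, dport), n in rst_ack.items():
        # Only internal sources count: the model is internal_scan_tcp-rst-ack
        if is_internal(src) and n >= rst_ack_threshold:
            alerts.append(("internal_scan_tcp-rst-ack", src, f"{dst}:{dport} x{n}"))
    for (src, dirn), dsts in pings.items():
        if dirn != "ext-ext" and len(dsts) >= ping_threshold:
            alerts.append((f"ping_scan_{dirn}", src, f"{len(dsts)} hosts"))
    return sorted(alerts)

# Constructed sample: 150 retries to one SMB port answered with RST/ACK, one
# internal host pinging 25 internet addresses, one external host pinging 3 internal.
SAMPLE = (
    [{"src": "10.1.1.5", "dst": "10.1.2.9", "proto": "tcp", "dport": 445, "resp_flags": "RA"}] * 150
    + [{"src": "10.1.1.7", "dst": f"203.0.113.{i}", "proto": "icmp", "dport": 0} for i in range(1, 26)]
    + [{"src": "198.51.100.4", "dst": f"10.1.3.{i}", "proto": "icmp", "dport": 0} for i in range(1, 4)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

With the default thresholds the external host pinging three internal addresses stays below the ping threshold and produces no alert; lowering ping_threshold surfaces it as ping_scan_ext-int.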

The Netography Threat Research Team constantly updates and improves our detection capabilities, seamlessly integrating them into the Netography Fusion® platform, so our customers can write once, then detect everywhere.