Detection Model Library

Detection Categories

Categorizing Fusion detections (aka NDMs) helps you understand the type of event encountered by Fusion.

Attack

Attack detections within Netography Fusion's Netography Detection Models (NDMs) are designed to identify and alert network administrators to attempts to break into their networks remotely. These detections look for suspicious patterns of network activity coming inbound from the Internet, including, in some cases, activity that is coming from IP addresses with bad reputations. Although scanning, brute force, and other malicious activity is quite common on the Internet, the NDMs in the attack category detect patterns of activity that may be of greater concern, such as interactive login sessions. By promptly identifying these indicators, the NDMs allow network administrators to take immediate action, mitigating further damage and initiating incident response procedures if necessary.

Brute Force

Brute Force detections within Netography Fusion's Netography Detection Models (NDMs) are designed to identify and alert network administrators to activities associated with attempts at guessing usernames and passwords for network services. These detections look for patterns of network activity consistent with large numbers of repeated connections between the same client and server, which is often indicative of a client repeatedly trying different login credentials against the server. Brute force activity against Internet-facing services is very commonplace, but brute force attacks originating within your network may indicate a compromise is in progress. By promptly identifying these indicators, the NDMs allow network administrators to take immediate action, mitigating further damage and initiating incident response procedures if necessary.

Denial of Service

Denial of Service (DoS) attacks are a significant security risk where threat actors aim to make a network, service, or server unavailable by flooding it with excessive traffic, leading to potential operational disruptions. Netography Fusion has developed the Netography Detection Models (NDMs) to counter these threats effectively. NDMs use a combination of advanced analytics and comprehensive network behavior modeling to identify and flag potential DoS attacks. These detection models use specific, predefined patterns and rules to recognize potential threats, and provide real-time alerts about suspicious activity. By promptly identifying and responding to these alerts, organizations can take the necessary steps to mitigate the attack, ensuring their systems remain accessible and functional.

Informational

Informational detections are a category within Netography Fusion's Netography Detection Models (NDMs) that provide valuable insights about unusual but not necessarily malicious network behavior. These detections are designed to inform and alert network administrators about irregularities that could impact network functionality or indicate potential vulnerabilities. For example, the 6in4tunnel detection flags IPv6 traffic tunneled over IPv4, which, while not inherently harmful, could be exploited for covert communication. The alltcpflags detection alerts when all TCP flags are set, an unusual condition often associated with network scanning or evasion techniques. While these detections may not always signify an imminent attack, they serve as critical informational tools for maintaining network hygiene and preemptively addressing potential security risks.

Misconfiguration

Misconfiguration detections are a crucial aspect of Netography Fusion's Netography Detection Models (NDMs) that identify potential vulnerabilities caused by incorrect network setup or security configurations. These detections highlight issues that could expose a network to potential security risks. For instance, the 'external_snmp_sweep' detection alerts to attempts to gather SNMP (Simple Network Management Protocol) data from the external network, often indicative of reconnaissance activity by a potential threat actor. The 'msrdp' detection flags instances of Microsoft Remote Desktop Protocol being used, which could expose a network to vulnerabilities if not securely configured. The 'outbound_smb_traffic' detection pinpoints the use of Server Message Block protocol for outbound traffic, which should typically be confined to the internal network for security purposes. Finally, the 'outbound_telnet_traffic' detection signals when telnet is being used for outbound traffic; telnet is an outdated and insecure protocol that could pose security risks. Each of these detections helps network administrators identify and correct configuration errors, thereby enhancing the overall security posture of their network.
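The Informational and Misconfiguration examples above (6in4tunnel, alltcpflags, msrdp, outbound_smb_traffic, outbound_telnet_traffic) are all conditions that can be evaluated against a single flow record. The following is an added example, written for this page and not Netography's own detection code: it shows how such per-flow rules can be expressed and tested. The Flow record layout, the internal address ranges, the 8-bit NetFlow-style tcp_flags bitmask, and the exact rule conditions (for example treating msrdp as RDP that crosses the network perimeter) are assumptions made here for illustration, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical flow record. Field names are an assumption for this example,
# not Fusion's actual flow schema.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP, 41 = IPv6-in-IPv4
    dport: int       # destination port (0 for protocols without ports)
    tcp_flags: int   # bitmask of TCP flags seen in the flow (0 for non-TCP)

# Assumed "internal" address space (RFC 1918); a deployment would use its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# All eight flag bits of the NetFlow-style tcpFlags byte:
# CWR ECE URG ACK PSH RST SYN FIN -> 0xFF (assumed encoding).
ALL_TCP_FLAGS = 0xFF

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(flow: Flow) -> list:
    """Return a list of (category, detection_name) pairs that match this flow."""
    hits = []
    src_int, dst_int = is_internal(flow.src), is_internal(flow.dst)
    outbound = src_int and not dst_int
    crosses_perimeter = src_int != dst_int

    # Informational: IPv6 tunneled over IPv4 (protocol 41).
    if flow.proto == 41:
        hits.append(("informational", "6in4tunnel"))
    # Informational: every TCP flag bit set, a combination normal stacks never emit.
    if flow.proto == 6 and flow.tcp_flags == ALL_TCP_FLAGS:
        hits.append(("informational", "alltcpflags"))
    # Misconfiguration: RDP crossing the perimeter in either direction (assumed rule).
    if flow.proto == 6 and flow.dport == 3389 and crosses_perimeter:
        hits.append(("misconfiguration", "msrdp"))
    # Misconfiguration: SMB leaving the internal network.
    if outbound and flow.proto == 6 and flow.dport == 445:
        hits.append(("misconfiguration", "outbound_smb_traffic"))
    # Misconfiguration: telnet leaving the internal network.
    if outbound and flow.proto == 6 and flow.dport == 23:
        hits.append(("misconfiguration", "outbound_telnet_traffic"))
    return hits

# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.9", 6, 445, 0x02),     # SMB outbound -> flagged
    Flow("10.1.2.3", "10.1.2.4", 6, 445, 0x02),        # SMB internal -> fine
    Flow("198.51.100.7", "10.1.2.3", 6, 80, 0xFF),     # all TCP flags set
    Flow("10.1.2.3", "203.0.113.9", 41, 0, 0),         # 6in4 tunnel
    Flow("198.51.100.7", "10.1.2.3", 6, 3389, 0x02),   # inbound RDP
    Flow("10.1.2.3", "203.0.113.9", 6, 23, 0x02),      # telnet outbound
    Flow("10.1.2.3", "203.0.113.9", 6, 443, 0x12),     # ordinary HTTPS -> fine
]

def run(flows=SAMPLE_FLOWS) -> list:
    """Evaluate every flow and return (src, dst, detection_name) for each hit."""
    return [(f.src, f.dst, name) for f in flows for _cat, name in classify(f)]

if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Sweep-style detections such as external_snmp_sweep are not per-flow rules; they require counting SNMP probes across many destinations from one source over time, which is the aggregation pattern shown in the Recon example further down.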

Operational Governance

Operational Governance detections are a part of Netography Fusion's Netography Detection Models (NDMs) and are designed to promote best practices in network hygiene and responsible use of network resources. These detections can identify behaviors that, while not directly malicious, may pose security or compliance risks. For instance, the system can detect use of social media on the network, which can be a potential avenue for phishing or social engineering attacks. Detection of third-party VPN usage is another feature of this category; while VPNs can provide security, unauthorized or non-standard VPNs could be used to bypass network security controls or exfiltrate data. Similarly, the use of instant messaging clients can be detected, which can help enforce communication policies and prevent data leakage. By alerting network administrators to these activities, Operational Governance detections help maintain a clean, secure, and compliant network environment.

Post Compromise

Post-Compromise detections are a vital feature of Netography Fusion's Netography Detection Models (NDMs) designed to identify and alert about activities associated with already compromised systems. These detections focus on recognizing the signs of a machine that has been breached and is possibly being manipulated for malicious activities. For example, the system can detect Command and Control (C2) traffic, often a clear sign of a compromised machine being remotely controlled by a threat actor. Another key detection involves monitoring for connections to external IPs with a known bad reputation, which might suggest data exfiltration or further malware download from malicious sources. The 'ip_lookup_attempt' detection, specifically, flags when a machine is attempting to look up its own IP address. This behavior is often exhibited by certain malware strains post-infection to understand more about the infected network environment. By promptly identifying these post-compromise indicators, the NDMs allow network administrators to take immediate action, mitigating further damage and initiating incident response procedures.

Recon

Recon detections are an essential component of Netography Fusion's Netography Detection Models (NDMs) that are designed to identify and alert network administrators to activities associated with scanning and reconnaissance. These detections help identify potential attackers who are seeking information about the network and its infrastructure. For example, the system can detect Port Scanning and Service Enumeration attempts, which indicate an attacker is trying to identify open ports and the services running on them. The detection of OS Fingerprinting attempts can identify an attacker's attempt to learn more about the target operating system and any associated vulnerabilities. By identifying these reconnaissance activities, the system can alert network administrators to the presence of potential threats and enable them to take the necessary steps to mitigate these threats before they escalate into a full-blown attack.
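Both the Brute Force category above (many repeated connections between the same client and server) and the Recon category (one source probing many ports on a host) are detected by aggregating flows over a time window rather than by inspecting a single record. The following is an added example written for this page, not Netography's own detection logic: it implements both aggregations over constructed sample flows. The Flow record fields, the 60-second window, and the thresholds (20 repeated connections for brute force, 15 distinct ports for a port scan) are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical flow record; field names are an assumption for this example.
@dataclass(frozen=True)
class Flow:
    ts: float    # flow start time in seconds
    src: str
    dst: str
    dport: int

def brute_force_candidates(flows, window=60.0, threshold=20):
    """Return (src, dst, dport) triples with >= threshold flows inside any
    `window`-second span: the same client hammering the same service."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.ts)
    hits = set()
    for key, stamps in by_key.items():
        stamps.sort()
        lo = 0  # left edge of the sliding window
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(key)
                break
    return sorted(hits)

def port_scan_candidates(flows, window=60.0, threshold=15):
    """Return (src, dst) pairs where src touched >= threshold distinct
    destination ports on dst inside any `window`-second span."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append((f.ts, f.dport))
    hits = set()
    for pair, events in by_pair.items():
        events.sort()
        in_window = defaultdict(int)  # port -> occurrences inside the window
        lo = 0
        for hi, (t, port) in enumerate(events):
            in_window[port] += 1
            # Evict events that fell out of the window, keeping distinct-port count exact.
            while t - events[lo][0] > window:
                old_port = events[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            if len(in_window) >= threshold:
                hits.add(pair)
                break
    return sorted(hits)

def build_sample_flows():
    """Constructed sample: one SSH brute force, one port scan, some benign traffic."""
    flows = []
    # 25 connections from 10.0.0.5 to 10.0.0.20:22 over 50 seconds
    for i in range(25):
        flows.append(Flow(1000.0 + 2 * i, "10.0.0.5", "10.0.0.20", 22))
    # 20 distinct ports from 10.0.0.9 to 10.0.0.30 over 20 seconds
    for i in range(20):
        flows.append(Flow(2000.0 + i, "10.0.0.9", "10.0.0.30", 1 + i))
    # 5 HTTPS connections spread over 25 minutes: well under both thresholds
    for i in range(5):
        flows.append(Flow(3000.0 + 300 * i, "10.0.0.7", "10.0.0.40", 443))
    return flows

if __name__ == "__main__":
    sample = build_sample_flows()
    print("brute force:", brute_force_candidates(sample))
    print("port scan:", port_scan_candidates(sample))
```

The two aggregations key on different things: brute force counts repeats of the same (client, server, port) triple, while the scan counts distinct ports per (client, server) pair, so a scanner that touches each port once never trips the brute-force rule and a password guesser that hits one port never trips the scan rule. Real thresholds should be tuned per environment, since the same internal client legitimately opening many connections to one service (a load-balancer health check, for instance) will otherwise generate noise.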

System

System detections within Netography Fusion's Netography Detection Models (NDMs) identify conditions that relate to the overall health of the Netography system and flow collection. System detections help network administrators identify and correct configuration errors, network outages, and other conditions that may negatively impact flow collection by the Netography platform. It is important to identify and rectify problems with flow collection quickly, because they may reduce the coverage and accuracy of other detections within Netography Fusion.