
Netography Detection Model Release – April 24, 2023



The Netography Threat Research Team has released its latest detections:

The team creates Netography Detection Models (NDMs) to detect botnets, malware, P2P, data exfiltration, ransomware, phishing, spam, DDoS activity and more. These threat and network configuration detection models are included at no additional charge and are continuously refined, with new NDMs added frequently as threats evolve. There are no packages to download and no updates to push. All models are completely open, customizable, and transparent to your analysts.

Netography Detection Model Updates:

Threat Detection

censys_scanning – This TDM was adjusted to reduce the number of alerts generated across the customer base.

knowntorproxy – This TDM was adjusted to use intelligence generated by the Netography Threat Research team.

outbound_ftp_traffic – This TDM alerts on the presence of outbound plaintext FTP sessions. Examine this traffic to confirm that use of a cleartext protocol is permitted for the hosts involved. This TDM is enabled by default.

outbound_telnet_traffic – This TDM alerts on the presence of outbound plaintext Telnet traffic. Examine this traffic to confirm that use of a cleartext protocol is permitted for the hosts involved. This TDM is enabled by default.

outbound_pop3_traffic – This TDM alerts on the presence of outbound plaintext POP3 traffic. Examine this traffic to confirm that use of a cleartext protocol is permitted for the hosts involved. This TDM is disabled by default.

outbound_imap_traffic – This TDM alerts on the presence of outbound plaintext IMAP traffic. Examine this traffic to confirm that use of a cleartext protocol is permitted for the hosts involved. This TDM is disabled by default.

Post Compromise Detection

ip_lookup_attempt – This TDM generates an alert when an internal IP attempts to look up its own public IP via an external IP lookup service. This is often an indicator of malware. Examine the internal host to determine which process is making the external connection. This TDM is enabled by default.

neto_scanner_outbound – This TDM generates an alert when an internal IP makes a connection to a known scanner on the internet. It does this by examining connections to the IP Reputation category “neto_scanners”, an intelligence category generated by the Netography Threat Research team through monitoring of dark IP space. An alert from this TDM indicates that an internal host responded to an inbound scan, so the firewall rules that permitted the inbound scan and the outbound reply should be reviewed. This TDM is enabled by default.
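To make the direction and default-state logic of the models above concrete, here is an added example (not Netography's code or the platform's own NDM syntax) that evaluates the six outbound models over flow records. The internal address ranges, the sample flows, the reputation table and its "ip_lookup_service" category are all constructed for this example; "neto_scanners" is the category the release notes name.

```python
import ipaddress
# Internal address space assumed for this example (constructed; set to your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Cleartext-protocol TDMs from the release notes: destination port -> (name, enabled by default).
CLEARTEXT_TDMS = {
    21: ("outbound_ftp_traffic", True),
    23: ("outbound_telnet_traffic", True),
    110: ("outbound_pop3_traffic", False),
    143: ("outbound_imap_traffic", False),
}
# Stand-in for the platform's IP Reputation categories. The addresses and the
# "ip_lookup_service" category are constructed; "neto_scanners" is named in the release notes.
REPUTATION = {"203.0.113.5": "ip_lookup_service", "198.51.100.9": "neto_scanners"}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def evaluate(flows, overrides=None):
    """Run the TDMs over (src_ip, dst_ip, dst_port, proto) tuples and return
    (tdm_name, src_ip, dst_ip) alerts. `overrides` flips a model's default state,
    e.g. {"outbound_pop3_traffic": True}."""
    enabled = {name: default for name, default in CLEARTEXT_TDMS.values()}
    enabled.update({"ip_lookup_attempt": True, "neto_scanner_outbound": True})
    enabled.update(overrides or {})
    alerts = []
    for src, dst, dport, proto in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # every model here is about outbound traffic: internal -> external
        if proto == "tcp" and dport in CLEARTEXT_TDMS:
            name = CLEARTEXT_TDMS[dport][0]
            if enabled[name]:
                alerts.append((name, src, dst))
        category = REPUTATION.get(dst)
        if category == "ip_lookup_service" and enabled["ip_lookup_attempt"]:
            alerts.append(("ip_lookup_attempt", src, dst))  # host asking "what is my IP?"
        elif category == "neto_scanners" and enabled["neto_scanner_outbound"]:
            alerts.append(("neto_scanner_outbound", src, dst))  # reply to an inbound scan
    return alerts

# Constructed sample flows covering each model plus two out-of-scope cases.
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.0.2.10", 21, "tcp"),      # outbound FTP: alert (enabled by default)
    ("10.1.2.3", "192.0.2.11", 110, "tcp"),     # outbound POP3: silent unless enabled
    ("10.1.2.4", "203.0.113.5", 443, "tcp"),    # internal host contacts an IP lookup service
    ("10.1.2.5", "198.51.100.9", 8080, "tcp"),  # internal host connects back to a known scanner
    ("10.1.2.3", "10.1.2.9", 23, "tcp"),        # internal-to-internal telnet: not outbound
    ("192.0.2.10", "10.1.2.3", 21, "tcp"),      # inbound FTP: not outbound
]
```

Running `evaluate(SAMPLE_FLOWS)` with the defaults yields three alerts (FTP, IP lookup, scanner); passing `{"outbound_pop3_traffic": True}` adds the POP3 one, which mirrors enabling that model in the platform.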


The Netography Threat Research Team constantly updates and improves our detection capabilities, seamlessly integrating them into the Netography Fusion® platform, so our customers can write once, then detect everywhere.

The post Netography Detection Model Release – April 24, 2023 appeared first on Netography.

*** This is a Security Bloggers Network syndicated blog from Netography authored by Netography Threat Research Team. Read the original post at: https://netography.com/netography-detection-model-release-april-24-2023/
