www.netfort.com
Ransomware.
How wire data can be used to detect the source of the problem
Darragh Delaney
Slide 2
How will you know there is Ransomware on your network?
• IDS (Intrusion Detection System) events
• Users complaining they cannot access files
• User reports strange message on desktop
Slide 4
• This question was posted on an IT forum. The main points from it are below:
• End user creates a file with a certain name on the file server.
• The issue currently is that, by default, Windows logs or FIM do not capture the IP address of the client who is creating this file on the file server.
• The infection starts to encrypt files and, each time, moves from one directory to another.
• Leaves an instruction note that leads to a website/Tor network site or something.
• Immediate block on this IP to stop it causing further damage.
Slide 5
Wire Data Analytics
• Wire data is data contained within the headers and payloads of network packets as traffic moves from one node to another.
• Wire data analytics is the process by which raw packet data is transformed into real-time and historical business and IT insight. This data in motion is what you’re learning in “continuously updated” mode, a constant mind-boggling flow of information that might include usernames, filenames, or website names.
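The forum scenario on Slide 4 and the definition on Slide 5 come together in practice as a small piece of detection logic over the metadata wire data yields: each SMB file operation seen on the wire already carries the client IP, the user name and the file name, which is exactly what the server-side Windows logs in the scenario were missing. The example below is added here and is not NetFort or LANGuardian code. It assumes the SMB traffic has already been decoded into per-operation records with the fields shown, and the sample records, the ransom-note filename pattern and the thresholds are all constructed for illustration. It looks for the two behaviours the forum post describes: a client creating an instruction-note file, and a client writing or renaming files across many directories in a short window, and reports the client IP and user name to act on.

```python
"""Locate the source client of ransomware activity from SMB wire-data records.

Added example, not NetFort code. Assumes wire data has already been reduced
to one record per SMB file operation; sample data, the ransom-note name
pattern and the thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SmbOp:
    ts: datetime
    client_ip: str   # taken from the IP header of the SMB request
    user: str        # taken from the SMB session setup
    action: str      # "create", "write", "rename" or "delete"
    path: str        # UNC path on the file server, backslash separated


# Constructed pattern for ransom-note file names (assumption; tune locally).
NOTE_PATTERN = re.compile(r"(?i)(readme|how[_ -]?to[_ -]?decrypt|recover).*\.(txt|html?)$")


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def find_note_creators(ops):
    """Return {client_ip: set(paths)} for clients that created note-like files."""
    hits = defaultdict(set)
    for op in ops:
        if op.action == "create" and NOTE_PATTERN.search(_basename(op.path)):
            hits[op.client_ip].add(op.path)
    return dict(hits)


def find_directory_sweepers(ops, window=timedelta(minutes=5), min_dirs=3, min_ops=5):
    """Return {client_ip: max_distinct_dirs} for clients whose write/rename
    operations, inside any sliding window of `window`, touch at least
    `min_dirs` distinct directories with at least `min_ops` operations."""
    by_client = defaultdict(list)
    for op in sorted(ops, key=lambda o: o.ts):
        if op.action in ("write", "rename"):
            by_client[op.client_ip].append(op)
    flagged = {}
    for ip, client_ops in by_client.items():
        start = 0
        for end in range(len(client_ops)):
            while client_ops[end].ts - client_ops[start].ts > window:
                start += 1
            span = client_ops[start:end + 1]
            dirs = {_dirname(o.path) for o in span}
            if len(span) >= min_ops and len(dirs) >= min_dirs:
                flagged[ip] = max(flagged.get(ip, 0), len(dirs))
    return flagged


def suspects(ops):
    """Combine both signals into a list of (client_ip, user, reasons)."""
    notes = find_note_creators(ops)
    sweeps = find_directory_sweepers(ops)
    users = {}
    for op in ops:
        users.setdefault(op.client_ip, op.user)
    result = []
    for ip in sorted(set(notes) | set(sweeps)):
        reasons = []
        if ip in notes:
            reasons.append("created note file: " + sorted(notes[ip])[0])
        if ip in sweeps:
            reasons.append("wrote/renamed across %d directories" % sweeps[ip])
        result.append((ip, users[ip], reasons))
    return result


# Constructed sample: one normal user and one infected workstation.
_T0 = datetime(2017, 1, 1, 9, 0, 0)
SAMPLE_OPS = [
    SmbOp(_T0, "10.1.1.5", "alice", "write", r"\\fs01\finance\budget.xlsx"),
    SmbOp(_T0 + timedelta(seconds=30), "10.1.1.5", "alice", "write", r"\\fs01\finance\notes.docx"),
    SmbOp(_T0 + timedelta(seconds=60), "10.1.1.77", "bob", "rename", r"\\fs01\finance\report.docx.locked"),
    SmbOp(_T0 + timedelta(seconds=65), "10.1.1.77", "bob", "create", r"\\fs01\finance\README_DECRYPT.txt"),
    SmbOp(_T0 + timedelta(seconds=70), "10.1.1.77", "bob", "rename", r"\\fs01\hr\contracts.pdf.locked"),
    SmbOp(_T0 + timedelta(seconds=75), "10.1.1.77", "bob", "create", r"\\fs01\hr\README_DECRYPT.txt"),
    SmbOp(_T0 + timedelta(seconds=80), "10.1.1.77", "bob", "rename", r"\\fs01\shared\photo.jpg.locked"),
    SmbOp(_T0 + timedelta(seconds=85), "10.1.1.77", "bob", "write", r"\\fs01\shared\photo.jpg.locked"),
    SmbOp(_T0 + timedelta(seconds=90), "10.1.1.77", "bob", "rename", r"\\fs01\shared\sub\doc.txt.locked"),
]

if __name__ == "__main__":
    for ip, user, reasons in suspects(SAMPLE_OPS):
        print(ip, user, "; ".join(reasons))
```

Only the infected client is reported: it created a note file and swept four directories within the window, while the normal user's two writes in one directory stay under both thresholds. The note pattern is the weaker of the two signals on its own, since note names change between campaigns; the directory-sweep rate is what carries the detection once the note name is unknown.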
Slide 7
How does Ransomware get in?
• The most common way that ransomware gets into your network is through phishing campaigns.
• These types of attacks have become much more sophisticated over the last number of years.
• Some common examples of what the phishing campaigns might look like can be seen in the next few slides.
Slide 12
Why LANGuardian should be your only choice for Wire Data Analytics
• Logs and reports on activity by IP address and actual user name.
• Unique levels of detail using NetFort metadata for critical protocols including SMB, HTTP and SQL.
• All wire data retained in a built in database.
• Go back on data days, weeks or months without the need for expensive hardware and storage.
• Built in application recognition engine tracks usage by application and user name.
• Connect to a SPAN or mirror port and instantly monitor anywhere across your network.
• Download and deploy on standard server hardware, VMware or HyperV.