Network Excavation: Going Beyond What Your Existing Tools Can Tell You
By Joel Esler, VP of Threat Research
Netography Fusion combines on-premises flow data (NetFlow and sFlow) with flow logs from the major cloud providers, including Amazon Web Services (AWS), Google Cloud Platform (GCP), Oracle Cloud, and others, so you can hunt through all of that data quickly and efficiently in one place. Need to observe and secure how your traffic flows between cloud providers? Done. Between your on-prem infrastructure and the cloud? Done. Between either of them and the internet? Done. Hunting through that data with our easy-to-use Netography Query Language (NQL) is a powerful tool in any security or network practitioner’s arsenal.
In this blog post I’m going to show you a couple of recent techniques our Threat Research Team uses to identify malicious traffic on a network, and how we use what we find to develop new strategies and Netography Detection Modules (NDMs) for customers, as well as to alert customers to issues on their network so they can take immediate action.
The Netography Threat Research Team was formed with automation, proactive research, and machine learning in mind. We ask ourselves, “How can we develop new detections and proactively defend customers without having to dedicate hundreds of people and hours of resources to each individual threat?” I have worked on those teams in my former roles, and I have seen how that sausage is made. While I have seen the effectiveness of those teams, we wanted to reimagine and drive a more effective approach for an increasingly encrypted world.
Our recent addition of context labels gives both our team and our customers the ability to visualize their traffic in ways they have never seen before. Let me provide a couple of recent examples where this has proven to be a powerful capability.
Context Labels in Action
Following the rollout of our context label feature, a customer immediately enabled this functionality to pull information from their AWS infrastructure. Enabling this functionality allows the Netography Fusion portal to pull…