This document discusses how wire data analytics can be used to detect ransomware infections on a network. It explains that wire data, the information within network packet headers and payloads, can reveal the source of a ransomware infection in real time. Signs such as IDS events, user complaints of inaccessible files or strange desktop messages can indicate an infection. The document also describes how ransomware most commonly enters networks through phishing emails and recommends LANGuardian as a wire data analytics tool that can log and report on activity by IP address and user to investigate ransomware infections.
Slide 2 (www.netfort.com)
How will you know there is Ransomware on your network?
• IDS (Intrusion Detection System) events
• Users complaining they cannot access files
• User reports strange message on desktop
Slide 4
• This question was posted on an IT forum – main points from it are below:
• End user creates a file with a certain name in the file server.
• Issue currently is by default, Windows logs or FIM does not capture the IP address of the client who is creating this file on the file server.
• Infection starts to encrypt files and every time it moves from a directory to another.
• Leaves an instruction note that leads to a website/Tor network site or something.
• Immediate block on this IP from further causing damage.
Slide 5
Wire Data Analytics
• Wire data is data contained within the headers and payloads of network packets as traffic moves from one node to another.
• Wire data analytics is the process by which raw packet data is transformed into real-time and historical business and IT insight. This data in motion is what you’re learning in “continuously updated” mode, a constant mind-boggling flow of information that might include usernames, filenames, or website names.
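The forum scenario on slide 4 can be answered from this kind of metadata. The following is an added example, not code from the original slides or from any NetFort product: it assumes SMB file activity has already been extracted from traffic into records of (time, client IP, user, action, path), a hypothetical format with constructed sample data, and flags the client that changes many files across directories in a short window.

```python
import posixpath
from collections import defaultdict

# Constructed sample records in a hypothetical format (not any product's output):
# (timestamp_seconds, client_ip, user, smb_action, path)
EVENTS = [
    (0,   "10.0.0.23", "alice", "write",  "/share/hr/plan.docx"),
    (300, "10.0.0.23", "alice", "read",   "/share/hr/plan.docx"),
    (100, "10.0.0.57", "bob",   "rename", "/share/fin/q1.xlsx"),
    (102, "10.0.0.57", "bob",   "rename", "/share/fin/q2.xlsx"),
    (103, "10.0.0.57", "bob",   "create", "/share/fin/HOW_TO_RECOVER.txt"),
    (105, "10.0.0.57", "bob",   "rename", "/share/hr/plan.docx"),
    (106, "10.0.0.57", "bob",   "rename", "/share/hr/staff.xlsx"),
    (107, "10.0.0.57", "bob",   "create", "/share/hr/HOW_TO_RECOVER.txt"),
]

def find_suspects(events, window=60, min_changes=4, min_dirs=2):
    """Flag clients that write/rename >= min_changes files in >= min_dirs
    directories within `window` seconds. Thresholds are illustrative."""
    by_client = defaultdict(list)
    for ts, ip, user, action, path in events:
        if action in ("write", "rename", "create"):
            by_client[(ip, user)].append((ts, action, path))
    suspects = {}
    for (ip, user), recs in by_client.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward so it spans at most `window` seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            changed = [p for _, a, p in recs[start:end + 1] if a in ("write", "rename")]
            dirs = {posixpath.dirname(p) for p in changed}
            if len(changed) >= min_changes and len(dirs) >= min_dirs:
                # Supporting evidence: the same new filename created in
                # several directories, as an instruction note would be.
                seen = defaultdict(set)
                for _, a, p in recs:
                    if a == "create":
                        seen[posixpath.basename(p)].add(posixpath.dirname(p))
                suspects[ip] = {
                    "user": user,
                    "changes": len(changed),
                    "dirs": sorted(dirs),
                    "repeated_new_files": sorted(n for n, d in seen.items() if len(d) >= 2),
                }
                break
    return suspects

if __name__ == "__main__":
    print(find_suspects(EVENTS))
```

The returned client IP and user name are what the file server's own logs in the forum question were missing, and are the input to the "immediate block" step.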
Slide 7
How does Ransomware get in?
• The most common way that ransomware can get into your network is through phishing campaigns
• These types of attacks have become much more sophisticated over the last number of years
• Some common examples of what the phishing campaigns might look like can be seen in the next few slides
Slide 12
Why LANGuardian should be your only choice for Wire Data Analytics
• Logs and reports on activity by IP address and actual user name.
• Unique levels of detail using NetFort metadata for critical protocols including SMB, HTTP and SQL.
• All wire data retained in a built-in database.
• Go back on data days, weeks or months without the need for expensive hardware and storage.
• Built-in application recognition engine tracks usage by application and user name.
• Connect to a SPAN or mirror port and instantly monitor anywhere across your network.
• Download and deploy on standard server hardware, VMware or Hyper-V.
Editor's Notes
Can Download and get it on your network in 30 minutes!!!
Virtual or physical!!
Free fully functional trial, 30 days