How to easily detect SMBv1 scanning by using traffic visibility?
SMB Exploitation is an easy way to take control of a Network! - Read how to easily see this attack method!
NetFort has always believed in the visibility that can be extracted from wire data, basic network traffic analysis or deep packet inspection. Every device, user, and application on the network leaves a trail, always. No need to turn it ON, this vendor agnostic trail can easily be captured on any network and used for many security and operational use cases. Look at Wireshark and how strong the community is, it continues to grow from strength to strength. Of course, one of the main reasons is that all the people involved are passionate about network data traffic and really care about what they do.
The traffic analysis engine should do as much of the heavy lifting as possible, to initially present it at a high level so one can see anomalies, make the network traffic data easier to store, query, search, read, analyse, correlate, and act on. This is what we help our customers do with traffic at NetFort.
One of our core building blocks is the ability to generate metadata for easy visibility!
We have a number of application ‘decoders’, stateful followers that generate application specific metadata. The complexity of the decoder depends on the application, some for example including SMB and NFS are not trivial.
Fingerprinting, reassembly, metadata extraction and storage, all in real time is not easy. We have worked hard on these to get them reliable and to perform at scale. But, as a result, we now have a robust scalable unique engine ideal for many use cases proven on many diverse customer networks. The decoders have also helped us grow because they help organisations of all sizes (including central and local government, utilities, legal, education and the military) address various vulnerabilities including those found in implementations of Server Message Block 1.0. Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.
Read more on "How to detect SMB exploitation!" -