Over the last decade, endpoint telemetry, cloud-native security tooling, and identity-driven controls have dominated defensive strategy discussions. Yet the persistence of ransomware, data exfiltration campaigns, and hybrid intrusion operations has reinforced a familiar reality: attackers still have to move data across networks. That fact is precisely why Suricata remains strategically relevant.

The Return of Network-Centric Detection

Suricata has evolved from a traditional intrusion detection system into a high-performance network security platform capable of intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM), protocol analysis, and threat hunting support. In contemporary environments, Suricata is no longer simply a packet inspection engine sitting passively on a SPAN port. Properly deployed, it functions as a real-time telemetry layer capable of exposing adversary behaviour long before ransomware deployment or public data leakage.

The 2025 cyberattack against Kido International illustrates exactly why this matters. The attack reportedly resulted in the theft of highly sensitive information relating to thousands of children and staff, including photographs, addresses, contact details, and safeguarding information. The attackers, identified in reporting as the Radiant ransomware group, allegedly used extortion tactics that included leaking sample profiles of children online.

Although the precise technical kill chain was never fully disclosed publicly, the incident reflected a pattern now common across ransomware operations: initial compromise, lateral movement, credential abuse, data staging, exfiltration, and extortion. Suricata is particularly effective against exactly this sequence of activity.

How Suricata Actually Works

At its core, Suricata is a multi-threaded packet processing engine designed to inspect network traffic in real time. Unlike older IDS platforms constrained by single-threaded performance limitations, Suricata was built to scale across modern multicore infrastructure. This matters operationally because contemporary enterprise traffic volumes routinely overwhelm legacy inspection architectures.

Suricata analyses packets at Layer 3 through Layer 7, reconstructing sessions and decoding application-layer protocols including HTTP, TLS, DNS, SMB, FTP, SSH, SMTP, and industrial protocols. Rather than relying purely on raw packet signatures, it can evaluate protocol behaviour, metadata, flow state, and content relationships.

In practice, Suricata operates through several complementary detection models.

Signature-based detection remains central. Rules written in the Suricata rule language identify known malicious patterns such as ransomware command-and-control traffic, exploit kit payloads, suspicious PowerShell downloads, credential harvesting behaviour, or malware beaconing intervals.

Protocol anomaly detection extends visibility further. Suricata can identify malformed requests, protocol misuse, suspicious JA3 TLS fingerprints, DNS tunnelling indicators, or irregular SMB activity that may indicate lateral movement.

Its network security monitoring functionality is equally important. Even when no alert is generated, Suricata produces detailed metadata records through EVE JSON logging. These logs can be forwarded to platforms such as Elasticsearch, Logstash, Kibana, Splunk, or SIEM pipelines where analysts correlate behaviour over time.

That distinction is critical. Modern detection engineering increasingly depends not just on identifying known malware signatures but on exposing attacker tradecraft. A mature Suricata deployment, therefore, becomes less of a simple IDS and more of a network-centric detection fabric.
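The point about EVE JSON is that the metadata Suricata emits without any alert firing is itself hunting material. The following Python script is an added example (not code from the article or from the Suricata project) of the kind of correlation an analyst runs downstream of Suricata: it reads EVE `flow` and `dns` records, scores connection pairs for beacon-like timing regularity, and scores parent domains for the many-unique-high-entropy-subdomain pattern typical of DNS tunnelling. The records, hosts, domain names and thresholds are all constructed for the illustration; the "parent domain = last two labels" rule is a simplification of what a production tool would do with the public suffix list.

```python
"""Hunt in Suricata EVE JSON metadata for beaconing and DNS-tunnelling indicators.

Added example, not from the article or the Suricata project. The EVE records are
constructed and the thresholds are illustrative assumptions, to be tuned per network.
"""
import json
import math
import statistics
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata's default EVE timestamp layout


def _flow(ts, src, dst, port=443):
    # Constructed EVE 'flow' record, trimmed to the fields this example reads.
    return json.dumps({"timestamp": ts, "event_type": "flow", "src_ip": src,
                       "dest_ip": dst, "dest_port": port, "proto": "TCP"})


def _dns(ts, src, name):
    # Constructed EVE 'dns' query record, trimmed to the fields this example reads.
    return json.dumps({"timestamp": ts, "event_type": "dns", "src_ip": src,
                       "dns": {"type": "query", "rrname": name, "rrtype": "TXT"}})


# Constructed sample (not real telemetry): one host reaches 203.0.113.10:443 exactly
# every 60 s (beacon-like), a second host makes a few irregular connections, and the
# first host also issues several high-entropy subdomain lookups under one parent domain.
EVE_LINES = [
    *(_flow(f"2025-10-01T09:{m:02d}:00.000000+0000", "10.1.5.23", "203.0.113.10") for m in range(6)),
    _flow("2025-10-01T09:00:10.000000+0000", "10.1.5.40", "198.51.100.7"),
    _flow("2025-10-01T09:05:10.000000+0000", "10.1.5.40", "198.51.100.7"),
    _flow("2025-10-01T09:05:25.000000+0000", "10.1.5.40", "198.51.100.7"),
    _dns("2025-10-01T09:00:01.000000+0000", "10.1.5.40", "www.example.com"),
    *(_dns(f"2025-10-01T09:0{i}:05.000000+0000", "10.1.5.23", f"{label}.exfil.example")
      for i, label in enumerate(["k3x9q7m2w5b8z1c4", "p6d2r8t0y4u1i5o3", "a9s7f5g3h1j8l2n4",
                                 "q2w4e6r8t1y3u5i7", "z8x6c4v2b1n3m5l7"])),
]


def parse_eve(lines):
    """Parse EVE JSON lines, skipping blanks and malformed records (a real feed has both)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_beacons(records, min_flows=4, max_cv=0.2):
    """Flag (src, dst, port) tuples whose flow inter-arrival gaps are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps;
    a low value means the client connects on a fixed schedule, as implants often do."""
    buckets = defaultdict(list)
    for r in records:
        if r.get("event_type") != "flow":
            continue
        buckets[(r["src_ip"], r["dest_ip"], r["dest_port"])].append(
            datetime.strptime(r["timestamp"], TS_FMT))
    hits = {}
    for key, stamps in buckets.items():
        if len(stamps) < min_flows:          # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[key] = {"flows": len(stamps), "mean_gap_s": mean, "cv": round(cv, 3)}
    return hits


def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_dns_tunnelling(records, min_unique=4, min_entropy=3.5):
    """Flag parent domains that receive many distinct, high-entropy subdomain queries.

    Assumption: parent domain = last two labels (a real tool would consult the public suffix list)."""
    per_parent = defaultdict(set)
    for r in records:
        if r.get("event_type") != "dns" or r.get("dns", {}).get("type") != "query":
            continue
        labels = r["dns"]["rrname"].rstrip(".").split(".")
        if len(labels) < 3:
            continue
        per_parent[".".join(labels[-2:])].add(".".join(labels[:-2]))
    hits = {}
    for parent, subs in per_parent.items():
        if len(subs) < min_unique:
            continue
        mean_entropy = statistics.mean([shannon_entropy(s) for s in subs])
        if mean_entropy >= min_entropy:
            hits[parent] = {"unique_subdomains": len(subs), "mean_entropy": round(mean_entropy, 2)}
    return hits


def hunt(lines=EVE_LINES):
    """Run both detectors over a list of EVE JSON lines and return their findings."""
    records = parse_eve(lines)
    return {"beacons": find_beacons(records), "dns_tunnelling": find_dns_tunnelling(records)}


if __name__ == "__main__":
    for kind, hits in hunt().items():
        for key, detail in hits.items():
            print(f"{kind}: {key} {detail}")
```

On the constructed sample the regular 60-second connections from 10.1.5.23 are reported as a beacon candidate (six flows, coefficient of variation 0.0), the irregular browsing from 10.1.5.40 is not, and `exfil.example` is reported for five distinct subdomains averaging 4.0 bits of entropy while `www.example.com` is ignored. In a real pipeline the same functions would read `eve.json` line by line (or the equivalent Elasticsearch query) and the thresholds would be tuned against the organisation's own baseline, since update checkers and monitoring agents also connect on fixed schedules.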
The Kido Attack Through a Suricata Lens

Public reporting on the Kido incident suggested that attackers gained access to sensitive records through systems associated with a third-party childcare software platform. The attackers subsequently exfiltrated personal information and used double-extortion tactics to pressure the organisation.

Even without full forensic disclosure, the attack sequence aligns closely with contemporary ransomware operations. A Suricata deployment positioned at internet ingress points, cloud transit gateways, and east-west network boundaries could have materially improved detection opportunities at multiple stages.

Initial Access Detection

Modern ransomware operators frequently exploit externally exposed applications, weak authentication workflows, VPN infrastructure vulnerabilities, or stolen credentials. Once an adversary establishes an initial foothold, command-and-control traffic typically begins almost immediately. Suricata excels at identifying these patterns because it can inspect:

If the Kido intrusion involved exploitation of a web-facing service or cloud-connected application, Suricata could have detected exploit attempts or malicious callback traffic before large-scale data access occurred. For example, Suricata rulesets from Emerging Threats and commercial threat intelligence feeds routinely include indicators for ransomware affiliate infrastructure, Cobalt Strike beacons, Sliver implants, remote administration frameworks, and known malware loaders.

The value here is not theoretical. Many ransomware intrusions remain undetected for days or weeks because organisations focus heavily on endpoint encryption detection while underinvesting in network telemetry.

Lateral Movement and Privilege Escalation

Ransomware groups rarely execute attacks from their initial compromise point. Instead, they move laterally through the environment using administrative protocols and credential reuse. This phase is where Suricata becomes especially valuable. Because the engine decodes SMB, RDP, Kerberos, LDAP, and other enterprise protocols, it can reveal behavioural indicators associated with privilege escalation and lateral movement:
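The lateral-movement argument above rests on Suricata decoding SMB and Kerberos rather than just seeing port 445 and port 88 flows. The following Python script is an added example (not code from the article or from the Suricata project) of a detector that works on those decoded EVE records: it looks for one internal source that connects to administrative shares (ADMIN$, C$, IPC$) on several different hosts within a short window, and, in the same window, for one client requesting Kerberos service tickets for several `cifs/` service principals. Both are fan-out patterns; a single workstation normally does neither. The records, addresses, principal names and the 300-second / three-host thresholds are constructed for the illustration, and the `smb.share` and `krb5.msg_type` / `krb5.sname` field names follow Suricata's EVE schema as I understand it, so check them against the version you run.

```python
"""Fan-out detection over Suricata EVE 'smb' and 'krb5' records for lateral-movement hunting.

Added example, not from the article or the Suricata project. All records below are
constructed; thresholds and field names are assumptions to verify against your deployment.
"""
import json
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"          # Suricata's default EVE timestamp layout
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")     # shares used for remote execution and admin access


def _smb(ts, src, dst, share):
    # Constructed EVE 'smb' tree-connect record, trimmed to the fields this example reads.
    return json.dumps({"timestamp": ts, "event_type": "smb", "src_ip": src, "dest_ip": dst,
                       "dest_port": 445, "smb": {"command": "SMB2_COMMAND_TREE_CONNECT", "share": share}})


def _krb(ts, src, cname, sname):
    # Constructed EVE 'krb5' TGS request record (client -> domain controller 10.1.5.5).
    return json.dumps({"timestamp": ts, "event_type": "krb5", "src_ip": src, "dest_ip": "10.1.5.5",
                       "dest_port": 88, "krb5": {"msg_type": "KRB_TGS_REQ", "cname": cname,
                                                "realm": "CORP.EXAMPLE", "sname": sname}})


# Constructed sample: 10.1.5.23 touches admin shares on four hosts inside two minutes and
# requests cifs/ tickets for the same four hosts; 10.1.5.60 only uses a normal file share.
EVE_LINES = [
    _smb("2025-10-01T10:00:00.000000+0000", "10.1.5.23", "10.1.5.50", "\\\\10.1.5.50\\ADMIN$"),
    _smb("2025-10-01T10:00:01.000000+0000", "10.1.5.23", "10.1.5.50", "\\\\10.1.5.50\\IPC$"),
    _smb("2025-10-01T10:00:30.000000+0000", "10.1.5.23", "10.1.5.51", "\\\\10.1.5.51\\ADMIN$"),
    _smb("2025-10-01T10:01:10.000000+0000", "10.1.5.23", "10.1.5.52", "\\\\10.1.5.52\\C$"),
    _smb("2025-10-01T10:02:00.000000+0000", "10.1.5.23", "10.1.5.53", "\\\\10.1.5.53\\ADMIN$"),
    _smb("2025-10-01T11:00:00.000000+0000", "10.1.5.23", "10.1.5.80", "\\\\10.1.5.80\\ADMIN$"),
    _smb("2025-10-01T10:00:05.000000+0000", "10.1.5.60", "10.1.5.10", "\\\\10.1.5.10\\Finance"),
    _smb("2025-10-01T10:03:00.000000+0000", "10.1.5.60", "10.1.5.10", "\\\\10.1.5.10\\Finance"),
    _krb("2025-10-01T09:59:58.000000+0000", "10.1.5.23", "svc-backup", "cifs/ws50.corp.example"),
    _krb("2025-10-01T10:00:28.000000+0000", "10.1.5.23", "svc-backup", "cifs/ws51.corp.example"),
    _krb("2025-10-01T10:01:08.000000+0000", "10.1.5.23", "svc-backup", "cifs/ws52.corp.example"),
    _krb("2025-10-01T10:01:58.000000+0000", "10.1.5.23", "svc-backup", "cifs/ws53.corp.example"),
    _krb("2025-10-01T10:00:03.000000+0000", "10.1.5.60", "jsmith", "cifs/fileserver.corp.example"),
]


def parse_eve(lines):
    """Parse EVE JSON lines, skipping blanks and malformed records."""
    records = []
    for line in lines:
        line = line.strip()
        if line:
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError:
                continue
    return records


def _fanout(events, window_s, min_targets):
    """events: (timestamp, src, target). Return src -> the largest set of distinct targets
    seen from that src inside any window of window_s seconds, when it reaches min_targets."""
    by_src = defaultdict(list)
    for ts, src, target in events:
        by_src[src].append((ts, target))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        best = set()
        for i, (t0, _) in enumerate(evs):           # slide a window starting at each event
            targets = {tgt for ts, tgt in evs[i:] if (ts - t0).total_seconds() <= window_s}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            hits[src] = sorted(best)
    return hits


def find_admin_share_fanout(records, window_s=300, min_hosts=3):
    """One source tree-connecting to ADMIN$/C$/IPC$ on several hosts in a short window."""
    events = []
    for r in records:
        if r.get("event_type") != "smb":
            continue
        share = r.get("smb", {}).get("share", "")
        if share.rstrip("\\").upper().endswith(ADMIN_SHARES):
            events.append((datetime.strptime(r["timestamp"], TS_FMT), r["src_ip"], r["dest_ip"]))
    return _fanout(events, window_s, min_hosts)


def find_tgs_fanout(records, window_s=300, min_services=3):
    """One client requesting Kerberos service tickets for several cifs/ principals in a short window."""
    events = []
    for r in records:
        krb = r.get("krb5", {})
        if r.get("event_type") != "krb5" or krb.get("msg_type") != "KRB_TGS_REQ":
            continue
        if krb.get("sname", "").lower().startswith("cifs/"):
            events.append((datetime.strptime(r["timestamp"], TS_FMT), r["src_ip"], krb["sname"]))
    return _fanout(events, window_s, min_services)


def hunt_lateral(lines=EVE_LINES):
    """Run both detectors and return their findings keyed by source host."""
    records = parse_eve(lines)
    return {"smb_admin_share_fanout": find_admin_share_fanout(records),
            "kerberos_tgs_fanout": find_tgs_fanout(records)}


if __name__ == "__main__":
    for kind, hits in hunt_lateral().items():
        for src, targets in hits.items():
            print(f"{kind}: {src} -> {', '.join(targets)}")
```

On the sample, 10.1.5.23 is reported by both detectors for the four hosts touched between 10:00 and 10:02; the later connection to 10.1.5.80 falls outside every window and does not add to the count, and 10.1.5.60's use of a departmental share triggers nothing. The two findings landing on the same source within the same minutes is the correlation worth alerting on: a ticket burst alone can be a backup job, an admin-share burst alone can be patch management, but a host doing both from an account that does not normally do either is the shape of lateral movement the section describes.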