The security landscape has changed substantially.
Ten years ago, IDS deployments were often treated as compliance exercises. Alerts flooded analysts with low-confidence signatures, encrypted traffic reduced inspection visibility, and many organisations lacked the staffing to operationalise network telemetry. That environment is, simply put, different today. Several factors have made Suricata considerably more valuable in contemporary defence architectures.
Encryption Has Increased the Importance of Metadata
TLS adoption initially appeared to weaken network detection. In reality, it shifted the focus toward behavioural analytics. Suricata’s support for JA3 and JA4 fingerprinting, TLS metadata inspection, certificate analysis, and traffic pattern monitoring allows defenders to identify suspicious encrypted sessions without decrypting payload content.
Threat actors increasingly rely on legitimate cloud infrastructure, short-lived VPS hosts, and encrypted command channels. Behavioural network analysis has therefore become essential.
Ransomware Operations Have Industrialised
Modern ransomware groups operate more like mature enterprises than isolated criminal actors. They use initial access brokers to purchase footholds into corporate environments, malware-as-a-service ecosystems to distribute tooling, automated reconnaissance frameworks to map infrastructure, and dedicated exfiltration utilities to steal data before encryption begins.
This industrialisation changes the defensive equation. Attack methodologies become repeatable. Infrastructure patterns recur across campaigns. Beaconing intervals, TLS fingerprints, DNS behaviours, and command-and-control techniques often appear across multiple victims because affiliates reuse tooling supplied by central operators.
That operational consistency creates detection opportunities. Suricata benefits directly from rapidly updated threat intelligence ecosystems. Community and commercial rulesets can identify emerging ransomware infrastructure within hours, allowing defenders to detect known malicious behaviours before encryption stages begin.
Equally important, Suricata allows analysts to build organisation-specific detections tailored to their own traffic baselines. A ransomware operator using legitimate administrative tools may evade generic malware signatures, but unusual east-west SMB traffic, abnormal PowerShell downloads, or unexplained archive transfers remain detectable through behavioural analysis.
This is one of the reasons network telemetry has regained strategic importance in ransomware defence. Attackers may rotate malware binaries constantly, but they still need to communicate, authenticate, enumerate, and exfiltrate.
And, obviously, those activities leave traces.
How could Kido have played out with Suricata in the ranks?
The 2025 Kido cyberattack demonstrated how modern extortion operations increasingly target organisations whose data carries significant emotional and reputational sensitivity. The reported exposure of information relating to children and families transformed the incident from a conventional breach into a wider safeguarding and trust crisis.
Incidents of this type reinforce an important reality for defenders: compromise prevention alone is no longer sufficient. Organisations must also focus on reducing attacker dwell time, identifying lateral movement quickly, and detecting exfiltration activity before public disclosure occurs.
This is where Suricata remains exceptionally relevant. Its ability to combine high-performance packet inspection with behavioural analysis, protocol decoding, and threat intelligence integration makes it one of the most effective open-source platforms for network-centric detection.
Suricata does not eliminate the need for endpoint protection, identity monitoring, or cloud security controls. Instead, it strengthens them by providing independent visibility into how attackers actually move through environments. In contemporary ransomware operations, that visibility can be decisive.
Whether the threat comes from commodity ransomware affiliates, cloud-focused intrusion groups, or sophisticated extortion campaigns, attackers ultimately depend on network communication to achieve their objectives. Suricata enables defenders to observe those interactions in real time, correlate them across systems, and intervene before operational disruption escalates into a full-scale crisis.
For cybersecurity specialists designing modern detection architectures, Suricata remains far more than a legacy IDS. Properly deployed and operationalised, it is a critical component of contemporary threat detection and incident response strategy.
Cloud and Hybrid Environments Need Independent Visibility
Many organisations mistakenly assume endpoint agents alone provide sufficient visibility in cloud-centric environments. However, attackers increasingly disable logging, tamper with agents, or exploit unmanaged infrastructure.
Suricata deployed in cloud VPC mirroring architectures, Kubernetes ingress paths, or hybrid transit networks provides an independent telemetry source resistant to endpoint manipulation. That independence is operationally important during incident response.
Operationalising Suricata Properly
Suricata is not a magic appliance. Poorly tuned deployments can produce overwhelming alert volumes or miss meaningful behavioural indicators. The difference between ineffective and highly effective deployments usually comes down to engineering maturity.
Successful implementations typically include:
aggressive rule tuning;
environment-specific baselining;
integration with SIEM and SOAR pipelines;
automated enrichment workflows;
threat hunting processes;
segmentation-aware deployment architecture;
continuous signature management;
performance optimisation through AF_PACKET, DPDK, or PF_RING.
Equally important is log retention and correlation.
Suricata’s EVE JSON outputs become significantly more valuable when combined with identity telemetry, endpoint logs, firewall records, cloud audit trails, and authentication events. In modern SOC operations, Suricata often acts as the connective tissue between infrastructure telemetry and adversary behaviour analysis.
Contemporary Attacks and Present-Day Relevance
The techniques observed in the Kido attack continue to appear across healthcare, education, retail, manufacturing, and local government sectors.
Attackers increasingly target organisations holding emotionally sensitive or operationally critical data because those organisations experience greater pressure to pay extortion demands. Suricata is particularly effective in these environments because it can expose the preparatory stages that occur before a catastrophic business impact.
In current attack campaigns, defenders regularly use Suricata to detect:
infostealer malware communications;
malicious OAuth token abuse;
DNS tunnelling;
encrypted malware beacons;
ransomware affiliate reconnaissance;
suspicious cloud API activity;
exploit framework traffic;
lateral movement over SMB and RDP;
large-scale data staging operations.
Critically, modern security operations increasingly rely on layered visibility. No single control reliably stops sophisticated attackers. Endpoint detection can fail. Identity controls can be bypassed. Firewalls can be misconfigured.
Network telemetry remains difficult for attackers to avoid entirely. That is where Suricata retains enduring defensive value.
How would it help?
The 2025 Kido cyberattack demonstrated the reputational, operational, and human consequences of modern ransomware and extortion campaigns. The compromise reportedly exposed deeply sensitive information relating to children and families, underscoring how cyber incidents increasingly intersect with safeguarding, privacy, and public trust. Suricata would not necessarily have prevented the initial compromise. No serious security professional should claim that any single tool can do that.
What Suricata could have done, however, is significantly compress attacker dwell time. By exposing exploit traffic, lateral movement, command-and-control communications, suspicious protocol behaviour, and exfiltration activity, Suricata provides defenders with the opportunity to detect ransomware operations before they escalate into full-scale extortion crises.
That capability is increasingly important in an era where attackers monetise not only system disruption, but also the public exposure of sensitive human data. For cybersecurity specialists building resilient detection architectures in 2026, Suricata remains one of the most operationally relevant open-source tools available.
Detection Engineering and the Shift Toward Behavioural Analysis
One of the most important developments in modern security operations is the transition away from purely signature-centric thinking. Traditional IDS deployments were frequently criticised because analysts associated them with noisy alerts and high false-positive rates. In many environments, teams deployed signatures indiscriminately without understanding normal traffic baselines or operational context.
Contemporary Suricata deployments are increasingly tied to detection engineering practices instead. Rather than asking whether a single alert proves compromise, analysts use Suricata telemetry to identify behavioural chains. A single suspicious DNS query may not matter in isolation. Combined with unusual SMB traversal, outbound encrypted archive uploads, and suspicious authentication activity, however, the telemetry becomes far more meaningful.
This analytical approach mirrors how sophisticated threat actors actually operate. Modern attacks rarely involve a single obvious malware execution event. Instead, adversaries blend legitimate tooling, compromised credentials, encrypted traffic, and cloud infrastructure into campaigns designed to appear operationally normal.
Suricata’s value therefore lies not only in identifying known malware but also in exposing inconsistencies in network behaviour. That distinction is especially important in sectors handling sensitive personal data.
In the Kido incident, the reputational impact stemmed not simply from operational disruption but from the exposure of highly sensitive information relating to children and families. In similar attacks today, the exfiltration phase often creates the greatest long-term organisational damage.
Behavioural detection at the network layer provides one of the few opportunities to identify those activities before public disclosure occurs.
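The behavioural-chain idea above, as an added example that is not part of the original article: a small Python script correlates constructed EVE JSON records (dns, smb and flow event types) per source host and flags a host only when three distinct stages appear inside one hour. The baseline domain set, the internal address range, the admin-share list and the upload threshold are assumptions standing in for environment-specific tuning.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed EVE JSON records, not real telemetry: 10.0.5.21 shows three stages in an hour, 10.0.5.30 only routine activity.
EVE_LINES = [
    '{"timestamp":"2025-09-25T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.5.21","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"kx7q2m9b.example-c2.invalid"}}',
    r'{"timestamp":"2025-09-25T10:14:30.000000+0000","event_type":"smb","src_ip":"10.0.5.21","dest_ip":"10.0.7.12","smb":{"command":"SMB2_COMMAND_TREE_CONNECT","share":"\\\\10.0.7.12\\ADMIN$"}}',
    '{"timestamp":"2025-09-25T10:41:02.000000+0000","event_type":"flow","src_ip":"10.0.5.21","dest_ip":"198.51.100.7","dest_port":443,"app_proto":"tls","flow":{"bytes_toserver":812345678,"bytes_toclient":40211}}',
    '{"timestamp":"2025-09-25T10:02:15.000000+0000","event_type":"dns","src_ip":"10.0.5.30","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"mail.corp.example.internal"}}',
    r'{"timestamp":"2025-09-25T10:20:00.000000+0000","event_type":"smb","src_ip":"10.0.5.30","dest_ip":"10.0.7.12","smb":{"command":"SMB2_COMMAND_TREE_CONNECT","share":"\\\\10.0.7.12\\Public"}}',
]
BASELINE_DOMAINS = {"corp.example.internal"}        # hypothetical per-environment baseline
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical internal range
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")             # shares that indicate admin-level lateral movement
LARGE_UPLOAD = 100_000_000                          # bytes sent to the server in one flow (assumed threshold)

def stage_of(ev):
    """Map one EVE record to an intrusion stage, or None if it looks routine."""
    et = ev.get("event_type")
    if et == "dns" and ev["dns"].get("type") == "query":
        name = ev["dns"].get("rrname", "")
        if not any(name == d or name.endswith("." + d) for d in BASELINE_DOMAINS):
            return "dns_unbaselined"
    elif et == "smb" and ev["smb"].get("share", "").upper().endswith(ADMIN_SHARES):
        return "smb_admin_share"
    elif et == "flow" and ev["flow"].get("bytes_toserver", 0) >= LARGE_UPLOAD \
            and ipaddress.ip_address(ev["dest_ip"]) not in INTERNAL_NET:
        return "large_external_upload"
    return None

def behavioural_chains(lines, window=timedelta(hours=1), min_stages=3):
    """Return {host: stages} for hosts showing >= min_stages distinct stages in one window."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        stage = stage_of(ev)
        if stage:  # EVE timestamps look like 2025-09-25T10:00:01.000000+0000
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            per_host[ev["src_ip"]].append((ts, stage))
    flagged = {}
    for host, events in per_host.items():
        events.sort()  # chronological, so the slice below is a forward-looking window
        for i, (t0, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged
```

Any one of the three records on its own would be noise in most environments; the window keeps the same three stages spread across a working day from firing.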
Suricata and Threat Hunting Operations
Another reason Suricata has retained relevance is its usefulness beyond real-time alerting. Many mature SOCs now use Suricata as a retrospective hunting platform. Because EVE JSON logging captures rich protocol metadata, analysts can search historical records for indicators discovered after an intrusion becomes known. If threat intelligence identifies a malicious JA3 fingerprint, a suspicious domain, or a particular malware communication pattern, investigators can pivot across historical telemetry to determine whether compromise activity occurred weeks earlier.
This capability substantially improves incident response. Ransomware operators frequently maintain persistence inside environments long before encryption or extortion stages begin. Retrospective network analysis allows defenders to reconstruct timelines, identify affected systems, and understand attacker movement patterns.
In practical terms, Suricata often becomes one of the primary forensic data sources during post-compromise investigations.
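The retrospective hunt described above, as an added example that is not part of the original article: a first pass sweeps a constructed EVE JSON archive for a JA3 hash and a domain (placeholder indicators, not real ones), and a second pass pivots from the matched hosts to the external peers they reached and how much they sent. Field paths follow Suricata's EVE tls, dns and flow records; the archive lines and indicator values are constructed.

```python
import json
from collections import defaultdict

# Indicators received after the intrusion became known (constructed placeholders, not real IOCs).
IOC_JA3 = {"PLACEHOLDER-JA3-HASH"}
IOC_DOMAINS = {"kx7q2m9b.example-c2.invalid"}

# Constructed EVE JSON archive spanning several weeks, not real telemetry.
EVE_ARCHIVE = [
    '{"timestamp":"2025-08-29T14:02:11.000000+0000","event_type":"tls","src_ip":"10.0.5.21","dest_ip":"198.51.100.7","dest_port":443,"tls":{"sni":"cdn.example-c2.invalid","ja3":{"hash":"PLACEHOLDER-JA3-HASH"}}}',
    '{"timestamp":"2025-08-29T14:02:12.000000+0000","event_type":"flow","src_ip":"10.0.5.21","dest_ip":"198.51.100.7","dest_port":443,"app_proto":"tls","flow":{"bytes_toserver":2210,"bytes_toclient":9870}}',
    '{"timestamp":"2025-09-12T09:30:44.000000+0000","event_type":"dns","src_ip":"10.0.9.4","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"kx7q2m9b.example-c2.invalid"}}',
    '{"timestamp":"2025-09-12T09:31:00.000000+0000","event_type":"flow","src_ip":"10.0.9.4","dest_ip":"198.51.100.23","dest_port":8443,"app_proto":"tls","flow":{"bytes_toserver":5120,"bytes_toclient":77000}}',
    '{"timestamp":"2025-09-20T18:45:09.000000+0000","event_type":"flow","src_ip":"10.0.5.21","dest_ip":"198.51.100.7","dest_port":443,"app_proto":"tls","flow":{"bytes_toserver":640000000,"bytes_toclient":1200}}',
    '{"timestamp":"2025-09-21T08:00:00.000000+0000","event_type":"tls","src_ip":"10.0.5.30","dest_ip":"198.51.100.90","dest_port":443,"tls":{"sni":"updates.example.invalid","ja3":{"hash":"OTHER-BENIGN-JA3-PLACEHOLDER"}}}',
]

def ioc_sweep(lines):
    """First pass: every record matching an indicator, grouped by source host."""
    hits = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        et = ev.get("event_type")
        if et == "tls" and ev["tls"].get("ja3", {}).get("hash") in IOC_JA3:
            hits[ev["src_ip"]].append((ev["timestamp"], "ja3", ev["tls"]["ja3"]["hash"]))
        elif et == "dns" and ev["dns"].get("type") == "query" and ev["dns"].get("rrname") in IOC_DOMAINS:
            hits[ev["src_ip"]].append((ev["timestamp"], "domain", ev["dns"]["rrname"]))
    return dict(hits)

def earliest_hit(hits):
    """How far back the intrusion can be traced in the archive (EVE timestamps sort lexically)."""
    return min(ts for records in hits.values() for ts, _, _ in records)

def pivot_destinations(lines, hosts):
    """Second pass: peers the matched hosts reached over flows, with first/last seen and bytes sent."""
    peers = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow" or ev["src_ip"] not in hosts:
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"])
        first, last, out = peers.get(key, (ev["timestamp"], ev["timestamp"], 0))
        peers[key] = (min(first, ev["timestamp"]), max(last, ev["timestamp"]), out + ev["flow"]["bytes_toserver"])
    return peers
```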
The Strategic Advantage of Open Source Security Tooling
Suricata’s open-source model is another reason it remains influential. Commercial network detection and response platforms can provide extensive capabilities, but they also introduce licensing costs, proprietary telemetry limitations, and vendor dependency. Suricata offers a different operational model.
Security teams can:
customise rulesets;
integrate bespoke detections;
deploy at cloud scale;
inspect proprietary protocols;
automate telemetry pipelines;
tune performance for specialised environments.
For organisations with mature engineering capability, this flexibility is strategically valuable. The rapid pace of attacker adaptation means defensive tooling must evolve continuously. Open-source ecosystems frequently respond to emerging threats faster than slower commercial release cycles.
That responsiveness has become increasingly important as ransomware groups fragment into smaller affiliate networks using rapidly changing infrastructure.
Where Suricata Fits in a Modern Defensive Stack
Suricata should not be viewed as a replacement for endpoint detection, identity monitoring, or zero-trust architecture. Its strength lies in complementing those controls.
In mature environments, Suricata commonly operates alongside:
endpoint detection and response platforms;
cloud workload protection systems;
identity threat detection tools;
network segmentation controls;
SOAR automation pipelines;
deception infrastructure;
threat intelligence platforms.
What makes Suricata uniquely valuable is its ability to observe the connective layer between systems.
Attackers ultimately have to communicate. Even sophisticated adversaries using encrypted channels, legitimate tooling, and stolen credentials generate network artefacts. Those artefacts may be subtle, but they remain observable when telemetry collection is sufficiently mature. This is precisely why network security monitoring continues to survive repeated predictions of its decline.
Final Assessment
The 2025 Kido cyberattack illustrated the evolving economics of cybercrime. Modern attackers increasingly target organisations whose data carries emotional, legal, or reputational leverage. Childcare providers, schools, healthcare organisations, and local authorities therefore face disproportionate extortion pressure.
In these environments, reducing attacker dwell time is operationally critical. Suricata directly supports that objective. Its combination of high-performance packet inspection, protocol analysis, behavioural visibility, and threat intelligence integration enables defenders to identify adversary activity across multiple stages of an intrusion lifecycle.
Most importantly, Suricata provides visibility independent of endpoint state or attacker-controlled credentials. That independence becomes invaluable once adversaries establish persistence inside an environment. The broader lesson from incidents like Kido is not that organisations need a single perfect security product. Rather, they need layered visibility capable of exposing attacker behaviour before extortion operations mature into full business crises.
Suricata remains one of the most effective open-source platforms for achieving that visibility.