Network Security and Visibility through NetFlow

Network Visibility through NetFlow Richard Laval Stealthwatch SEM, Europe [email protected] 30-Mar-16

Upload: lancope-inc

Post on 16-Apr-2017


Page 1: Network Security and Visibility through NetFlow

Network Visibility through NetFlow

Richard Laval

Stealthwatch SEM, Europe

[email protected]

30-Mar-16

Page 2: Network Security and Visibility through NetFlow

New Networks Mean New Security Challenges

Changing Business Models

Dynamic Threat Landscape

Complexity and Fragmentation

Enterprise Mobility: Organizations lack visibility into which and how many devices are on their network.

Cloud: Services are moving to the Cloud at a faster rate than IT can keep up.

Internet of Things: Over 50 billion connected “smart objects” by 2020.

Acquisitions and Partnerships: Acquisitions, joint ventures, and partnerships are increasing in regularity.

It’s Not “IF” You Will Be Breached… It’s “WHEN.”

Expanded Enterprise Attack Surface

Page 3: Network Security and Visibility through NetFlow

Partner Security Day @ Cisco Live Berlin

Lawrence Orans, Gartner, Network and Gateway Security Primer for 2016, January 22, 2016:

“Network security architects should accept the reality that, in 2016, it is unreasonable to expect that they can build perimeter defenses that will block every attack and prevent every security breach. Instead, they need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents.”

Page 4: Network Security and Visibility through NetFlow


You Can’t Protect What You Can’t See

The Network sees everything. It gives deep and broad visibility and answers who, what, when, where, and how they came onto the network.


Page 5: Network Security and Visibility through NetFlow

The Insider Threat

About this session

Page 6: Network Security and Visibility through NetFlow

This session is about using network analysis, or the network itself (our obvious things), to mitigate an attack.

“The world is full of obvious things which nobody by any chance observes.”

Sherlock Holmes, The Hound of the Baskervilles

Page 7: Network Security and Visibility through NetFlow

Managing the Insider Threat

Access Controls

• Control who and what is on the network

Segmentation (SGT)

• Define what they can do

You are who you say you are, and these are the resources you are allowed access to based on your credentials.

Page 8: Network Security and Visibility through NetFlow

Managing the Insider Threat

Content Controls

• Control movement of malicious content through inspection points

• Deep contextual visibility at inspection points

This is what you are allowed to bring into the secure zone/network.

Page 9: Network Security and Visibility through NetFlow

Managing the Insider Threat

Once the walls are built, monitor for security visibility. Now monitor the activity inside the secure, controlled zone.

Page 10: Network Security and Visibility through NetFlow

Introduction to NetFlow

• Developed by Cisco in 1996 as a packet forwarding mechanism

• Statistical reporting became relevant to customers

• Reporting is based on flows, not necessarily on every packet (Full Flow vs. Sampled)

• Various versions exist, version 1 through 9, with 5 being the most popular and 9 the most functional

• Traditional NetFlow (TNF) – a fixed set of fields identifies a flow

• Flexible NetFlow (FNF) – the user defines how to identify a flow

Page 11: Network Security and Visibility through NetFlow

NetFlow

Client 10.2.2.2 port 1024 --> eth0/1 [exporter] eth0/2 --> Server 10.1.1.1 port 80

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT   TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010  SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100   SYN,ACK,FIN

Page 12: Network Security and Visibility through NetFlow

NetFlow = Visibility

A single NetFlow record provides a wealth of information.

Page 13: Network Security and Visibility through NetFlow

NetFlow Deployment Architecture

Management/Reporting Layer:

• Run queries on flow data

• Centralize management and reporting

Flow Collection Layer:

• Collection, storage and analysis of flow records

Flow Exporting Layer:

• Enables telemetry export

• As close to the traffic source as possible

Page 14: Network Security and Visibility through NetFlow

Considerations: Flow Exporting Layer

1. NetFlow support

2. Which version of NetFlow to use

3. How to configure/what to measure

4. Where in the network to enable NetFlow export

Page 15: Network Security and Visibility through NetFlow

Versions of NetFlow

Version: V5
  Major Advantage: Defines 18 exported fields; simple and compact format; most commonly used format
  Limits/Weaknesses: IPv4 only; fixed fields, fixed length fields only; single flow cache

Version: V9
  Major Advantage: Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP nexthop supported; defines 104 fields, including L2 fields; reports flow direction
  Limits/Weaknesses: IPv6 flows transported in IPv4 packets; fixed length fields only; uses more memory; slower performance; single flow cache

Version: Flexible NetFlow (FNF)
  Major Advantage: Template-based flow format (built on the V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields
  Limits/Weaknesses: Less common; requires a more sophisticated platform to produce; requires a more sophisticated system to consume

Version: IP Flow Information Export (IPFIX), AKA NetFlow V10
  Major Advantage: Standardized – RFC 5101, 5102, 6313; supports variable length fields, NBAR2; can export flows via IPv4 and IPv6 packets
  Limits/Weaknesses: Even less common; only supported on a few Cisco platforms

Version: NSEL (ASA only)
  Major Advantage: Built on the NetFlow v9 protocol; state-based flow logging (context); pre- and post-NAT reporting
  Limits/Weaknesses: Missing many standard fields; limited support by collectors
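The V5 row above says "18 exported fields, fixed length": the whole datagram is a 24-byte header plus 48-byte records, so it can be parsed with a fixed struct layout. The following is an added example, not code from the slides or from Cisco/Lancope; the byte layout is the published v5 record format, while the length checks, the flag rendering and the sample datagram are constructed here. Note that v5 carries no SGT/DGT, so the security-group columns in the slides' table require v9 or FNF templates.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 has no templates: a 24-byte header is followed by `count` records of
# exactly 48 bytes each (the 18 fixed fields plus two padding bytes). There is no
# SGT/DGT field in v5; those columns in the slides need v9/FNF templates.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
# Flag names in the order the slides print them (SYN,ACK,PSH / SYN,ACK,FIN).
TCP_FLAG_NAMES = (("SYN", 0x02), ("ACK", 0x10), ("PSH", 0x08), ("FIN", 0x01), ("RST", 0x04), ("URG", 0x20))


def decode_tcp_flags(bits):
    """Render the cumulative TCP flags byte of a v5 record, e.g. 0x1A -> 'SYN,ACK,PSH'."""
    return ",".join(name for name, bit in TCP_FLAG_NAMES if bits & bit)


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into a list of flow dicts.
    Anything that is not version 5, or whose length disagrees with the header's
    record count, is rejected rather than silently misparsed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} for {count} records")
    flows = []
    for off in range(V5_HEADER.size, expected, V5_RECORD.size):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         flags, proto, _tos, _src_as, _dst_as, _smask, _dmask) = V5_RECORD.unpack_from(datagram, off)
        flows.append({"src": str(IPv4Address(src)), "sport": sport, "dst": str(IPv4Address(dst)),
                      "dport": dport, "proto": proto, "pkts": pkts, "bytes": octets,
                      "in_if": in_if, "out_if": out_if,
                      "tcp_flags": decode_tcp_flags(flags) if proto == 6 else ""})
    return flows


def build_sample_datagram():
    """Constructed sample (not a capture): a v5 datagram carrying the two unidirectional
    records from the slides' flow table, 10.2.2.2:1024 <-> 10.1.1.1:80."""
    def rec(src, sport, dst, dport, in_if, out_if, pkts, octets, flags):
        # fields: src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
        #         tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask
        return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                              in_if, out_if, pkts, octets, 0, 650, sport, dport,
                              flags, 6, 0, 0, 0, 24, 24)
    body = rec("10.2.2.2", 1024, "10.1.1.1", 80, 1, 2, 5, 1025, 0x02 | 0x10 | 0x08)
    body += rec("10.1.1.1", 80, "10.2.2.2", 1024, 2, 1, 17, 28712, 0x02 | 0x10 | 0x01)
    # header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
    return V5_HEADER.pack(5, 2, 123456, 1459330812, 0, 1, 0, 0, 0) + body
```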

Page 16: Network Security and Visibility through NetFlow

NetFlow Deployment

Each network layer offers unique NetFlow capabilities:

Edge: ASA, ISR, ASR

Distribution & Core: Catalyst® 6500, Catalyst® 4500

Access: Catalyst® 3560/3750-X, Catalyst® 4500, Catalyst® 3650/3850

Page 17: Network Security and Visibility through NetFlow

Where to collect NetFlow from?

Listed below are the typical use cases and the recommendations for where in the network to collect NetFlow:

1. Use case: detection of security events
   a. You only need to account for each packet once.
   b. Collect at the edge; if the edge is not 100% flow capable, then at distribution; if that is not 100% flow capable, then at the core.
   c. Enable flow on any exporter that will provide additional context, like ASA firewalls (which provide NAT and firewall actions) and proxy data (which allows visibility into outbound traffic that has been translated).

2. Use case: forensics or auditing
   a. You should be looking to account for all packets.
   b. Deploy as close to the edges of the network as possible.
   c. Enable flow on any exporter that will provide additional context, like ASA firewalls (which provide NAT and firewall actions) and proxy data (which allows visibility into outbound traffic that has been translated).

3. Use case: networking (performance)
   a. You need flow from everywhere to help with interface utilization, QoS monitoring, trending and capacity planning, and tracking issues back to the source of the problem, which could be any interface.

Page 18: Network Security and Visibility through NetFlow

NetFlow Terminology

Page 19: Network Security and Visibility through NetFlow

Aside: Myths about NetFlow Generation

Myth #1: NetFlow impacts performance

• Hardware-implemented NetFlow has no performance impact

• A software implementation typically adds significantly less than 15% processing overhead

Myth #2: NetFlow has bandwidth overhead

• NetFlow is a summary protocol

• Traffic overhead is typically significantly less than 1% of total traffic per exporting device

Page 20: Network Security and Visibility through NetFlow

NetFlow Collection: Flow Stitching

Client 10.2.2.2 port 1024 --> eth0/1 [exporter] eth0/2 --> Server 10.1.1.1 port 80

Uni-directional flow records:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100

Bi-directional:

• Conversation flow record

• Allows easy visualization and analysis

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Client SGT  Server SGT  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           100         1010        eth0/1, eth0/2

Page 21: Network Security and Visibility through NetFlow

NetFlow Collection: De-duplication

The same conversation between 10.2.2.2 port 1024 and 10.1.1.1 port 80 is seen by several exporters along its path: Sw1, Sw2, Sw3 and the ASA.

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  App   Client SGT  Server SGT
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           HTTP  100         1010

Exporter, Interface, Direction, Action (all attached to the single record above):

  Sw1, eth0, in
  Sw1, eth1, out
  Sw2, eth0, in
  Sw2, eth1, out
  ASA, eth1, in
  ASA, eth0, out, Permitted
  ASA, eth0, in, Permitted
  ASA, eth1, out
  Sw3, eth1, in
  Sw3, eth0, out
  Sw1, eth1, in
  Sw1, eth0, out

Any unique information is added to the record. The path of the packet, for example, is unique.
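The Flow Stitching and De-duplication slides above describe what a collector does with the copies of one conversation that every exporter reports. The code below is an added example of both steps together, not Lancope's or Cisco's collector logic; its tie-break rules (earliest record names the client, duplicate counts reconciled by keeping the largest report rather than summing) and its sample records are constructed here and are assumptions, not from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record as exported by one device interface."""
    start: str; exporter: str; iface: str; direction: str; action: str
    src: str; sport: int; dst: str; dport: int; proto: str
    pkts: int; nbytes: int; sgt: int; dgt: int


def stitch(records):
    """Stitch unidirectional records into bidirectional conversation records and
    de-duplicate the copies that each exporter along the path reports.
    Assumptions (not from the slides): the earliest record for a 5-tuple names the
    client; duplicate counts for one direction are reconciled by keeping the largest
    report, never summed; each distinct (exporter, interface, direction, action) hop
    is appended once to the conversation's path, which is the information that is
    unique per exporter."""
    convs = {}
    for r in sorted(records, key=lambda rec: rec.start):
        fwd = (r.src, r.sport, r.dst, r.dport, r.proto)
        rev = (r.dst, r.dport, r.src, r.sport, r.proto)
        if fwd in convs:
            conv, side = convs[fwd], "client"
        elif rev in convs:
            conv, side = convs[rev], "server"
        else:
            conv = {"start": r.start, "client": r.src, "client_port": r.sport,
                    "server": r.dst, "server_port": r.dport, "proto": r.proto,
                    "client_bytes": 0, "client_pkts": 0, "server_bytes": 0, "server_pkts": 0,
                    "client_sgt": r.sgt, "server_sgt": r.dgt, "path": []}
            convs[fwd], side = conv, "client"
        conv[side + "_bytes"] = max(conv[side + "_bytes"], r.nbytes)
        conv[side + "_pkts"] = max(conv[side + "_pkts"], r.pkts)
        hop = (r.exporter, r.iface, r.direction, r.action)
        if hop not in conv["path"]:
            conv["path"].append(hop)
    return list(convs.values())


def sample_records():
    """Constructed input mirroring the slides' example: the same HTTP flow seen by
    Sw1, Sw2 and the ASA on the way out and by the ASA, Sw3 and Sw1 on the way back."""
    c2s = ("10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, 100, 1010)
    s2c = ("10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712, 1010, 100)
    hops = [("10:20:12.221", "Sw1", "eth0", "in", "", c2s), ("10:20:12.221", "Sw1", "eth1", "out", "", c2s),
            ("10:20:12.222", "Sw2", "eth0", "in", "", c2s), ("10:20:12.223", "ASA", "eth1", "in", "", c2s),
            ("10:20:12.223", "ASA", "eth0", "out", "Permitted", c2s),
            ("10:20:12.871", "ASA", "eth0", "in", "Permitted", s2c), ("10:20:12.872", "Sw3", "eth1", "in", "", s2c),
            ("10:20:12.873", "Sw1", "eth0", "out", "", s2c)]
    return [FlowRecord(start, exp, iface, dirn, act, *flow) for start, exp, iface, dirn, act, flow in hops]
```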

Page 22: Network Security and Visibility through NetFlow

How the Conversational Flow Record Looks in SW

Where, Who, What, When, How, and more context.

• Highly scalable (enterprise class) collection

• High compression => long term storage

• Months of data retention

Page 23: Network Security and Visibility through NetFlow

Host Groups: Applied Situational Awareness

A host group is a virtual container of multiple IP addresses/ranges that have similar attributes (for example, Lab servers).

Best Practice: classify all known IP addresses in one or more host groups.

Page 24: Network Security and Visibility through NetFlow

ISE as a Telemetry Source (adding context)

Monitor Mode

• Open Mode, Multi-Auth

• Unobstructed Access

• No impact on productivity

• Profiling, posture assessment

• Gain Visibility

Authenticated Session Table (Cisco ISE, sent via syslog to the StealthWatch Management Console)

• Maintain historical session table

• Correlate NetFlow to username

• Build user-centric reports

Page 25: Network Security and Visibility through NetFlow

Global Intelligence (adding more context)

• Known C&C Servers

• Tor Entrance and Exits

Page 26: Network Security and Visibility through NetFlow

Conversational Flow Record with added context

Context sources: ISE telemetry, NBAR, applied situational awareness (host groups), FlowSensor, Geo-IP mapping, threat feed

Page 27: Network Security and Visibility through NetFlow

Flow Table – IPv6

StealthWatch can also display IPv6 flow records

Page 28: Network Security and Visibility through NetFlow

“There is nothing like first hand evidence”

Sherlock Holmes, A Study in Scarlet

Now, let’s analyse all that good NetFlow data/evidence generated by the network.

Page 29: Network Security and Visibility through NetFlow

NetFlow Analysis with StealthWatch can help:

Identify additional IOCs

• Policy & Segmentation

• Network Behaviour & Anomaly Detection (NBAD)

Better understand / respond to an IOC:

• Audit trail of all host-to-host communication

Discovery

• Identify business critical applications and services across the network

Page 30: Network Security and Visibility through NetFlow

Locate Assets

Find hosts communicating on the network

• Pivot based on transactional data

Page 31: Network Security and Visibility through NetFlow

Host Groups – Targeted Reporting

Geo-IP-based Host Group: summary chart of traffic inbound to and outbound from this Host Group

Page 32: Network Security and Visibility through NetFlow

Host Groups – Discovering Rogue Hosts

Catch All: All unclassified RFC1918 addresses

Table of all individual hosts

Page 33: Network Security and Visibility through NetFlow

Host Groups – Discovering Rogue Hosts

Rogue Hosts (IP addresses you don’t know about, as they have not been classified)

Page 34: Network Security and Visibility through NetFlow

Concept: Indicator of Compromise

Sources of IoCs: IDS/IPS alert, log analysis (SIEM), raw flow analysis, outside notification, behavioural analysis, activity monitoring, anomaly detection, file hashes, IP addresses

IoC = an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion

• http://en.wikipedia.org/wiki/Indicator_of_compromise

There are many IoCs from the network which we need to piece together to solve the crime.

Page 35: Network Security and Visibility through NetFlow

Attack Lifecycle Model

Stages: Initial Recon, Initial Compromise, Infiltration (C&C), Exploratory Actions, Footprint Expansion, Staging, Execution, Theft, Disruption

Now we use our evidence from the IoCs to build a map/model of an attack.

Page 36: Network Security and Visibility through NetFlow

IoC’s from Traffic Analysis

Behavioural Analysis:

• Leverages knowledge of known bad behaviour

• Policy and segmentation

Anomaly Detection:

• Identify a change from “normal”

Page 37: Network Security and Visibility through NetFlow

StealthWatch NBAD Model

Algorithm -> Security Event -> Alarm

• Algorithm: track and/or measure behaviour/activity

• Security Event: suspicious behaviour observed or anomaly detected

• Alarm: notification of security event generated

This is how StealthWatch processes all the IoCs to make sense of them.

Page 38: Network Security and Visibility through NetFlow

Alarm Categories

Each category accrues points.

Page 39: Network Security and Visibility through NetFlow

Example Alarm Category: Concern Index

Concern Index: track hosts that appear to be compromising network integrity.

Security events

Page 40: Network Security and Visibility through NetFlow

StealthWatch: Alarms

• Indicate significant behaviour changes and policy violations

• Known and unknown attacks generate alarms

• Activity that falls outside the baseline, acceptable behaviour or established policies

Page 41: Network Security and Visibility through NetFlow

Watching for Data Theft

Data Exfiltration

• Identify suspect movement from Inside Network to Outside

• Single or multiple destinations from a single source

• Policy and behavioral

Page 42: Network Security and Visibility through NetFlow

Data Hoarding

Suspect Data Hoarding:

• Unusually large amount of data inbound from other hosts

Target Data Hoarding:

• Unusually large amount of data outbound from a host to multiple hosts

Page 43: Network Security and Visibility through NetFlow

Suspect Data Hoarding

Data Hoarding

• Unusually large amount of data inbound to a host from other hosts

• Policy and behavioral
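The Host Groups, Concern Index, Data Exfiltration and Data Hoarding slides describe one pipeline: classify hosts (unclassified RFC1918 space lands in the Catch All group), compare a host's traffic against its baseline, and accrue points per alarm category. This is an added example of that pipeline over bidirectional conversation records, not StealthWatch's algorithm; the host groups, baselines, thresholds (3x baseline, at least 3 peers) and point values are all constructed for illustration, and 10.201.3.59 is reused from the slides' host report with the other addresses made up.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed host-group classification (not a real deployment). Unclassified RFC1918
# addresses fall into the slides' "Catch All" group, i.e. rogue-host candidates.
HOST_GROUPS = {"Lab servers": ("10.201.3.0/24",), "Workstations": ("10.2.0.0/16",), "File servers": ("10.1.1.0/24",)}
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
# Illustrative alarm weights and fallback (outbound, inbound) baseline; not StealthWatch's values.
POINTS = {"Data Exfiltration": 60, "Suspect Data Hoarding": 40, "Target Data Hoarding": 40}
DEFAULT_BASELINE = (100_000_000, 100_000_000)


def classify(ip):
    """Host group of an address: a named group, 'Catch All' for unclassified private space, else 'Outside'."""
    addr = ip_address(ip)
    for group, nets in HOST_GROUPS.items():
        if any(addr in ip_network(n) for n in nets):
            return group
    return "Catch All" if any(addr in n for n in RFC1918) else "Outside"


def score_hosts(conversations, baseline, factor=3.0, min_peers=3):
    """Accrue Concern Index points for inside hosts from (client, server, client_bytes, server_bytes)
    conversation records. A host alarms when a period's volume exceeds `factor` x its (outbound, inbound)
    baseline: bytes sent to Outside hosts (Data Exfiltration), bytes received from >= min_peers inside
    hosts (Suspect Data Hoarding), bytes sent to >= min_peers inside hosts (Target Data Hoarding)."""
    stats = defaultdict(lambda: {"exfil": 0, "inbound": 0, "outbound": 0, "in_peers": set(), "out_peers": set()})
    for client, server, client_bytes, server_bytes in conversations:
        for sender, receiver, nbytes in ((client, server, client_bytes), (server, client, server_bytes)):
            if classify(sender) == "Outside":
                continue  # only inside hosts accrue points
            if classify(receiver) == "Outside":
                stats[sender]["exfil"] += nbytes
            else:
                stats[sender]["outbound"] += nbytes
                stats[sender]["out_peers"].add(receiver)
                stats[receiver]["inbound"] += nbytes
                stats[receiver]["in_peers"].add(sender)
    alarms = {}
    for host, s in stats.items():
        base_out, base_in = baseline.get(host, DEFAULT_BASELINE)
        checks = (("Data Exfiltration", s["exfil"] > factor * base_out),
                  ("Suspect Data Hoarding", s["inbound"] > factor * base_in and len(s["in_peers"]) >= min_peers),
                  ("Target Data Hoarding", s["outbound"] > factor * base_out and len(s["out_peers"]) >= min_peers))
        fired = [name for name, hit in checks if hit]
        if fired:
            alarms[host] = {"group": classify(host), "alarms": fired, "concern_index": sum(POINTS[a] for a in fired)}
    return alarms


def sample_conversations():
    """Constructed records: 10.201.3.59 (the host the slides investigate) pulls ~2.7 GB from three file
    servers and pushes 1.5 GB to an outside address; an unclassified host pushes to three workstations."""
    return [("10.2.5.10", "10.1.1.20", 5_000, 2_000_000), ("10.201.3.59", "203.0.113.7", 1_500_000_000, 50_000),
            ("10.201.3.59", "10.1.1.20", 20_000, 900_000_000), ("10.201.3.59", "10.1.1.21", 20_000, 900_000_000),
            ("10.201.3.59", "10.1.1.22", 20_000, 900_000_000), ("192.168.77.5", "10.2.5.11", 200_000_000, 1_000),
            ("192.168.77.5", "10.2.5.12", 200_000_000, 1_000), ("192.168.77.5", "10.2.5.13", 200_000_000, 1_000)]


SAMPLE_BASELINE = {"10.201.3.59": (50_000_000, 200_000_000), "10.1.1.20": (5_000_000_000, 10_000_000)}
```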

Page 44: Network Security and Visibility through NetFlow

“The Science of Deduction.”

Chapter 1: The Sign of the Four

Now we are going to use the evidence

generated by the network to solve our mystery.

Page 45: Network Security and Visibility through NetFlow

Investigating a Host

IOC: IDS Alert from FirePower provides an IP address that StealthWatch can use to investigate.

Host report for 10.201.3.59, showing: behavior alarms, a quick view of host group communication, and summary information

Page 46: Network Security and Visibility through NetFlow

Investigating: Host Drilldown

User information and applications

Page 47: Network Security and Visibility through NetFlow

Investigating: Applications

A lot of applications.

Some suspicious!

Page 48: Network Security and Visibility through NetFlow

Investigating: Behaviour Alarms

Significant network activity

Page 49: Network Security and Visibility through NetFlow

It Could Start with a User …

From a username: alarms, devices and sessions, Active Directory details, view flows

Page 50: Network Security and Visibility through NetFlow

Links and Recommended Reading

More about StealthWatch and the Cisco Cyber Threat Defense Solution:

http://www.cisco.com/go/threatdefense

http://www.lancope.com

Recommended Reading

Cyber Threat Defense Cisco Validated Design Guide:
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf

Cyber Threat Defense for the Data Center Cisco Validated Design Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf

Securing Cisco Networks with Threat Detection and Analysis (SCYBER)

https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam

Page 51: Network Security and Visibility through NetFlow

Key Takeaways

Insider threats are operating on the network interior

Threat detection and response requires visibility and context into network traffic

NetFlow and the StealthWatch System provide actionable security intelligence

Page 52: Network Security and Visibility through NetFlow

Q & A

Page 53: Network Security and Visibility through NetFlow

“The game is afoot!”

Sherlock Holmes, The Adventure of the Abbey Grange

Page 54: Network Security and Visibility through NetFlow

Thank you

Page 55: Network Security and Visibility through NetFlow
