netflow security monitoring with cisco...
TRANSCRIPT
Abstract
1. Recent trends show that the security perimeter is being eroded and attackers are getting in.
2. This session looks at using NetFlow to give visibility and context into the network, so that attackers can be identified and incident response accelerated.
3. We will look at how StealthWatch collects and analyzes NetFlow.
4. We will also discuss some use cases.
5. The target audience for this session is network and security admins/analysts who want to learn how to add NetFlow as a component of their SOC.
About the Speaker
Eric Rennie
• Possesses a networking background and experience in implementing cyber security defence solutions, application performance, network performance and network management systems.
• Extensive tenure in the government, enterprise, service provider, start up, vendor and carrier company sectors.
• Recently became a CSE in GSSO after Cisco acquired Lancope.
“The world is full of obvious things which nobody by any chance observes.”
Sherlock Holmes, The Hound of the Baskervilles
This session is about using network analysis (our obvious things) to observe and mitigate an attack.
Case Study: Retailer
So what threat are we trying to detect here?
A threat could be an authorized user with access to the network (insider threat)……
Reference Materials for the content of this class
http://www.cisco.com/go/threatdefense
http://www.cisco.com/go/securedatacenter
https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
Agenda
Introduction: Understanding the Landscape
Introduction to NetFlow
Design and Deployment: Flow Export, Flow Collection, Adding Context
Working with NetFlow: Discovery, Identifying IOCs, Responding
Summary
Class has three tracks:
1. The landscape and what is NetFlow?
2. How to get the data/evidence (Design and Deployment)
3. Show the value of the data/evidence (analyse NetFlow)
Managing the Insider Threat
Access Controls
• Control who and what is on the network
Segmentation (SGT)
• Define what they can do
You are who you say you are, and these are the resources you are allowed to access based on your credentials.
Managing the Insider Threat
Content Controls
• Control movement of malicious content through inspection points
• Deep contextual visibility at inspection points
This is what you are allowed to bring into the secure zone/network.
Managing the Insider Threat
Once the walls are built, monitor for security visibility: now monitor the activity inside the secure, controlled zone.
Introduction to NetFlow
• Developed by Cisco in 1996 as a packet forwarding (switching) mechanism
• Superseded as a forwarding path by CEF; the flow cache it left behind turned out to be valuable for statistical reporting
• Reporting is per flow, not necessarily per packet (unsampled vs. sampled flow)
• Versions 1 through 9 have been defined, with v5 the most widely deployed and v9 the most functional (IPFIX is sometimes called v10; see the version table below)
• Traditional NetFlow (TNF): a fixed set of fields identifies a flow
• Flexible NetFlow (FNF): the user defines which fields identify a flow
NetFlow
Example: client 10.2.2.2 port 1024 talks to server 10.1.1.1 port 80 through a router; the request arrives on eth0/1 and the reply arrives on eth0/2. The router's cache holds one unidirectional record per direction (Interface is the input interface):

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT   TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010  SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100   SYN,ACK,FIN
NetFlow - The Network Phone Bill
[Slide graphic: a sample telephone bill shown side by side with a flow record.]
NetFlow shows you the who, what, where and when. It's a phone bill, which we use to look for out-of-the-ordinary behaviour.
NetFlow Deployment Architecture
Management/Reporting Layer:
• Run queries on flow data
• Centralize management and reporting
Flow Collection Layer:
• Collection, storage and analysis of flow records
Flow Exporting Layer:
• Enables telemetry export
• As close to the traffic source as possible
Considerations: Flow Exporting Layer
1. Which version of NetFlow to use
2. Where in the network to enable NetFlow export
3. How to configure/what to measure
Versions of NetFlow

Version: V5
Major Advantage: Defines 18 exported fields; simple and compact format; most commonly used format
Limits/Weaknesses: IPv4 only; fixed fields, fixed-length fields only; single flow cache

Version: V9
Major Advantage: Template-based; IPv6 flows supported (transported in IPv4 packets); MPLS and BGP next-hop supported; defines 104 fields, including L2 fields; reports flow direction
Limits/Weaknesses: Export is transported in IPv4 packets only; fixed-length fields only; uses more memory; slower performance; single flow cache

Version: Flexible NetFlow (FNF)
Major Advantage: Template-based flow format (built on the V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields
Limits/Weaknesses: Less common; requires a more sophisticated platform to produce; requires a more sophisticated system to consume

Version: IP Flow Information Export (IPFIX), a.k.a. NetFlow V10
Major Advantage: Standardized (RFC 5101, 5102, 6313; the first two have since been superseded by RFC 7011 and 7012); supports variable-length fields and NBAR2; can export flows via IPv4 and IPv6 packets
Limits/Weaknesses: Even less common; only supported on a few Cisco platforms

Version: NSEL (ASA only)
Major Advantage: Built on the NetFlow v9 protocol; state-based flow logging (context); pre- and post-NAT reporting
Limits/Weaknesses: Missing many standard fields; limited support by collectors
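As an added example (not code from the slides or from Cisco/Lancope), the following Python builds a NetFlow v5 export datagram carrying the two unidirectional records from the earlier example and parses it back the way a collector must. The 24-byte header and 48-byte record layouts are the published v5 format; the uptime and clock values, interface indices and the /24 masks are constructed. It shows concretely why v5 is IPv4-only and fixed-length: every address is a 4-byte field and every record is exactly 48 bytes, so a collector can validate a datagram from its length alone and reject anything that does not fit.

```python
"""Build and parse a NetFlow v5 export datagram.

Added example, not part of the original slides. The two records encoded
here are the unidirectional records from the slide (10.2.2.2:1024 ->
10.1.1.1:80 and the reply). Header/record layouts are the v5 format;
all sample values are constructed.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes: 18 fields + 2 pads

TCP_FLAG_NAMES = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                  ("ACK", 0x10), ("URG", 0x20))


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    first_ms: int   # sys-uptime (ms) when the first packet was seen
    last_ms: int    # sys-uptime (ms) when the last packet was seen
    input_if: int
    output_if: int
    tcp_flags: int  # cumulative OR of TCP flags seen in the flow

    def flag_names(self) -> str:
        return ",".join(n for n, bit in TCP_FLAG_NAMES if self.tcp_flags & bit)


def ip2int(a: str) -> int:
    return struct.unpack("!I", socket.inet_aton(a))[0]


def int2ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def build_v5_datagram(records: List[FlowRecord], sys_uptime_ms: int,
                      unix_secs: int, seq: int) -> bytes:
    """Encode records as one v5 datagram (the format allows at most 30)."""
    if len(records) > 30:
        raise ValueError("v5 datagram carries at most 30 records")
    # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
    # engine_type, engine_id, sampling_interval
    out = bytearray(V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs,
                                   0, seq, 0, 0, 0))
    for r in records:
        out += V5_RECORD.pack(
            ip2int(r.src), ip2int(r.dst), 0,            # srcaddr, dstaddr, nexthop
            r.input_if, r.output_if, r.packets, r.octets,
            r.first_ms, r.last_ms, r.src_port, r.dst_port,
            0, r.tcp_flags, r.proto, 0,                 # pad1, tcp_flags, prot, tos
            0, 0, 24, 24, 0)                            # src_as, dst_as, masks, pad2
    return bytes(out)


def parse_v5_datagram(data: bytes) -> List[FlowRecord]:
    """Decode a v5 datagram, rejecting anything that is not well-formed v5."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} != {expected} for {count} records")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=int2ip(f[0]), dst=int2ip(f[1]), input_if=f[3], output_if=f[4],
            packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8],
            src_port=f[9], dst_port=f[10], tcp_flags=f[12], proto=f[13]))
    return records


# Constructed sample: the two unidirectional records from the slide.
SAMPLE = [
    FlowRecord("10.2.2.2", "10.1.1.1", 1024, 80, 6, 5, 1025, 10_000, 10_650, 1, 2, 0x1A),
    FlowRecord("10.1.1.1", "10.2.2.2", 80, 1024, 6, 17, 28712, 10_650, 11_200, 2, 1, 0x13),
]

if __name__ == "__main__":
    dg = build_v5_datagram(SAMPLE, sys_uptime_ms=12_000, unix_secs=1_450_000_000, seq=1)
    for rec in parse_v5_datagram(dg):
        print(rec.src, rec.src_port, "->", rec.dst, rec.dst_port,
              rec.packets, "pkts", rec.octets, "bytes", rec.flag_names())
```

The length check matters in practice: NetFlow is plain UDP with no authentication, so a collector that trusts the header's record count without checking it against the datagram length can be fed truncated or padded packets. Anything that needs IPv6 addresses, variable-length fields or user-chosen keys has to move to v9/FNF or IPFIX, whose template mechanism this fixed layout does not have.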
NetFlow Deployment – Where to collect?
Each network layer offers unique NetFlow capabilities:
Access: Catalyst 3560/3750-X, Catalyst 3650/3850, Catalyst 4500
Distribution & Core: Catalyst 4500, Catalyst 6500
Edge: ASA, ISR, ASR
Where to collect NetFlow from?
Listed below are the typical use cases and the recommendations of where to collect NetFlow in the network:
1. Use case: detection of security events
a. You only need to account for each packet once.
b. Collect at the edge (access layer); if that is not 100% flow capable, then at distribution; if that is not 100% flow capable, then at core.
c. Enable flow on any exporter that provides additional context, such as ASA firewalls (NAT and firewall actions) and proxies (visibility into outbound traffic that has been translated).
2. Use case: forensics or auditing
a. You should be looking to account for all packets.
b. Deploy as close to the edges of the network as possible (at the access layer).
c. Enable flow on any exporter that provides additional context, such as ASA firewalls (NAT and firewall actions) and proxies (visibility into outbound traffic that has been translated).
3. Use case: networking (performance)
a. You need flow from everywhere (access, distribution and core) to help with interface utilization, QoS monitoring, trending and capacity planning, and tracking issues back to the source of the problem, which could be any interface.
FNF Required Fields for StealthWatch
The fields marked as required on the slide are the fields StealthWatch needs in order to accept and build a flow record.
Catalyst 3560-X/3750-X Flow Record
!
flow record CYBER_3KX_FLOW_RECORD
match datalink mac source-address
match datalink mac destination-address
match datalink mac source-vlan-id
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect interface input snmp
collect interface output snmp
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
Catalyst 4500 Flow Record
!
flow record cts-cyber-4k
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect flow cts source group-tag
collect flow cts destination group-tag
collect flow cts switch derived-sgt
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
Catalyst 3850/3650 Flow Record
!
flow record cts-cyber-3k-in
match datalink mac source address input
match datalink mac destination address input
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
match flow cts source group-tag
match flow cts destination group-tag
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
!
!
flow record cts-cyber-3k-out
match ipv4 tos
match ipv4 ttl
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match flow cts source group-tag
match flow cts destination group-tag
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
!
Catalyst 6500 (Sup 2T) Flow Record
!
flow record cts-cyber-6k
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow cts source group-tag
match flow cts destination group-tag
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
ISR Flow Record
!
flow record cts-cyber-ipv4
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
match flow cts source group-tag
match flow cts destination group-tag
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 ttl minimum
collect ipv4 ttl maximum
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect application name
!
Note: "collect application name" requires NBAR to be enabled on the router.
ASA NSEL Configuration
!
flow-export destination management <ip-address> 2055
!
policy-map global_policy
class class-default
flow-export event-type all destination <ip-address>
!
flow-export template timeout-rate 2
logging flow-export syslogs disable
!
NetFlow Security Event Logs (NSEL) – tracks flow create, teardown, update and denied events (only when event occurs)
Flow Monitor Configuration
!
flow monitor CYBER_MONITOR
record CYBER_RECORD
exporter CYBER_EXPORTER
cache timeout active 60
cache timeout inactive 15
!
Active Timeout:
• Longest amount of time a flow can be in the cache without exporting a flow record
• Recommended: 60 seconds
• All exporters should have the same timeout
Inactive Timeout:
• How long a flow can be inactive before it is exported and removed from the cache
• Recommended: 15 seconds
• All exporters should have the same timeout
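To make the two timeouts concrete, here is an added Python model of an exporter's flow cache (not the slides' or Cisco's code). It feeds a constructed 150-second download and a single DNS query through a cache with the recommended 60 s active / 15 s inactive timeouts and records what gets exported and why. The timings are constructed; real caches also expire entries on TCP FIN/RST and when the cache fills, which the model only sketches with a `fin` flag.

```python
"""Simulate a NetFlow cache with active and inactive timeouts.

Added example, not from the original slides. It models how an exporter's
flow cache decides when to emit a flow record. Packet timestamps are
constructed; the 60 s / 15 s defaults are the slide's recommendations.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, int]  # src, sport, dst, dport, proto


@dataclass
class CacheEntry:
    first: float
    last: float
    packets: int = 0
    octets: int = 0


@dataclass
class ExportedRecord:
    key: FiveTuple
    first: float
    last: float
    packets: int
    octets: int
    reason: str          # "active", "inactive" or "fin"


class FlowCache:
    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0):
        self.active = active_timeout
        self.inactive = inactive_timeout
        self.entries: Dict[FiveTuple, CacheEntry] = {}
        self.exported: List[ExportedRecord] = []

    def _export(self, key: FiveTuple, entry: CacheEntry, reason: str) -> None:
        self.exported.append(ExportedRecord(key, entry.first, entry.last,
                                            entry.packets, entry.octets, reason))
        del self.entries[key]

    def expire(self, now: float) -> None:
        """Run the ager: export entries that have hit either timeout."""
        for key, e in list(self.entries.items()):
            if now - e.first >= self.active:
                self._export(key, e, "active")     # long-lived flow: emit a slice
            elif now - e.last >= self.inactive:
                self._export(key, e, "inactive")   # idle flow: emit and forget

    def packet(self, now: float, key: FiveTuple, octets: int, fin: bool = False) -> None:
        """Account one packet; a new entry is created if the key is not cached."""
        self.expire(now)
        e = self.entries.get(key)
        if e is None:
            e = self.entries[key] = CacheEntry(first=now, last=now)
        e.last = now
        e.packets += 1
        e.octets += octets
        if fin:
            self._export(key, e, "fin")


def simulate(active: float = 60.0, inactive: float = 15.0) -> List[ExportedRecord]:
    """Constructed traffic: one 150 s download (a packet per second) and
    one DNS query at t=3 s that never sees a reply."""
    cache = FlowCache(active, inactive)
    download = ("10.2.2.2", 1024, "10.1.1.1", 80, 6)
    dns = ("10.2.2.2", 53000, "10.1.1.53", 53, 17)
    for t in range(150):
        if t == 3:
            cache.packet(3.0, dns, 60)
        cache.packet(float(t), download, 1400)
    cache.expire(165.0)   # the ager keeps running after the traffic stops
    return cache.exported


if __name__ == "__main__":
    for r in simulate():
        print(f"{r.key[0]}:{r.key[1]} -> {r.key[2]}:{r.key[3]} "
              f"{r.first:6.1f}-{r.last:6.1f}s {r.packets:3d} pkts {r.octets:6d} B  ({r.reason})")
```

With the recommended values the 150-second download reaches the collector as three records (two 60-second slices and a final 30-second slice on inactivity), so the analyst sees it within a minute of it starting rather than when it ends. Two consequences follow for the collection layer: long-lived flows arrive as several records that the collector has to re-assemble by 5-tuple, and if exporters use different active timeouts the same conversation is reported in different-sized pieces from different points in the network, which is why the slide asks for the same timeout everywhere.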
Aside: Myths about NetFlow Generation
Myth #1: NetFlow impacts performance
• Hardware-implemented NetFlow has no performance impact
• A software implementation typically adds well under 15% processing overhead
Myth #2: NetFlow has bandwidth overhead
• NetFlow is a summary protocol
• Traffic overhead is typically well under 1% of total traffic per exporting device
Components for NetFlow Security Monitoring
Cisco Network: the switches, routers and firewalls exporting NetFlow
UDP Director
• UDP packet copier
• Forwards to multiple collection systems
StealthWatch FlowSensor (VE)
• Generates NetFlow data
• Adds contextual fields (e.g. application, URL, SRT, RTT)
StealthWatch FlowCollector
• Collects and analyzes
• Up to 4,000 sources
• Up to 240,000 fps sustained
StealthWatch Management Console
• Management and reporting
• Up to 25 FlowCollectors
• Up to 6 million fps globally
NetFlow Collection: Flow Stitching
Same example as before: 10.2.2.2 port 1024 to 10.1.1.1 port 80, request arriving on eth0/1 and reply arriving on eth0/2.

Unidirectional flow records (as exported):

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100

Bidirectional (stitched) conversation flow record:

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Client SGT  Server SGT  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           100         1010        eth0/1, eth0/2

Bi-directional:
• Conversation flow record
• Allows easy visualization and analysis
NetFlow Collection: De-duplication
The same conversation (10.2.2.2 port 1024 to 10.1.1.1 port 80) crosses Router A, Router B and Router C, so each of them exports a record for it:
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80
Router C: 10.1.1.1:80 -> 10.2.2.2:1024
These are duplicates of one flow.
Without de-duplication:
• Traffic volume can be misreported
• False positives would occur
De-duplication:
• Allows for the efficient storage of flow data
• Is necessary for accurate host-level reporting
NetFlow Collection: De-duplication flow record
Path: 10.2.2.2 port 1024 -> Sw1 -> Sw2 -> ASA -> 10.1.1.1 port 80; the return traffic is seen on ASA -> Sw3 -> Sw1.

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  App   Client SGT  Server SGT
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           HTTP  100         1010

Exporter, Interface, Direction, Action (one entry per observation of the flow):
Sw1, eth0, in
Sw1, eth1, out
Sw2, eth0, in
Sw2, eth1, out
ASA, eth1, in
ASA, eth0, out, Permitted
ASA, eth0, in, Permitted
ASA, eth1, out
Sw3, eth1, in
Sw3, eth0, out
Sw1, eth1, in
Sw1, eth0, out

Any unique information is added to the record; the path of the packet, for example, is unique.
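The stitching and de-duplication described on the last two slides, as an added Python example (not StealthWatch's implementation). It takes the twelve observations listed above (the forward flow seen by Sw1, Sw2 and the ASA; the return flow seen by the ASA, Sw3 and Sw1), folds them into one conversation record, reconciles the counters with max() instead of summing them, and keeps each observation point as path information. Client/server selection is a simple SYN/port heuristic and an assumption; a real collector has its own rules.

```python
"""Stitch unidirectional NetFlow records into conversations and de-duplicate
observations of the same flow reported by several exporters.

Added example, not from the original slides. The records are constructed
to match the slide's path (Sw1 -> Sw2 -> ASA outbound, ASA -> Sw3 -> Sw1
on the return).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ConvKey = Tuple[str, int, str, int, int]  # client ip, port, server ip, port, proto


@dataclass
class Conversation:
    key: ConvKey
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    path: List[str] = field(default_factory=list)  # exporter, interface, direction[, action]


def pick_client(rec: dict) -> bool:
    """True if rec's source is the client. Heuristic (assumption): a pure SYN
    marks the initiator; otherwise the lower port is the server (80 beats 1024)."""
    flags = rec.get("flags", set())
    if "SYN" in flags and "ACK" not in flags:
        return True
    if rec["sport"] != rec["dport"]:
        return rec["sport"] > rec["dport"]
    return True  # equal ports: treat the first-seen direction as client->server


def conv_key(rec: dict) -> Tuple[ConvKey, str]:
    """Normalised conversation key plus the record's direction, 'c2s' or 's2c'."""
    if pick_client(rec):
        return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"]), "c2s"
    return (rec["dst"], rec["dport"], rec["src"], rec["sport"], rec["proto"]), "s2c"


def stitch(records: List[dict]) -> List[Conversation]:
    convs: Dict[ConvKey, Conversation] = {}
    for rec in records:
        key, direction = conv_key(rec)
        conv = convs.setdefault(key, Conversation(key))
        # De-duplication: every exporter on the path reports the same packets,
        # so counters are reconciled with max(), never summed.
        if direction == "c2s":
            conv.client_bytes = max(conv.client_bytes, rec["bytes"])
            conv.client_pkts = max(conv.client_pkts, rec["pkts"])
        else:
            conv.server_bytes = max(conv.server_bytes, rec["bytes"])
            conv.server_pkts = max(conv.server_pkts, rec["pkts"])
        # The observation point itself is unique information: keep it.
        hop = f'{rec["exporter"]}, {rec["iface"]}, {rec["dir"]}'
        if rec.get("action"):
            hop += f', {rec["action"]}'
        if hop not in conv.path:
            conv.path.append(hop)
    return list(convs.values())


def _obs(exporter: str, iface: str, direction: str, fwd: bool, action: str = None) -> dict:
    """Constructed observation of the slide's flow on one exporter interface,
    forward (client->server) or reverse."""
    rec = {"exporter": exporter, "iface": iface, "dir": direction, "proto": 6,
           "action": action}
    if fwd:
        rec.update(src="10.2.2.2", sport=1024, dst="10.1.1.1", dport=80,
                   pkts=5, bytes=1025, flags={"SYN", "ACK", "PSH"})
    else:
        rec.update(src="10.1.1.1", sport=80, dst="10.2.2.2", dport=1024,
                   pkts=17, bytes=28712, flags={"SYN", "ACK", "FIN"})
    return rec


SAMPLE = [
    _obs("Sw1", "eth0", "in", True), _obs("Sw1", "eth1", "out", True),
    _obs("Sw2", "eth0", "in", True), _obs("Sw2", "eth1", "out", True),
    _obs("ASA", "eth1", "in", True), _obs("ASA", "eth0", "out", True, "Permitted"),
    _obs("ASA", "eth0", "in", False, "Permitted"), _obs("ASA", "eth1", "out", False),
    _obs("Sw3", "eth1", "in", False), _obs("Sw3", "eth0", "out", False),
    _obs("Sw1", "eth1", "in", False), _obs("Sw1", "eth0", "out", False),
]


def naive_bytes(records: List[dict]) -> int:
    """What a collector without de-duplication would report for this flow."""
    return sum(r["bytes"] for r in records)


if __name__ == "__main__":
    for c in stitch(SAMPLE):
        print(c.key, c.client_bytes, c.client_pkts, c.server_bytes, c.server_pkts)
        print("path:", " -> ".join(c.path))
    print("without de-dup:", naive_bytes(SAMPLE), "bytes")
```

Summing instead of reconciling would report this single 29.7 KB conversation as roughly 178 KB, which is exactly the misreported volume and the false positives the slide warns about; a data-hoarding or exfiltration threshold tuned on de-duplicated data would fire six times too early on raw records.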
How the Conversational Flow Record Looks in StealthWatch
[Slide graphic: the conversation record annotated with Who, What, When, Where and How, plus the added context.]
• Highly scalable (enterprise-class) collection
• High compression => long-term storage
• Months of data retention
Host Groups: Applied Situational Awareness
A host group is a virtual container of multiple IP addresses/ranges that have similar attributes (for example, "Lab servers").
Best practice: classify all known IP addresses in one or more host groups.
ISE as a Telemetry Source (adding context)
Monitor Mode (visibility & discovery):
• Open mode, multi-auth (passive)
• Unobstructed access
• No impact on productivity
• Profiling, posture assessment
Cisco ISE sends its authenticated session table to the StealthWatch Management Console via syslog:
• Maintain a historical session table
• Correlate NetFlow to username
• Build user-centric reports
Conversational Flow Record with added context
Context layered onto the record: ISE telemetry (username), NBAR (application), applied situational awareness (host groups), FlowSensor (application, URL, SRT, RTT), Geo-IP mapping, threat feed.
“There is nothing like first-hand evidence.”
Sherlock Holmes, A Study in Scarlet
Now we are going to analyse all that good NetFlow data/evidence generated by the network.
NetFlow Analysis with StealthWatch can help:
Identify additional IOCs
• Policy & Segmentation
• Network Behaviour & Anomaly Detection (NBAD)
Better understand / respond to an IOC:
• Audit trail of all host-to-host communication
Discovery
• Identify business critical applications and services across the network
Locate Assets – Discovery
Find hosts communicating on the network
• Pivot based on transactional data
Policy & Segmentation with StealthWatch
PCI Zone Map: define the communication policy between zones, then monitor for violations.
Host Groups – Targeted Reporting (additional IoCs)
Geo-IP-based host group: a summary chart of traffic inbound to and outbound from this host group.
Host Groups – Discovering Rogue Hosts (additional IoCs)
Catch All: all unclassified RFC 1918 addresses, shown as a table of individual hosts.
Rogue hosts are IP addresses you don't know about, because they have not been classified into any host group.
Concept: Indicator of Compromise (respond to an IoC)
An IoC is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion (http://en.wikipedia.org/wiki/Indicator_of_compromise).
Sources of IoCs include: IDS/IPS alerts, log analysis (SIEM), raw flow analysis, outside notification, behavioural analysis, activity monitoring, anomaly detection, file hashes and IP addresses.
There are many IoCs from the network which we need to piece together to solve the crime.
Attack Lifecycle Model
Stages shown on the slide: Initial Recon, Initial Compromise, Infiltration (C&C), Footprint Expansion, Exploratory Actions, Staging, Execution (Theft or Disruption).
Now we use our evidence from the IoCs to build a model of an attack.
StealthWatch NBAD Model
Algorithm: track and/or measure behaviour/activity
Security Event: suspicious behaviour observed or anomaly detected
Alarm: notification of a security event generated
This is how StealthWatch processes all the IoCs coming in from the network (NetFlow) to make sense of them.
Behavioral Detection Model: behavioral algorithms are applied to build "security events".
StealthWatch: Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour or established policies
Example: Concern Index
Concern Index: tracks hosts that appear to be compromising network integrity, accumulated from their security events.
Example: Watching for Data Theft
Data Exfiltration:
• Identify suspect movement from Inside Network to Outside
• Single or multiple destinations from a single source
• Policy and behavioral
Example: Data Hoarding
Suspect Data Hoarding:
• Unusually large amount of data inbound from other hosts
Target Data Hoarding:
• Unusually large amount of data outbound from a host to multiple hosts
Example: Suspect Data Hoarding
Data Hoarding:
• Unusually large amount of data inbound to a host from other hosts
• Policy and behavioral
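As an added Python example (not StealthWatch's algorithm), this combines the host-group idea from the Discovery slides with the Data Exfiltration and Suspect Data Hoarding checks above. The host groups, the RFC 1918 catch-all used to flag rogue hosts, the per-host baselines, the thresholds and the sample conversations are all constructed; the baseline is a stored per-host daily average multiplied by a factor, standing in for a real behavioural model.

```python
"""Host-group classification plus two behavioural checks (Data Exfiltration,
Suspect Data Hoarding) over stitched conversation records.

Added example, not part of the original slides and not StealthWatch's
algorithm. Host groups, thresholds, baselines and conversations are all
constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Host groups: name -> CIDRs. The RFC 1918 entry is the catch-all; a private
# address that matches nothing more specific is an unclassified "rogue" host.
HOST_GROUPS: Dict[str, List[str]] = {
    "PCI Servers": ["10.1.1.0/24"],
    "Workstations": ["10.2.0.0/16"],
    "Lab Servers": ["10.3.3.0/24"],
    "Catch All (RFC1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
CATCH_ALL = "Catch All (RFC1918)"


def classify(ip: str) -> str:
    """Most specific matching host group, or 'Outside' for public address space."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "Outside", -1
    for name, cidrs in HOST_GROUPS.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def is_rogue(ip: str) -> bool:
    """An inside address that only the catch-all claims has never been classified."""
    return classify(ip) == CATCH_ALL


@dataclass
class Conv:
    client: str
    server: str
    server_port: int
    client_bytes: int   # client -> server
    server_bytes: int   # server -> client


def detect(convs: List[Conv], baseline: Dict[str, int], factor: float = 5.0,
           min_peers: int = 3) -> List[Tuple[str, str, str]]:
    """Return (alarm, host, detail) tuples.

    Data Exfiltration: an inside host pushes more than factor x its baseline
    to Outside hosts (one or many destinations).
    Suspect Data Hoarding: an inside host pulls more than factor x its
    baseline from at least min_peers other inside hosts.
    """
    out_bytes: Dict[str, int] = defaultdict(int)
    out_dsts: Dict[str, Set[str]] = defaultdict(set)
    in_bytes: Dict[str, int] = defaultdict(int)
    in_peers: Dict[str, Set[str]] = defaultdict(set)

    for c in convs:
        cg, sg = classify(c.client), classify(c.server)
        if cg != "Outside" and sg == "Outside":
            out_bytes[c.client] += c.client_bytes
            out_dsts[c.client].add(c.server)
        if cg != "Outside" and sg != "Outside":
            in_bytes[c.client] += c.server_bytes      # data pulled from inside peers
            in_peers[c.client].add(c.server)

    alarms = []
    for host, total in out_bytes.items():
        if total > factor * baseline.get(host, 0):
            alarms.append(("Data Exfiltration", host,
                           f"{total} B to {len(out_dsts[host])} outside host(s)"))
    for host, total in in_bytes.items():
        if len(in_peers[host]) >= min_peers and total > factor * baseline.get(host, 0):
            alarms.append(("Suspect Data Hoarding", host,
                           f"{total} B from {len(in_peers[host])} inside hosts"))
    return alarms


# Constructed sample: a normal day for 10.2.2.2, a workstation (10.2.9.9) that
# pulls from three PCI servers and then pushes a similar volume to two outside
# hosts, and an unclassified 10.7.7.7 talking to a PCI server.
BASELINE = {"10.2.2.2": 5_000_000, "10.2.9.9": 5_000_000}   # bytes/day, constructed
SAMPLE = [
    Conv("10.2.2.2", "10.1.1.1", 80, 1_025, 28_712),
    Conv("10.2.2.2", "203.0.113.10", 443, 2_000_000, 40_000_000),
    Conv("10.2.9.9", "10.1.1.10", 445, 50_000, 12_000_000),
    Conv("10.2.9.9", "10.1.1.11", 445, 50_000, 11_000_000),
    Conv("10.2.9.9", "10.1.1.12", 445, 50_000, 9_000_000),
    Conv("10.2.9.9", "198.51.100.7", 443, 20_000_000, 40_000),
    Conv("10.2.9.9", "198.51.100.8", 22, 12_000_000, 40_000),
    Conv("10.7.7.7", "10.1.1.1", 80, 3_000, 30_000),
]

if __name__ == "__main__":
    for ip in ("10.2.9.9", "10.7.7.7", "203.0.113.10"):
        print(ip, "->", classify(ip), "(rogue)" if is_rogue(ip) else "")
    for alarm in detect(SAMPLE, BASELINE):
        print(*alarm)
```

Both checks depend on the classification being complete: the inside/outside test is only as good as the host groups, and a host with no baseline entry alarms on any outbound byte, which is the intended behaviour for a rogue host but will be noisy if known hosts are left unclassified. That is the practical reason behind the best practice of classifying every known address.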
“The Science of Deduction.”
Chapter 1, The Sign of the Four
Now we are going to use the evidence generated by the network to solve our mystery.
Investigating a Host – tell the story
IOC: an IDS alert from FirePOWER provides an IP address that StealthWatch can use to investigate.
Host report for 10.201.3.59 (slide graphic): behavior alarms, a quick view of host group communication, and summary information.
It Could Start with a User …
From the user record (slide graphic): alarms, devices and sessions, Active Directory details, username, and a link to view flows.
Links and Recommended Reading
More about StealthWatch and the Cisco Cyber Threat Defense Solution:
http://www.cisco.com/go/threatdefense
http://www.lancope.com
Recommended Reading
Cyber Threat Defense Cisco Validated Design Guide:
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf
Cyber Threat Defense for the Data Center Cisco Validated Design Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf
Securing Cisco Networks with Threat Detection and Analysis (SCYBER):
https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
Key Takeaways
Insider threats are operating on the network interior
Threat detection and response requires visibility and context into network traffic
NetFlow and the StealthWatch System provide actionable security intelligence
Call to Action
• Visit the World of Solutions
• Cisco Campus – Visit the Lancope/StealthWatch stand G-14 (Tuesday 1030 to Thursday 1700)
• Walk-in Labs – No labs, but ask at stand G-14 for a demo or attend LTRCRS-2006 Network as a Sensor and Enforcer Lab (Thursday 1400)
• Technical Solution Clinics
• Meet the Engineer – I will be available on Wednesday from 1700 to 1800 in MesseHall 2
• Lunch and Learn Topics
• LALSEC-0006 Lunch and Learn – Network as a Sensor / Enforcer (Thursday 1300)
• DevNet zone related sessions