
NetFlow Security Monitoring with Cisco StealthWatch

Eric Rennie

Abstract

1. Recent trends show that the security perimeter is being eroded and attackers are getting in.

2. This session takes a look at using NetFlow to give visibility and context into the network to identify attackers and accelerate incident response.

3. We are going to look at how StealthWatch collects and analyzes NetFlow.

4. We will also discuss some use cases.

5. The target audience for this session is network and security admins/analysts who want to learn how to add NetFlow as a component of their SOC.

3

About the Speaker

Eric Rennie

• Possesses a networking background and experience in implementing cyber security defence solutions, application performance, network performance and network management systems.

• Extensive tenure in the government, enterprise, service provider, start-up, vendor and carrier company sectors.

• Recently became a CSE in GSSO after Cisco acquired Lancope.

4

“The world is full of obvious things which nobody by any chance observes.”

Sherlock Holmes, The Hound of the Baskervilles

This session is about using network analysis (our obvious things) to observe and mitigate an attack.

5

Case Study: Retailer

A threat could be an authorized user with access to the network (insider threat)…

So what threat are we trying to detect here?

6

The Insider Threat

About this session

7

Reference materials for the content of this class:

http://www.cisco.com/go/threatdefense

http://www.cisco.com/go/securedatacenter

https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam

8

Agenda

Introduction

Understanding the Landscape

Introduction to NetFlow

Design and Deployment: Flow Export, Flow Collection, Adding Context

Working with NetFlow: Discovery, Identifying IOCs, Responding

Summary

Class has three tracks:

1. The landscape and what is NetFlow?

2. How to get the data/evidence (D & D)

3. Show the value of the data/evidence (analyse NetFlow)

9

Managing the Insider Threat

Access Controls

• Control who and what is on the network

Segmentation (SGT)

• Define what they can do

You are who you say you are, and these are the resources you are allowed access to based on your credentials.

10

Managing the Insider Threat

Content Controls

• Control movement of malicious content through inspection points

• Deep contextual visibility at inspection points

This is what you are allowed to bring into the secure zone/network.

11

Managing the Insider Threat

Once the walls are built, monitor for security visibility: now monitor the activity inside the secure controlled zone.

12

Introduction to NetFlow

• Developed by Cisco in 1996 as a packet forwarding mechanism

• Superseded by CEF (Cisco Express Forwarding)

• Statistical reporting became relevant to customers

• Reporting is based on flows and not necessarily per packet (unsampled flow vs. sampled)

• Various versions exist (1 through 9), with 5 being the most popular and 9 being the most functional

• Traditional NetFlow (TNF): fixed information identifies a flow

• Flexible NetFlow (FNF): the user defines how a flow is identified

13

NetFlow

Example: 10.2.2.2 (port 1024) talking to 10.1.1.1 (port 80), seen on interfaces eth0/1 and eth0/2 of the exporting device. The exporter emits one unidirectional record per direction:

Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT | TCP Flags

10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010 | SYN,ACK,PSH

10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100 | SYN,ACK,FIN

14

NetFlow = Visibility

A single NetFlow record provides a wealth of information.

15

NetFlow - The Network Phone Bill

[Figure: a sample monthly telephone statement (“Bill At-A-Glance”) shown side by side with a flow record]

NetFlow shows you the who, what, where and when. It’s a phone bill, which we use to look for out-of-the-ordinary behaviour.

16


17

NetFlow Deployment Architecture

Management/Reporting Layer:

• Run queries on flow data

• Centralize management and reporting

Flow Collection Layer:

• Collection, storage and analysis of flow records

Flow Exporting Layer:

• Enables telemetry export

• As close to the traffic source as possible

18

Considerations: Flow Exporting Layer

1. Which version of NetFlow to use

2. Where in the network to enable NetFlow export

3. How to configure/what to measure

19

NetFlow Version 5: fixed format

[Figure: the v5 record layout with its key fields highlighted]

20

Versions of NetFlow

Version | Major Advantage | Limits/Weaknesses

V5 | Defines 18 exported fields; simple and compact format; most commonly used format | IPv4 only; fixed fields, fixed length fields only; single flow cache

V9 | Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP nexthop supported; defines 104 fields, including L2 fields; reports flow direction | IPv6 flows transported in IPv4 packets; fixed length fields only; uses more memory; slower performance; single flow cache

Flexible NetFlow (FNF) | Template-based flow format (built on V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields | Less common; requires more sophisticated platform to produce; requires more sophisticated system to consume

IP Flow Information Export (IPFIX) AKA NetFlow V10 | Standardized – RFC 5101, 5102, 6313; supports variable length fields, NBAR2; can export flows via IPv4 and IPv6 packets | Even less common; only supported on a few Cisco platforms

NSEL (ASA only) | Built on NetFlow v9 protocol; state-based flow logging (context); pre and post NAT reporting | Missing many standard fields; limited support by collectors
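The V5 row above describes a fixed-format, IPv4-only record: a 24-byte header followed by 48-byte records, with the TCP flags of the whole flow OR-ed into one byte. The parser below is an added example, not code from the presentation or from Cisco. It unpacks one v5 export datagram with struct, checks the version and the announced record count against the datagram length before trusting either, and renders the flags byte the way the slide’s tables print it. The datagram it parses is constructed here from the two records in the earlier NetFlow table; the interface indexes, next hop, prefix masks and timestamps are assumed values.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format, network byte order: 24-byte header, then up to 30
# fixed 48-byte records (the "fixed fields, fixed length, IPv4 only" format).
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes

# TCP flag bits, listed in the order the slide's table prints them.
TCP_FLAG_BITS = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"),
                 (0x01, "FIN"), (0x04, "RST"), (0x20, "URG"))


def decode_tcp_flags(bits):
    """Render the cumulative TCP-flags byte as 'SYN,ACK,PSH' style text."""
    return ",".join(name for mask, name in TCP_FLAG_BITS if bits & mask)


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header, records).

    Version and length are validated before any record is unpacked, so a
    truncated or non-v5 packet is rejected instead of yielding garbage."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but the datagram does not carry them")
    header = {
        "sys_uptime_ms": sys_uptime, "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_seq, "engine_type": engine_type, "engine_id": engine_id,
        # top two bits are the sampling mode, low 14 bits the sampling interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, _pad2) = fields
        records.append({
            "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
            "next_hop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
            "packets": pkts, "bytes": octets, "first_ms": first, "last_ms": last,
            "src_port": sport, "dst_port": dport, "tcp_flags": decode_tcp_flags(flags),
            "proto": proto, "tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return header, records


def build_v5_record(src, dst, sport, dport, pkts, octets, first, last, flags, in_if, out_if):
    """Pack one TCP v5 record; used here only to construct sample input."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                          IPv4Address("0.0.0.0").packed, in_if, out_if, pkts, octets,
                          first, last, sport, dport, 0, flags, 6, 0, 0, 0, 24, 24, 0)


def sample_datagram():
    """Constructed datagram carrying the two unidirectional records from the slide's table."""
    recs = [
        build_v5_record("10.2.2.2", "10.1.1.1", 1024, 80, 5, 1025, 12221, 12871, 0x1A, 1, 2),
        build_v5_record("10.1.1.1", "10.2.2.2", 80, 1024, 17, 28712, 12871, 13500, 0x13, 2, 1),
    ]
    header = V5_HEADER.pack(5, len(recs), 13500, 1519550412, 0, 0, 0, 0, 0)
    return header + b"".join(recs)


if __name__ == "__main__":
    hdr, recs = parse_v5(sample_datagram())
    for r in recs:
        print(f"{r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']} "
              f"pkts={r['packets']} bytes={r['bytes']} flags={r['tcp_flags']}")
```

A collector listening on UDP would hand each received datagram to parse_v5 unchanged; the length check matters because the count field is attacker-controllable on an unauthenticated UDP feed and must never be used to index past the buffer.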

21

NetFlow Deployment – Where to collect?

Each network layer offers unique NetFlow capabilities:

Edge: ASA, ISR, ASR

Distribution & Core: Catalyst® 6500, Catalyst® 4500

Access: Catalyst® 3560/3750-X, Catalyst® 4500, Catalyst® 3650/3850

22

Where to collect NetFlow from?

Listed below are the typical use cases and the recommendations of where to collect the NetFlow from in the network:

1. Use case: detection of security events

a. Only need to account for the packet once.

b. Collect at the edge (access); if not 100% flow capable then distribution; if not 100% flow capable then core.

c. Enable flow on any exporter that will provide additional context, like ASA firewalls (provide NAT and FW actions) and proxy data (allow visibility into outbound traffic that has been translated).

2. Use case: forensics or auditing

a. You should be looking to account for all packets.

b. Deploy as close to the edges of the network as possible (at the access layer).

c. Enable flow on any exporter that will provide additional context, like ASA firewalls (provide NAT and FW actions) and proxy data (allow visibility into outbound traffic that has been translated).

3. Use case: networking (performance)

a. You need flow from everywhere (access, distribution and core) to help with interface utilization, QoS monitoring, trending and capacity planning, and tracking issues back to the source of the problem, which could be any interface.

23

NetFlow Terminology

24

Configuring Traditional NetFlow (TNF)

25

Configuring FNF

26

FNF Required Fields for StealthWatch

The fields marked as required below are the fields StealthWatch requires in order to accept and build a flow record.

27

Catalyst 3650-X,3750-X Flow Record

!
flow record CYBER_3KX_FLOW_RECORD
 match datalink mac source-address
 match datalink mac destination-address
 match datalink mac source-vlan-id
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

28

Catalyst 4500 Flow Record

!
flow record cts-cyber-4k
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect flow cts source group-tag
 collect flow cts destination group-tag
 collect flow cts switch derived-sgt
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

29

Catalyst 3850/3650 Flow Record

!
flow record cts-cyber-3k-in
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow record cts-cyber-3k-out
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!

30

Catalyst 6500 (Sup 2T) Flow Record

!
flow record cts-cyber-6k
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow cts source group-tag
 match flow cts destination group-tag
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

31

ISR Flow Record

!
flow record cts-cyber-ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!

Enable NBAR

32

ASA NSEL Configuration

!
flow-export destination management <ip-address> 2055
!
policy-map global_policy
 class class-default
  flow-export event-type all destination <ip-address>
!
flow-export template timeout-rate 2
logging flow-export syslogs disable
!

NetFlow Security Event Logs (NSEL) tracks flow create, teardown, update and denied events; a record is exported only when such an event occurs.

33

Flow Monitor Configuration

!
flow monitor CYBER_MONITOR
 record CYBER_RECORD
 exporter CYBER_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!

Active Timeout:

• Longest amount of time a flow can be in cache without exporting a Flow Record

• Recommended 60 seconds

• All exporters should have the same timeout

Inactive Timeout:

• How long a flow can be inactive before being removed from cache

• Recommended 15 seconds

• All exporters should have the same timeout
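The two timeouts decide how one conversation is cut into flow records, which is why the slide wants every exporter on the same values: a collector that stitches and de-duplicates records from several exporters expects the same traffic to arrive chopped the same way. The model below is an added example, not from the presentation or from Cisco IOS: a toy flow cache keyed by 5-tuple that exports on the active and inactive timeouts and is fed constructed traffic (a 150-second transfer at one packet per second, plus a three-packet flow). Running it with active timeouts of 60 and 120 seconds shows the same traffic producing a different number of records.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "t src dst sport dport proto size")  # t in seconds


class FlowCache:
    """Toy model of an exporter's flow cache with the two timeouts from the slide.

    Active timeout: a flow that keeps receiving packets is exported once it has
    been in the cache this long; the next packet opens a fresh record.
    Inactive timeout: a flow that has seen no packet for this long is exported
    and removed."""

    def __init__(self, active_timeout=60, inactive_timeout=15):
        self.active = active_timeout
        self.inactive = inactive_timeout
        self.cache = {}       # 5-tuple -> counters for the open flow
        self.exported = []    # flow records in export order

    def _export(self, key, entry, reason):
        self.exported.append({"key": key, "first": entry["first"], "last": entry["last"],
                              "packets": entry["packets"], "bytes": entry["bytes"],
                              "reason": reason})

    def expire(self, now):
        """Age the cache as of `now`; a real exporter does this on a timer."""
        for key in list(self.cache):
            e = self.cache[key]
            if now - e["last"] >= self.inactive:
                self._export(key, self.cache.pop(key), "inactive")
            elif now - e["first"] >= self.active:
                self._export(key, self.cache.pop(key), "active")

    def observe(self, pkt):
        """Account one packet to its flow, creating the cache entry on first sight."""
        self.expire(pkt.t)
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        e = self.cache.setdefault(key, {"first": pkt.t, "last": pkt.t, "packets": 0, "bytes": 0})
        e["last"] = pkt.t
        e["packets"] += 1
        e["bytes"] += pkt.size

    def flush(self, now):
        """Export whatever is still open once traffic stops, as the inactive timer would."""
        self.expire(now + self.inactive)
        return self.exported


def sample_traffic():
    """Constructed traffic: a 150 s transfer at one packet per second, plus a 3-packet flow."""
    long_flow = [Packet(t, "10.2.2.2", "10.1.1.1", 1024, 80, "TCP", 1000) for t in range(150)]
    short_flow = [Packet(t, "10.2.2.3", "10.1.1.1", 2048, 80, "TCP", 200) for t in (10, 11, 12)]
    return sorted(long_flow + short_flow, key=lambda p: p.t)


def simulate(active_timeout, inactive_timeout):
    """Return the records an exporter with these timeouts produces for sample_traffic()."""
    cache = FlowCache(active_timeout, inactive_timeout)
    packets = sample_traffic()
    for p in packets:
        cache.observe(p)
    return cache.flush(packets[-1].t)


if __name__ == "__main__":
    for active in (60, 120):
        recs = simulate(active, 15)
        print(f"active={active}s:", [(r["packets"], r["reason"]) for r in recs])
```

With the recommended 60/15 the long transfer becomes three records (60, 60 and 30 packets) while an exporter set to 120 seconds emits two for identical traffic; the short flow is exported by the inactive timer 15 seconds after its last packet in both cases.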

34

Aside: Myths about NetFlow Generation

Myth #1: NetFlow impacts performance

• Hardware-implemented NetFlow has no performance impact

• Software implementations typically add significantly less than 15% processing overhead

Myth #2: NetFlow has bandwidth overhead

• NetFlow is a summary protocol

• Traffic overhead is typically significantly less than 1% of total traffic per exporting device

35

Components for NetFlow Security Monitoring

Cisco Network

UDP Director

• UDP packet copier

• Forward to multiple collection systems

StealthWatch FlowSensor (VE)

• Generate NetFlow data

• Additional contextual fields (ex. App, URL, SRT, RTT)

StealthWatch FlowCollector

• Collect and analyze

• Up to 4000 sources

• Up to sustained 240,000 fps

StealthWatch Management Console

• Management and reporting

• Up to 25 FlowCollectors

• Up to 6 million fps globally

36

NetFlow Collection: Flow Stitching

Uni-directional flow records (10.2.2.2 port 1024 talking to 10.1.1.1 port 80, seen on eth0/1 and eth0/2):

Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT

10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010

10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100

Bi-directional:

• Conversation flow record

• Allows easy visualization and analysis

Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Client SGT | Server SGT | Interfaces

10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | 100 | 1010 | eth0/1, eth0/2

37

NetFlow Collection: De-duplication

Example: the conversation between 10.2.2.2 port 1024 and 10.1.1.1 port 80 passes Router A, Router B and Router C, and each of them exports it:

Router A: 10.2.2.2:1024 -> 10.1.1.1:80

Router B: 10.2.2.2:1024 -> 10.1.1.1:80

Router C: 10.1.1.1:80 -> 10.2.2.2:1024

These records are duplicates of one conversation.

Without de-duplication:

• Traffic volume can be misreported

• False positives would occur

De-duplication:

• Allows for the efficient storage of flow data

• Necessary for accurate host-level reporting

38

NetFlow Collection: De-duplication flow record

Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | App | Client SGT | Server SGT | Exporter, Interface, Direction, Action

10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | HTTP | 100 | 1010 | Sw1, eth0, in; Sw1, eth1, out; Sw2, eth0, in; Sw2, eth1, out; ASA, eth1, in; ASA, eth0, out, Permitted; ASA, eth0, in, Permitted; ASA, eth1, out; Sw3, eth1, in; Sw3, eth0, out; Sw1, eth1, in; Sw1, eth0, out

Devices on the path between 10.2.2.2 port 1024 and 10.1.1.1 port 80: Sw1, Sw2, Sw3, ASA.

Any unique information is added to the record. The path of the packet, for example, is unique.
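The flow stitching slide and the two de-duplication slides describe two collector-side steps on the same input: collapse the copies of a one-way flow that several exporters reported, keeping the exporter/interface path as the unique information, then pair the two directions into one conversation record with the side that spoke first as the client. The code below is an added example of both steps, not StealthWatch code. Its input is constructed from the slide’s figures: Router A and Router B export both directions of the 10.2.2.2:1024 to 10.1.1.1:80 exchange and Router C only the reply; the interface names and start times per router are assumed. The matching window of 60 seconds is likewise an assumption, chosen to match the active timeout recommended earlier.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record as exported by a single device."""
    exporter: str
    interface: str
    start: float      # seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def five_tuple(r):
    return (r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto)


def reverse(k):
    src_ip, src_port, dst_ip, dst_port, proto = k
    return (dst_ip, dst_port, src_ip, src_port, proto)


def deduplicate(records, window=60.0):
    """Collapse copies of one unidirectional flow seen by several exporters.

    Records with the same 5-tuple whose start times lie within `window` seconds are
    the same flow: counters are taken once (the largest copy, since a sampling or
    downstream device can only have seen a subset of the packets) and every
    exporter/interface is kept, because the path is the unique information."""
    groups = []
    for r in sorted(records, key=lambda r: r.start):
        k = five_tuple(r)
        for g in groups:
            if g["key"] == k and abs(g["start"] - r.start) <= window:
                g["packets"] = max(g["packets"], r.packets)
                g["bytes"] = max(g["bytes"], r.nbytes)
                g["path"].append((r.exporter, r.interface))
                break
        else:
            groups.append({"key": k, "start": r.start, "packets": r.packets,
                           "bytes": r.nbytes, "path": [(r.exporter, r.interface)]})
    return groups


def stitch(flows, window=60.0):
    """Pair each one-way flow with its reverse into a bidirectional conversation record.

    Flows are visited in start order, so the side that spoke first becomes the
    client, which is how the slide labels 10.2.2.2:1024 -> 10.1.1.1:80."""
    flows = sorted(flows, key=lambda g: g["start"])
    used = [False] * len(flows)
    conversations = []
    for i, g in enumerate(flows):
        if used[i]:
            continue
        used[i] = True
        peer, rk = None, reverse(g["key"])
        for j in range(i + 1, len(flows)):
            if not used[j] and flows[j]["key"] == rk and flows[j]["start"] - g["start"] <= window:
                used[j], peer = True, flows[j]
                break
        cip, cport, sip, sport, proto = g["key"]
        conversations.append({
            "start": g["start"], "client_ip": cip, "client_port": cport,
            "server_ip": sip, "server_port": sport, "proto": proto,
            "client_bytes": g["bytes"], "client_packets": g["packets"],
            "server_bytes": peer["bytes"] if peer else 0,
            "server_packets": peer["packets"] if peer else 0,
            "path": g["path"] + (peer["path"] if peer else []),
        })
    return conversations


# Constructed input: the slide's exchange as three routers on the path would export it.
SAMPLE = [
    FlowRecord("Router A", "eth0/1", 12.221, "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router A", "eth0/2", 12.871, "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    FlowRecord("Router B", "eth1/1", 12.230, "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router B", "eth1/2", 12.880, "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    FlowRecord("Router C", "eth0/3", 12.890, "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]


def naive_total_bytes(records):
    """What a collector without de-duplication would report for this conversation."""
    return sum(r.nbytes for r in records)


def conversation_total_bytes(conversations):
    return sum(c["client_bytes"] + c["server_bytes"] for c in conversations)


if __name__ == "__main__":
    convs = stitch(deduplicate(SAMPLE))
    for c in convs:
        print(c)
    print("naive:", naive_total_bytes(SAMPLE), "de-duplicated:", conversation_total_bytes(convs))
```

The five exported records become one conversation of 1025 client bytes and 28712 server bytes with a five-hop path; summing the raw records instead would report 88186 bytes for the same conversation, which is the misreported volume the slide warns about.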

39

How The Conversational Flow Record Looks in SW

[Figure: the conversational flow record in StealthWatch, annotated with Who, What, When, How and Where]

• Highly scalable (enterprise class) collection

• High compression => long term storage

• Months of data retention

• More context

40

Host Groups: Applied Situational Awareness

A host group is a virtual container of multiple IP addresses/ranges that have similar attributes (for example, lab servers).

Best Practice: classify all known IP addresses in one or more host groups.

41

ISE as a Telemetry Source (adding context)

Monitor Mode (visibility & discovery):

• Open Mode, Multi-Auth (passive)

• Unobstructed access

• No impact on productivity

• Profiling, posture assessment

Authenticated Session Table (Cisco ISE, sent to the StealthWatch Management Console via syslog):

• Maintain historical session table

• Correlate NetFlow to username

• Build user-centric reports

42

Global Intelligence (adding more context)

• Known C&C Servers

• Tor Entrance and Exits

43

Conversational Flow Record with added context: ISE telemetry, NBAR, applied situational awareness (host groups), FlowSensor, Geo-IP mapping, threat feed.

44

Flow Table – IPv6

StealthWatch can also display IPv6 flow records

45


46

“There is nothing like first hand evidence.”

Sherlock Holmes, A Study in Scarlet

Now we are going to analyse all that good NetFlow data/evidence generated by the network.

47

NetFlow Analysis with StealthWatch can help:

Identify additional IOCs:

• Policy & Segmentation

• Network Behaviour & Anomaly Detection (NBAD)

Better understand / respond to an IOC:

• Audit trail of all host-to-host communication

Discovery:

• Identify business critical applications and services across the network

48

Locate Assets – Discovery

Find hosts communicating on the network

• Pivot based on transactional data

49

Policy & Segmentation with StealthWatch

PCI Zone Map: define the communication policy between zones and monitor for violations.

50

Host Groups – Targeted Reporting (additional IoCs)

Geo-IP-based host group: summary chart of traffic inbound to and outbound from this host group.

51

Host Groups – Discovering Rogue Hosts (additional IoCs)

Catch All: all unclassified RFC1918 addresses, shown as a table of all individual hosts.

52

Host Groups – Discovering Rogue Hosts (additional IoCs)

Rogue hosts are IP addresses you don’t know about, as they have not been classified.
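The host-group, PCI zone map and rogue-host slides are one mechanism seen from three sides: classify every known address into a group, express which groups may talk to which, and treat any RFC1918 address that matches no group as a catch-all rogue host. The script below is an added example of that mechanism, not StealthWatch code. The host groups, the zone map and the sample conversations are all constructed; the verdict strings are this example’s own.

```python
import ipaddress

# Constructed host groups: virtual containers of IP ranges with similar attributes.
HOST_GROUPS = {
    "PCI Cardholder Data": ["10.10.0.0/24"],
    "Corporate Users": ["10.20.0.0/16"],
    "Lab servers": ["10.30.5.0/24"],
    "DMZ Web": ["192.168.100.0/24"],
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CATCH_ALL = "Rogue Hosts"     # unclassified RFC1918 addresses land here
OUTSIDE = "Outside Hosts"

# Constructed PCI zone map: which (client group, server group) pairs may talk, and on
# which server ports (None = any port). Internal pairs absent from the map are violations.
ZONE_POLICY = {
    ("DMZ Web", "PCI Cardholder Data"): {443},
    ("Corporate Users", "DMZ Web"): {80, 443},
    ("Corporate Users", "Lab servers"): None,
}


def classify(ip):
    """Longest-prefix match of an address against the host groups, then the catch-alls."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for group, ranges in HOST_GROUPS.items():
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = group, net.prefixlen
    if best is not None:
        return best
    return CATCH_ALL if any(addr in n for n in RFC1918) else OUTSIDE


def check_flow(client_ip, server_ip, server_port):
    """Judge one conversation against the zone map; returns (client group, server group, verdict)."""
    cg, sg = classify(client_ip), classify(server_ip)
    if CATCH_ALL in (cg, sg):
        verdict = "rogue host involved"
    elif OUTSIDE in (cg, sg):
        verdict = "outside traffic (not covered by zone map)"
    else:
        allowed = ZONE_POLICY.get((cg, sg), set())
        verdict = "permitted" if allowed is None or server_port in allowed else "policy violation"
    return cg, sg, verdict


def audit(conversations):
    """Run the check over (client_ip, server_ip, server_port) tuples and return the findings."""
    findings = []
    for cip, sip, port in conversations:
        cg, sg, verdict = check_flow(cip, sip, port)
        if verdict != "permitted" and not verdict.startswith("outside"):
            findings.append({"client": cip, "server": sip, "port": port,
                             "client_group": cg, "server_group": sg, "verdict": verdict})
    return findings


# Constructed conversations, as a collector would present them after stitching.
SAMPLE_CONVERSATIONS = [
    ("192.168.100.10", "10.10.0.5", 443),    # DMZ web tier to card data on 443: allowed
    ("10.20.3.14", "10.10.0.5", 3389),       # user workstation RDP into the PCI zone: violation
    ("10.20.3.14", "192.168.100.10", 443),   # user to DMZ web: allowed
    ("10.99.1.2", "10.10.0.5", 22),          # unclassified RFC1918 address: rogue host
    ("10.20.3.14", "203.0.113.8", 443),      # user to the internet: outside the zone map
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CONVERSATIONS):
        print(f)
```

Longest-prefix matching lets a small, specific group (a /24 of lab servers) live inside a broader one without reordering the definitions; the rogue verdict is checked before the zone map so an unclassified address can never be permitted merely because its peer group has a permissive rule.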

53

Concept: Indicator of Compromise (respond to an IoC)

Sources of IoCs: IDS/IPS alert, log analysis (SIEM), raw flow analysis, outside notification, behavioural analysis, activity monitoring, anomaly detection, file hashes, IP addresses.

An IoC is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion (http://en.wikipedia.org/wiki/Indicator_of_compromise).

There are many IoCs from the network which we need to piece together to solve the crime.

54

Attack Lifecycle Model

Stages shown: Initial Recon, Initial Compromise, Infiltration (C&C), Exploratory Actions, Footprint Expansion, Staging, Execution, Theft, Disruption.

Now we use our evidence from the IoCs to build a model of an attack.

55

StealthWatch NBAD Model

Algorithm -> Security Event -> Alarm

• Algorithm: track and/or measure behaviour/activity

• Security Event: suspicious behaviour observed or anomaly detected

• Alarm: notification of security event generated

This is how StealthWatch processes all the IoCs coming in from the network (NetFlow) to make sense of them.

56

Behavioral Detection Model

Behavioral algorithms are applied to build “Security Events”.

57

Alarm Categories

Each category accrues points.

58

StealthWatch: Alarms

• Indicate significant behaviour changes and policy violations

• Known and unknown attacks generate alarms

• Activity that falls outside the baseline, acceptable behaviour or established policies

59

Example: Concern Index

Concern Index: tracks hosts that appear to be compromising network integrity, built up from security events.

60

Example: Watching for Data Theft

Data Exfiltration:

• Identify suspect movement from inside network to outside

• Single or multiple destinations from a single source

• Policy and behavioral

61

Example: Data Hoarding

Suspect Data Hoarding:

• Unusually large amount of data inbound from other hosts

Target Data Hoarding:

• Unusually large amount of data outbound from a host to multiple hosts

62

Example: Suspect Data Hoarding

Data Hoarding

• Unusually large amount of data inbound to a host from other hosts

• Policy and behavioral
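The NBAD model (algorithm, security event, alarm), the point-accruing Concern Index and the three examples above (data exfiltration, suspect data hoarding, target data hoarding) fit together into one pipeline, and each example slide says its check is both policy-based and behavioral. The code below is an added example of that pipeline, not StealthWatch’s algorithms or weights: it summarises one day of flows per host, applies a fixed policy threshold and a per-host baseline test (mean plus three standard deviations over the host’s own history), turns hits into security events, accrues points into a Concern Index and raises an alarm above a threshold. The flows, the histories, the point values and the thresholds are all constructed, and the inside/outside split uses the RFC1918 ranges.

```python
import ipaddress
import statistics

# Constructed weights: points each security event adds to the host's Concern Index.
EVENT_POINTS = {"Suspect Data Loss": 50, "Suspect Data Hoarding": 30, "Target Data Hoarding": 30}
CI_ALARM_THRESHOLD = 60            # alarm once a host's accrued points reach this (assumed)
POLICY_MAX_OUTBOUND = 500_000_000  # policy rule: over 500 MB to outside in a day is always an event
MIN_PEERS = 5                      # what "multiple hosts" means for the hoarding algorithms
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def anomalous(value, history, k=3.0):
    """Behavioral test: value exceeds the host's own baseline by k standard deviations.

    The factor-of-two floor keeps a flat history (stdev 0) from flagging trivial
    increases, and an empty history never flags anything (no baseline to deviate from)."""
    if not history:
        return False
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) if len(history) > 1 else 0.0
    return value > mean + k * sd and value > 2 * mean


def summarize(flows):
    """Per-host daily totals from (src_ip, dst_ip, bytes) flows."""
    hosts = {}

    def h(ip):
        return hosts.setdefault(ip, {"out_ext": 0, "in_int": 0, "in_peers": set(),
                                     "out_int": 0, "out_peers": set()})
    for src, dst, nbytes in flows:
        if is_inside(src) and not is_inside(dst):
            h(src)["out_ext"] += nbytes                                  # inside -> outside
        elif is_inside(src) and is_inside(dst):
            h(dst)["in_int"] += nbytes; h(dst)["in_peers"].add(src)     # suspect hoarding side
            h(src)["out_int"] += nbytes; h(src)["out_peers"].add(dst)   # target hoarding side
    return hosts


def detect(flows, history):
    """Algorithm -> security event -> alarm. Returns (events, concern_index, alarms)."""
    events, ci = [], {}
    for ip, t in summarize(flows).items():
        base = history.get(ip, {})
        if t["out_ext"] > POLICY_MAX_OUTBOUND or anomalous(t["out_ext"], base.get("out_ext", [])):
            events.append((ip, "Suspect Data Loss", t["out_ext"]))
        if len(t["in_peers"]) >= MIN_PEERS and anomalous(t["in_int"], base.get("in_int", [])):
            events.append((ip, "Suspect Data Hoarding", t["in_int"]))
        if len(t["out_peers"]) >= MIN_PEERS and anomalous(t["out_int"], base.get("out_int", [])):
            events.append((ip, "Target Data Hoarding", t["out_int"]))
    for ip, name, _ in events:
        ci[ip] = ci.get(ip, 0) + EVENT_POINTS[name]
    alarms = sorted(ip for ip, points in ci.items() if points >= CI_ALARM_THRESHOLD)
    return events, ci, alarms


def sample_day():
    """Constructed data: one user host pulls 40 MB from each of eight internal servers and
    then pushes 900 MB to an outside address, beside a normal user and an ordinary file server."""
    hoarder, normal, fileserver, outside = "10.201.3.59", "10.201.3.60", "10.201.1.10", "203.0.113.10"
    flows = [(hoarder, outside, 900_000_000), (normal, outside, 2_900_000)]
    flows += [(f"10.201.2.{i}", hoarder, 40_000_000) for i in range(1, 9)]
    flows += [(fileserver, f"10.201.3.{i}", 10_000_000) for i in range(61, 67)]
    usual_out = [2_000_000, 3_000_000, 2_500_000, 2_800_000, 3_100_000]   # last five days
    history = {
        hoarder: {"out_ext": usual_out,
                  "in_int": [5_000_000, 6_000_000, 5_500_000, 5_000_000, 6_500_000]},
        normal: {"out_ext": usual_out},
        fileserver: {"out_int": [55_000_000, 60_000_000, 58_000_000]},
    }
    return flows, history


if __name__ == "__main__":
    events, ci, alarms = detect(*sample_day())
    for ip, name, volume in events:
        print(f"security event: {name} on {ip} ({volume} bytes)")
    print("concern index:", ci, "alarms:", alarms)
```

On the sample day the user host 10.201.3.59 raises two security events (the 900 MB upload trips both the policy threshold and its baseline; the 320 MB pulled from eight internal peers trips the hoarding baseline), accrues 80 points and alarms; the normal user stays inside its baseline, and the file server sending 60 MB to six hosts is busy but consistent with its history, so neither produces an event.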

63

“The Science of Deduction.”

Chapter 1, The Sign of the Four

Now we are going to use the evidence generated by the network to solve our mystery.

64

Investigating a Host – tell the story

IOC: an IDS alert from FirePower provides an IP address that StealthWatch can use to investigate.

Host report for 10.201.3.59: behavior alarms, a quick view of host group communication, and summary information.

65

Investigating: Host Drilldown

[Figure: host drilldown showing user information and applications]

66

Investigating: Applications

A lot of applications.

Some suspicious!

67

It Could Start with a User …

[Figure: user view showing the username, Active Directory details, devices and sessions, alarms, and a link to view flows]

68

Agenda

Introduction

Understanding the Landscape

Concepts and Attribution

NetFlow Design and Deployment: Flow Export, Flow Collection, Adding Context

Working with NetFlow: Discovery, Identifying IOCs, Responding

Summary

69

Related Sessions

BRKSEC-2026 Network as a Sensor and Enforcer (Thursday 0900 to 1100)

70

Links and Recommended Reading

More about StealthWatch and the Cisco Cyber Threat Defense Solution:

http://www.cisco.com/go/threatdefense

http://www.lancope.com

Recommended Reading

Cyber Threat Defense Cisco Validated Design Guide: http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf

Cyber Threat Defense for the Data Center Cisco Validated Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf

Securing Cisco Networks with Threat Detection and Analysis (SCYBER)

https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam

71

Key Takeaways

Insider threats are operating on the network interior

Threat detection and response requires visibility and context into network traffic

NetFlow and the StealthWatch System provide actionable security intelligence

72

“The game is afoot!”

Sherlock Holmes, The Adventure of the Abbey Grange

73

Call to Action

• Visit the World of Solutions for

• Cisco Campus – Visit the Lancope/StealthWatch stand G-14 (Tuesday 1030 to Thursday 1700)

• Walk in Labs – No labs but ask at stand G-14 for a demo or attend LTRCRS-2006 Network as a Sensor and Enforcer Lab (Thursday 1400)

• Technical Solution Clinics

• Meet the Engineer – I will be available on Wednesday from 1700 to 1800 in MesseHall 2

• Lunch and Learn Topics

• LALSEC-0006 Lunch and Learn - Network as a Sensor / Enforcer (Thursday 1300)

• DevNet zone related sessions

74

Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.

75

Q & A

76

Thank you

77