Monitoring and Threat Detection with NetFlow
Michael Belan, Consulting Systems Engineer, Cisco GSSO
January 2017

AGENDA
- What is StealthWatch (SW)? Where does it fit in the overall Cisco Security framework?
- What is SW? What does it do, and how does it work?
- Components: NetFlow and product architecture
- Visibility: host and network
- Use cases: forensic and insider threat
- Review
- Demo
The Cyber Threat Defense 2.0 Model
NETWORK as a SENSOR
Diagram: NetFlow exported by the network devices ("NETFLOW!") is analysed by StealthWatch to surface anomalies and policy violations inside the network.
High Visibility for Very Low Touch

Diagram: Sites A, B and C attach through CE routers to PE routers in the MPLS cloud; the Internet is reached through a TIC (trusted internet connection); the Data Center also attaches to the MPLS cloud.

Diagram: North-South traffic runs between the Internet (via the trusted internet connection), the Wide Area Network (MPLS/VPLS), the Enterprise LAN (users/hosts) and the Datacenter; East-West traffic runs laterally inside the network between users/hosts and the Datacenter.
Visibility Through NetFlow
NetFlow is metadata: key fields describing conversations, exported by switches and routers.
- Unidirectional: two records per conversation
- Established: versions include v5, v9, and IPFIX
- Supported by open source and commercial tools
- NOT full packet capture
Benefits include:
- Visibility across the entire network
- Independent of agents, sensors, signatures
- Lightweight vs. packet capture for storage/forensics
- Unhindered by encryption
Example flow record for packets from 10.1.8.3 to 172.168.134.2 on the Internet:
SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
APPLICATION NAME     SECURE-HTTP (NBAR)
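To make the "metadata, not packets" point concrete, here is an added example (not Cisco or StealthWatch code) that parses a NetFlow v5 export datagram into the key fields listed on the slide. The v5 header and record layout used is the published one; the sample datagram is constructed to carry the slide's record, with made-up packet and byte counts. Note that v5 has no field for the source SGT or the NBAR application name shown on the slide; those come from v9/IPFIX exports, which use a template-driven layout instead of the fixed one parsed here.

```python
"""Parse a NetFlow v5 export datagram into per-flow dicts.
Added example, not Cisco or StealthWatch code. The v5 header/record layout is
the published one; the sample datagram built below is constructed to carry the
record shown on the slide (packet and byte counts are made up)."""
import socket
import struct
from typing import Dict, List

# NetFlow v5 wire format, big-endian. Header is 24 bytes, each record 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5


def flag_names(flags: int) -> str:
    """Render the cumulative TCP flag byte, e.g. 0x1A -> 'SYN|PSH|ACK'."""
    return "|".join(n for bit, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit))


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Return one dict per flow record; reject truncated or non-v5 datagrams."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     flow_seq, _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version %d)" % version)
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError("truncated datagram: %d records announced, %d bytes present"
                         % (count, len(datagram)))
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src_addr": socket.inet_ntoa(f[0]),
            "dst_addr": socket.inet_ntoa(f[1]),
            "next_hop": socket.inet_ntoa(f[2]),
            "in_if": f[3], "out_if": f[4],          # SNMP ifIndex, not the Gi0/0/0 name
            "packets": f[5], "bytes": f[6],
            "first_ms": f[7], "last_ms": f[8],       # sysUptime at first/last packet
            "src_port": f[9], "dst_port": f[10],
            "tcp_flags": f[12], "tcp_flags_str": flag_names(f[12]),
            "protocol": f[13], "tos": f[14],
            "export_time": unix_secs, "flow_seq": flow_seq,
            # low 14 bits are the sampling interval; 0 means unsampled
            "sampling_interval": sampling & 0x3FFF,
        })
    return records


def build_sample_datagram() -> bytes:
    """Constructed v5 export holding the slide's record (10.1.8.3:47321 -> 172.168.134.2:443)."""
    header = V5_HEADER.pack(5, 1, 120_000, 1_484_000_000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("10.1.8.3"), socket.inet_aton("172.168.134.2"),
        socket.inet_aton("172.168.25.1"),
        1, 2,                 # input/output ifIndex (constructed)
        12, 4578,             # packets, bytes (constructed)
        100_000, 118_000,     # first/last sysUptime ms (constructed)
        47321, 443,
        0, 0x1A, 6, 0x00,     # pad, TCP flags SYN|PSH|ACK, protocol 6, TOS
        0, 0, 24, 24, 0)      # AS numbers, prefix masks, pad (constructed)
    return header + record


if __name__ == "__main__":
    for rec in parse_netflow_v5(build_sample_datagram()):
        print(rec)
```

The length check against the record count in the header matters in practice: a collector that trusts `count` without it will read past the end of a short or malformed datagram. The sampling interval is also worth carrying through, since byte and packet counts from a sampled exporter must be scaled before any volume-based alarm is meaningful.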
Open Source Flow Tools
- Ntop
- Flowscan
- Flow-tools/cflowd
- EHNT
- SiLK
among others
Scaling Visibility: Flow Stitching
Unidirectional flow records (10.2.2.2 port 1024 seen on eth0/1, 10.1.1.1 port 80 seen on eth0/2):
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712
Bidirectional flow record (conversation flow record; allows easy visualization and analysis):
Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Scaling Visibility: NetFlow Deduplication
Three routers on the path export records for the same conversation between 10.2.2.2 port 1024 and 10.1.1.1 port 80:
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80 (duplicate of Router A's record)
Router C: 10.1.1.1:80 -> 10.2.2.2:1024
Without deduplication:
- Traffic volume can be misreported
- False positives would occur
Deduplication:
- Allows for efficient storage of flow data
- Is necessary for accurate host-level reporting
- Does not discard data
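The stitching and deduplication steps from the two slides above, as one added example (not StealthWatch code). It assumes that the source of the first record seen for a conversation is the client, and that the same directional flow reported by several exporters within one second is one flow to be counted once; the input is the slide's two records plus a constructed duplicate from a second router. Running it with `dedupe=False` reproduces the misreported volume the slide warns about.

```python
"""Flow stitching and deduplication over unidirectional NetFlow records.
Added example, not StealthWatch code. Assumptions: the source of the first
record seen for a conversation is the client; the same directional flow
reported by several exporters within `window_ms` is one flow counted once."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class UniFlow:
    start: str        # "HH:MM:SS.mmm", as printed on the slide
    exporter: str     # device that exported the record
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    octets: int


@dataclass
class Conversation:
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    interfaces: Set[str] = field(default_factory=set)
    exporters: Set[str] = field(default_factory=set)


def _ms(ts: str) -> int:
    """Milliseconds since midnight for a 'HH:MM:SS.mmm' timestamp."""
    h, m, s = ts.split(":")
    return (int(h) * 3600 + int(m) * 60) * 1000 + int(round(float(s) * 1000))


def stitch(flows: List[UniFlow], dedupe: bool = True, window_ms: int = 1000) -> List[Conversation]:
    """Merge unidirectional records into bidirectional conversation records.

    With dedupe=True a directional flow already counted from one exporter is not
    counted again when another exporter reports it inside `window_ms`; its
    exporter and interface are still recorded, so no data is discarded."""
    convs: Dict[Tuple, Conversation] = {}
    counted: Dict[Tuple, int] = {}   # directional 5-tuple -> start ms of the copy counted
    for f in sorted(flows, key=lambda x: _ms(x.start)):
        a, b = (f.src_ip, f.src_port), (f.dst_ip, f.dst_port)
        conv_key = (min(a, b), max(a, b), f.proto)     # direction-independent key
        dir_key = (a, b, f.proto)
        conv = convs.get(conv_key)
        if conv is None:
            # first record of the conversation: its source is taken as the client
            conv = Conversation(f.start, f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto)
            convs[conv_key] = conv
        conv.interfaces.add(f.interface)
        conv.exporters.add(f.exporter)
        seen = counted.get(dir_key)
        if dedupe and seen is not None and _ms(f.start) - seen <= window_ms:
            continue   # duplicate copy: metadata kept above, counters not re-added
        counted[dir_key] = _ms(f.start)
        if a == (conv.client_ip, conv.client_port):
            conv.client_bytes += f.octets
            conv.client_pkts += f.pkts
        else:
            conv.server_bytes += f.octets
            conv.server_pkts += f.pkts
    return list(convs.values())


# Constructed input: the slide's two records plus a duplicate of the first one
# reported by a second router (its interface name is made up).
SAMPLE_FLOWS = [
    UniFlow("10:20:12.221", "RouterA", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("10:20:12.224", "RouterB", "eth1/0", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("10:20:12.871", "RouterC", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

if __name__ == "__main__":
    for c in stitch(SAMPLE_FLOWS):
        print(c)
```

The first-seen-is-client rule is the simplest heuristic; a production collector would also use TCP flags (the side that sent the SYN) and well-known ports, since records from different exporters can arrive out of order.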
Massively Scalable Architecture
Stealthwatch Management Console: presentation and integration; 25 collectors per manager; 6 million flows-per-second
Flow Collector: flow collection and profiling; 240,000 flows-per-second; stitching and deduplication; unsampled flow
Flow Sensor: flow export with payload sample, certificate data and URLs

Stealthwatch Architecture
Components shown: StealthWatch Management Console; Cloud License; FlowCollector; Packet Analyzer; Cisco ISE and ISE PIC (user and device information); Cisco AnyConnect; FlowSensor and FlowSensor Virtual; NetFlow-enabled infrastructure; feeds of emerging threat information.
Host Centric Visibility: Host Snapshot
Host Centric Visibility (continued): User information
Regional Visibility: Relational Flow Maps
The Attack Lifecycle
Attack Lifecycle: Detecting Command & Control
Attack Lifecycle: Detecting C&C Channels with SLIC
Attack Lifecycle: Country-based Detection
Attack Lifecycle: Detecting Internal Reconnaissance
Attack Lifecycle: Detect Internal Recon with Concern Index
Attack Lifecycle: Detecting Internal Propagation
Attack Lifecycle: Detect Propagation with Host Locking
Diagram: users on one side, resources/datacenter on the other; a locked host communicating across the boundary (A to B) raises an ALARM.
Attack Lifecycle: Detect Propagation with Worm Tracker
Attack Lifecycle: Detecting Data Exfiltration
Attack Lifecycle: Detect Data Hoarding
Diagram: a user pulling 2GB per day from Resource Group A raises an ALARM.

Attack Lifecycle: Detecting Data Exfiltration
Diagram: data from Resource Group A moves through the user on the internal network out to the Internet; the outbound transfer raises an ALARM.
Use Cases
ALERT: Incident Response
Scenario: You have been notified of an unauthorized data transfer and need to pull back historical conversations. The notification could be from:
- Internal auditor
- External authority
- Security response team
Below is an example notification received:

List of infringing content
------------------------------
Taylor Swift Fearless
------------------------------
INFRINGEMENT DETAIL
------------------------------
Infringing Work : Fearless
Filename : Taylor Swift - Fearless
First found (UTC): 3:59:00 PM
Last found (UTC): 4:24:59 PM
File size : 79176908 bytes
IP Address: 209.182.184.7
IP Port: 14001
Network: BitTorrent
Protocol: BitTorrent

Pull back all historical conversations around a host, port, application, or traffic type.
Diagram: conversation 10.201.3.51 -> 50.23.115.72

ALERT: Insider Threat
Scenario: An internal user is stealing data! The user could be a:
- Disgruntled employee
- Person about to leave the company
- Person with privileged credentials
- Person stealing and selling trade secrets
Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (DNS port).
1. Internal user connects to the terminal server (10.201.3.18 -> 10.201.0.23).
2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter (10.201.0.23 -> 10.201.0.55).
3. Terminal server used to encrypt data and tunnel it through the DNS port to an upload server (10.201.0.23 -> 74.213.99.97).
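The three things the two use-case slides and the data-hoarding slide ask of the flow store, as one added example (not StealthWatch logic): pulling back historical conversations around a host, port or application; alarming on a host that pulled more than 2GB per day out of a resource group; and flagging UDP/53 conversations whose volume or per-packet size does not look like name resolution. The records are constructed bidirectional conversations reusing the slides' addresses; the field names, the resource-group membership and the thresholds are assumptions.

```python
"""Historical lookup and detection over stitched conversation records.
Added example, not StealthWatch logic. Field names, thresholds, the resource
group and the sample records are constructed (addresses reused from the slides)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

GB = 1024 ** 3

# Constructed conversation records in the bidirectional form that stitching produces.
RECORDS: List[Dict] = [
    {"ts": "2017-01-10T09:02:11", "client_ip": "10.201.3.18", "client_port": 51522,
     "server_ip": "10.201.0.23", "server_port": 3389, "proto": "TCP", "app": "rdp",
     "client_bytes": 420_000, "client_pkts": 3_100, "server_bytes": 9_800_000, "server_pkts": 7_800},
    {"ts": "2017-01-10T09:05:40", "client_ip": "10.201.0.23", "client_port": 49211,
     "server_ip": "10.201.0.55", "server_port": 1433, "proto": "TCP", "app": "ms-sql",
     "client_bytes": 1_200_000, "client_pkts": 18_000, "server_bytes": int(2.4 * GB), "server_pkts": 1_700_000},
    {"ts": "2017-01-10T10:31:02", "client_ip": "10.201.0.23", "client_port": 40021,
     "server_ip": "74.213.99.97", "server_port": 53, "proto": "UDP", "app": "dns",
     "client_bytes": int(2.3 * GB), "client_pkts": 1_900_000, "server_bytes": 3_400_000, "server_pkts": 60_000},
    {"ts": "2017-01-10T10:33:15", "client_ip": "10.201.3.18", "client_port": 53311,
     "server_ip": "10.201.0.2", "server_port": 53, "proto": "UDP", "app": "dns",
     "client_bytes": 71, "client_pkts": 1, "server_bytes": 135, "server_pkts": 1},
    {"ts": "2017-01-10T15:59:00", "client_ip": "10.201.3.51", "client_port": 14001,
     "server_ip": "50.23.115.72", "server_port": 6881, "proto": "TCP", "app": "bittorrent",
     "client_bytes": 79_176_908, "client_pkts": 61_000, "server_bytes": 2_900_000, "server_pkts": 40_000},
]


def conversations_around(records: List[Dict], host: Optional[str] = None,
                         port: Optional[int] = None, app: Optional[str] = None,
                         since: Optional[str] = None, until: Optional[str] = None) -> List[Dict]:
    """Incident response: pull back historical conversations touching a host, port
    or application inside an optional time window (ISO timestamps compare as strings)."""
    out = []
    for r in records:
        if host is not None and host not in (r["client_ip"], r["server_ip"]):
            continue
        if port is not None and port not in (r["client_port"], r["server_port"]):
            continue
        if app is not None and r["app"] != app:
            continue
        if since is not None and r["ts"] < since:
            continue
        if until is not None and r["ts"] > until:
            continue
        out.append(r)
    return out


def data_hoarding_alarms(records: List[Dict], resource_group: Set[str],
                         threshold: int = 2 * GB) -> List[Tuple[str, str, int]]:
    """Data hoarding: clients that received more than `threshold` bytes from servers
    in `resource_group` on one calendar day. Returns (client_ip, day, bytes)."""
    pulled: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in records:
        if r["server_ip"] in resource_group:
            pulled[(r["client_ip"], r["ts"][:10])] += r["server_bytes"]
    return sorted((ip, day, total) for (ip, day), total in pulled.items() if total > threshold)


def dns_tunnel_suspects(records: List[Dict], max_bytes: int = 10_000_000,
                        max_avg_payload: int = 400) -> List[Dict]:
    """Exfiltration over the DNS port: UDP/53 conversations whose client volume or
    average bytes per packet is far above what name resolution produces.
    Thresholds are assumptions; tune them against the local resolver baseline."""
    suspects = []
    for r in records:
        if r["proto"] != "UDP" or r["server_port"] != 53:
            continue
        avg = r["client_bytes"] / max(r["client_pkts"], 1)
        if r["client_bytes"] > max_bytes or avg > max_avg_payload:
            suspects.append({
                "client": r["client_ip"], "server": r["server_ip"],
                "bytes": r["client_bytes"], "avg_payload": round(avg),
                # a "DNS server" outside private space is itself worth a policy check
                "external": not ipaddress.ip_address(r["server_ip"]).is_private,
            })
    return suspects


if __name__ == "__main__":
    print(conversations_around(RECORDS, host="10.201.0.23"))
    print(data_hoarding_alarms(RECORDS, {"10.201.0.55"}))
    print(dns_tunnel_suspects(RECORDS))
```

Chaining the three calls around the terminal server's address reconstructs the slide's sequence from flow metadata alone: the inbound RDP session, the large pull from the database, and the outbound UDP/53 conversation, none of which needs packet payload to stand out.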
NETWORK as a SENSOR
Diagram: NetFlow from the network feeds StealthWatch, which detects anomalies and policy violations inside the network.

NETWORK as ENFORCER!
Diagram: when StealthWatch detects a policy violation, it signals Cisco ISE over pxGrid to isolate the offending host.

Review: It's about Visibility
- Flow based: independent of agents, sensors, signatures
- Metadata: lightweight, efficient, unhindered by encryption
- Profile hosts based on behavior, traffic sent and received
- Enforce policy: identify the known bad
- Detect anomalies: find and alert on outliers
High Visibility for Very Low Touch