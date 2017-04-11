
Monitoring and Threat Detection with Netflow

Presentation from the San Diego Tech Day 2017

1. Michael Belan, Consulting Systems Engineer, Cisco GSSO. January 2017. Monitoring and Threat Detection with Netflow.
2. AGENDA
   • What is SW (StealthWatch)? Where does it fit in the overall Cisco Security framework?
   • What is SW? What does it do? And how does it work?
   • Components: Netflow and Product Architecture
   • Visibility: Host and Network
   • Use Cases: Forensic and Insider Threat
   • Review
   • Demo
3. The Cyber Threat Defense 2.0 Model
4. NETWORK as a SENSOR (NetFlow from the infrastructure feeds StealthWatch)
   • Anomalies
   • Policy violations
   • Inside the network
   "High Visibility for Very Low Touch"
5. (Diagram) Site A, Site B and Site C, each with a CE router, connect through PE routers to an MPLS cloud; the Internet is reached through a TIC CE; Data Center.
6. (Diagram) Datacenter, User/Host endpoints, Internet via a Trusted Internet Connection, Wide Area Network (MPLS/VPLS), Enterprise LAN. North-South traffic versus East-West traffic.
7. Visibility Through NetFlow
   Example: a conversation from 10.1.8.3 to 172.168.134.2 on the Internet, exported by routers and switches as flow information (key fields), not packets:
   SOURCE ADDRESS       10.1.8.3
   DESTINATION ADDRESS  172.168.134.2
   SOURCE PORT          47321
   DESTINATION PORT     443
   INTERFACE            Gi0/0/0
   IP TOS               0x00
   IP PROTOCOL          6
   NEXT HOP             172.168.25.1
   TCP FLAGS            0x1A
   SOURCE SGT           100
   : :
   APPLICATION NAME     NBAR SECURE-HTTP
   NetFlow is
   • Metadata, key fields describing conversations
   • Unidirectional, two records per conversation
   • Established; versions include v5, v9, and IPFIX
   • Supported by open source and commercial tools
   • NOT full packet capture
   Benefits include
   • Visibility across the entire network
   • Independent of agents, sensors, signatures
   • Lightweight vs. packet capture for storage/forensics
   • Unhindered by encryption
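The following Python is an added example, not code from the deck or from Cisco: it parses a NetFlow v5 datagram, the oldest of the three export versions named on the slide and the only one with a fixed record layout (v9 and IPFIX are template-based, and fields such as SOURCE SGT and the NBAR application name exist only there). The datagram is constructed inline from the slide's own field values; interface indexes, packet and byte counts, AS numbers and masks are made-up filler.

```python
import socket
import struct
from typing import Dict, List

# NetFlow v5 wire layout: a 24-byte header followed by `count` 48-byte records,
# all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def tcp_flags_to_str(flags: int) -> str:
    """Render the cumulative TCP flag byte of a record, e.g. 0x1A -> 'SYN,PSH,ACK'."""
    return ",".join(name for name, bit in TCP_FLAG_BITS if flags & bit) or "none"


def parse_v5(datagram: bytes) -> Dict:
    """Decode one NetFlow v5 export datagram into a header dict plus a list of records.

    Length checks come first: a collector listening on UDP must not trust the
    advertised record count without verifying the datagram is actually that long.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header advertises {count} records but the datagram is truncated")

    records: List[Dict] = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(V5_RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        for field in ("srcaddr", "dstaddr", "nexthop"):
            rec[field] = socket.inet_ntoa(rec[field])   # 4 raw bytes -> dotted quad
        rec.pop("pad1")
        rec.pop("pad2")
        records.append(rec)

    return {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_interval": sampling & 0x3FFF,   # low 14 bits; top 2 bits are the mode
        "records": records,
    }


def build_sample_datagram() -> bytes:
    """Constructed datagram carrying the single flow shown on slide 7."""
    header = V5_HEADER.pack(5, 1, 123456, 1484000000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("10.1.8.3"), socket.inet_aton("172.168.134.2"),
        socket.inet_aton("172.168.25.1"),
        1, 2,                 # input/output ifIndex (filler)
        18, 2048,             # dPkts, dOctets (filler)
        120000, 123000,       # first/last sysuptime ms (filler)
        47321, 443,           # source / destination port from the slide
        0, 0x1A, 6, 0x00,     # pad1, TCP flags, IP protocol, IP TOS from the slide
        0, 0, 24, 24, 0)      # src_as, dst_as, masks, pad2 (filler)
    return header + record


def describe(rec: Dict) -> str:
    """One-line conversation summary in the style of the slide's key-field table."""
    return (f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
            f"proto {rec['prot']} flags {tcp_flags_to_str(rec['tcp_flags'])} "
            f"next-hop {rec['nexthop']} pkts {rec['dPkts']} bytes {rec['dOctets']}")


if __name__ == "__main__":
    parsed = parse_v5(build_sample_datagram())
    for r in parsed["records"]:
        print(describe(r))
```

Because v5 records are unidirectional, a real collector would also receive the 172.168.134.2 → 10.1.8.3 half as a separate record; that is what the flow-stitching slide later addresses.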
8. Open Source Flow Tools
   • Ntop
   • Flowscan
   • Flow-tools/cflowd
   • EHNT
   • SiLK
   among others…
9. Scaling Visibility: Flow Stitching
   Unidirectional Flow Records (10.2.2.2 port 1024 and 10.1.1.1 port 80, seen on eth0/1 and eth0/2):
   Start Time     Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
   10:20:12.221   eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
   10:20:12.871   eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712
   Bidirectional Flow Record
   • Conversation flow record
   • Allows easy visualization and analysis
   Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
   10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1 eth0/2
10. Scaling Visibility: NetFlow Deduplication
   The same conversation (10.2.2.2 port 1024 to 10.1.1.1 port 80) is exported by three routers along its path:
   Router A: 10.2.2.2:1024 -> 10.1.1.1:80
   Router B: 10.2.2.2:1024 -> 10.1.1.1:80   (duplicate of Router A's record)
   Router C: 10.1.1.1:80 -> 10.2.2.2:1024
   Without deduplication
   • Traffic volume can be misreported
   • False positives would occur
   Deduplication
   • Allows for efficient storage of flow data
   • Necessary for accurate host-level reporting
   • Does not discard data
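The two operations described on slides 9 and 10, as an added Python example that is not code from the deck or from the StealthWatch product. The sample records are constructed from the slide values: Routers A and B both export the client-to-server half of the conversation (slide 10's duplicates), Router C exports the server-to-client half. Timestamps are seconds after 10:20:00 and the small offset between exporters is made up; the rule that the earlier-seen half is the client side is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record as exported by a single device."""
    exporter: str
    start: float        # seconds after 10:20:00 (constructed)
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    octets: int

    def key(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse_key(self) -> FiveTuple:
        return (self.dst, self.dport, self.src, self.sport, self.proto)


# Constructed sample: the slide-9 conversation as seen by the slide-10 routers.
SAMPLE = [
    FlowRecord("Router A", 12.221, "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router B", 12.230, "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router C", 12.871, "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]


def deduplicate(records: List[FlowRecord], window: float = 1.0):
    """Keep one record per 5-tuple seen within `window` seconds.

    Nothing is thrown away: the list of exporters that reported each kept record
    is returned alongside it, so path information survives while byte and packet
    counters are no longer counted once per router.
    """
    kept: List[FlowRecord] = []
    seen_by: Dict[FlowRecord, List[str]] = {}
    for rec in sorted(records, key=lambda r: r.start):
        match = next((k for k in kept
                      if k.key() == rec.key() and abs(k.start - rec.start) <= window), None)
        if match is None:
            kept.append(rec)
            seen_by[rec] = [rec.exporter]
        else:
            seen_by[match].append(rec.exporter)
    return kept, seen_by


def stitch(records: List[FlowRecord]) -> List[Dict]:
    """Pair the two unidirectional halves of each conversation into one bidirectional record.

    The half seen first is taken as the client side (assumption of this example).
    """
    conversations: Dict[FiveTuple, Dict] = {}
    for rec in sorted(records, key=lambda r: r.start):
        if rec.reverse_key() in conversations:          # reply half of a known conversation
            conv = conversations[rec.reverse_key()]
            conv["server_bytes"] += rec.octets
            conv["server_pkts"] += rec.pkts
            conv["interfaces"].add(rec.iface)
            continue
        conv = conversations.setdefault(rec.key(), {
            "start": rec.start,
            "client_ip": rec.src, "client_port": rec.sport,
            "server_ip": rec.dst, "server_port": rec.dport, "proto": rec.proto,
            "client_bytes": 0, "client_pkts": 0, "server_bytes": 0, "server_pkts": 0,
            "interfaces": set(),
        })
        conv["client_bytes"] += rec.octets
        conv["client_pkts"] += rec.pkts
        conv["interfaces"].add(rec.iface)
    return list(conversations.values())


def collect(records: List[FlowRecord]) -> List[Dict]:
    """Deduplicate, then stitch: the order a collector applies the two steps."""
    unique, _ = deduplicate(records)
    return stitch(unique)


if __name__ == "__main__":
    print("without dedup:", stitch(SAMPLE)[0]["client_bytes"], "client bytes")
    print("with dedup:   ", collect(SAMPLE)[0]["client_bytes"], "client bytes")
```

Running `stitch` on the raw records reports 2050 client bytes for a conversation that really carried 1025, which is the "traffic volume can be misreported" point of slide 10; running `collect` gives the bidirectional record shown on slide 9.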
11. Massively Scalable Architecture (Presentation, Integration, Flow Collection, Profiling, Flow Export)
   Stealthwatch Management Console
   • 25 Collectors per Manager
   • 6 million flows-per-second
   Flow Collector
   • 240,000 flows-per-second
   • Stitching, Deduplication
   Flow Sensor
   • Unsampled flow
   • Payload sample
   • Certificate data
   • URLs
12. Stealthwatch Architecture: StealthWatch Management Console, FlowCollector, FlowSensor, FlowSensor Virtual, Cloud License, Packet Analyzer, Cisco AnyConnect, NetFlow-enabled infrastructure, feeds of emerging threat information, and user and device information from Cisco ISE / ISE PIC.
13. Host Centric Visibility: Host Snapshot
14. Host Centric Visibility: continued (User information)
15. Regional Visibility: Relational Flow Maps
16. The Attack Lifecycle
17. Attack Lifecycle: Detecting Command & Control
18. Attack Lifecycle: Detecting C&C Channels with SLIC
19. Attack Lifecycle: Country-based Detection
20. Attack Lifecycle: Detecting Internal Reconnaissance
21. Attack Lifecycle: Detect Internal Recon with Concern Index
22. Attack Lifecycle: Detecting Internal Propagation
23. Attack Lifecycle: Detect Propagation with Host Locking (diagram: hosts A and B across the Users and Resources/Datacenter groups; ALARM)
24. Attack Lifecycle: Detect Propagation with Worm Tracker
25. Attack Lifecycle: Detecting Data Exfiltration
26. Attack Lifecycle: Detect Data Hoarding (diagram: Resource Group A to User, 2GB per day; ALARM)
27. Attack Lifecycle: Detecting Data Exfiltration (diagram: Resource Group A to User on the Internal Network, then out to the Internet; ALARM)
28. Use Cases
29. Scenario: You have been notified of an unauthorized data transfer and need to pull back historical conversations. The notification could be from:
   • Internal auditor
   • External authority
   • Security response team
   Pull back all historical conversations around a host, port, application, or traffic type.
   ALERT: Incident Response (diagram: 10.201.3.51 to 50.23.115.72)
   Below is an example notification received:
   List of infringing content
   ------------------------------
   Taylor Swift Fearless
   ------------------------------
   INFRINGEMENT DETAIL
   ------------------------------
   Infringing Work : Fearless
   Filename : Taylor Swift - Fearless
   First found (UTC): 3:59:00 PM
   Last found (UTC): 4:24:59 PM
   File size : 79176908 bytes
   IP Address: 209.182.184.7
   IP Port: 14001
   Network: BitTorrent
   Protocol: BitTorrent
30. Scenario: An internal user is stealing data! The user could be a:
   • Disgruntled employee
   • Person about to leave the company
   • Person with privileged credentials
   • Person stealing and selling trade secrets
   Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (DNS port).
   ALERT: Insider Threat
   1. Internal user (10.201.3.18) connects to Terminal Server (10.201.0.23).
   2. Terminal server used to collect sensitive data (10.201.0.55) from within the same subnet inside the datacenter.
   3. Terminal server used to encrypt data and tunnel through the DNS port to an upload server (74.213.99.97).
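The two behavioural checks behind slide 26 (data hoarding) and slide 30 (tunneling out over the DNS port) as an added Python example; this is not code from the deck and not how StealthWatch implements its alarms. It runs over constructed per-day flow summaries using the slide-30 addresses. The 2 GB per day threshold is the one on slide 26; the DNS volume and bytes-per-packet thresholds, the approved-resolver address 10.201.0.2 and the 203.0.113.53 peer are made up for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Thresholds. 2 GB/day is the figure on slide 26; the DNS figures are constructed
# and would be tuned from a baseline of the environment's normal resolver traffic.
HOARDING_BYTES_PER_DAY = 2 * 1024 ** 3
DNS_BYTES_PER_DAY = 10 * 1024 ** 2      # UDP/53 volume to a single peer per day
DNS_AVG_BYTES_PER_PKT = 512             # ordinary DNS messages are far smaller

RESOURCE_GROUP_A: Set[str] = {"10.201.0.55"}    # sensitive database (slide 30)
APPROVED_RESOLVERS: Set[str] = {"10.201.0.2"}   # constructed internal resolver

# Constructed daily flow summaries: src is the sending side of the bytes counted.
SAMPLE_FLOWS: List[Dict] = [
    # database -> terminal server: 2.9 GB pulled in one day (hoarding)
    dict(day="2017-01-10", src="10.201.0.55", dst="10.201.0.23", dport=49152, proto="TCP",
         pkts=2_100_000, octets=2_900_000_000),
    # database -> another client: a normal day's worth of queries
    dict(day="2017-01-10", src="10.201.0.55", dst="10.201.0.31", dport=49160, proto="TCP",
         pkts=1_200, octets=1_500_000),
    # terminal server -> upload server on UDP/53: 78 MB at 1300 bytes/packet
    dict(day="2017-01-10", src="10.201.0.23", dst="74.213.99.97", dport=53, proto="UDP",
         pkts=60_000, octets=78_000_000),
    # ordinary lookups to the approved internal resolver
    dict(day="2017-01-10", src="10.201.0.31", dst="10.201.0.2", dport=53, proto="UDP",
         pkts=400, octets=28_000),
    # a few lookups to an unapproved external resolver that still look like DNS
    dict(day="2017-01-10", src="10.201.0.31", dst="203.0.113.53", dport=53, proto="UDP",
         pkts=300, octets=24_000),
]


def data_hoarding_alarms(flows: List[Dict], group: Set[str] = RESOURCE_GROUP_A,
                         limit: int = HOARDING_BYTES_PER_DAY) -> List[Tuple[str, str, int]]:
    """Slide 26: alarm when one host receives more than `limit` bytes per day from the resource group."""
    per_host: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f["src"] in group and f["dst"] not in group:
            per_host[(f["day"], f["dst"])] += f["octets"]
    return sorted((day, host, total) for (day, host), total in per_host.items() if total > limit)


def dns_tunnel_alarms(flows: List[Dict], resolvers: Set[str] = APPROVED_RESOLVERS
                      ) -> List[Tuple[str, str, str, int, int]]:
    """Slide 30: alarm on UDP/53 traffic to a non-approved peer whose volume or packet size
    does not look like name resolution. Destination port alone is not the signal; the
    203.0.113.53 flow above is unapproved but stays quiet because it looks like DNS."""
    totals: Dict[Tuple[str, str, str], List[int]] = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == 53 and f["dst"] not in resolvers:
            t = totals[(f["day"], f["src"], f["dst"])]
            t[0] += f["octets"]
            t[1] += f["pkts"]
    alarms = []
    for (day, src, dst), (octets, pkts) in sorted(totals.items()):
        avg = octets // pkts if pkts else 0
        if octets > DNS_BYTES_PER_DAY or avg > DNS_AVG_BYTES_PER_PKT:
            alarms.append((day, src, dst, octets, avg))
    return alarms


def correlate(flows: List[Dict]) -> List[Tuple[str, str, str]]:
    """Hosts that both hoarded from the resource group and pushed bulk data out over UDP/53
    on the same day: the slide-30 chain seen from the flow data alone."""
    hoarders = {(day, host) for day, host, _ in data_hoarding_alarms(flows)}
    return sorted((day, src, dst) for day, src, dst, _, _ in dns_tunnel_alarms(flows)
                  if (day, src) in hoarders)


if __name__ == "__main__":
    for alarm in data_hoarding_alarms(SAMPLE_FLOWS):
        print("DATA HOARDING:", alarm)
    for alarm in dns_tunnel_alarms(SAMPLE_FLOWS):
        print("DNS TUNNEL:", alarm)
    for chain in correlate(SAMPLE_FLOWS):
        print("INSIDER THREAT CHAIN:", chain)
```

Both checks are pure functions of the flow metadata, which is the slide's point about working without agents or payload: the exfiltration may be encrypted, but the byte counts, packet sizes and peers are still visible.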
31. NETWORK as a SENSOR (NetFlow from the infrastructure feeds StealthWatch)
   • Anomalies
   • Policy violations
   • Inside the network
32. NETWORK as ENFORCER (NetFlow to StealthWatch, StealthWatch to ISE over pxGrid): Policy violation detected! Isolate host.
33. Review: It's about Visibility
   • Flow based – independent of agents, sensors, signatures
   • Metadata – lightweight, efficient, unhindered by encryption
   • Profile Hosts – based on behavior, traffic sent and received
   • Enforce Policy – identify the known bad
   • Detect Anomalies – find and alert on outliers
   High Visibility for Very Low Touch

