With the rise of disruptive forces such as cloud computing and mobile technology, the enterprise network has become larger and more complex than ever before. Meanwhile, sophisticated cyber-attackers are taking advantage of the expanded attack surface to gain access to internal networks and steal sensitive data. Perimeter security is no longer enough to keep threat actors out, and organizations need to be able to detect and mitigate threats operating inside the network. NetFlow, a context-rich and common source of network traffic metadata, can be utilized for heightened visibility to identify attackers and accelerate incident response. Join Richard Laval to discuss the security applications of NetFlow using StealthWatch. This session will cover: - An overview of NetFlow, what it is, how it works, and how it benefits security - Design, deployment, and operational best practices for NetFlow security monitoring - How to best utilize NetFlow and identity services for security telemetry - How to investigate and identify threats using statistical analysis of NetFlow telemetry

1. Network Visibility through
NetFlow
Richard Laval
Stealthwatch SEM, Europe
rilaval@cisco.com
30-Mar-16

2. Changing
Business Models
Dynamic
Threat Landscape
Complexity
and Fragmentation
New Networks Mean New Security Challenges
Organizations lack visibility
into which and how many
devices are on their Network
Services are moving to the
Cloud at a faster rate than IT
can keep up
Over 50 billion connected
“smart objects” by 2020.
Acquisitions, joint ventures,
and partnerships are
increasing in regularity.
ENTERPRISE
MOBILITY
ACQUISITIONS AND
PARTNERSHIPS
CLOUD INTERNET OF THINGS
It’s Not “IF” You Will Be Breached…It’s “WHEN.”
Expanded Enterprise Attack Surface

3. Partner Security Day @ Cisco Live Berlin
Lawrence Orans,
Gartner, Network and Gateway
Security Primer for 2016
January 22, 2016
“Network security architects should accept the reality
that, in 2016, it is unreasonable to expect that they can
build perimeter defenses that will block every attack
and prevent every
security breach.
Instead, they need to adopt new products and/or
services that will enable the network to be an integral
part of a strategy that focuses on detecting and
responding to security incidents.”

4. Cisco Confidential 5© 2013 2014 Cisco and/or its affiliates. All rights reserved.
You Can’t Protect What You Can’t See
The Network sees everything. Gives Deep and Broad Visibility
Answers Who, what, when, where, How did they come on network
0101
0100
1011
0101
0100
1011
0101
0100
1011
0101
0100
1011

5. The Insider Threat
About this session

6. This session is about using network
analysis or the network (our obvious
things) to mitigate an attack.
“The world is full of obvious things which
nobody by any chance observes.”
Sherlock Holmes, The Hound of the Baskervilles

7. Managing the Insider Threat
Access Controls
• Control who and what is on the
network
Segmentation
• Define what they can do
SGT
You are who you say
you are and these are
the resources you are
allowed access to
based on your
credentials.

8. Managing the Insider Threat
Control movement of malicious
content through inspection points
Content Controls
• Deep contextual visibility at
inspection points
This is what you are
allowed to bring into the
secure zone/network.

9. Once the walls are built
monitor for security visibility
10
Now monitor the activity inside the
secure controlled zone.
Managing the Insider Threat

10. Introduction to NetFlow
• Developed by Cisco in 1996 as a packet forwarding mechanism
• Statistical Reporting became relevant to customers
• Reporting is based on Flow and not necessarily per-packet (Full Flow
vs. Sampled)
• Various versions exist version 1 through 9, with 5 being the most
popular and 9 being the most functional
• Traditional NetFlow (TNF) – fixed info to identify a flow
• Flexible Netflow (FNF) – user defines how to identify a flow

11. NetFlow
10.2.2.2
port 1024
10.1.1.1
port 80
eth0/1
eth0/2
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT TCP Flags
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100 SYN,ACK,FIN
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT TCP Flags
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH

12. NetFlow = Visibility
A single NetFlow Record provides a wealth of information

13. NetFlow Deployment Architecture
Management/Reporting Layer:
• Run queries on flow data
• Centralize management and reporting
Flow Collection Layer:
• Collection, storage and analysis of flow records
Flow Exporting Layer:
• Enables telemetry export
• As close to the traffic source as possible
NetFlow

14. Considerations: Flow Exporting Layer
1. NetFlow support
2. Which version of NetFlow to use
3. How to configure/what to measure
4. Where in the network to enable NetFlow export

15. Versions of NetFlow
Version Major Advantage Limits/Weaknesses
V5 Defines 18 exported fields
Simple and compact format
Most commonly used format
IPv4 only
Fixed fields, fixed length fields only
Single flow cache
V9 Template-based
IPv6 flows transported in IPv4 packets
MPLS and BGP nexthop supported
Defines 104 fields, including L2 fields
Reports flow direction
IPv6 flows transported in IPv4 packets
Fixed length fields only
Uses more memory
Slower performance
Single flow cache
Flexible NetFlow (FNF) Template-based flow format (built on V9
protocol)
Supports flow monitors (discrete caches)
Supports selectable key fields and IPv6
Supports NBAR data fields
Less common
Requires more sophisticated platform to produce
Requires more sophisticated system to consume
IP Flow Information Export
(IPFIX) AKA NetFlow V10
Standardized – RFC 5101, 5102, 6313
Supports variable length fields, NBAR2
Can export flows via IPv4 and IPv6 packets
Even less common
Only supported on a few Cisco platforms
NSEL (ASA only) Built on NetFlow v9 protocol
State-based flow logging (context)
Pre and Post NAT reporting
Missing many standard fields
Limited support by collectors

16. NetFlow Deployment
Catalyst® 6500
Distribution
& Core
Catalyst® 4500
ASA
ISR
Edge
ASR
Each network layer offers unique NetFlow capabilities
Access
Catalyst®
3560/3750-X
Catalyst® 4500
Catalyst®
3650/3850

17. Where to collect NetFlow from?
Listed below are the typical use cases and the recommendations of where to collect the NetFlow from in the network:
1. Use case detection of security events –
a. Only need to account for the packet once.
b. Collect at the edge, if not 100% flow capable then distribution, if not 100% flow capable then core.
c. Enable flow on any exporter that will provide additional context like ASA FWs (provide NAT and FW actions), and
Proxy data (allow visibility into outbound traffic that has been translated)
2. Use case forensics or auditing –
a. You should be looking to account for all packets.
b. Deploy as close to the edges of the network as possible.
c. Enable flow on any exporter that will provide additional context like ASA FWs (provide NAT and FW actions), and
Proxy data (allow visibility into outbound traffic that has been translated).
3. Use case networking (performance) –
a. You need flow from everywhere to help with interface utilization, QoS monitoring, trending and capacity planning and
tracking issues back to the source of the problem which could be any interface.

18. NetFlow Terminology

19. Aside: Myths about NetFlow Generation
Myth #1: NetFlow impacts performance
• Hardware implemented NetFlow has no
performance impact
• Software implementation is typically
significantly <15% processing overhead
Myth #2: NetFlow has bandwidth overhead
• NetFlow is a summary protocol
• Traffic overhead is typically significantly <1% of total traffic per exporting device

20. NetFlow Collection: Flow Stitching
10.2.2.2
port 1024
10.1.1.1
port 80
eth0/1
eth0/2
Start Time Client
IP
Client
Port
Server IP Server
Port
Proto Client
Bytes
Client
Pkts
Server
Bytes
Server
Pkts
Client
SGT
Server
SGT
Interfaces
10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 100 1010 eth0/1
eth0/2
Uni-directional flow records
Bi-directional:
• Conversation flow record
• Allows easy visualization and analysis
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100

21. NetFlow Collection: De-duplication
Start Time Client IP Client
Port
Server
IP
Server
Port
Proto Client
Bytes
Client
Pkts
Server
Bytes
Server
Pkts
App Client
SGT
Server
SGT
Exporter, Interface,
Direction, Action
10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 HTTP 100 1010 Sw1, eth0, in
Sw1, eth1, out
Sw2, eth0, in
Sw2, eth1, out
ASA, eth1, in
ASA, eth0, out, Permitted
ASA eth0, in, Permitted
ASA, eth1, out
Sw3, eth1, in
Sw3, eth0, out
Sw1, eth1, in
Sw1, eth0, out
10.2.2.2
port 1024 10.1.1.1
port 80
Sw1
Sw2
Sw3
ASA
Any unique information is added to the record.
Path of the packet for example is unique.

22. How The Conversational Flow Record Looks in SW
Where WhoWhat
When
How
Who
• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention
More context

23. Host Groups: Applied Situational Awareness
Virtual container of multiple
IP Addresses/ranges that
have similar attributes
Best Practice: classify all
known IP Addresses in one
or more host groups
Lab servers

24. ISE as a Telemetry Source (adding context)
Monitor Mode
• Open Mode, Multi-Auth
• Unobstructed Access
• No impact on productivity
• Profiling, posture assessment
• Gain Visibility
Authenticated Session Table
Cisco ISE
• Maintain historical session table
• Correlate NetFlow to username
• Build User-centric reports
StealthWatch
Management
Console
syslog

25. Global Intelligence (adding more context)
• Known C&C Servers
• Tor Entrance and Exits

26. Conversational Flow Record with added context
ISE
Telemetry
NBAR
Applied situational
awareness
FlowSensor
Geo-IP mapping
Threat
feed

27. Flow Table – IPv6
StealthWatch can also display IPv6 flow records

28. “There is nothing like first hand evidence”
Sherlock Holmes, A Study in Scarlett
Now, lets analyse all that good NetFlow
data/evidence generated by the network.

29. NetFlow Analysis with StealthWatch can help:
Identify additional IOCs
• Policy & Segmentation
• Network Behaviour & Anomaly Detection (NBAD)
Better understand / respond to an IOC:
• Audit trail of all host-to-host communication
Discovery
• Identify business critical applications and services
across the network

30. Locate Assets
32
Find hosts communicating on the network
• Pivot based on transactional data

31. Host Groups – Targeted Reporting
Geo-IP-based Host Group
Summary chart of traffic
inbound and outbound from
this Host Group

32. Host Groups – Discovering Rogue Hosts
Catch All: All unclassified RFC1918 addresses
Table of all individual hosts

33. Host Groups – Discovering Rogue Hosts
Rogue Hosts
(IP addresses you don’t know about as they
have not been classified)

34. Concept: Indicator of Compromise
IDS/IPS Alert
Log analysis (SIEM)
Raw flow analysis
Outside notification
Behavioural analysis
Activity monitoring
IoC = is an artifact observed on a network or in an operating system that with high
confidence indicates a computer intrusion
• http://en.wikipedia.org/wiki/Indicator_of_compromise
Anomaly detection
File hashes
IP Addresses
There are many IoCs from the network which we need to piece together to solve the crime.

35. Attack Lifecycle Model
Exploratory
Actions
Footprint
Expansion
Execution
Theft
Disruption
Staging
Initial
Compromise
Initial
Recon
Infiltration
(C&C)
Now we use our evidence from the IoCs
to build a map/model of and attack.

36. IoC’s from Traffic Analysis
Behavioural Analysis:
• Leverages knowledge of known bad behaviour
• Policy and segmentation
Anomaly Detection:
• Identify a change from “normal”

37. StealthWatch NBAD Model
Algorithm Security
Event
Alarm
Track and/or measure behaviour/activity
Suspicious behaviour observed or anomaly detected
Notification of security event generated
This how
StealthWatch
processes all the
IoCs to make
sense of them.

38. Alarm Categories
Each category accrues points.

39. Example Alarm Category: Concern Index
Concern Index: Track hosts that appear to compromising network integrity
Security events

40. StealthWatch: Alarms
Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour
or established policies

41. Watching for Data Theft
Data Exfiltration
• Identify suspect movement from Inside Network to Outside
• Single or multiple destinations from a single source
• Policy and behavioral

42. Data Hoarding
Suspect Data Hoarding:
• Unusually large amount of data
inbound from other hosts
Target Data Hoarding:
• Unusually large amount of data outbound
from a host to multiple hosts

43. Suspect Data Hoarding
Data Hoarding
• Unusually large amount of data inbound to a host from other hosts
• Policy and behavioral

44. “The Science of Deduction.”
Chapter 1: The Sign of the Four
Now we are going to use the evidence
generated by the network to solve our mystery.

45. Investigating a Host
IOC: IDS Alert from FirePower provides an IP address that
StealthWatch can use to investigate.
Host report for 10.201.3.59
Behavior alarms
Quick view of host
group communication
Summary
information

46. Investigating: Host Drilldown
User
information
Applications

47. Investigating: Applications
A lot of applications.
Some suspicious!

48. Investigating: Behaviour Alarms
Significant network activity

49. It Could Start with a User …
Alarms
Devices and
Sessions
Active Directory
Details
Username
View Flows

50. Links and Recommended Reading
More about StealthWatch and the Cisco Cyber Threat Defense Solution:
http://www.cisco.com/go/threatdefense
http://www.lancope.com
Recommended Reading
Cyber Threat Defense Cisco Validated Design Guide:
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf
Cyber Threat Defense for the Data Center Cisco Validated Design Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf
Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam

51. Key Takeaways
Insider threats are operating on the
network interior
Threat detection and response requires
visibility and context into network traffic
NetFlow and the StealthWatch System provide actionable security intelligence

52. Q & A

53. “The game is afoot!”
Sherlock Holmes, The Adventure of the The Abbey Grange

54. Thank you

55. 57