Session: Leverage the Network to Detect and Manage Threats
Presenter: Michael Moriarta, Lancope - Technical Alliance Manager/SE Southeast US
Date: October 6, 2015
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Leverage the Network to Detect and Manage Threats
1. Lancope - Technical Alliance Manager/SE Southeast US
Leverage the Network to
Detect and Manage Threats
Cisco Connect Canada 2015
Michael Moriarta
10/6/2015
2. “The world is full of obvious things which
nobody by any chance observes.”
Sherlock Holmes, The Hound of the Baskervilles
6. Three Kinds of Insider Threats
Negligent Insiders:
• Employees who accidentally
expose data
Malicious Insiders:
• Employees who intentionally
expose data
Compromised Insiders:
• Employees whose access credentials or devices have been
compromised by an outside attacker
7. Managing the Insider Threat
Access Controls
• Control who and what is on the
network
Segmentation
• Define what they can do
SGT
8. Managing the Insider Threat
Control movement of malicious
content through inspection points
Content Controls
• Deep contextual visibility at
inspection points
10. NetFlow
10.2.2.2
port 1024
10.1.1.1
port 80
eth0/1
eth0/2
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT TCP Flags
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100 SYN,ACK,FIN
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT TCP Flags
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH
11. NetFlow = Visibility
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 1010
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…
A single NetFlow Record provides a wealth of information
13. Versions of NetFlow
Version Major Advantage Limits/Weaknesses
V5 Defines 18 exported fields
Simple and compact format
Most commonly used format
IPv4 only
Fixed fields, fixed length fields only
Single flow cache
V9 Template-based
IPv6 flows transported in IPv4 packets
MPLS and BGP nexthop supported
Defines 104 fields, including L2 fields
Reports flow direction
IPv6 flows transported in IPv4 packets
Fixed length fields only
Uses more memory
Slower performance
Single flow cache
Flexible NetFlow (FNF) Template-based flow format (built on V9
protocol)
Supports flow monitors (discrete caches)
Supports selectable key fields and IPv6
Supports NBAR data fields
Less common
Requires more sophisticated platform to produce
Requires more sophisticated system to consume
IP Flow Information Export
(IPFIX) AKA NetFlow V10
Standardized – RFC 5101, 5102, 6313
Supports variable length fields, NBAR2
Can export flows via IPv4 and IPv6 packets
Even less common
Only supported on a few Cisco platforms
NSEL (ASA only) Built on NetFlow v9 protocol
State-based flow logging (context)
Pre and Post NAT reporting
Missing many standard fields
Limited support by collectors
14. NetFlow Deployment Architecture
Management/Reporting Layer:
• Run queries on flow data
• Centralize management and reporting
Flow Collection Layer:
• Collection, storage and analysis of flow records
Flow Exporting Layer:
• Enables telemetry export
• As close to the traffic source as possible
NetFlow
15. NetFlow Deployment
Catalyst® 6500
Distribution
& Core
Catalyst® 4500
ASA
ISR
Edge
ASR
Each network layer offers unique NetFlow capabilities
Access
Catalyst®
3560/3750-X
Catalyst® 4500
Catalyst®
3650/3850
16. Components for NetFlow Security Monitoring
Cisco Network
UDP Director
• UDP Packet copier
• Forward to multiple
collection systems
NetFlow
StealthWatch FlowSensor (VE)
• Generate NetFlow data
• Additional contextual fields
(ex. App, URL, SRT, RTT)
StealthWatch FlowCollector
• Collect and analyze
• Up to 2000 sources
• Up to sustained 240,000 fps
StealthWatch Management
Console
• Management and reporting
• Up to 25 FlowCollectors
• Up 6 million fps globally
Best Practice: Centralize
collection globally
17. NetFlow Collection: Flow Stitching
10.2.2.2
port 1024
10.1.1.1
port 80
eth0/1
eth0/2
Start Time Client
IP
Client
Port
Server IP Server
Port
Proto Client
Bytes
Client
Pkts
Server
Bytes
Server
Pkts
Client
SGT
Server
SGT
Interfaces
10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 100 1010 eth0/1
eth0/2
Uni-directional flow records
Bi-directional:
• Conversation flow record
• Allows easy visualization and analysis
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100
18. NetFlow Collection: De-duplication
Start Time Client
IP
Client
Port
Server
IP
Server
Port
Prot
o
Client
Bytes
Client
Pkts
Server
Bytes
Server
Pkts
App Client
SGT
Server
SGT
Exporter, Interface,
Direction, Action
10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 HTTP 100 1010 Sw1, eth0, in
Sw1, eth1, out
Sw2, eth0, in
Sw2, eth1, out
ASA, eth1, in
ASA, eth0, out, Permitted
ASA eth0, in, Permitted
ASA, eth1, out
Sw3, eth1, in
Sw3, eth0, out
Sw1, eth1, in
Sw1, eth0, out
10.2.2.2
port 1024 10.1.1.1
port 80
Sw1
Sw2
Sw3
ASA
20. ISE as a Telemetry Source
Monitor Mode
• Open Mode, Multi-Auth
• Unobstructed Access
• No impact on productivity
• Profiling, posture assessment
• Gain Visibility
Authenticated Session Table
Cisco ISE
• Maintain historical session table
• Correlate NetFlow to username
• Build User-centric reports
StealthWatch
Management
Console
syslog
21. NetFlow Analysis can help:
Identify Indicators of Compromise
• Policy & Segmentation
• Network Behaviour & Anomaly Detection (NBAD)
Better understand / respond to an IOC:
• Audit trail of all host-to-host communication
Discovery
• Identify business critical applications and services across the network
22. Host Groups: Applied Situational Awareness
Virtual container of multiple
IP Addresses/ranges that
have similar attributes
Lab servers
Best Practice: classify all
known IP Addresses in one
or more host groups
24. Concept: Indicator of Compromise
IDS/IPS Alert
Log analysis (SIEM)
Raw flow analysis
Outside notification
Behavioural analysis
Activity monitoring
an artifact observed on a network or in operating system
that with high confidence indicates a computer intrusion
• http://en.wikipedia.org/wiki/Indicator_of_compromise
Anomaly detection
File hashes
IP Addresses
25. IoC’s from Traffic Analysis
Behavioural Analysis:
• Leverages knowledge of known bad behaviour
• Policy and segmentation
Anomaly Detection:
• Identify a change from “normal”
26. StealthWatch NBAD Model
Algorithm Security
Event
Alarm
Track and/or measure behaviour/activity
Suspicious behaviour observed or anomaly detected
Notification of security event generated
28. Example Alarm Category: Concern Index
Concern Index: Track hosts that appear to be compromising network integrity
Security events. Over 90+ different
algorithms.
29. StealthWatch: Alarms
Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour
or established policies
30. Watching for Data Theft
Data Exfiltration
• Identify suspect movement from Inside Network to Outside
• Single or multiple destinations from a single source
• Policy and behavioral
31. Data Hoarding
Suspect Data Hoarding:
• Unusually large amount of data
inbound from other hosts
Target Data Hoarding:
• Unusually large amount of data outbound
from a host to multiple hosts
32. Suspect Data Hoarding
Data Hoarding
• Unusually large amount of data inbound to a host from other hosts
• Policy and behavioral
34. Investigating a Host
IOC: IDS Alert indicating a known worm operating inside your network
Host report for 10.201.3.59
Behavior alarms
Quick view of host
group communication
Summary
information
38. It Could Start with a User …
Alarms
Devices and
Sessions
Active Directory
Details
Username
View Flows
39. Key Takeaways
Insider threats are operating on the
network interior
Threat detection and response requires
visibility and context into network traffic
NetFlow and the Lancope StealthWatch System provide actionable security intelligence
40. Links and Recommended Reading
More about the Cisco Cyber Threat Defense Solution:
http://www.cisco.com/go/threatdefense
http://www.lancope.com
Recommended Reading
Cyber Threat Defense Cisco Validated Design Guide:
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf
Cyber Threat Defense for the Data Center Cisco Validated Design Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf
Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam
41. “The game is afoot!”
Sherlock Holmes, The Adventure of the The Abbey Grange
I like to start my presentations with a quote and end with a quote. This quote was from Sherlock Holmes, in Hound of the Baskervilles. (Quote) What's "obvious" or should be obvious is not always what people are paying attention to. In the security arena, we need to be paying more attention to the obvious.
An entity, person and or persons were able to infiltrate the exterior or perimeter of a network, gather information, escalate privileges and pivot to data exfiltration.
Built into the fabric of a Cisco infrastructure is this concept of NetFlow.