Session: Leverage the Network to Detect and Manage Threats Presenter: Michael Moriarta, Lancope - Technical Alliance Manager/SE Southeast US Date: October 6, 2015

1. Lancope - Technical Alliance Manager/SE Southeast US
Leverage the Network to
Detect and Manage Threats
Cisco Connect Canada 2015
Michael Moriarta
10/6/2015

2. “The world is full of obvious things which
nobody by any chance observes.”
Sherlock Holmes, The Hound of the Baskervilles

3. Evolution of Cyber Conflict
War Dialing, Phone Phreaking …
Manual Attacks (1980s)
Viruses, Worms …
Mechanized Attacks (1988)
Google, RSA …
Talented Human / Mechanized
Attackers (2009)
Cyrptocurrency Ransoms, Store-bought
Credentials ...
DIY Human / Mechanized
Attackers (2011)
Intelligence Driven
Human Defenders
Manual Defenses
Unplug
Mechanized Defenses
Firewall, IDS/IPS
Targeted
Human/Mechanized
DefendersReputation, App-aware FirewallAPT, Multi-Step Attacks…
Target, Neiman Marcus …

4. Case Study: Retailer

5. The Insider Threat
What do these stories have in common?

6. Three Kinds of Insider Threats
Negligent Insiders:
• Employees who accidentally
expose data
Malicious Insiders:
• Employees who intentionally
expose data
Compromised Insiders:
• Employees whose access credentials or devices have been
compromised by an outside attacker

7. Managing the Insider Threat
Access Controls
• Control who and what is on the
network
Segmentation
• Define what they can do
SGT

8. Managing the Insider Threat
Control movement of malicious
content through inspection points
Content Controls
• Deep contextual visibility at
inspection points

9. Once the walls are built
monitor for security visibility

10. NetFlow
10.2.2.2
port 1024
10.1.1.1
port 80
eth0/1
eth0/2
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT TCP Flags
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100 SYN,ACK,FIN
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT TCP Flags
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH

11. NetFlow = Visibility
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 1010
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…
A single NetFlow Record provides a wealth of information

12. NetFlow Version 5 Fixed format

13. Versions of NetFlow
Version Major Advantage Limits/Weaknesses
V5 Defines 18 exported fields
Simple and compact format
Most commonly used format
IPv4 only
Fixed fields, fixed length fields only
Single flow cache
V9 Template-based
IPv6 flows transported in IPv4 packets
MPLS and BGP nexthop supported
Defines 104 fields, including L2 fields
Reports flow direction
IPv6 flows transported in IPv4 packets
Fixed length fields only
Uses more memory
Slower performance
Single flow cache
Flexible NetFlow (FNF) Template-based flow format (built on V9
protocol)
Supports flow monitors (discrete caches)
Supports selectable key fields and IPv6
Supports NBAR data fields
Less common
Requires more sophisticated platform to produce
Requires more sophisticated system to consume
IP Flow Information Export
(IPFIX) AKA NetFlow V10
Standardized – RFC 5101, 5102, 6313
Supports variable length fields, NBAR2
Can export flows via IPv4 and IPv6 packets
Even less common
Only supported on a few Cisco platforms
NSEL (ASA only) Built on NetFlow v9 protocol
State-based flow logging (context)
Pre and Post NAT reporting
Missing many standard fields
Limited support by collectors

14. NetFlow Deployment Architecture
Management/Reporting Layer:
• Run queries on flow data
• Centralize management and reporting
Flow Collection Layer:
• Collection, storage and analysis of flow records
Flow Exporting Layer:
• Enables telemetry export
• As close to the traffic source as possible
NetFlow

15. NetFlow Deployment
Catalyst® 6500
Distribution
& Core
Catalyst® 4500
ASA
ISR
Edge
ASR
Each network layer offers unique NetFlow capabilities
Access
Catalyst®
3560/3750-X
Catalyst® 4500
Catalyst®
3650/3850

16. Components for NetFlow Security Monitoring
Cisco Network
UDP Director
• UDP Packet copier
• Forward to multiple
collection systems
NetFlow
StealthWatch FlowSensor (VE)
• Generate NetFlow data
• Additional contextual fields
(ex. App, URL, SRT, RTT)
StealthWatch FlowCollector
• Collect and analyze
• Up to 2000 sources
• Up to sustained 240,000 fps
StealthWatch Management
Console
• Management and reporting
• Up to 25 FlowCollectors
• Up 6 million fps globally
Best Practice: Centralize
collection globally

17. NetFlow Collection: Flow Stitching
10.2.2.2
port 1024
10.1.1.1
port 80
eth0/1
eth0/2
Start Time Client
IP
Client
Port
Server IP Server
Port
Proto Client
Bytes
Client
Pkts
Server
Bytes
Server
Pkts
Client
SGT
Server
SGT
Interfaces
10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 100 1010 eth0/1
eth0/2
Uni-directional flow records
Bi-directional:
• Conversation flow record
• Allows easy visualization and analysis
Start Time Interface Src IP Src
Port
Dest IP Dest
Port
Proto Pkts
Sent
Bytes
Sent
SGT DGT
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100

18. NetFlow Collection: De-duplication
Start Time Client
IP
Client
Port
Server
IP
Server
Port
Prot
o
Client
Bytes
Client
Pkts
Server
Bytes
Server
Pkts
App Client
SGT
Server
SGT
Exporter, Interface,
Direction, Action
10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 HTTP 100 1010 Sw1, eth0, in
Sw1, eth1, out
Sw2, eth0, in
Sw2, eth1, out
ASA, eth1, in
ASA, eth0, out, Permitted
ASA eth0, in, Permitted
ASA, eth1, out
Sw3, eth1, in
Sw3, eth0, out
Sw1, eth1, in
Sw1, eth0, out
10.2.2.2
port 1024 10.1.1.1
port 80
Sw1
Sw2
Sw3
ASA

19. Conversational Flow Record
Who
WhoWhat
When
How
Where
• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention
More context

20. ISE as a Telemetry Source
Monitor Mode
• Open Mode, Multi-Auth
• Unobstructed Access
• No impact on productivity
• Profiling, posture assessment
• Gain Visibility
Authenticated Session Table
Cisco ISE
• Maintain historical session table
• Correlate NetFlow to username
• Build User-centric reports
StealthWatch
Management
Console
syslog

21. NetFlow Analysis can help:
Identify Indicators of Compromise
• Policy & Segmentation
• Network Behaviour & Anomaly Detection (NBAD)
Better understand / respond to an IOC:
• Audit trail of all host-to-host communication
Discovery
• Identify business critical applications and services across the network

22. Host Groups: Applied Situational Awareness
Virtual container of multiple
IP Addresses/ranges that
have similar attributes
Lab servers
Best Practice: classify all
known IP Addresses in one
or more host groups

23. Locate Assets
Find hosts communicating on the network
• Pivot based on transactional data

24. Concept: Indicator of Compromise
IDS/IPS Alert
Log analysis (SIEM)
Raw flow analysis
Outside notification
Behavioural analysis
Activity monitoring
an artifact observed on a network or in operating system
that with high confidence indicates a computer intrusion
• http://en.wikipedia.org/wiki/Indicator_of_compromise
Anomaly detection
File hashes
IP Addresses

25. IoC’s from Traffic Analysis
Behavioural Analysis:
• Leverages knowledge of known bad behaviour
• Policy and segmentation
Anomaly Detection:
• Identify a change from “normal”

26. StealthWatch NBAD Model
Algorithm Security
Event
Alarm
Track and/or measure behaviour/activity
Suspicious behaviour observed or anomaly detected
Notification of security event generated

27. Alarm Categories
Each category accrues points.

28. Example Alarm Category: Concern Index
Concern Index: Track hosts that appear to be compromising network integrity
Security events. Over 90+ different
algorithms.

29. StealthWatch: Alarms
Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour
or established policies

30. Watching for Data Theft
Data Exfiltration
• Identify suspect movement from Inside Network to Outside
• Single or multiple destinations from a single source
• Policy and behavioral

31. Data Hoarding
Suspect Data Hoarding:
• Unusually large amount of data
inbound from other hosts
Target Data Hoarding:
• Unusually large amount of data outbound
from a host to multiple hosts

32. Suspect Data Hoarding
Data Hoarding
• Unusually large amount of data inbound to a host from other hosts
• Policy and behavioral

33. “The Science of Deduction.”
Chapter 1: The Sign of the Four

34. Investigating a Host
IOC: IDS Alert indicating a known worm operating inside your network
Host report for 10.201.3.59
Behavior alarms
Quick view of host
group communication
Summary
information

35. Investigating: Host Drilldown
User
information
Applications

36. Investigating: Applications
A lot of applications.
Some suspicious!

37. Investigating: Behaviour Alarms
Significant network activity

38. It Could Start with a User …
Alarms
Devices and
Sessions
Active Directory
Details
Username
View Flows

39. Key Takeaways
Insider threats are operating on the
network interior
Threat detection and response requires
visibility and context into network traffic
NetFlow and the Lancope StealthWatch System provide actionable security intelligence

40. Links and Recommended Reading
More about the Cisco Cyber Threat Defense Solution:
http://www.cisco.com/go/threatdefense
http://www.lancope.com
Recommended Reading
Cyber Threat Defense Cisco Validated Design Guide:
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns1238/cyber_threat_defense_design_guide.pdf
Cyber Threat Defense for the Data Center Cisco Validated Design Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/ctd-first-look-design-guide.pdf
Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
https://learningnetwork.cisco.com/community/certifications/security/cybersecurity/scyber_exam

41. “The game is afoot!”
Sherlock Holmes, The Adventure of the The Abbey Grange

42. Q & A