Monitoring Networks for Performance and Security
Detecting and Mitigating Network Security Threats
In the never-ending struggle to secure networks against multiple threats, many tools are being employed. One of the more effective tools now coming into the fray is flow analysis.
MICHAEL PATTERSON, PLIXER INTERNATIONAL
Most companies today take a layered approach to network security, and these security efforts come in many forms: antivirus software on endpoint systems, password management and two-factor authentication, VPN access for remote users, data loss prevention (DLP), intrusion prevention systems (IPS), firewalls, signature searching by intrusion detection systems (IDS), and access control lists (ACLs) on routers and switches. Despite all these technologies and the billions spent by enterprises around the world to secure the network, breaches still occur.
Information security experts are turning to flow analysis as a mechanism for forensics, incident response, policy management and early threat detection. If you’re implementing a NetFlow or IP Flow Information Export (IPFIX) mechanism in your product, be sure to consider the value the feature will provide to the security analyst as well.
Although NetFlow and IPFIX are often thought to be useful only for threat investigations, they can also be used to alert on patterns of strange network traffic. Most NetFlow implementations on routers don’t inspect traffic the way direct packet inspection technologies such as IDS and IPS do. When the flows are forwarded to the collector, it has no direct access to the packet payload. Instead, the flow collector uses metadata about the packets, such as packet length, flags set, port numbers and other characteristics, to determine the presence of malicious traffic. The more stealthy and clever the attack, the harder it is to identify with any single security measure. Threat detection systems that leverage NetFlow and IPFIX offer an approach that is unique and different from other security technologies. They provide an excellent defense-in-depth story and mesh well with traditional methods.
These are the top five reasons customers have said they use flows for security:
#5 - Powerful forensics and incident response capabilities
Flows provide a 24/7 account of all network activity. They are like a CCTV system for your enterprise. And given the relatively lightweight nature of flow data, customers can store weeks or months of flows without spending $100,000+ on expensive packet libraries from companies like NetWitness and Niksun. When an incident does occur, the information needed to identify the root cause and enact an orderly cleanup is in the flows (Figure 1).
Figure 1: Like any good detective, catching threats to the network involves gathering the basic facts of “who, what, when, where” and the nature of the problem.
#4 - Deep situational awareness for the network
This point is a bit more difficult to describe given its ambiguity. But the idea is that from a tactical perspective, flows provide a “what’s happening to my network right now” view that other systems struggle to provide. While traditional IDSs and other security systems only alert when something is actively detected, flow collection systems can constantly collect information to provide a view into network happenings even when bad things don’t appear to be occurring. It’s perfect for a network or security operations center (SOC) wall.
#3 - Internal network visibility
The idea of monitoring the internal network and not just the perimeter is somewhat new. With the advent of bring your own device (BYOD) policies, Wi-Fi devices and the mobile worker, the internal network is not nearly as safe as it used to be. Many customers understand this and are looking for ways to get a better handle on traffic patterns in the network core and access layers (Figure 2).
Figure 2: End-to-end visibility is essential, including through the cloud. Names here have been blurred to protect actual sites.
#2 - Inexpensive to deploy and maintain
Just enter a few commands on the router and voila, you have coverage at that location. The larger and more distributed the enterprise, the more this message will resonate. “Oh, you have 500 remote sites? Don’t send out hundreds of IDSs. Enable NetFlow on the routers at each remote site instead.” Monitoring very high speed networks is also much less expensive. 10G IDSs and IPSs are very expensive—in the $100,000+ range.
#1 - Detects attacks without signatures
Without a doubt, the item that drives most sales of flow-based security is the idea that flow-based analysis relies on algorithms and behavior rather than signature matching. This gives the collector an ability to detect attacks before a signature is available. Zero-hour detection is really what a flow-based security analysis technology provides. Given the increased threat from advanced persistent threats (APTs), mobile malware, botnets, etc., security people are looking for new ways to detect and react. Flow analysis is a new and effective way.
Analyzing Flow Data
One way flow data can be used to detect traffic anomalies is through Transmission Control Protocol (TCP) flags. As packets are aggregated into flows in the router cache, the TCP flags seen on each packet of a flow are logically OR’ed together. A flow for a normally completed connection therefore carries at least the SYN and ACK bits. An above-threshold volume of SYN-only flows from a host (SYN set, ACK never seen) indicates that the source may be infected with malware and scanning for vulnerable hosts on the network.
In addition, TCP flags are used to determine the client/server role of each side of the flow. This can be important for firewall validation and network access policy management. If you are implementing a new NetFlow export feature, be sure to include OR’ed TCP flags in your exports.
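The following Python example is added here to illustrate the two points above; it is not code from the article or from any vendor's collector. It mimics a router flow cache that OR's per-packet TCP flags into one flow record, then applies the SYN-only threshold check. The packet sample, the flag bit values (the standard tcpControlBits layout) and the threshold of five are constructed for the example; client/server role attribution is not shown.

```python
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple

# TCP control bits as carried in the NetFlow/IPFIX tcpControlBits field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class Packet(NamedTuple):
    """One TCP packet as the exporter sees it (constructed sample input)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class Flow(NamedTuple):
    """One unidirectional flow record; flags is the OR of every packet's flags."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    packets: int


def aggregate_flows(packets: Iterable[Packet]) -> List[Flow]:
    """Mimic the router flow cache: packets sharing a 5-tuple become one
    flow record whose tcpControlBits is the logical OR of all their flags."""
    cache: Dict[Tuple[str, int, str, int], List[int]] = {}
    for p in packets:
        entry = cache.setdefault((p.src, p.sport, p.dst, p.dport), [0, 0])
        entry[0] |= p.flags
        entry[1] += 1
    return [Flow(*key, flags, count) for key, (flags, count) in cache.items()]


def flags_to_str(flags: int) -> str:
    """Render OR'ed flag bits the way a collector would display them, e.g. 'SYN|ACK'."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return "|".join(name for name, bit in names if flags & bit) or "none"


def is_syn_only(flow: Flow) -> bool:
    """SYN set but never ACK: the peer never completed the handshake."""
    return bool(flow.flags & SYN) and not flow.flags & ACK


def syn_only_sources(flows: Iterable[Flow], threshold: int) -> Dict[str, int]:
    """Sources with at least `threshold` SYN-only flows (likely scanning)."""
    counts = Counter(f.src for f in flows if is_syn_only(f))
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic: one normal HTTPS session plus a host probing
# port 22 on eight neighbours that never answer.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, "10.0.0.20", 443, SYN),
    Packet("10.0.0.20", 443, "10.0.0.5", 51000, SYN | ACK),
    Packet("10.0.0.5", 51000, "10.0.0.20", 443, ACK),
    Packet("10.0.0.5", 51000, "10.0.0.20", 443, PSH | ACK),
    Packet("10.0.0.20", 443, "10.0.0.5", 51000, PSH | ACK),
    Packet("10.0.0.5", 51000, "10.0.0.20", 443, FIN | ACK),
    Packet("10.0.0.20", 443, "10.0.0.5", 51000, FIN | ACK),
] + [Packet("10.0.0.99", 40000 + i, f"10.0.1.{i}", 22, SYN) for i in range(1, 9)]

SAMPLE_FLOWS = aggregate_flows(SAMPLE_PACKETS)

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {flags_to_str(f.flags)} pkts={f.packets}")
    print("SYN-only sources above threshold:", syn_only_sources(SAMPLE_FLOWS, 5))
```

Because both directions of a completed session end up with SYN and ACK set after OR'ing, the SYN-only test is what separates a scan from a legitimate connection; the threshold keeps a single failed connection attempt from raising an alarm.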
As with TCP flags, Internet Control Message Protocol (ICMP) type and code can be extremely useful for security analysis. When large numbers of Time Exceeded (TTL expired in transit) messages occur, a Smurf amplifier DoS attack could be in play. Large volumes of Port Unreachable ICMP messages often represent peer-to-peer file sharing or UDP port scanning. In IPFIX, Information Element ID 32 (icmpTypeCodeIPv4) carries this field.
It is also possible to detect potential malware by monitoring the behavior of flows. Collector vendors that monitor for security events provide canned algorithms that are applied to the incoming flow data. These flow analysis algorithms measure ICMP rates, TCP flag combinations, flow creation rates and more.
Other suspicious behaviors detectable with flow data include excessive small flows from a single host to the same destination, DoS attacks through measurement of bit rates, packet rates and other flow volume indicators, and hosts attempting to connect to numerous other hosts with a low number of flows to each destination (scanning).
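As an added example (not code from the article or any collector vendor), the Python below implements three of the canned checks just described over constructed flow records: ICMP type/code rate counting, fan-out scanning (many destinations, few flows to each), and excessive small flows between one source/destination pair. It assumes the icmpTypeCodeIPv4 encoding of type × 256 + code; the sample flows and all thresholds are constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, NamedTuple, Tuple

ICMP, TCP, UDP = 1, 6, 17


class Flow(NamedTuple):
    """Unidirectional flow record (constructed for this example)."""
    src: str
    dst: str
    proto: int
    dport: int               # 0 for ICMP
    packets: int
    octets: int
    icmp_type_code: int = 0  # IPFIX IE 32 icmpTypeCodeIPv4: type * 256 + code


def icmp_type_code(icmp_type: int, code: int) -> int:
    """Encode type and code the way icmpTypeCodeIPv4 carries them."""
    return icmp_type * 256 + code


TIME_EXCEEDED_IN_TRANSIT = icmp_type_code(11, 0)  # "TTL expired in transit"
PORT_UNREACHABLE = icmp_type_code(3, 3)


def icmp_message_counts(flows: Iterable[Flow]) -> Counter:
    """Packets per ICMP type/code across all ICMP flows."""
    counts: Counter = Counter()
    for f in flows:
        if f.proto == ICMP:
            counts[f.icmp_type_code] += f.packets
    return counts


def icmp_rate_alerts(flows: Iterable[Flow], thresholds: Dict[int, int]) -> Dict[int, int]:
    """Type/codes whose packet count reached the configured threshold."""
    counts = icmp_message_counts(flows)
    return {tc: counts[tc] for tc, limit in thresholds.items() if counts[tc] >= limit}


def fan_out_scanners(flows: Iterable[Flow], min_destinations: int,
                     max_flows_per_dest: int) -> Dict[str, int]:
    """Hosts touching many distinct destinations with only a few flows to each."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for f in flows:
        per_src[f.src][f.dst] += 1
    return {src: len(dests) for src, dests in per_src.items()
            if len(dests) >= min_destinations and max(dests.values()) <= max_flows_per_dest}


def small_flow_repeaters(flows: Iterable[Flow], max_packets: int,
                         threshold: int) -> Dict[Tuple[str, str], int]:
    """Source/destination pairs with an excessive number of tiny flows."""
    counts: Counter = Counter((f.src, f.dst) for f in flows if f.packets <= max_packets)
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed sample: a UDP sweep of 12 hosts that answer with Port Unreachable,
# a normal HTTPS client, a couple of Time Exceeded replies, and a host sending
# a stream of one-packet flows to a single destination.
SAMPLE_FLOWS = (
    [Flow("10.0.0.7", f"10.0.1.{i}", UDP, 161, 1, 78) for i in range(1, 13)]
    + [Flow(f"10.0.1.{i}", "10.0.0.7", ICMP, 0, 1, 106, PORT_UNREACHABLE) for i in range(1, 13)]
    + [Flow("10.0.0.5", "10.0.0.20", TCP, 443, 40, 31000) for _ in range(3)]
    + [Flow("10.0.0.5", "10.0.0.21", TCP, 443, 12, 6000)]
    + [Flow("192.0.2.1", "10.0.0.5", ICMP, 0, 3, 168, TIME_EXCEEDED_IN_TRANSIT) for _ in range(2)]
    + [Flow("10.0.0.44", "10.0.0.20", TCP, 8443, 1, 60) for _ in range(25)]
)

if __name__ == "__main__":
    limits = {PORT_UNREACHABLE: 10, TIME_EXCEEDED_IN_TRANSIT: 10}
    print("ICMP rate alerts:", icmp_rate_alerts(SAMPLE_FLOWS, limits))
    print("Fan-out scanners:", fan_out_scanners(SAMPLE_FLOWS, 10, 2))
    print("Small-flow repeaters:", small_flow_repeaters(SAMPLE_FLOWS, 2, 20))
```

Note that the UDP sweep shows up twice: once as fan-out from the scanning host and once as a burst of Port Unreachable replies aimed back at it, which is why the two checks corroborate each other in practice.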
Custom Flow Behavior Monitoring
In addition to canned algorithms, detecting odd behaviors can be done through the use of custom-flow behavior monitors. This tactic can also be effective at sleuthing out inappropriate connection behaviors or for monitoring acceptable use by employees and contractors. For example, DNS traffic that doesn’t involve the local DNS servers could qualify as potentially suspicious traffic. Non-HTTP traffic to a web server that isn’t from authorized hosts could also fall into the suspect category. Another example might include alerting on any connections from China to the corporate DMZ—especially if the user’s company doesn’t do business in China.
Due to the operational characteristics at most businesses, the volume of unique detection methods is nearly limitless. The more the customer knows about their business (which they will learn through the use of flows), the more powerful Custom Flow Behavior Monitors will become.
Some vendors watch end system behaviors over time and create behavior profiles of what can be considered “normal” behavior for each host that resides on the network. Once a baseline is derived, new flows from the host are compared to unique behaviors captured in the baseline. Behaviors not consistent with the baseline can trigger alarms or at the very least heighten awareness. Behavior analysis mechanisms are still fairly new and unproven.
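The Python below is an added example (not the article's or any vendor's code) covering both of the preceding ideas: the three custom flow behavior monitors named above, written as plain predicates over flow records, and a simple per-host baseline that learns which services a host used during a learning window and flags later flows outside that set. The site policy (internal range, local resolvers, DMZ, authorized admin host), the prefix-to-country table standing in for a GeoIP database, and all sample flows are constructed; documentation prefixes take the place of real addresses.

```python
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

TCP, UDP = 6, 17


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    dport: int


# Site policy, constructed for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
LOCAL_DNS = {"10.0.0.53", "10.0.0.54"}
DMZ = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVERS = {"192.0.2.10"}
WEB_ADMIN_HOSTS = {"10.0.0.15"}  # the only hosts allowed non-HTTP access to web servers
# Stand-in for a GeoIP database: prefix -> ISO country code (constructed)
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return None


def dns_bypass(f: Flow) -> bool:
    """Internal host resolving names somewhere other than the local resolvers."""
    return (f.dport == 53 and f.proto in (TCP, UDP)
            and ipaddress.ip_address(f.src) in INTERNAL
            and f.src not in LOCAL_DNS and f.dst not in LOCAL_DNS)


def non_http_to_web_server(f: Flow) -> bool:
    """Anything but HTTP/HTTPS reaching a web server from an unauthorized host."""
    return f.dst in WEB_SERVERS and f.dport not in (80, 443) and f.src not in WEB_ADMIN_HOSTS


def foreign_to_dmz(f: Flow) -> bool:
    """Connection into the DMZ from a country the business has no dealings with."""
    return country_of(f.src) == "CN" and ipaddress.ip_address(f.dst) in DMZ


RULES: List[Tuple[str, Callable[[Flow], bool]]] = [
    ("dns_bypass", dns_bypass),
    ("non_http_to_web_server", non_http_to_web_server),
    ("foreign_to_dmz", foreign_to_dmz),
]


def evaluate(flows: Iterable[Flow]) -> List[Tuple[str, Flow]]:
    """Run every custom monitor over every flow; return (rule name, flow) hits."""
    return [(name, f) for f in flows for name, rule in RULES if rule(f)]


class HostBaseline:
    """Per-host profile of the (destination, protocol, port) services used
    during a learning window; later flows outside that set are deviations."""

    def __init__(self) -> None:
        self.services: Dict[str, Set[Tuple[str, int, int]]] = defaultdict(set)

    def learn(self, flows: Iterable[Flow]) -> None:
        for f in flows:
            self.services[f.src].add((f.dst, f.proto, f.dport))

    def deviations(self, flows: Iterable[Flow]) -> List[Flow]:
        # Hosts with no learned profile are skipped rather than alarmed on.
        return [f for f in flows
                if f.src in self.services
                and (f.dst, f.proto, f.dport) not in self.services[f.src]]


# Constructed traffic: a learning window, then the flows to judge.
BASELINE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", TCP, 443),
    Flow("10.0.0.5", "10.0.0.53", UDP, 53),
]
NEW_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", TCP, 443),       # normal
    Flow("10.0.0.5", "198.51.100.53", UDP, 53),    # bypasses the local resolvers
    Flow("10.0.0.22", "192.0.2.10", TCP, 22),      # SSH to a web server from a workstation
    Flow("10.0.0.15", "192.0.2.10", TCP, 22),      # SSH from the authorized admin host
    Flow("203.0.113.9", "192.0.2.10", TCP, 443),   # DMZ hit from the watched country
    Flow("198.51.100.7", "192.0.2.10", TCP, 443),  # ordinary visitor
]

if __name__ == "__main__":
    for name, f in evaluate(NEW_FLOWS):
        print(f"{name}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    baseline = HostBaseline()
    baseline.learn(BASELINE_FLOWS)
    print("baseline deviations:", baseline.deviations(NEW_FLOWS))
```

The baseline class is deliberately naive (an exact set of services, no decay or frequency weighting), which is one reason the text above calls behavior analysis unproven: a host that legitimately reaches a new service will trip it, so its output is better treated as heightened awareness than as an alarm.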
IP Host Reputation
Comparing the source and destination IP addresses in a flow to a host reputation database is a great way to find malware infected hosts that aren’t exhibiting the behaviors outlined above. The “Internet Threats Monitor” downloads an updated list of known compromised Internet hosts every hour from Emerging Threats or Cymru.
Flow collection systems can detect if internal hosts are communicating with known botnets or Command and Control (C&C) servers. C&C hosts could be participating in an APT. By sending NetFlow and IPFIX from the Internet-facing routers to a NetFlow collector that compares all flows to the host reputation database, internal machines talking with known compromised Internet hosts can be identified. Many companies are building next-generation intrusion detection and prevention engines that include reputation lookups.
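To show the reputation comparison concretely, here is an added Python example (not the article's or any vendor's code). It parses a constructed stand-in for a downloaded reputation list into prefixes with categories, decides which side of each flow is internal, looks up the external side with a most-specific-prefix match, and totals the bytes each internal host exchanged with listed addresses. The feed format, internal ranges and sample flows are assumptions for the example; real feeds differ in layout.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

IPNet = ipaddress.IPv4Network


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    dport: int
    octets: int


INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed stand-in for the hourly download: "address-or-prefix,category" per line.
REPUTATION_FEED = """\
# address/prefix,category
203.0.113.0/24,botnet_cc
198.51.100.42,compromised
"""


def parse_feed(text: str) -> Dict[IPNet, str]:
    """Turn the feed text into a prefix -> category table, skipping comments."""
    db: Dict[IPNet, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, category = line.split(",", 1)
        db[ipaddress.ip_network(prefix.strip(), strict=False)] = category.strip()
    return db


def lookup(ip: str, db: Dict[IPNet, str]) -> Optional[str]:
    """Most specific matching entry, or None when the address is not listed."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in db if addr in net]
    if not matches:
        return None
    return db[max(matches, key=lambda n: n.prefixlen)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reputation_hits(flows: Iterable[Flow], db: Dict[IPNet, str]) -> List[dict]:
    """Flows in which the external peer of an internal host is on the list."""
    hits = []
    for f in flows:
        src_int, dst_int = is_internal(f.src), is_internal(f.dst)
        if src_int == dst_int:
            continue  # internal-to-internal or pure transit traffic: nothing to look up
        internal, external = (f.src, f.dst) if src_int else (f.dst, f.src)
        category = lookup(external, db)
        if category:
            hits.append({"internal": internal, "external": external, "category": category,
                         "direction": "outbound" if src_int else "inbound", "octets": f.octets})
    return hits


def octets_per_internal_host(hits: Iterable[dict]) -> Dict[str, int]:
    """Bytes exchanged with listed hosts, per internal machine."""
    totals: Dict[str, int] = defaultdict(int)
    for h in hits:
        totals[h["internal"]] += h["octets"]
    return dict(totals)


REPUTATION_DB = parse_feed(REPUTATION_FEED)

# Constructed flows from an Internet-facing router.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 6, 443, 120000),  # large upload into the listed C&C range
    Flow("10.0.0.5", "198.51.100.10", 6, 443, 8000),  # unlisted external host
    Flow("198.51.100.42", "10.0.0.9", 6, 25, 4000),   # listed compromised host connecting in
    Flow("10.0.0.5", "10.0.0.20", 6, 445, 900),       # internal only
]

if __name__ == "__main__":
    for hit in reputation_hits(SAMPLE_FLOWS, REPUTATION_DB):
        print(hit)
    print(octets_per_internal_host(reputation_hits(SAMPLE_FLOWS, REPUTATION_DB)))
```

Ranking internal hosts by bytes sent to listed addresses is what surfaces the "large transfer to a poorly reputed host" pattern the article returns to at the end; a reputation hit with a few hundred bytes is a lookup, one with megabytes is worth a flow report.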
Although it is beneficial to have the source IP address when trying to track down a problem, having the user name is even better. Since many hosts leverage DHCP-acquired IP addresses, which can change over time, reporting on user name can provide more definitive evidence when trying to mitigate an issue.
As a vendor exporting user name details, there are important criteria to keep in mind. The ID used for the user name should not be reused by another host even if the flow exporting device is rebooted. Ideally, the ID used should persist over time and if possible, be consistent across flow exporting devices.
The semantics used for user name ID are important for long-term historical trending and forensic analysis. Reach out to a consultant or an experienced NetFlow developer if your company desires to export user name details. Vendors exporting user name details include Cisco, Palo Alto Networks, SonicWALL and possibly others. This highly desired element is sure to set vendors apart in a vendor comparison.
With all of these detection systems sending messages on potential malware they have detected, a central location for reviewing and sorting out the threats found becomes necessary.
One of the goals of most alarm consoles is to prioritize the alerts that could most negatively impact the business and the applications it depends on. In pursuit of this effort, some vendors have introduced a Concern or Unique Index (UI). The Unique Index can mean many things depending on the implementation. Generally, the UI is impacted by the number of unique alarm types violated by each host, the number of times each unique alarm type is violated and the severity of each alarm. By having a UI that increases based on several criteria, the intention is that the hosts exhibiting the most behaviors indicative of malware will rise to the top as shown in Figure 3.
Figure 3: An overview of suspicious behavior can be sorted according to the Unique Index (UI) and identify such things as severity and frequency of anomalous behavior.
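Since the Unique Index depends on the implementation, the Python below is an added example with an assumed scoring formula (not the article's or any vendor's): distinct alarm types on a host multiplied by the severity-weighted count of all its alarms, so that a host tripping several different monitors outranks one tripping a single monitor many times. It also produces the per-type breakdown and the hourly trend the prioritization checklist asks for. Alarm records, severities and hour buckets are constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Alarm(NamedTuple):
    host: str
    alarm_type: str
    severity: int  # 1 (informational) .. 5 (critical), constructed scale
    hour: int      # hour bucket of detection, used for trending


def unique_index(alarms: Iterable[Alarm]) -> int:
    """Assumed scoring: distinct alarm types times the severity-weighted
    count of every alarm raised against the host."""
    alarms = list(alarms)
    distinct_types = len({a.alarm_type for a in alarms})
    weighted_count = sum(a.severity for a in alarms)
    return distinct_types * weighted_count


def rank_hosts(alarms: Iterable[Alarm]) -> List[Tuple[str, int]]:
    """Hosts sorted by Unique Index, highest first, as an alarm console would show them."""
    by_host: Dict[str, List[Alarm]] = defaultdict(list)
    for a in alarms:
        by_host[a.host].append(a)
    scored = [(host, unique_index(items)) for host, items in by_host.items()]
    return sorted(scored, key=lambda hs: hs[1], reverse=True)


def breakdown(alarms: Iterable[Alarm], host: str) -> Dict[str, Tuple[int, int]]:
    """Per alarm type for one host: (number of violations, highest severity seen)."""
    out: Dict[str, Tuple[int, int]] = {}
    for a in alarms:
        if a.host == host:
            count, sev = out.get(a.alarm_type, (0, 0))
            out[a.alarm_type] = (count + 1, max(sev, a.severity))
    return out


def alarm_trend(alarms: Iterable[Alarm], host: str) -> Dict[int, int]:
    """Alarm count per hour bucket for one host (the 'trend over time' check)."""
    return dict(sorted(Counter(a.hour for a in alarms if a.host == host).items()))


# Constructed alarms from the detection methods described earlier.
SAMPLE_ALARMS = [
    Alarm("10.0.0.5", "syn_scan", 3, 9),
    Alarm("10.0.0.5", "syn_scan", 3, 10),
    Alarm("10.0.0.5", "reputation_hit", 5, 10),
    Alarm("10.0.0.5", "dns_bypass", 2, 9),
    Alarm("10.0.0.5", "dns_bypass", 2, 10),
    Alarm("10.0.0.5", "dns_bypass", 2, 11),
] + [Alarm("10.0.0.9", "syn_scan", 3, 8 + (i % 3)) for i in range(10)] + [
    Alarm("10.0.0.22", "dns_bypass", 2, 11),
]

if __name__ == "__main__":
    for host, ui in rank_hosts(SAMPLE_ALARMS):
        print(f"{host:12} UI={ui:3}  {breakdown(SAMPLE_ALARMS, host)}  trend={alarm_trend(SAMPLE_ALARMS, host)}")
```

With this formula the host that scanned, reached a listed address and bypassed DNS (three types, weighted count 17) scores 51 and sorts above the host that only scanned ten times (one type, weighted count 30); which weighting is right for a given network is a tuning decision, and that is exactly why the index differs between products.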
Most threat detection systems will forward detected messages to a central third-party alarming server. Whatever the preferred method, choosing which alarm to react to still requires consideration. When approaching the detected threats in an alarm view, use a common sense approach to remediation. Security administrators should ask themselves:
Who is being targeted? If there are 25 alarms, look at the servers first:
• Is the server a critical resource or is it a power user or executive within the company?
• Does the host have access to critical resources? If not, move on to the next alarm, which could be more important.
• Check the host’s unique index and trend the volume of alarms for the host over time.
• Is the application or server involved critical to the business?
Human involvement is almost always necessary when it comes to prioritizing and taking action on the alarms. Although most systems can be set up to take action, these features should be implemented only after careful consideration of any possible consequences.
Once the alarm has been identified, it is time to take the next step toward removal of the issue. This process can be automated by adding an ACL entry on a router or firewall. Oftentimes, however, it is wise to collect additional details before making any changes. Further investigation into how a problem has impacted the network or who else may have been infected is one of the areas where flow information can shine. A flow report provides several details on which end systems were communicating with the Internet host, who was sending the most, for how long, when it started and how much. Once the problem is resolved and cleaned up, it is important to go back to the alarming console and verify that the anomaly is no longer occurring.
NetFlow and IPFIX should not be the entire network security protection plan and are unlikely to replace the IDS or IPS anytime soon. However, flow-based security analysis is an excellent defense-in-depth strategy for any enterprise network that contains high-risk information. We are seeing more and more hardware (e.g., routers, switches and firewalls) implement deeper security methods and export the findings as messages using NetFlow and IPFIX.
Host reputation lookups are one of the most effective ways to defend against Internet malware, and are a wiser course of action than blocking a specific country. Many attacks are still initiated from within the United States and oftentimes from machines that were also hacked.
Safeguarding a company’s data from malware such as an APT invasion is an ongoing task. Paranoia can be considered a good defense against the possible insurgence. Many experts combating these Internet threats suggest that organizations always be on the alert, assuming that malware is always present, or already underway, and to operate defensively rather than passively. Adding a layer of security with flow analytics is one of the best ways to detect internal suspicious traffic that has circumvented the traditional firewalls and other threat detection measures. Some forms of malware (e.g., APTs) have no trouble sneaking right past even the best security appliances, but they have a habit of exhibiting the same suspicious behaviors: large transfers of data to hosts that have poor reputations.
Companies should develop an incident response guide, integrate flow analysis into the strategy and routinely test the procedure for mitigating advanced intrusions. This will help provide clear guidelines and protocols on:
• What should happen when malware is detected?
• Which individuals within the company should be mobilized?
• What information will be needed?
• What services could be disrupted by the breach and subsequent cleanup?
• What outside resources/individuals can the company tap into for additional assistance?
• How to proceed with a thorough disaster recovery plan.
Security administrators should also be aware of state and federal regulations and laws that require the disclosure of information upon detecting such threats. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) have specific guidelines that must also be followed.
Finally, education is a major deterrent to threats such as APT invasions. Regular employee trainings must be conducted to share up-to-date knowledge on how social networking sites and email can be used to assist in the spread of malware.