Securing Remote Networks Against Cyber Threats: part 1

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Managed Security Service Providers (MSSPs) rely on NetFlow and IPFIX as one of their top three enablers for improving network threat detection, at the main site as well as at remote sites. Because flow collection is distributed (each router or firewall exports records describing the traffic it forwards), a security team can gain insight into threats at remote locations without actually visiting each one.

Most firewalls today, including those from Barracuda, Cisco ASA, Palo Alto Networks, SonicWALL and others, can export NetFlow or IPFIX. Fed into the right flow analytics solution, these exports enable several additional threat detection methods.

Why Companies Turn to MSSPs

With 50% of Internet thefts occurring at companies with fewer than 2,500 employees, and the cost of hiring a security expert rising, many organizations turn to MSSPs in the hope of gaining access to a team of security experts. In turn, MSSPs provide their customers with services in areas such as virus blocking, IDS, VPN and firewall maintenance. Monthly fees generally include a block of hours for system changes, modifications and upgrades. When they aren't working on specific customer issues, these experts collaborate with others to identify the latest threats and the best countermeasures. Because they can't wait for the next software update to fight the latest cyber battle, security teams often turn to flow technologies to monitor for the latest malware.

“IPS (or deep packet inspection) is our #1 security defense; Netflow is a very close #2.” – Gavin Reid, Manager of Cisco CSIRT.

Threat Detection with NetFlow

Traditionally, MSSPs have used NetFlow and IPFIX to perform Network Behavior Analysis by running dozens of algorithms against the collected flows. Examples include:

  • Breach Attempts: Looks for many small flows from one source to one destination. This can indicate a brute-force password attack; a typical scenario is a dictionary attack against an SSH server.
  • DDoS: Identifies a Distributed Denial of Service attack, such as one launched by a botnet.
  • DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help to identify hosts that may be infected with a mailer worm or have other issues that require an inordinate number of DNS lookups.
  • FIN Scan: The FIN scan's "stealth" segments are unusual because a FIN is sent to a device without first going through the normal TCP handshake.
  • ICMP Destination Unreachable: A message returned by a router to the requesting host stating that it has no route to the network of the target host.
  • ICMP Port Unreachable: A message returned by the destination host stating that nothing is listening on the port the requesting host asked for. Many of these from a single source are typical of a UDP port scan.
  • Nefarious Activity Violation: Looks for a host communicating with many hosts with a low number of flows to each. An example would be a port 80 scan of an entire subnet.
  • NULL Scan: The NULL scan sends TCP segments with all flags turned off in an attempt to elicit a response from the target host. In flow records it sometimes appears as flows with source port 0 and various destination ports.
  • RST/ACK: RST/ACK packets are connection refusals sent back from destinations to the originating host. A large number of them can be caused by network scanning.
  • SYN scan/flood: SYN packets are sent in an attempt to open connections with a target host. A high rate of them can be caused by network scanning or, at volume, a SYN flood.
  • Unfinished Flows: Identifies hosts with a high percentage of unfinished flows, that is, connections that never complete the handshake. This indicates scanning, malware, or poorly configured applications on the host.
  • XMAS Tree scan: The Xmas tree scan sends a TCP segment to a remote device with the URG, PSH and FIN flags set. It is called an Xmas tree scan because of the pattern of bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.
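
As an added illustration, not code from the original article or from any flow analysis product, the following Python script implements a handful of the checks above over NetFlow-style records. The flow records, host addresses and alert thresholds are all constructed for this example; the record layout mirrors what a NetFlow v5 or IPFIX exporter reports, with tcp_flags being the cumulative OR of the flags seen on every packet in the flow.

```python
from collections import defaultdict, namedtuple

# One unidirectional flow as a NetFlow v5 / IPFIX exporter reports it.
# tcp_flags is the cumulative OR of the flags seen on every packet of the flow.
Flow = namedtuple("Flow", "src dst proto sport dport tcp_flags packets octets")

TCP, UDP = 6, 17
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
COMPLETED = SYN | ACK | PSH | FIN   # flag byte of an ordinary, finished session


def sample_flows():
    """Constructed flow records (not real captures) that exercise each check."""
    flows = []
    # 1. Dictionary attack: 25 short, completed TCP sessions to one SSH port.
    for i in range(25):
        flows.append(Flow("10.0.0.5", "192.168.1.10", TCP, 40000 + i, 22, COMPLETED, 4, 600))
    # 2. Subnet sweep: a single unanswered SYN to port 80 on 30 different hosts.
    for i in range(1, 31):
        flows.append(Flow("10.0.0.7", f"192.168.2.{i}", TCP, 50000 + i, 80, SYN, 1, 60))
    # 3. Stealth probes of one host: NULL, FIN-only and Xmas (URG|PSH|FIN) flag bytes.
    for flags in (0, FIN, URG | PSH | FIN):
        flows.append(Flow("10.0.0.9", "192.168.1.10", TCP, 51000, 443, flags, 1, 40))
    # 4. DNS violation: 150 UDP/53 queries from one client.
    for i in range(150):
        flows.append(Flow("10.0.0.11", "192.168.1.53", UDP, 30000 + i, 53, 0, 1, 70))
    # 5. Benign HTTPS sessions from an ordinary client.
    for i in range(3):
        flows.append(Flow("10.0.0.20", "192.168.1.10", TCP, 52000 + i, 443, COMPLETED, 40, 20000))
    return flows


# Thresholds below are assumptions for the example, not tuned production values.

def breach_attempts(flows, min_flows=20, max_packets=5):
    """Many small flows from one source to one destination port (password guessing)."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == TCP and f.packets <= max_packets:
            counts[(f.src, f.dst, f.dport)] += 1
    return {key for key, n in counts.items() if n >= min_flows}


def nefarious_activity(flows, min_hosts=20, max_flows_per_host=2):
    """One source touching many destinations with very few flows to each (a subnet scan)."""
    per_pair = defaultdict(int)
    for f in flows:
        per_pair[(f.src, f.dst)] += 1
    targets = defaultdict(set)
    for (src, dst), n in per_pair.items():
        if n <= max_flows_per_host:
            targets[src].add(dst)
    return {src for src, hosts in targets.items() if len(hosts) >= min_hosts}


def flag_scans(flows):
    """Label TCP flows whose flag byte is a NULL (0x00), FIN-only or Xmas (URG|PSH|FIN) probe."""
    labels = {0: "NULL", FIN: "FIN", URG | PSH | FIN: "XMAS"}
    return [(f.src, f.dst, f.dport, labels[f.tcp_flags])
            for f in flows if f.proto == TCP and f.tcp_flags in labels]


def unfinished_ratio(flows, min_flows=10):
    """Per source, the fraction of TCP flows that carry SYN but never ACK (handshake never completed)."""
    total, unfinished = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != TCP:
            continue
        total[f.src] += 1
        if f.tcp_flags & SYN and not f.tcp_flags & ACK:
            unfinished[f.src] += 1
    return {src: unfinished[src] / n for src, n in total.items() if n >= min_flows}


def dns_violations(flows, max_queries=100):
    """Hosts sending more DNS queries than the threshold (e.g. a mailer worm resolving MX records)."""
    counts = defaultdict(int)
    for f in flows:
        if f.dport == 53:
            counts[f.src] += 1
    return {src: n for src, n in counts.items() if n > max_queries}


if __name__ == "__main__":
    fl = sample_flows()
    print("breach attempts:   ", breach_attempts(fl))
    print("nefarious activity:", nefarious_activity(fl))
    print("flag scans:        ", flag_scans(fl))
    print("unfinished ratio:  ", unfinished_ratio(fl))
    print("dns violations:    ", dns_violations(fl))
```

Two caveats a practitioner should check before trusting output like this. First, the flag-based checks depend on the exporter actually populating the TCP flags field; an exporter that leaves it at zero makes every TCP flow look like a NULL scan, so verify the field against a known-good session before alerting on it. Second, sampled exports (sFlow, or sampled NetFlow on high-speed links) report only a fraction of the packets, so the flow and packet counts these thresholds are compared against must be scaled, or the thresholds lowered, to match the sampling rate.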

The above algorithms are an excellent step toward automating the detection of malware that may be trying to penetrate and compromise hosts on the network. Notice that they rely on network behavior analysis: deep packet inspection to match packets against signatures isn't generally possible with NetFlow, because flow records carry headers and counters rather than payload. Much like a flu virus, malware can use polymorphic techniques, constantly varying its structure and content to avoid detection. Solutions that perform deep packet inspection to pattern-match against constantly updated signatures can be evaded this way, whereas the behavior visible in flows (who talks to whom, how often, and with which flags) is harder for the malware to disguise. Even with all of the above, more needs to be done to detect the latest forms of malware, and that means thinking outside the proverbial threat detection box.


“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.” – Dmitri Alperovitch, former VP of Threat Research, McAfee®

Read Part 2 on IP host reputation.
