Detecting Advanced Persistent Threats with NetFlow and IPFIX

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Detecting Advanced Persistent Threats with NetFlow and IPFIX

April 11, 2012

Detecting Advanced Persistent Threats and other Network Security Threats with NetFlow and IPFIX requires advanced flow analytics. For example Top hosts, top applications, top DSCP values, etc., it’s great information and these reports can be used both reactively and proactively but, it’s just the tip of the iceberg as NetFlow can tell us about all kinds of anomalous traffic that may be flying under the radar. 

For example, a host scanning the network causes lots of flows but uses little bandwidth. What if you only want TCP, UDP and ICMP protocols on your network.  Would you want an alarm if DDP, DDX, IPv6 or IGMP showed up?  Because what we want to see about the network can change per business, threat detection systems need to allow for custom algorithms (e.g. monitoring facebook traffic).

 

security-threat-detection.png

 

Below you can see a more detailed view of the outstanding alarms with additional columns.  The first and last violation time stamps are displayed as well as a way to expand and see all the hosts that have violated each algorithm.  Lets drill in on the Internet Threats Monitor.

 

internet-host-repuation-lookup.png

 

Internet threats is an IP host reputation database that is downloaded by all our NetFlow collectors every hour.  This algorithm monitors the source and destination address of each flow to see if it is on the poor reputation list. Positive matches trigger alarms. Here you can click for a menu to gain further insight into the traffic which can help admins be more effective at detecting some Advanced Persistent Threats (IPTs). 

 

ip-host-reputation-database.png

 

NetFlow and IPFIX Threat Messages

NetFlow and IPFIX are being used by Cisco's Smart Logging Telementry and SonicWALL  firewalls to send threat detected messages. Expect vendors to get on board in the coming months as although flow technologies can be used to detect some threats, the lack of the entire packet allows the IPS to maintain its primary position in threat detection and prevention. 

 

The Cisco ASA NSEL also exports messages in NetFlow related to flows violating ACLs.  Make sure your NetFlow Analyzer supports these types of exports.



Related Articles to 'Detecting Advanced Persistent Threats with NetFlow and IPFIX'
netFlowNetworkBehaviorAnalysis.png
NetFlow Behavior Analysis Systems : Limited Impact
Feedback for Detecting Advanced Persistent Threats with NetFlow and IPFIX

Leave a comment

Advanced persistent threats akcp reseller amazon ec2 monitoring analyze logs appflow reporting appflow support Application performance monitoring Application Visibility Asymmetric flow path best free netflow collector best NetFlow reporting solution best network management BitTorrent book on NetFlow and IPFIX Building a NetFlow Cache BYOD Security BYOD security BYOD strategy Cisco application visibility and control Cisco ASA NetFlow cisco asa nsel Cisco ASA Vs. Juniper SRX Cisco AVC IPFIX Cisco AVC Reporting cisco media trace distributed NetFlow solutions Flexible NetFlow flexible netflow flow analytics Incident response system ip host reputation NetFlow Netflow analyzer Netflow reporting Network monitoring network monitoring network traffic analysis network traffic monitoring Security Analytics udp forwarder

Featured Events