NetFlow is widely regarded as an ideal technology for acquiring summarized details on network traffic; as a result one can use NetFlow to identify network anomalies. Use of the data collected includes making bandwidth optimizations, understanding the impact of configuration changes, identifying trouble areas, usage base billing and uncovering anomalies that often fly under-the-radar. Today I want to focus on using NetFlow, or the recently ratified standard for NetFlow called IPFIX, for detecting malware.
“NetFlow is the primary network anomaly-detection technology” – Cisco Systems
While I’m not sure I agree with the word “primary“, I do agree that NetFlow and IPFIX now play a significant role in cyber threat detection. By leveraging flow data to monitor behaviors, some types of malware and other traffic anomalies can be detected.
Q: What does Cisco mean by anomalies?
A: An event or condition in the network that is identified as a statistical abnormality when compared to typical traffic patterns gleaned from previously collected profiles and baselines.
Although “gleaned from previously collected profiles and baselines” sounds a bit too limiting, I agree that existing flows should be compared to how most traffic normally behaves. For example, a series of flows from a single host with only the TCP flag SYN set could be an indicator of a network scan. This doesn’t have to be learned from a previously collected profile or baseline. The same holds true for dozens of other types of suspicious traffic patterns that could trigger alerts.
The idea of monitoring the internal network, not just the perimeter, is relatively new. With the advent of BYOD policies, MiFi devices, and the mobile worker, the internal network is not near as safe as it used to be. Many understand this and are looking for ways to get a better handle on traffic patterns in the network core and access layers. In comes NetFlow/IPFIX. One of the biggest uses of NetFlow and IPFIX is for forensic investigations. Collecting flow data from all the routers and switches (not just the perimeter) is like having distributed security cameras everywhere within your organization. Think about it, you wouldn’t only have security cameras at the front door. No, you would want them everywhere, especially on the inside. Security cameras are the first thing a department store turns to when trying to produce proof of a theft, and NetFlow provides similar evidence on end user communications; if the traffic occurred on the network, you can bet it passed through something that can export NetFlow or IPFIX.
Another great reason to trust NetFlow as a way of detecting malware is its ability to detect anomalies without the need for signatures. That’s right, flow-based analysis relies on algorithms and behavior rather than signature matching. This means that even when a signature isn’t available, NetFlow can be analyzed to detect the intrusion anyway.