Detecting and Mitigating Network Security Threats
In the never-ending struggle to secure networks against multiple threats, many tools are being
employed. One of the more effective tools now coming into the fray is flow analysis.
by Michael Patterson, Plixer International
Most companies today are taking a layered approach to network security. These different
security efforts come in many forms. There is, of course, the use of antivirus software on
endpoint systems along with password management and two-factor authentication. Another
widely used technique is setting up VPN access for remote users. Additional strategies include
data loss prevention (DLP), intrusion prevention systems (IPS), firewalls and intrusion detection
systems (IDS) signature searching, and the use of access control lists (ACLs) on routers and
switches. Despite all these technologies and the billions spent by enterprises around the world to
secure the network, breaches still occur.
Information security experts are turning to flow analysis as a mechanism for forensics, incident
response, policy management and early threat detection. If you’re implementing a NetFlow or
Internet protocol flow information export (IPFIX) mechanism into your product, be sure to
consider the value the feature will provide to the security analyst as well.
Although NetFlow and IPFIX are often only thought to be useful for threat investigations, they
can also be used to alert on patterns of strange network traffic. Most NetFlow technologies
implemented on routers don’t inspect traffic in the same way as direct packet inspection
technologies such as IDS and IPS. When the flows are forwarded to the collector, it does not
have direct access to the packet details. Instead, the flow collector uses metadata about the
packets such as packet length, flags set, port numbers and other characteristics to determine the
presence of malicious traffic. The more stealthy and clever the attack, the harder it is to identify
with any single security measure. Threat detection systems that leverage NetFlow and IPFIX can
provide an approach to threat detection that is unique and different from other security
technologies. They provide an excellent defense-in-depth story and mesh well with traditional
methods.
These are the top five reasons customers have said they use flows for security:
#5 - Powerful forensics and incident response capabilities
Flows provide a 24/7 account of all network activity. They are like a CCTV system for your
enterprise. And given the relatively lightweight nature of flow data, customers can store weeks or
months of flows without spending $100,000+ on expensive packet libraries from companies like
NetWitness and Niksun. When an incident does occur, the information needed to identify the
root cause and enact an orderly cleanup is in the flows (Figure 1).
#4 - Deep situational awareness for the network
This point is a bit more difficult to describe given its ambiguity. But the idea is that from a
tactical perspective, flows provide a "what's happening to my network right now" view that other
systems struggle to provide. While traditional IDSs and other security systems only alert when
something is actively detected, flow collection systems can constantly collect information to
provide a view into network happenings even when bad things don't appear to be occurring. It's
perfect for a network or security operations center (SOC) wall.
#3 - Internal network visibility
The idea of monitoring the internal network and not just the perimeter is somewhat new. With
the advent of bring your own device (BYOD) policies, Wi-Fi devices and the mobile worker, the
internal network is not nearly as safe as it used to be. Many customers understand this and are
looking for ways to get a better handle on traffic patterns in the network core and access layers
(Figure 2).
#2 - Inexpensive to deploy and maintain
Just enter a few commands on the router and voila, you have coverage at that location. The larger
and more distributed the enterprise, the more this message will resonate. "Oh, you have 500
remote sites? Don’t send out hundreds of IDSs. Enable NetFlow on the routers at each remote
site instead." Monitoring very high speed networks is also much less expensive. 10G IDSs and
IPSs are very expensive—in the $100,000+ range.
#1 - Detects attacks without signatures
Without a doubt, the item that drives most sales of flow-based security is the idea that flow-based
analysis relies on algorithms and behavior rather than signature matching. This gives the
collector an ability to detect attacks before a signature is available. Zero-hour detection is really
what a flow-based security analysis technology provides. Given the increased threat from
advanced persistent threats (APTs), mobile malware, botnets, etc., security people are looking
for new ways to detect and react. Flow analysis is a new and effective way.
Analyzing Flow Data
One way flow data can be used to detect traffic anomalies is through the use of Transmission
Control Protocol (TCP) flags. During the process of packet aggregation into flows in the router
cache, a logical “OR” is performed on the TCP flags seen for an individual flow. For this reason,
a normal, completed TCP connection shows at least the SYN and ACK bits set in its flow record.
An above-threshold volume of SYN-only flows (SYN set, ACK never seen) from a host could be
used to determine that the source of the flows is infected with malware and is scanning for
vulnerable hosts on the network.
In addition, TCP flags are used to determine the client/server role of each side of the flow. This
can be important for firewall validation and network access policy management. If you are
implementing a new NetFlow export feature, be sure to include OR’ed TCP flags in your
exports.
As with TCP flags, Internet Control Message Protocol (ICMP) type and code can be extremely
useful for security analysis. When large numbers of “TTL expired in transit” (Time Exceeded)
messages occur, a Smurf amplifier DoS attack could be in play. Large volumes of Port
Unreachable ICMP messages often represent peer-to-peer file sharing or UDP port scanning.
IPFIX Information Element ID 32 (icmpTypeCodeIPv4) carries this field.
It is also possible to detect potential malware by monitoring the behavior of flows. Collector
vendors that monitor for security events provide canned algorithms that are applied to the
incoming flow data. These flow analysis algorithms measure ICMP rates, TCP flag
combinations, flow creation rates and more.
Other suspicious behaviors detectable with flow data include: excessive small flows from a single
host to the same destination; DoS attacks, detected by measuring bit rates, packet rates and
other flow volume indicators; and hosts attempting to connect to numerous other hosts with a
low number of flows to each destination (scanning).
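The three detections just described (SYN-only flows, horizontal scanning by fan-out, and ICMP Port Unreachable volume), worked as an added example that is not code from the article or from any Plixer product. The CSV record layout, the threshold values and the sample flows are constructed for the example; the flag bit values are those of the tcpControlBits field.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

# TCP flag bits as carried in the NetFlow/IPFIX tcpControlBits field (IPFIX IE 6).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ICMP_PORT_UNREACH = (3, 3)  # ICMP type 3 / code 3: Destination Unreachable, Port Unreachable

class Flow(NamedTuple):
    src: str
    dst: str
    proto: int      # 6 = TCP, 1 = ICMP
    dport: int
    flags: int      # OR of every TCP flag seen during the flow's life
    icmp_type: int
    icmp_code: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV record: src,dst,proto,dport,flags(hex),icmp_type,icmp_code."""
    s, d, p, dp, fl, t, c = line.split(",")
    return Flow(s, d, int(p), int(dp), int(fl, 16), int(t), int(c))

def syn_only_sources(flows, threshold):
    """Hosts with more than `threshold` flows where SYN was set but ACK never appeared."""
    counts = Counter(f.src for f in flows
                     if f.proto == 6 and f.flags & SYN and not f.flags & ACK)
    return {h: n for h, n in counts.items() if n > threshold}

def fan_out_scanners(flows, min_dests, max_flows_per_dest):
    """Hosts touching at least `min_dests` destinations with few flows to each (scanning)."""
    per_src = defaultdict(Counter)
    for f in flows:
        per_src[f.src][f.dst] += 1
    return {h: len(c) for h, c in per_src.items()
            if len(c) >= min_dests and max(c.values()) <= max_flows_per_dest}

def port_unreachable_counts(flows):
    """Count of ICMP Port Unreachable messages delivered to each host (the would-be scanner)."""
    return Counter(f.dst for f in flows
                   if f.proto == 1 and (f.icmp_type, f.icmp_code) == ICMP_PORT_UNREACH)

# Constructed sample: 10.0.0.5 sweeps 10.0.1.0/24 on port 445 with SYN-only flows,
# 10.0.0.9 is a normal HTTPS client (SYN, ACK, PSH, FIN all seen), and 10.0.1.7 answers
# the scanner with ICMP Port Unreachable.
SAMPLE = [f"10.0.0.5,10.0.1.{i},6,445,02,0,0" for i in range(1, 21)]
SAMPLE += ["10.0.0.9,10.0.2.10,6,443,1b,0,0"] * 5
SAMPLE += ["10.0.1.7,10.0.0.5,1,0,00,3,3"] * 4
FLOWS = [parse_flow(l) for l in SAMPLE]
```

With the sample, all three detectors single out 10.0.0.5, while the client that completes proper handshakes never appears.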
Custom Flow Behavior Monitoring
In addition to canned algorithms, detecting odd behaviors can be done through the use of
custom-flow behavior monitors. This tactic can also be effective at sleuthing out inappropriate
connection behaviors or for monitoring acceptable use by employees and contractors. For
example, DNS traffic that doesn’t involve the local DNS servers could qualify as potentially
suspicious traffic. Non-HTTP traffic to a web server that isn’t from authorized hosts could also
fall into the suspect category. Another example might include alerting on any connections from
China to the corporate DMZ—especially if the user’s company doesn’t do business in China.
Due to the operational characteristics at most businesses, the volume of unique detection
methods is nearly limitless. The more the customer knows about their business (which they will
learn through the use of flows), the more powerful Custom Flow Behavior Monitors will
become.
Some vendors watch end system behaviors over time and create behavior profiles of what can be
considered “normal” behavior for each host that resides on the network. Once a baseline is
derived, new flows from the host are compared to unique behaviors captured in the baseline.
Behaviors not consistent with the baseline can trigger alarms or at the very least heighten
awareness. Behavior analysis mechanisms are still fairly new and unproven.
IP Host Reputation
Comparing the source and destination IP addresses in a flow to a host reputation database is a
great way to find malware infected hosts that aren’t exhibiting the behaviors outlined above. The
“Internet Threats Monitor” downloads an updated list of known compromised Internet hosts
every hour from Emerging Threats or Cymru.
Flow collection systems can detect if internal hosts are communicating with known botnets or
Command and Control (C&C) servers. C&C hosts could be participating in an APT. By sending
NetFlow and IPFIX from the Internet facing routers to a NetFlow collector that can compare all
flows to the host reputation database, internal machines talking with known compromised
Internet hosts can be identified. Many companies are building next-generation intrusion detection
and prevention engines that include reputation lookups.
Identity Awareness
Although it is beneficial to have the source IP address when trying to track down a problem,
having the user name is even better. Since many hosts leverage DHCP-acquired IP addresses,
which can change over time, reporting on user name can provide more definitive evidence when
trying to mitigate an issue.
If you are a vendor exporting user name details, there are important criteria to keep in mind. The ID
used for the user name should not be reused by another host even if the flow exporting device is
rebooted. Ideally, the ID used should persist over time and if possible, be consistent across flow
exporting devices.
The semantics used for user name ID are important for long-term historical trending and forensic
analysis. Reach out to a consultant or an experienced NetFlow developer if your company
desires to export user name details. Vendors exporting user name details include Cisco, Palo Alto
Networks, SonicWALL and possibly others. This highly desired element is sure to set vendors
apart in a vendor comparison.
Alarm Correlation
With all of these detection systems sending messages on potential malware they have detected, a
central location for reviewing and sorting out the threats found becomes necessary.
One of the goals of most alarm consoles is to prioritize the alerts that could most negatively
impact the business and the applications it depends on. In pursuit of this effort, some vendors
have introduced a Concern or Unique Index (UI). The Unique Index can mean many things
depending on the implementation. Generally, the UI is impacted by the number of unique alarm
types violated by each host, the number of times each unique alarm type is violated and the
severity of each alarm. By having a UI that increases based on several criteria, the intention is
that the hosts exhibiting the most behaviors indicative of malware will rise to the top as shown in
Figure 3.
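The custom flow behavior monitors described earlier (DNS that bypasses the local resolvers, non-HTTP traffic to a web server from unauthorized hosts) feed the Unique Index described here. The following is an added example, not code from the article or from any vendor's console; the monitor definitions, the site address lists and the UI formula (severity times count, summed over alarm types, then scaled by the number of distinct types) are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: int   # 6 = TCP, 17 = UDP
    dport: int

# Site knowledge the custom monitors are built from (assumed values for this example).
LOCAL_DNS = {"10.0.0.53"}
WEB_SERVERS = {"10.0.5.80"}
WEB_ADMIN_HOSTS = {"10.0.9.1"}   # hosts allowed to reach the web servers on non-HTTP ports

# Each custom monitor: (alarm name, severity 1-5, predicate over a single flow).
MONITORS = [
    ("dns-to-external-resolver", 2,
     lambda f: f.dport == 53 and f.dst not in LOCAL_DNS),
    ("non-http-to-web-server", 3,
     lambda f: f.dst in WEB_SERVERS and f.dport not in (80, 443)
     and f.src not in WEB_ADMIN_HOSTS),
]

def evaluate(flows):
    """One (host, alarm name, severity) tuple for every monitor each flow violates."""
    return [(f.src, name, sev) for f in flows for name, sev, pred in MONITORS if pred(f)]

def unique_index(alarms):
    """Assumed scoring: per host, sum severity * count over alarm types, then multiply by
    the number of distinct alarm types so hosts tripping several monitors rise above
    hosts that merely repeat one."""
    per_host, severity = defaultdict(Counter), {}
    for host, name, sev in alarms:
        per_host[host][name] += 1
        severity[name] = sev
    return {h: sum(severity[n] * c for n, c in types.items()) * len(types)
            for h, types in per_host.items()}

def ranked_hosts(flows):
    """Hosts from most to least concerning, as an alarm console would list them."""
    return sorted(unique_index(evaluate(flows)).items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample flows (192.0.2.53 is a documentation-range address standing in for an
# external resolver).
SAMPLE = [Flow("10.0.1.20", "192.0.2.53", 17, 53)] * 3 + [
    Flow("10.0.1.20", "10.0.5.80", 6, 22),   # SSH to the web server from a non-admin host
    Flow("10.0.1.31", "10.0.5.80", 6, 22),   # same violation, once
    Flow("10.0.9.1", "10.0.5.80", 6, 22),    # admin host, permitted
    Flow("10.0.1.40", "10.0.0.53", 17, 53),  # normal DNS to the local resolver
]
```

Running `ranked_hosts(SAMPLE)` puts the host that trips both monitors well ahead of the one that trips a single monitor once, which is the ordering the alarm console is meant to produce.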
Most threat detection systems will forward detected messages to a central third-party alarming
server. Whatever the preferred method, choosing which alarm to react to still requires
consideration. When approaching the detected threats in an alarm view, use a common sense
approach to remediation. Security administrators should ask themselves:
Who is being targeted? If there are 25 alarms, look at the servers first:
- Is the server a critical resource, or is it a power user or executive within the company?
- Does the host have access to critical resources? If not, move on to the next alarm that
  could be more important.
- Check the host’s unique index and trend the volume of alarms for the host over time.
- Is the application or server involved critical to the business?
Human involvement is almost always necessary when it comes to prioritizing and taking action
on the alarms. Although most systems can be set up to take action, these features should be
implemented only after careful consideration of any possible consequences.
Threat Mitigation
Once the alarm has been identified, it is time to take the next step toward removal of the issue.
This process can be automated, for example by adding an ACL entry on a router or
firewall. Oftentimes, however, it is wise to collect additional details before making any changes.
Further investigation into how a problem has impacted the network or who else may have been
infected is one of the areas where flow information can shine. A flow report provides several
details on which end systems were communicating with the Internet host, who was sending the
most, for how long, when it started and how much. Once the problem is resolved and cleaned up,
it is important to go back to the alarming console and verify that the anomaly is no longer
occurring.
NetFlow and IPFIX should not be the entire network security protection plan and are unlikely to
replace the IDS or IPS anytime soon. However, flow-based security analysis is an excellent
defense-in-depth strategy for any enterprise network that contains high-risk information. We are
seeing more and more hardware (e.g., routers, switches and firewalls) implement deeper security
methods and export the findings as messages using NetFlow and IPFIX.
Host reputation lookups are one of the most effective ways to defend against Internet malware,
and are a wiser course of action than blocking a specific country. Many attacks are still initiated
from within the United States and oftentimes from machines that were also hacked.
Safeguarding a company’s data from malware such as an APT invasion is an ongoing task.
Paranoia can be considered a good defense against a possible incursion. Many experts
combating these Internet threats suggest that organizations always be on the alert, assuming that
malware is always present, or already underway, and to operate defensively rather than
passively. Adding a layer of security with flow analytics is one of the best ways to detect internal
suspicious traffic that has circumvented the traditional firewalls and other threat detection
measures. Some forms of malware (e.g., APTs) have no trouble sneaking right past even the best
security appliances, but they have a habit of exhibiting the same suspicious behaviors: large
transfers of data to hosts that have poor reputations.
Companies should develop an incident response guide, integrate flow analysis into the strategy
and routinely test the procedure for mitigating advanced intrusions. This will help provide clear
guidelines and protocols on:
- What should happen when malware is detected?
- Which individuals within the company should be mobilized?
- What information will be needed?
- What services could be disrupted by the breach and subsequent cleanup?
- What outside resources/individuals can the company tap into for additional assistance?
- How to proceed with a thorough disaster recovery plan.
Security administrators should also be aware of state and federal regulations and laws that
require the disclosure of information upon detecting such threats. Regulations such as the Health
Insurance Portability and Accountability Act (HIPAA) have specific guidelines that must also
be followed.
Finally, education is a major deterrent to threats such as APT invasions. Regular employee
trainings must be conducted to share up-to-date knowledge on how social networking sites and
email can be used to assist in the spread of malware.
Plixer International, Sanford, ME. (207) 324-8805. [www.plixer.com].