Network Traffic Analytics and NetFlow

TK Keanini
Distinguished Engineer, Cisco Security


Transcript

  1. TK Keanini, Distinguished Engineer, Cisco Security – Advanced Threat
     October 2019, Session 3A: Network Traffic Analytics and NetFlow
  2. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
     Security Analytics versus Other Analytics
     Security Analytics focuses on augmenting or automating these functions:
     • Incident Responder
     • Security Analyst
     • Security Operations
     • Threat Hunter
     • Compliance and Policy
     • Business Continuity
     • Cybercrime fighting
     (Diagram layers: Telemetry, Synthesis/Analytics, Outcomes)
  3. NETFLOW v5
     ‣ Fixed Content
     ‣ IPv4 Only
  4. NETFLOW V9
     ‣ Dynamic Content
     ‣ Runtime “Templates”
     ‣ 100+ Cisco defined fields
     ‣ Allows for vendor extensions
  5. IPFIX (RFC 5101, RFC 7011)
     ‣ Subtle structural differences with NetFlow v9
     ‣ Dynamic Content
     ‣ Runtime “Templates”
     ‣ Allows for variable-length fields, e.g. URLs
     ‣ 450+ IANA defined fields
     ‣ Allows for vendor extensions
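The practical consequence of "runtime templates" (slides 4 and 5) versus the fixed v5 layout (slide 3) is that a v9/IPFIX collector cannot decode a data flowset until it has seen the template that describes it, and templates may arrive in a different packet. The following is an added example, not code from the deck or from Cisco: a minimal NetFlow v9 decoder in Python that keeps templates per exporter across packets and skips (rather than mis-decodes) data whose template has not arrived yet. The export packet it parses is constructed inline; the field type numbers are from the Cisco v9 field table (1 IN_BYTES, 2 IN_PKTS, 4 PROTOCOL, 7/11 L4 ports, 8/12 IPv4 addresses), while the source id, sequence number and addresses are made-up sample values. Options templates (flowset id 1) are ignored for brevity.

```python
import struct
import ipaddress

# A few of the Cisco-defined v9 field types (IDs from the NetFlow v9 field type table)
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else is a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet into a list of flow-record dicts.

    `templates` is a dict keyed by (source_id, template_id) that the caller keeps
    across packets: the template describing a data flowset may have been exported
    in an earlier packet. Data that arrives before its template cannot be decoded
    and is skipped, which is a visibility gap worth monitoring on a collector.
    """
    if templates is None:
        templates = {}
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                       # template flowset: one or more templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if tid < 256:                # reached padding bytes
                    break
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                   # data flowset described by template fs_id
            fields = templates.get((source_id, fs_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are ignored in this example
        offset += fs_len
    return records


def build_sample_packet(include_template=True):
    """Constructed sample export: template 256 (7 fields) and a data flowset with two flows."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

    data = (rec("10.0.0.5", "203.0.113.10", 51234, 443, 6, 5120, 12)
            + rec("10.0.0.7", "10.0.0.53", 40001, 53, 17, 90, 1))
    data += b"\x00" * ((-len(data)) % 4)     # pad the data flowset to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 120000, 1570000000, 1, 42)  # made-up header values
    return header + (template_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    cache = {}
    print(parse_v9(build_sample_packet(include_template=False), cache))  # [] : template not seen yet
    print(parse_v9(build_sample_packet(), cache))                         # two decoded flows
```

Run as a script it first shows the data-before-template case returning nothing, then the same data decoding once the template has been cached; a real collector should count such undecodable flowsets, since a silent drop looks exactly like an absence of traffic.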
  6. Other variations - more network infrastructure
     ‣ JFlow - Juniper Networks
     ‣ Cflowd - Juniper/Alcatel-Lucent
     ‣ NetStream - 3Com/HP, Huawei
     ‣ RFlow - Ericsson
     ‣ AppFlow - Citrix
     ‣ sFlow - Many vendors
     ‣ VPC Flow Logs – AWS, GCP, Azure
  7. SAMPLED Network Flows
     ‣ Beware: Not Complete!
     ‣ (1) Deterministic: one packet in every n packets, or (2) Random: one packet randomly selected in an interval of n packets
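The "Not Complete!" warning is easy to underestimate, so here is an added example (not from the deck) that simulates both sampling modes from the slide over a constructed packet stream and reports what a collector would and would not see. The stream, the sampling rate n and the seed are assumptions; the point it demonstrates is that 1-in-n sampling preserves the bulk transfers (scaled back up by n) while most short flows, the two-packet DNS lookups or single connection attempts an analyst often cares about, leave no record at all.

```python
import random
from collections import Counter


def deterministic_sample(packets, n):
    """Deterministic 1-in-n: keep the first packet of every n (packets 0, n, 2n, ...)."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def random_sample(packets, n, rng):
    """Random 1-in-n: keep one packet chosen at random within each interval of n packets."""
    kept = []
    for start in range(0, len(packets), n):
        window = packets[start:start + n]
        kept.append(window[rng.randrange(len(window))])
    return kept


def aggregate(packets, scale=1):
    """Per-flow packet and byte counts; `scale` is the usual 1-in-n scale-up estimator."""
    pkts, nbytes = Counter(), Counter()
    for flow, size in packets:
        pkts[flow] += scale
        nbytes[flow] += size * scale
    return pkts, nbytes


def missed_flows(all_packets, sampled_packets):
    """Flows present in the full stream that left no trace in the sampled stream."""
    return sorted({f for f, _ in all_packets} - {f for f, _ in sampled_packets})


def miss_probability(k, n):
    """Chance that a k-packet flow is never sampled under random 1-in-n sampling."""
    return (1 - 1 / n) ** k


def build_stream(rng, n_short=50):
    """Constructed stream: one 2000-packet bulk transfer plus n_short two-packet flows,
    interleaved in random order (sizes and counts are made up for the example)."""
    packets = [("bulk-flow", 1400)] * 2000
    for i in range(n_short):
        packets += [(f"short-{i:02d}", 80)] * 2
    rng.shuffle(packets)
    return packets


def sampling_report(n=100, seed=7):
    """Compare the full stream with deterministic and random 1-in-n views of it."""
    rng = random.Random(seed)
    stream = build_stream(rng)
    _full_pkts, full_bytes = aggregate(stream)
    det = deterministic_sample(stream, n)
    rnd = random_sample(stream, n, rng)
    _est_pkts, est_bytes = aggregate(det, scale=n)
    return {
        "packets_total": len(stream),
        "packets_sampled": len(det),
        "bulk_true_bytes": full_bytes["bulk-flow"],
        "bulk_estimated_bytes": est_bytes["bulk-flow"],
        "flows_missed_deterministic": len(missed_flows(stream, det)),
        "flows_missed_random": len(missed_flows(stream, rnd)),
        "expected_miss_prob_2_packets": miss_probability(2, n),
    }


if __name__ == "__main__":
    for key, value in sampling_report().items():
        print(f"{key:>30}: {value}")
```

With 51 flows and only 21 sampled packets, at least 30 flows are necessarily invisible whichever mode is used; `miss_probability(2, 100)` gives the per-flow figure (about 98%) for random sampling. Sampled exports are fine for capacity planning and for spotting heavy hitters, but a detection use case that depends on seeing every connection needs unsampled flow records.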
  8. Telemetry (changes within an observational domain)
     All Telemetry is Data but not all Data is Telemetry
     • AWS Telemetry
     • Google GCP Telemetry
     • Azure Telemetry
     Telemetry sources shown: Catalyst, IE, ETA enabled Catalyst, Web Security Appliance (WSA), ISR | CSR | ASR | WLC, AnyConnect Network Visibility Module, ASA | FTD | Meraki, Identity Services Engine (ISE), Stealthwatch Flow Sensor
     (Diagram: switch, router, firewall, server, user, WAN, web, endpoint, cloud native, and policy/user info as telemetry sources)
  9. Popular Topics
     • Behavioral Analytics versus Fingerprinting/Signatures
     • Encrypted Traffic Analytics
     • Malware Detection
     • Cryptographic Compliance
     • Cloud Native Security Analytics
     • Serverless
     • Kubernetes Service Mesh
  10. Signatures vs. Behavioral Detection
      Signatures: if you see pattern X, sound the alarm
      Behavioral: a set of actions were performed, sound the alarm
  11. The Network is Where Computers Behave
      Behavioral Telemetry across Private, Hybrid and Public
  12. A Chef’s Knife
      • Used for food preparation in kitchens
      • Sharp blade of a particular shape
      • Has a handle
      • Used by the role of kitchen worker
  13. A Chef’s Knife: Behaviors
      • Behavior 01: Monday night, the chef used it to prepare meals
      • Behavior 02: Tuesday day, it was used as a murder weapon
      • Behavior 03: Tuesday night, a passenger was removed from a flight because this object is not allowed on airplanes
  14. Behavioral Profiles
      NAME: Duck
      KNOWN: Quacks, Waddles, Eats Grass, Insects, etc., Flies
      NOVEL (Other Behaviors): Roar?!
  15. Known Bad, Known Good, Outliers & Novelty
      • Known Bad: objects & behavior known a priori
      • Known Good: derived from first modeling the good
      • Outliers & Novelty: if this is good, then what is this?
  16. Fingerprinting or “Featureprinting” vs. Behavioral Analytics
      Fingerprinting: an observable (232) attributed to a process identifies the Printer
      Behavioral inferences that build the Printer’s {Behavioral Profiles}:
      • Clients connect to it to print
      • Traffic volumes have a distinct pattern
      • Clients connect for management
      Behavioral Analytics: Connection to AWS! Any activity not yet known!
  17. Quick Summary of the Analytical Pipeline
      Observables/Featureprint/Fingerprint, Classification, Categorization, Behavioral Modeling, Behavioral Analytics
  18. Encrypted Traffic Analytics: Privacy AND Security
      New Telemetry + Analytics Pipeline so that we infer what we can no longer directly inspect
      (Diagram: Encrypted Traffic vs. Non-encrypted Traffic)
  19. Public Disclosure of Research in 2016
      Known Malware Traffic + Known Benign Traffic: extract observable features in the data, employ Machine Learning techniques to build detectors; known malware sessions detected in encrypted traffic with high accuracy
      “Identifying Encrypted Malware Traffic with Contextual Flow Data”, AISec ’16 | Blake Anderson, David McGrew (Cisco Fellow), Cisco Research
  20. Example: Encrypted Traffic Analytics
      Telemetry (observables): Flow Start Time, Sequence of Packet Lengths and Times, Initial Data Packet
      Synthesis/Analytics: Analytics Pipeline of Diverse Methods
      Outcomes: Detection of Malware without Decryption, Cryptographic Compliance
  21. Initial Data Packet
      • HTTPS header contains several information-rich fields
      • Server name provides domain information
      • Crypto information educates us on client and server behavior and application identity
      • Certificate information is similar to whois information for a domain
      • And much more can be understood when we combine the information with global data
      (Diagram: Initial Data Packet(s) = IP Header, TCP Header, TLS Header (Ciphersuites, TLS version, SNI (Server Name)); Certificate (Organization, Issuer, Issued, Expires))
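The fields the slide lists (TLS version, cipher suites, SNI) all sit in the clear in the first client packet of a TLS session, so a sensor can read them without any decryption. As an added example, not code from the deck or from any Cisco product, the Python below parses a TLS ClientHello for exactly those fields and runs a small cryptographic-compliance check over them. The ClientHello it parses is constructed by `build_client_hello` (zero random, empty session id); the cipher-suite and version numbers are the IANA-registered values, while the policy in `compliance_findings` (minimum TLS 1.2, RC4 and 3DES flagged by name) is an assumption for the example, not a published policy.

```python
import struct

# A few IANA cipher-suite names so findings read well; unknown suites are shown as hex
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def parse_client_hello(data):
    """Extract the plaintext fields of a TLS ClientHello: versions, cipher suites, SNI."""
    ctype, record_version, record_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                  # skip the 32-byte client random
    pos += 1 + body[pos]                           # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods (length-prefixed)
    info = {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "sni": None, "supported_versions": []}
    if pos + 2 <= len(body):                       # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                         # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                info["sni"] = edata[5:5 + name_len].decode("ascii")
            elif etype == 43:                      # supported_versions: len(1) then 2-byte versions
                info["supported_versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                                              for i in range(0, edata[0], 2)]
    return info


def compliance_findings(info, minimum_version=0x0303, weak_markers=("RC4", "3DES")):
    """Constructed policy (an assumption for this example): flag offered versions below
    TLS 1.2 and suites whose IANA name contains one of `weak_markers`."""
    findings = []
    offered = set(info["supported_versions"]) or {info["client_version"]}
    for v in sorted(offered):
        if v < minimum_version:
            findings.append(f"offers {VERSION_NAMES.get(v, hex(v))}")
    for s in info["cipher_suites"]:
        name = CIPHER_NAMES.get(s, hex(s))
        if any(m in name for m in weak_markers):
            findings.append(f"offers weak suite {name}")
    return findings


def build_client_hello(sni, suites, client_version=0x0303, supported_versions=(0x0304, 0x0303)):
    """Constructed ClientHello (zero random, empty session id) used to exercise the parser."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    if supported_versions:
        sv = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 43, len(sv) + 1) + bytes([len(sv)]) + sv
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("example.com", [0x1301, 0xC02F, 0x0005])
    info = parse_client_hello(hello)
    print(info["sni"], [CIPHER_NAMES.get(s, hex(s)) for s in info["cipher_suites"]])
    print(compliance_findings(info))
```

Note that the SNI and the offered suites describe what the client asked for, not what was negotiated; the server's choice is in the ServerHello, and with TLS 1.3 the certificate the slide mentions is encrypted, which is why the deck treats this as inference rather than inspection.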
  22. Sequence of Packet Lengths and Times (SPLT)
      (Diagram: client/server sent and received packets for Exfiltration & Keylogging, Google Search, Page Download, Initiate Command & Control)
      Model: packet lengths, arrival times and durations tend to be inherently different for malware than benign traffic.
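To show what "packet lengths, arrival times and durations" look like as features a model can consume, here is an added example (not the deck's code and not the representation used in the cited research, which is an assumption here) that turns the first packets of a flow into an SPLT vector: signed lengths by direction, inter-arrival times, and a transition matrix between length bins that gives a fixed-size summary of a variable-length sequence. The two flows are constructed, not captures: a page download (one request, several full-size responses) and a periodic check-in (small, evenly spaced exchanges); the bin edges are arbitrary choices.

```python
from statistics import mean, pstdev


def bin_index(value, thresholds):
    """Index of the bin `value` falls in: the number of thresholds it reaches or exceeds."""
    return sum(1 for t in thresholds if value >= t)


def splt_features(packets, max_packets=10, length_bins=(150, 300, 600, 1200)):
    """Build SPLT features from the first `max_packets` packets of a flow.

    packets: list of (timestamp_seconds, direction, length), direction 'c2s' or 's2c'.
    Returns signed lengths (client->server positive, server->client negative), the
    inter-arrival times in ms, and a row-normalised transition matrix between
    length bins.
    """
    head = packets[:max_packets]
    lengths = [ln if d == "c2s" else -ln for _, d, ln in head]
    deltas = [round((head[i][0] - head[i - 1][0]) * 1000, 1) for i in range(1, len(head))]
    nbins = len(length_bins) + 1
    counts = [[0] * nbins for _ in range(nbins)]
    for prev, cur in zip(lengths, lengths[1:]):
        counts[bin_index(abs(prev), length_bins)][bin_index(abs(cur), length_bins)] += 1
    transitions = [[c / sum(row) if sum(row) else 0.0 for c in row] for row in counts]
    return {"lengths": lengths, "deltas_ms": deltas, "length_transitions": transitions}


def summarize(features):
    """Scalar summaries a detector might use alongside the raw vectors."""
    sent = sum(l for l in features["lengths"] if l > 0)
    received = -sum(l for l in features["lengths"] if l < 0)
    d = features["deltas_ms"]
    return {"bytes_sent": sent, "bytes_received": received,
            "sent_to_received": round(sent / received, 3) if received else None,
            "mean_delta_ms": mean(d) if d else None,
            "delta_stdev_ms": pstdev(d) if len(d) > 1 else None}


# Constructed sample flows (not real captures)
PAGE_DOWNLOAD = [(0.000, "c2s", 517), (0.020, "s2c", 1460), (0.035, "s2c", 1460),
                 (0.050, "s2c", 1460), (0.065, "s2c", 800)]
PERIODIC_CHECKIN = [(0.0, "c2s", 200), (0.1, "s2c", 120), (60.0, "c2s", 200),
                    (60.1, "s2c", 120), (120.0, "c2s", 200), (120.1, "s2c", 120)]

if __name__ == "__main__":
    for name, flow in (("page download", PAGE_DOWNLOAD), ("periodic check-in", PERIODIC_CHECKIN)):
        f = splt_features(flow)
        print(name, f["lengths"], f["deltas_ms"], summarize(f))
```

The two vectors differ in shape rather than in any single value: the download is dominated by large server-to-client packets with millisecond gaps, the check-in by small symmetric exchanges with long, regular gaps. A classifier trained on many labelled flows learns which regions of this feature space are typical of each class; no single threshold is a detection by itself.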
  23. Multi-layer Analytical Pipeline
      Cascade of specialized layers of ML & non-ML algorithms, applied to billions of connections
      Stages: Anomaly Detection and Trust Modeling; Event Classification and Entity Modeling; Relationship Modeling
      • Statistical Methods
      • Information-Theoretical Methods
      • 70+ Unsupervised Anomaly Detectors
      • Dynamic Adaptive Ensemble Creation
      • Multiple-Instance Learning
      • Neural Networks
      • Rule Mining
      • Random Forests
      • Boosting
      • ML: Supervised Learning
      • Probabilistic Threat Propagation
      • Graph-Statistical Methods
      • Random Graphs
      • Graph Methods
      • Supervised Classifier Training
  24. Recurring Assertion and Entailment
      (Timeline diagram spanning 28 days: Oct. 3 Spam tracking #CSPM02 (new); Oct. 4 C&C url; Information Stealer #CDCH01; Oct. 15 Anomalous http; Oct. 16 Heavy uploader Dropbox.com; Oct. 25 and Oct. 28 Malicious http; Dec. 9 Malware: Sality; numeric values between 3 and 8 are shown next to each event)
  25. Serverless Security: How Can You Secure a Server When There is No Server?
      Serverless Computing is a cloud computing execution model in which the cloud provider dynamically manages the allocation of machine resources (i.e. the servers)
  26. Dynamic Entity Modeling
      • What ports/protocols does the device continually access?
      • What connections does it continually make?
      • Does it communicate internally only?
      • What countries does it talk to?
      • How much data does the device normally send/receive?
      • What is the role of the device?
      Collect Input (System Logs, Security Events, Passive DNS, External Intel, Config Changes, Vulnerability Scans, IP Meta Data); Perform Analysis (Dynamic Entity Modeling); Draw Conclusions (Group, Consistency, Rules, Forecast, Role)
  27. Serverless Anomaly Detection
      Amazon Lambda function that normally connects to two internal resources connecting to an unexpected third
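Slides 10, 15, 16, 26 and 27 describe one idea from several angles: a signature fires on a known pattern, whereas behavioral detection first models what is normal for an entity (its peers, ports and volumes) and then raises novelty (something never seen for this entity) or outliers (a known behavior at an abnormal magnitude). The following is an added example, not code from the deck or from Stealthwatch, that implements that pipeline in Python over constructed flow summaries. The entity names (a Lambda function, a printer, a workstation), peers, volumes, the blocklist address and the five-day training window are all made up for the example, and the z-score threshold and the variance floor are assumptions; the Lambda row on day 6 reproduces slide 27's "unexpected third resource".

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day, entity, peer, dst_port, bytes_sent). All names are hypothetical.
FLOWS = []
for _day in range(1, 6):                                   # five days of "normal" history
    FLOWS += [(_day, "lambda-orders", "db.internal", 5432, 1_000_000),
              (_day, "lambda-orders", "queue.internal", 5672, 200_000),
              (_day, "printer-3f", "mgmt.internal", 161, 50_000),
              (_day, "ws-17", "proxy.internal", 3128, 300_000)]
FLOWS += [(6, "lambda-orders", "db.internal", 5432, 1_000_000),
          (6, "lambda-orders", "queue.internal", 5672, 200_000),
          (6, "lambda-orders", "203.0.113.45", 443, 50_000),      # third, never-seen peer
          (6, "printer-3f", "mgmt.internal", 161, 5_000_000),     # usual peer, 100x the usual volume
          (6, "ws-17", "proxy.internal", 3128, 310_000),
          (6, "ws-17", "198.51.100.77", 443, 2_000)]              # peer on the (constructed) blocklist

BLOCKLIST = {"198.51.100.77"}                               # the "pattern X" of a signature


def build_profiles(flows, training_days):
    """Per-entity baseline: peers and ports seen, and bytes sent per training day."""
    profiles = {}
    for day, entity, peer, port, nbytes in flows:
        if day not in training_days:
            continue
        p = profiles.setdefault(entity, {"peers": set(), "ports": set(), "daily_bytes": defaultdict(int)})
        p["peers"].add(peer)
        p["ports"].add(port)
        p["daily_bytes"][day] += nbytes
    return profiles


def evaluate_day(flows, profiles, day, z_threshold=3.0):
    """Return (entity, kind, detail) alerts for one day.

    kind is 'signature' (known-bad match), 'novelty' (behaviour never seen for this
    entity) or 'outlier' (a known behaviour at a volume far outside the baseline).
    """
    alerts = []
    day_bytes = defaultdict(int)
    for d, entity, peer, port, nbytes in flows:
        if d != day:
            continue
        day_bytes[entity] += nbytes
        if peer in BLOCKLIST:
            alerts.append((entity, "signature", f"traffic to blocklisted peer {peer}"))
        p = profiles.get(entity)
        if p is None:
            alerts.append((entity, "novelty", f"entity never seen before, talked to {peer}:{port}"))
        elif peer not in p["peers"]:
            alerts.append((entity, "novelty", f"new peer {peer}:{port}"))
        elif port not in p["ports"]:
            alerts.append((entity, "novelty", f"new port {port} on known peer {peer}"))
    for entity, total in day_bytes.items():
        history = list(profiles.get(entity, {}).get("daily_bytes", {}).values())
        if len(history) < 2:
            continue                                        # not enough baseline to judge volume
        mu = mean(history)
        sigma = max(pstdev(history), 0.05 * mu)             # floor so a flat baseline is not "infinitely" violated
        z = (total - mu) / sigma
        if z > z_threshold:
            alerts.append((entity, "outlier", f"sent {total} bytes, baseline {mu:.0f} (z={z:.1f})"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_day(FLOWS, build_profiles(FLOWS, range(1, 6)), day=6):
        print(alert)
```

Day 6 produces four alerts: the Lambda function's new peer and the workstation's blocklisted peer as novelty, the blocklist hit additionally as a signature, and the printer's upload as an outlier even though its peer and port are entirely normal. The same flows on a training day produce nothing, which is the property slide 15 describes: model the good first, then ask what does not fit.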
  28. Serverless Detection of an Unusual API Call
  29. Deep visibility into the Kubernetes cluster activity
      Stealthwatch Cloud agent deployed on each Node via a DaemonSet configuration file
  30. Conclusion
      • All telemetry is data but not all data is telemetry
      • Focus on the outcome and let that help scope telemetry requirements
      • Know the difference between signatures and behavioral outcomes
      • How will users validate your outcomes?
      • Assume payloads are encrypted – inference is key
      • Assume a Hybrid Multi-Cloud future