Advanced Threat Defence Using NetFlow


Advanced Threat Defence using NetFlow
BRKSEC-2073
Matthew Robertson, Security Technical Marketing Engineer

“The whole art of war consists of guessing at what is on the other side of the hill.”
Arthur Wellesley, 1st Duke of Wellington

BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Evolution of Cyber Conflict

- Manual Attacks (1980s): War Dialing, Phone Phreaking. Manual Defences: Unplug.
- Mechanised Attacks (1988): Viruses, Worms. Mechanised Defences: Firewall, IDS/IPS.
- Talented Human / Mechanised Attackers (2009): APT, Multi-Step Attacks (Google, RSA). Targeted Human / Mechanised Defenders: Reputation, App-aware Firewall.
- DIY Human / Mechanised Attackers (2011): Cryptocurrency Ransoms, Store-bought Credentials (Target, Neiman Marcus). Intelligence Driven Human Defenders.

Defending against … rs.html

Agenda
- Introduction: Understanding the Landscape
- Introduction to NetFlow: Design and Deployment, Flow Export
- Flow Collection
- Adding Context
- Working with the data: Organising the data, Running Queries and Investigations
- Summary

About the Speaker
Matthew Robertson, Security Technical Marketing Engineer
- ½ year at Lancope
- 5½ years at Cisco (Development and Technical Marketing)
- Focused on advanced threat detection
- I am Canadian!

Thinking Beyond the Perimeter
Modern threats are consistently bypassing the security perimeter as they redraw the map.

Hiding in plain sight (Polar Bear)

Signals Intelligence
Traffic Analysis: Deduce information from communication patterns.

NetFlow
Client 10.2.2.2 port 1024 (seen on eth0/1) talks to server 10.1.1.1 port 80 (seen on eth0/2). The exporter produces one unidirectional record per direction:

Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts Sent | Bytes Sent | TCP Flags
10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5         | 1025       | SYN,ACK,PSH
10:20:12.871 | eth0/2    | 10.1.1.1 | 80       | 10.2.2.2 | 1024      | TCP   | 17        | 28712      | SYN,ACK,FIN

NetFlow Visibility
A single NetFlow Record provides a wealth of information:

Router# show flow monitor CYBER-MONITOR cache
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http

Agenda: Introduction to NetFlow (Design and Deployment, Flow Export)

NetFlow Deployment Architecture
- Management/Reporting Layer: Run queries on flow data; Centralise management and reporting
- Flow Collection Layer: Collection, storage and analysis of flow records
- Flow Exporting Layer: Enables telemetry export; As close to the traffic source as possible

Considerations: Flow Exporting Layer
1. NetFlow support
2. Which version of NetFlow to use
3. How to configure/what to measure
4. Where in the network to enable NetFlow export

Cisco NetFlow Support
Hardware supported: Cisco 1700, Cisco 2800, Cisco 2900, Cisco ISR G2, Cisco 7200 VXR, Cisco 7600, Cisco ASR, Cisco XR 12000, Cisco NGA, Cisco Catalyst 3560/3750-X/3850, Cisco Catalyst 4500, Cisco Catalyst 6500, Cisco Nexus 1000v, Cisco Nexus 7000, Cisco ASA

Versions of NetFlow

V5
- Major Advantage: Defines 18 exported fields; Simple and compact format; Most commonly used format
- Limits/Weaknesses: IPv4 only; Fixed fields, fixed length fields only; Single flow cache

V9
- Major Advantage: Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP nexthop supported; Defines 104 fields, including L2 fields; Reports flow direction
- Limits/Weaknesses: IPv6 flows transported in IPv4 packets; Fixed length fields only; Uses more memory; Slower performance; Single flow cache

Flexible NetFlow (FNF)
- Major Advantage: Template-based flow format (built on V9 protocol); Supports flow monitors (discrete caches); Supports selectable key fields and IPv6; Supports NBAR data fields
- Limits/Weaknesses: Less common; Requires more sophisticated platform to produce; Requires more sophisticated system to consume

IP Flow Information Export (IPFIX), AKA NetFlow V10
- Major Advantage: Standardised – RFC 5101, 5102, 6313; Supports variable length fields, NBAR2; Can export flows via IPv4 and IPv6 packets
- Limits/Weaknesses: Even less common; Only supported on a few Cisco platforms

NSEL (ASA only)
- Major Advantage: Built on NetFlow v9 protocol; State-based flow logging (context); Pre and Post NAT reporting
- Limits/Weaknesses: Missing many standard fields; Limited support by collectors

Configuring Flexible NetFlow

1. Configure the Exporter (where do I want my data sent?)
   Router(config)# flow exporter my-exporter
   Router(config-flow-exporter)# destination 1.1.1.1

2. Configure the Flow Record (what data do I want to meter?)
   Best Practice: include all v5 fields
   Router(config)# flow record my-record
   Router(config-flow-record)# match ipv4 destination address
   Router(config-flow-record)# match ipv4 source address
   Router(config-flow-record)# collect counter bytes

3. Configure the Flow Monitor (ties the record to the exporter and a flow cache)
   Router(config)# flow monitor my-monitor
   Router(config-flow-monitor)# exporter my-exporter
   Router(config-flow-monitor)# record my-record

4. Apply to an Interface (which interface do I want to monitor?)
   Router(config)# interface s3/0
   Router(config-if)# ip flow monitor my-monitor input

NetFlow Deployment
Each network layer offers unique NetFlow capabilities:
- Access: Catalyst 3560/3750-X, Catalyst 4500
- Distribution & Core: Catalyst 4500, Catalyst 6500
- Edge: ISR, ASA, ASR

NetFlow Deployment: Access (Catalyst 3560/3750-X, Catalyst 4500)
- New network edge
- Detect threats as they enter the network
- Detect threats inside the switch: east-west Layer 2 traffic
- Fewer false positives
- Higher-granular visibility
- Identify the endpoint: collect MAC Address

Catalyst 3560-X, 3750-X Flow Record

!
flow record CYBER_3KX_FLOW_RECORD
 match datalink mac source-address
 match datalink mac destination-address
 match datalink mac source-vlan-id
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

Catalyst 4500 Flow Record

!
flow record CYBER_4K_FLOW_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

NetFlow Deployment - Converged Access
- NetFlow for the first time on Wireless
- Visibility in BYOD environments
- Consistent configuration for wired and wireless
- Single flow monitor can be applied to wired ports and SSID
- Natively available in the UADP ASIC
- Can monitor East-West and North-South flows
- 48k flows on the 48 port model

NetFlow Deployment: Distribution & Core (Catalyst 4500, Catalyst 6500)
- Traditional deployment
- Minimal recommended deployment
- Enable at critical points/bottlenecks
- Typically done on a Layer 3 boundary
- Detect threats internal to the VLAN when deployed on an SVI interface
- Detect threats as they traverse the internal network and move between subnets

Catalyst 6500 (Sup 2T) Flow Record

!
flow record CYBER_6K_FLOW_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

NetFlow Deployment: Edge (ISR, ASA, ASR)
- Detect threats as they enter and leave the network
- Monitor communication between branches
- Gain context from edge devices: Application (NBAR); Events & User-ID (NSEL)

ISR Flow Record

!
flow record CYBER_ISR_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name     ! Enable NBAR
!

ASA NSEL Configuration

!
flow-export destination management <ip-address> 2055
!
policy-map global_policy
 class class-default
  flow-export event-type all destination <ip-address>
!
flow-export template timeout-rate 2
logging flow-export-syslogs disable
!

Flow Monitor Configuration

!
flow monitor CYBER_MONITOR
 record CYBER_RECORD
 exporter CYBER_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!

Active Timeout: Longest amount of time a flow can be in cache without exporting a Flow Record. Recommended 60 seconds. All exporters should have the same timeout.
Inactive Timeout: How long a flow can be inactive before being removed from cache. Recommended 15 seconds. All exporters should have the same timeout.

Aside: Myths about NetFlow Generation
- Myth #1: NetFlow impacts performance. Hardware implemented NetFlow has no performance impact; software implementation is typically significantly less than 15% processing overhead.
- Myth #2: NetFlow has bandwidth overhead. NetFlow is a summary protocol; traffic overhead is typically significantly less than 1% of total traffic per exporting device.

Agenda: Flow Collection

Flow Collection Considerations
- Scalability & Performance: # of NetFlow sources; # of users; Flows per second; Sustained vs. burst
- Feature set: Reporting; Drill down; Retention; Analysis
- Flow Handling: De-duplication; Stitching; Replication
- Your time, resources and budget

Components for NetFlow Security Monitoring
- StealthWatch Management Console: Management and reporting; Up to 25 FlowCollectors; Up to 3 million fps globally
- StealthWatch FlowCollector: Collect and analyse; Up to 2000 sources; Up to sustained 120,000 fps. Best Practice: Centralise collection globally
- StealthWatch FlowReplicator: UDP packet copier; Forward to multiple collection systems
- StealthWatch FlowSensor: Generate NetFlow data
- StealthWatch FlowSensor VE: Virtual environment; Visibility into ESX

NetFlow Collection: Flow Stitching

Uni-directional flow records (client 10.2.2.2 port 1024 on eth0/1, server 10.1.1.1 port 80 on eth0/2):

Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts Sent | Bytes Sent
10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5         | 1025
10:20:12.871 | eth0/2    | 10.1.1.1 | 80       | 10.2.2.2 | 1024      | TCP   | 17        | 28712

Bi-directional conversation flow record (allows easy visualisation and analysis):

Start Time   | Client IP | Client Port | Server IP | Server Port | Proto | Client Pkts | Client Bytes | Server Pkts | Server Bytes | Interfaces
10:20:12.221 | 10.2.2.2  | 1024        | 10.1.1.1  | 80          | TCP   | 5           | 1025         | 17          | 28712        | eth0/1, eth0/2

NetFlow Collection: De-duplication

Duplicates (client 10.2.2.2 port 1024, server 10.1.1.1 port 80, path crossing Router A, Router B and Router C):
- Router A: 10.2.2.2:1024 - 10.1.1.1:80
- Router B: 10.2.2.2:1024 - 10.1.1.1:80
- Router C: 10.1.1.1:80 - 10.2.2.2:1024

Without de-duplication: traffic volume can be misreported; false positives would occur.
De-duplication: allows for the efficient storage of flow data; necessary for accurate host-level reporting; does not discard data.
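The stitching and de-duplication steps on the two slides above, as an added example (not code from the deck or from StealthWatch): three exporters report the deck's 10.2.2.2:1024 to 10.1.1.1:80 flow, two of them seeing the same direction, and the collector logic below keys on the unidirectional 5-tuple so each half is counted once, then pairs the halves into one conversation record. Exporter names, timestamps and the third interface are constructed.

```python
"""Flow stitching and de-duplication over unidirectional NetFlow records
(added example; constructed records re-use the deck's 10.2.2.2 <-> 10.1.1.1 flow)."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One unidirectional record as an exporter would send it (start is HH:MM:SS.mmm).
FlowRecord = namedtuple(
    "FlowRecord", "exporter start interface src_ip src_port dst_ip dst_port proto pkts nbytes")


@dataclass
class Conversation:
    """Bi-directional record: one row per client/server exchange."""
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_pkts: int = 0
    client_bytes: int = 0
    server_pkts: int = 0
    server_bytes: int = 0
    interfaces: List[str] = field(default_factory=list)
    exporters: List[str] = field(default_factory=list)


# Constructed sample: Router A and Router B both export the client->server
# half, Router C exports the server->client half (the deck's own counters).
SAMPLE = [
    FlowRecord("Router A", "10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router B", "10:20:12.223", "eth0/3", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router C", "10:20:12.871", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]


def _key(r) -> Tuple:
    """Unidirectional 5-tuple; the same flow seen by several exporters shares it."""
    return (r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto)


def deduplicate(records):
    """Keep one record per 5-tuple (earliest sighting) but remember every
    exporter and interface that reported it: counters are not inflated and
    the per-exporter evidence is not discarded."""
    seen: Dict[Tuple, FlowRecord] = {}
    sources: Dict[Tuple, List[Tuple[str, str]]] = {}
    for r in sorted(records, key=lambda x: x.start):
        k = _key(r)
        sources.setdefault(k, []).append((r.exporter, r.interface))
        seen.setdefault(k, r)
    return seen, sources


def stitch(records) -> List[Conversation]:
    """Pair the two directions into one conversation record. The side whose
    half started first initiated the flow and is treated as the client."""
    seen, sources = deduplicate(records)
    convs: Dict[Tuple, Conversation] = {}
    for k, r in sorted(seen.items(), key=lambda kv: kv[1].start):
        reverse = (r.dst_ip, r.dst_port, r.src_ip, r.src_port, r.proto)
        if reverse in convs:                 # reply half: server-side counters
            c = convs[reverse]
            c.server_pkts += r.pkts
            c.server_bytes += r.nbytes
        else:                                # first half seen: client side
            c = convs.setdefault(k, Conversation(r.start, r.src_ip, r.src_port,
                                                 r.dst_ip, r.dst_port, r.proto))
            c.client_pkts += r.pkts
            c.client_bytes += r.nbytes
        for exporter, iface in sources[k]:
            if iface not in c.interfaces:
                c.interfaces.append(iface)
            if exporter not in c.exporters:
                c.exporters.append(exporter)
    return list(convs.values())


def naive_bytes(records) -> int:
    """Byte total with no de-duplication: the volume a collector would misreport."""
    return sum(r.nbytes for r in records)
```

Without de-duplication the three records sum to 30762 bytes; after it the conversation carries the true 1025 + 28712 and still lists all three exporters.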

Conversational Flow Record
The record answers: Who (client), What, How, Who (server), When, plus More Details.

Integrating with a SIEM
- Log alarms and summary info to SIEM (via Syslog or SDEE): Complete visibility throughout network; Leverage specialty data handling
- APIs to access the database: Directly access flow data (ex. getFlows); Improved scale for collection and retention; Decreased cost

Agenda: Adding Context

Context is Critical

ISE as a Telemetry Source
- Monitor Mode: Open Mode, Multi-Auth; Unobstructed Access; No impact on productivity
- Profiling, posture assessment
- Gain Visibility
- Maintain historical session table
- Correlate NetFlow to username
- Build User-centric reports
Cisco ISE sends its Authenticated Session Table to the StealthWatch Management Console via syslog.

Configuration: Logging on ISE
1. Create Remote Logging Target on ISE
2. Add Target to Logging Categories
Required Logging categories: RADIUS Accounting; Profiler; Administrative and Operational Audit

Configuration: Add ISE to SMC
1. (Not Shown) Create Admin User on ISE
2. (Not Shown) Configure ISE or CA certificate on SMC
3. (Shown) Add Cisco ISE to SMC Configuration
4. (Shown) Add additional ISE nodes

Global Intelligence
List of known Command and Control Servers

Adding Situational Awareness
Flow table columns: Client Host | Client Host Group | Server Host | Server Host Group | Application | Duration | Total Traffic | Start Active Time
Example row: 10.201.3.149 | Sales and Marketing, End … | … | … | … | … | 6.56K | Jan 11, 2014

Adding Situational Awareness
With identity added, the flow table gains a Client User Name column: Ken | 10.201.3.149 | Sales and Marketing, End … | … | 56.56K | Jan 11, 2014. The server side is annotated: Zeus.

Agenda: Working with the data (Organising the data, Running Queries and Investigations)

Behavioural Analysis & Anomaly Detection
- Behavioural Analysis: Leverages knowledge of known bad behaviour
- Anomaly Detection: Identify a change from “normal”

StealthWatch: Indices
- Concern Index: Tracks hosts that appear to be compromising network integrity
- Target Index: Tracks hosts that appear to be victims of the suspicious behaviour of other hosts
- File Sharing Index: Tracks behaviour that is indicative of peer-to-peer activity

StealthWatch: Alarms
- Alarms indicate significant behaviour changes and policy violations
- Known and unknown attacks generate alarms
- Activity that falls outside the baseline, acceptable behaviour or established policies

Host Groups
Virtual container of multiple IP Addresses/ranges that have similar attributes (e.g. Lab servers).
Best Practice: classify all known IP Addresses in one or more host groups.

Policy Tuning
- Tune alarm thresholds
- Policies can be created for individual host groups
- Default policy for Inside and Outside hosts

Flow Query Basics – The Flow Table
Filter (filter conditions) and Details (more details).

Flow Query Basics - Filtering
Select host to investigate: all flows in which this host was a client or server.

Flow Query Basics - Filtering
All flows for 10.10.200.79 in the last hour.

Flow Table: Visibility across NAT
Columns shown: User, Inside local, Outside global, Server.

Querying Events - Leveraging NSEL
Flow denied events over many ports.

Flow Table – IPv6

Host Groups – Targeted Monitoring
Host Group Dashboard for Engineers: suspiciously behaving hosts; Alarms.

Host Groups – Application Report
Applications inbound; Applications outbound.

Host Groups – Targeted Reporting
Geo-IP-based Host Group: summary chart of traffic inbound and outbound from this Host Group.

Host Groups – Targeted Reporting
Traffic inbound; Traffic outbound.

Host Groups – Discovering Rogue Hosts
Catch All: All unclassified RFC1918 addresses. Table of all individual hosts.

Host Groups – Discovering Rogue Hosts
Rogue Hosts.

Indicators of Compromise
- Raw flow analysis
- Outside notification
- Log analysis (SIEM)
- IDS Alert
- Behavioural analysis
- Activity monitoring

Attack Lifecycle Model (AKA the Kill Chain)
Stages shown, ending with Escalate Privileges and Complete Mission.
Mandiant APT1 Report: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Kill Chain: http://bit.ly/killchain

Building a … (stages ending with Escalate Privileges and Complete Mission)
IOC Found: Investigate forwards and backwards.

Identifying the Culprit

1. Indicator of Compromise: Alarm (Alarm Table, Alarm Summary); IDS Alert; Other. Yields a Host IP Address.
2. Host Snapshot (supplemental information): Most recent flows / Active flows; Traffic volume/type; Other Alarms; Exporter interfaces; Activity – scanning?; Thresholds; Touches.
3. Identity: Username; Device type and OS; Access location; Organisation/Geo; Role – Client or Server.
4. Is a worm indicated? Yes: Worm Tracker (Hosts affected, Host Groups affected, Subnets affected, Ports used, Protocols used). No: continue.
5. Is the behaviour normal or permissible? Yes: Tune. No: Respond.

APT1
IOC: Mandiant publishes list of domain names and IP addresses known to be used by APT1.
Create a Host Group for APT1 from the IP addresses.

APT1 – Host Locking Violation Alarm
Create a Host Lock Violation Alarm for communication to APT1:
- Set client hosts to all Inside Hosts
- Set server hosts to APT1
- Disallow all traffic
- Trigger alarm on any unidirectional traffic
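The host group model from the earlier slides (including the Catch All for unclassified RFC1918 space used to find rogue hosts) and the Host Lock Violation rule above, as an added example that is not StealthWatch code: hosts are classified by longest-prefix match, and the lock alarms on every Inside-to-APT1 conversation even when only the client half was seen. The group ranges are constructed and the APT1 entries are placeholders from the 203.0.113.0/24 documentation range, not real indicators.

```python
"""Host group classification with a Catch All for unclassified RFC1918 space,
plus a Host Lock Violation check (added example, not StealthWatch code).
The APT1 addresses are placeholders from 203.0.113.0/24, not real indicators."""
import ipaddress
from typing import Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed host group definitions: group name -> CIDR ranges.
HOST_GROUPS: Dict[str, List[str]] = {
    "Inside Hosts/Sales and Marketing": ["10.201.3.0/24"],
    "Inside Hosts/Engineers": ["10.10.200.0/24"],
    "Inside Hosts/Lab servers": ["10.50.0.0/16"],
    "APT1": ["203.0.113.10/32", "203.0.113.20/32"],   # placeholder C2 list
}


def classify(ip: str, groups: Dict[str, List[str]] = HOST_GROUPS) -> str:
    """Most specific (longest prefix) host group containing ip. Unclassified
    RFC1918 addresses land in the Catch All group, which is where rogue hosts
    show up; anything else is Outside."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for name, ranges in groups.items():
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    if best is not None:
        return best[1]
    if any(addr in n for n in RFC1918):
        return "Inside Hosts/Catch All"
    return "Outside Hosts"


def host_lock_violations(conversations, client_group="Inside Hosts", server_group="APT1"):
    """Host Lock policy: no traffic from client_group to server_group. Alarms on
    every matching conversation, including ones where only the client->server
    half was seen (server_bytes == 0): an unanswered beacon is still a hit."""
    alarms = []
    for c in conversations:
        cg, sg = classify(c["client_ip"]), classify(c["server_ip"])
        if cg.startswith(client_group) and sg == server_group:
            alarms.append({
                "client": c["client_ip"], "client_group": cg,
                "server": c["server_ip"], "server_port": c["server_port"],
                "unidirectional": c["server_bytes"] == 0,
            })
    return alarms


# Constructed, already stitched conversation records.
SAMPLE_CONVERSATIONS = [
    {"client_ip": "10.201.3.149", "server_ip": "203.0.113.10", "server_port": 443,
     "client_bytes": 6560, "server_bytes": 0},        # beacon attempt, no reply
    {"client_ip": "10.10.200.59", "server_ip": "10.50.1.7", "server_port": 445,
     "client_bytes": 1200, "server_bytes": 800},      # internal, not covered by this lock
    {"client_ip": "10.77.1.5", "server_ip": "203.0.113.20", "server_port": 21,
     "client_bytes": 900, "server_bytes": 28712},     # unclassified host talking to APT1
]
```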

APT1 - Investigate
You know today what you didn’t know yesterday. Run a Flow Query over the last 90 days where server or client includes the APT1 IP Address list.

APT1 – Returned Flows
Infected hosts; FTP transfers; APT1 servers.

Investigating Malware Spread: Worm Tracker
IOC: IDS Alert indicating a known worm operating inside your network. Worm tracker shows initial infection, secondary infections and subnets being scanned.

Investigating Malware Spread: Host Snapshot
Everything the system knows about 10.10.200.59. Start with CI Events: we notice significant scanning activity.

Investigating Malware Spread: Identity
Telemetry from the ISE gives the username behind the infected machine.

Investigating Malware Spread: Touched Hosts
This infected host has established a connection with another host.

Investigating Malware Spread: Touched Hosts
All hosts touched by 10.10.200.59.

High Concern Index
Baseline deviated by 2,432%!

What was this Host up to?
Target – entire subnet? Scanning on TCP-445.

NetFlow and (D)DoS Detection
- Identify targets: Target of suspicious activity; Abnormal traffic volume; Decrease in performance
- Identify attackers

Volumetric DDoS
Traffic spikes.

Identifying a DDoS Participant
IOC: Notification from 3rd party that your IP Address is participating in a DDoS. Known: public IP address, time of reported attack, target server.

Identifying a DDoS Participant
Validate attack activity at the time of the reported attack: User, Inside local, Outside global, Target Server.

Identify a DDoS Participant
Host snapshot: other suspicious activity.

Agenda: Summary

Links and Recommended Reading
- More about the Cisco Cyber Threat Defence …://www.lancope.com
- Recommended Reading: Cyber Threat Defence Cisco Validated Design …ral/ns1015/ns1238/cyber threat defense design guide.pdf

Key Takeaways
- Modern threats are consistently bypassing the security perimeter
- Threat Detection requires visibility and context into network traffic
- NetFlow and the Lancope StealthWatch System provide actionable security intelligence

Q&A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations: directly from your mobile device on the Cisco Live Mobile App, by visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile, or at any Cisco Live Internet Station located throughout the venue. Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm.
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

