leverage the network

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1

Leverage the Network to Detect and Manage Threats

Matthew RobertsonTechnical Marketing Engineer

May 19, 2016


“The world is full of obvious things which nobody by any

chance observes.”

Sherlock Holmes, The Hound of the Baskervilles

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 5

About this Session: Finding the Insider ThreatMonitoring the network interior to find the threats within


Insider Threat


Stealthwatch

About this Session: Finding the Insider ThreatMonitoring the network interior to find the threats within


NetFlow

10.2.2.2port 1024

10.1.1.1port 80

eth

0/1

eth

0/2

Start Time Interfac

e

Src IP Src

Port

Dest IP Dest

Port

Proto Pkts

Sent

Bytes

Sent

SGT DGT TCP Flags

10:20:12.22

1

eth0/1 10.2.2.

2

1024 10.1.1.

1

80 TCP 5 1025 100 1010 SYN,ACK,PSH

10:20:12.87

1

eth0/2 10.1.1.

1

80 10.2.2.

2

1024 TCP 17 28712 1010 100 SYN,ACK,FIN

Start Time Interfac

e

Src IP Src

Port

Dest IP Dest

Port

Proto Pkts

Sent

Bytes

Sent

SGT DGT TCP Flags

10:20:12.22

1

eth0/1 10.2.2.

2

1024 10.1.1.

1

80 TCP 5 1025 100 1010 SYN,ACK,PSH


NetFlow = Visibility

Router# show flow monitor CYBER-MONITOR cache

…

IPV4 SOURCE ADDRESS: 192.168.100.100

IPV4 DESTINATION ADDRESS: 192.168.20.6

TRNS SOURCE PORT: 47321

TRNS DESTINATION PORT: 443

INTERFACE INPUT: Gi0/0/0

FLOW CTS SOURCE GROUP TAG: 100

FLOW CTS DESTINATION GROUP TAG: 1010

IP TOS: 0x00

IP PROTOCOL: 6

ipv4 next hop address: 192.168.20.6

tcp flags: 0x1A

interface output: Gi0/1.20

counter bytes: 1482

counter packets: 23

timestamp first: 12:33:53.358

timestamp last: 12:33:53.370

ip dscp: 0x00

ip ttl min: 127

ip ttl max: 127

application name: nbar secure-http

…

A single NetFlow Record provides a wealth of information


NetFlow Deployment

Catalyst® 6500

Distribution

& Core

Catalyst® 4500

ASA

ISR

Edge

ASR

Each network layer offers unique NetFlow capabilities

Access

Catalyst®

3560/3750-X

Catalyst® 4500

Catalyst®

3650/3850

Endpoint

AnyconnectNetwork Visibility Module


Stealthwatch System Components

Cisco Network

UDP Director

• UDP Packet copier

• Forward to multiple

collection systems

NetFlowStealthwatch Flow Sensor (VE)

• Generate NetFlow data

• Additional contextual fields

(ex. App, URL, SRT, RTT)

Stealthwatch Flow Collector

• Collect and analyze

• Up to 2000 sources

• Up to sustained 240,000

fps

Stealthwatch Management

Console

• Management and reporting

• Up to 25 Flow Collectors

• Up 6 million fps globally

Best Practice: Centralize

collection globally


NetFlow Collection: Flow Stitching

10.2.2.2port 1024

10.1.1.1port 80

eth

0/1

eth

0/2

Start Time Client IP Client

Port

Server IP Server

Port

Proto Client

Bytes

Client

Pkts

Server

Bytes

Server

Pkts

Client

SGT

Server

SGT

Interfaces

10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 100 1010 eth0/1

eth0/2

Uni-directional flow records

Bi-directional:

• Conversation flow record

• Allows easy visualization and analysis

Start Time Interface Src IP Src

Port

Dest IP Dest

Port

Proto Pkts

Sent

Bytes

Sent

SGT DGT

10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010

10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100


NetFlow Collection: De-duplication

Start Time Client

IP

Client

Port

Server

IP

Server

Port

Proto Client

Bytes

Client

Pkts

Server

Bytes

Server

Pkts

App Client

SGT

Server

SGT

Exporter, Interface,

Direction, Action

10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 HTTP 100 1010 Sw1, eth0, in

Sw1, eth1, out

Sw2, eth0, in

Sw2, eth1, out

ASA, eth1, in

ASA, eth0, out, Permitted

ASA eth0, in, Permitted

ASA, eth1, out

Sw3, eth1, in

Sw3, eth0, out

Sw1, eth1, in

Sw1, eth0, out

10.2.2.2port 1024 10.1.1.1

port 80Sw1

Sw2

Sw3

ASA


Host Groups

• Virtual Container of IP Addresses

• User defined

• Similar attributes

• Model any Process/Application


ISE as a Telemetry SourceMonitor Mode

• Open Mode, Multi-Auth

• Unobstructed Access

• No impact on productivity

• Profiling, posture

assessment

• Gain Visibility

Authenticated Session Table

Cisco ISE

• Maintain historical session table

• Correlate NetFlow to username

• Build User-centric reports

StealthwatchManagement

Console

syslog


Global Intelligence

Stealthwatch

Threat

Intelligence

License

• Known C&C Servers

• Tor Entrance and Exits


Conversational Flow Record

WhoWhoWhat

When

How

Where

• Stitched and de-duplicated

• Conversational representation

• Highly scalable data collection and compression• Months of data retention

More context


Conversational Flow Record

ISE

Telemetry

NBAR

Applied situational

awareness

Flow Sensor

Geo-IP

mapping

Threat

Intelligence


Conversational Flow Record: Exporters

Path the flow is taking through the network


NetFlow Analysis with Stealthwatch:

Identify additional Indicators of Compromise (IOCs)

• Policy & Segmentation

• Network Behaviour & Anomaly Detection (NBAD)

Better understand / respond to an IOC:

• Audit trail of all host-to-host communication

Discovery

• Identify business critical applications and services across the network


“There is nothing like first hand evidence”

Sherlock Holmes, A Study in Scarlett


Flow Query Basics – The Flow Table

FilterFilter conditions

Details More details


Flow Query Basics - Filtering

Select host to

investigate

All flows in which this host was

a client or server


Hunting


Host groups and reports make it

easier to hunt


Types of Host Groups

• Inside Hosts:

• All Hosts specifically defined as part

of the network

• By Default – “Catch All” • Outside Hosts

• All Hosts not specifically defined as

part of the network

• Countries – GEO-IP

• SLIC Created

• Bogon

• Command & Control Servers

• Tor


Inside Host Groups

Default Host Groups

• Catch All

• RFC 1918 Space

• By Function

• By Location

Include public IP space


Host Groups: Parent-Child Relationship

Configuration trickles downInformation reports up


Host Groups – Targeted Reporting

Geo-IP-based Host Group

Summary chart of traffic

inbound and outbound from

this Host Group


Host Groups – Targeted Reporting

Traffic inbound

Traffic outbound


Host Groups – Application Report

Applications outbound

Applications inbound


Concept: Indicator of Compromise

IDS/IPS Alert

Log analysis (SIEM)

Raw flow analysis

Outside notification

Behavioural analysis

Activity monitoring

an artifact observed on a network or in operating system

that with high confidence indicates a computer intrusion• http://en.wikipedia.org/wiki/Indicator_of_compromise

Anomaly detection

File hashes

IP Addresses


IoC’s from Traffic Analysis

Behavioural Analysis:

• Leverages knowledge of known bad behaviour

• Policy and segmentation

Anomaly Detection:

• Identify a change from “normal”


Stealthwatch NBAD Model

Algorithm Security

EventAlarm

Track and/or measure behaviour/activity

Suspicious behaviour observed or anomaly detected

Notification of security event generated


Alarm Categories

Each category accrues points.


Stealthwatch: Alarms

Alarms

• Indicate significant behaviour changes and policy violations

• Known and unknown attacks generate alarms

• Activity that falls outside the baseline, acceptable behaviour

or established policies


Behavioural AnalysisLeverages knowledge of known bad behaviour

Mouse


Segmentation Monitoring

Host Groups

Relationship

Forbidden relationship


Policy Violation: Host Locking

Client groupServer group

Client traffic

conditions

Server traffic

conditions

Successful or

unsucessful


Policy Violation: Host Locking

Communication in violation of policy

• Active alarm monitoring adherence to policy


Policy Violation: Custom Security Events

Custom event

triggers on traffic

condition

Source Tag

Destination Tag

Rule name and

description

Object conditionsPeer conditions

Connection

conditions


Policy Violation: Custom Security Events

Alarm dashboard showing all Policy alarms

Details of “Employee to Productions

Servers” alarm occurrences


Anomaly DetectionIdentify a change from “normal”

Suit?


Example Alarm Category: Concern IndexConcern Index: Track hosts that appear to compromising network integrity

66 different algorithms as of

v6.7.1.


High Concern IndexBaseline deviated by 2,432%!


Identifying Internal Reconnaissance from CI

Scanning on TCP-445

across multiple subnets

Concern Index Events


Example Event: Suspect Quiet Long Flow

An IP communication between an Inside and Outside host (with traffic in both directions)

that exceeds the “Seconds required to qualify a flow as long” duration and is suspiciously

small

Default Policy


Watching for Data Theft

Data Exfiltration

• Identify suspect movement from Inside Network to Outside

• Single or multiple destinations from a single source

• Policy and behavioral


Data Hoarding

Suspect Data Hoarding:

• Unusually large amount of data

inbound from other hosts

Target Data Hoarding:

• Unusually large amount of data outbound

from a host to multiple hosts


Suspect Data Hoarding

Data Hoarding

• Unusually large amount of data inbound to a host from other hosts

• Policy and behavioral


“The Science of Deduction.”

Chapter 1: The Sign of the Four


The Science of Deduction Gathering Evidence

Data Element

What did they get?

When did they get it?

Where did they go?

Are they still here?

Who is they?

IOC


Investigating a Host Host report for 10.201.3.59

Behavior alarms

Quick view of host

group communication

Summary

information


Investigating: Host Drilldown

User

informationApplications


Investigating: Applications

A lot of applications. Some

suspicious!


Investigating: Audit Trails

Network behavior retroactively analyzed


It Could Start with a User …

Alarms

Devices and

Sessions

Active Directory

Details

Username

View Flows


Adaptive Network Control

Quarantine/Unquarantine via pxGrid

Identity Services Engine

StealthwatchManagement

Console


Key Takeaways

Insider threats are operating on the network interiorThreat detection and response requires visibility and

context into network traffic

NetFlow and the Cisco Stealthwatch System provide actionable security intelligence

Thank you.

leverage the network

Technology