NetFlow is an important tool for incident responders, providing valuable insight into the activities that take place on organizations' networks. NetFlow summarizes network traffic into brief records that may be retained indefinitely, providing a running history of network connections that can be referenced during incident response.
With all the good NetFlow brings, there are still some misconceptions about NetFlow that I will dispel for you today:
On the contrary, NetFlow records are often used to identify complex attacks, allowing responders to identify indicators of compromise across a large amount of network traffic in a timely fashion. Furthermore, because NetFlow can see deep into the network, it can be used for behavioral analysis that identifies anomalous traffic patterns, network reconnaissance, policy violation, internal pivots, and more.
Full packet capture is simply not a sustainable practice. Maintaining these records for an extended period of time requires extensive deployment of probes and massive storage capacity. Furthermore, analyzing records of full packet capture is very time consuming compared to the preprocessed data available from NetFlow.
Moreover, it’s not likely that a packet capture solution will be able to monitor pervasively throughout your network. You're likely to be doing it at an access point that exists between your network and the outside world. Maybe you’ve got a little bit of packet capture scattered around within your internal environment, but it's very difficult to capture every packet on every segment.
One of the biggest mistakes made in incident response is failing to conduct sufficient monitoring and surveillance to inform the response effort. NetFlow logs every communication taking place through a monitored device and provides information essential to incident responders. In its most basic configuration, NetFlow logs timestamps, source/destination IP addresses and ports, and the amount of information exchanged. Advanced configurations may include additional information requested by incident responders.
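The behavioral analysis mentioned earlier (spotting internal reconnaissance and pivots) needs nothing beyond the basic fields listed above. This added example, which is not code from the original post or from Lancope, parses a constructed CSV of NetFlow-style records (timestamp, addresses, ports, protocol, bytes) and flags an internal host that fans out to many internal peers on a single port; the field names, the 10.0.0.0/8 internal range and the threshold are assumptions.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample of NetFlow-style records (not from any real network).
# Fields mirror the basic NetFlow configuration described in the post:
# timestamp, source/destination IP and port, protocol, bytes exchanged.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
2024-05-01T09:00:01,10.1.1.20,51000,203.0.113.5,443,tcp,18250
2024-05-01T09:00:05,10.1.1.20,51001,10.1.1.21,445,tcp,320
2024-05-01T09:00:05,10.1.1.20,51002,10.1.1.22,445,tcp,320
2024-05-01T09:00:06,10.1.1.20,51003,10.1.1.23,445,tcp,320
2024-05-01T09:00:06,10.1.1.20,51004,10.1.1.24,445,tcp,320
2024-05-01T09:00:07,10.1.1.20,51005,10.1.1.25,445,tcp,320
2024-05-01T09:00:07,10.1.1.20,51006,10.1.1.26,445,tcp,320
2024-05-01T09:01:00,10.1.1.30,52000,10.1.2.5,3389,tcp,44000
2024-05-01T09:02:00,10.1.1.31,52001,203.0.113.5,80,tcp,9000
"""

# Assumed definition of "internal" address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports and byte counts."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def internal_fanout(flows, min_hosts=5):
    """Return (src, dst_port) pairs where one internal host contacted at least
    min_hosts distinct internal peers on the same port: a crude indicator of
    lateral reconnaissance or pivoting that needs only flow metadata."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            targets[(f["src"], f["dport"])].add(f["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_hosts}
```

In the sample, 10.1.1.20 reaching six peers on port 445 within seconds is flagged, while the single RDP connection from 10.1.1.30 is not.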
Incident responders can rest assured that NetFlow records can indeed be admissible in court. These records, gathered during the normal course of business, are often relied on as evidence in both criminal and civil trials. Various courts have repeatedly accepted NetFlow as a valid form of evidence of network activity.
When NetFlow first came to market over 15 years ago, it had a significant impact on router and switch CPU consumption. However, NetFlow is now a core capability of network devices, which are optimized to perform NetFlow operations without significant performance impact. Generally speaking, networking devices operating under a 50 percent utilization rate should see an impact of less than 2 percent on CPU performance after NetFlow is enabled. From a bandwidth perspective, network overhead is usually between 0.1 percent and 0.3 percent of the monitored traffic.
Lancope’s StealthWatch System applies NetFlow and IPFIX to the problem of detecting sophisticated, targeted attacks and creates an audit trail of network activity enabling organizations to discover active attacks in each phase of the attacker’s “kill chain”, determine the scope of successful breaches and document the timeline of the attacks.
To learn more about leveraging NetFlow for incident response, download your free copy of the “Incident Response with NetFlow for Dummies” e-book.