The Role of NetFlow in Digital Forensics and Incident Response by Tom Cross

Earlier this month, Lancope’s Charles Herring and I traveled to Austin, Texas to speak at the SANS Digital Forensics and Incident Response Summit. A great time was had by all, and I much enjoyed listening to the speakers there describe their approaches to analyzing malware and their thoughts about intelligence sharing. I came away with the impression that it’s important for Lancope to emphasize the role that NetFlow plays vis-à-vis other tools in an incident responder’s toolset, particularly Syslog and packet captures.

Let’s start with Syslog. Of course, everyone who has investigated a security incident knows how important it is to have good logs. There is no better way to find out what was going on inside a system or application at the time that an attack occurred. However, like all things, Syslog has limitations. You have to enable the collection of logs from each endpoint, so in many environments Syslog coverage is incomplete, and once a computer has been compromised, it’s not possible to trust the logs coming from that device anymore. So Syslog is critical, but it can’t tell you everything.

The same thing might be said for full packet capture. Many organizations are running rolling captures of their network on a 24/7 basis, and nothing beats a full capture for understanding what was going on over a network at a particular period of time. For this reason, incident responders are sometimes skeptical of the value of NetFlow. NetFlow only records the transactions that occurred over the network, and not the content of those transactions, so superficially it would seem that packet captures are preferable.

The problem is that there are practical limitations to collecting packet captures. Simply put, full packet capture is expensive. This means that organizations cannot necessarily collect captures pervasively throughout the inside of their networks – they tend to deploy packet capture devices at the Internet gateway or the data center, but not down at the access layer.

Furthermore, only so much history of the network’s activity can be affordably stored in the form of packet captures. The 2013 Verizon Data Breach Investigations Report indicated that 66% of the breaches Verizon investigated took months or more to discover. Very few organizations can afford to have months of network packet capture available for analysis in the event that they discover a breach.

NetFlow can fill in some of the gaps that packet captures can’t reach. First of all, it is economical to store large amounts of NetFlow because it’s only a transactional record, so organizations can keep a much longer history of events that occurred on their networks. That historical record can be immensely valuable when a breach is being investigated. Network transactions can show you where an initial malware infection came from, what command-and-control channel was initiated by the malware, what other computers on the internal network were accessed by that infected host, and whether other hosts in the network reached out to the same attacker or command-and-control system.

Most network infrastructure components speak some variety of NetFlow, so it’s easy to collect it not just at the gateway or network core, but all the way down at the access switches that endpoint systems are directly plugged into. By collecting NetFlow from the access layer, it is possible to capture records of all of the transactions occurring between individual systems on the internal network. This is activity that packet capture systems often aren’t positioned to record, and those records are critically important when trying to piece together what an infected system might have done during the period of time when it was infected.

Ultimately, Syslog, packet captures and NetFlow each have their place in an incident responder’s toolset. Each creates an audit trail that provides different pieces of the puzzle of what was happening while that network was infected. While most incident responders are very familiar with the power of Syslog and packet captures, many don’t have direct experience working with NetFlow. We encourage them to take a closer look. They may be surprised at the amount of visibility that NetFlow can provide.

For further details on NetFlow for network visibility, go to: http://www.lancope.com/solutions/.