Lancope is now part of Cisco Learn MoreLancope Arrow About Cisco
5 Myths Of Netflow For Incident Response

5 Myths of NetFlow for Incident Response

Alicia Butler

NetFlow is an important tool for incident responders, providing valuable insight into the activities that take place on organizations networks. NetFlow is capable of summarizing information about network traffic into brief records that may be maintained indefinitely, providing a running history of network connections that may be referenced during incident response.

With all the good NetFlow brings, there are still some misconceptions about NetFlow that I will dispel for you today:

Myth 1: Complex Attacks Can’t Be Detected with NetFlow

On the contrary, NetFlow records are often used to identify complex attacks, allowing responders to identify indicators of compromise across a large amount of network traffic in a timely fashion. Furthermore, because NetFlow can see deep into the network, it can be used for behavioral analysis that identifies anomalous traffic patterns, network reconnaissance, policy violation, internal pivots, and more.

Myth 2: Full Packet Capture Makes NetFlow Irrelevant

Full packet capture is simply not a sustainable practice. Maintaining these records for an extended period of time requires extensive deployment of probes and massive storage capacity. Furthermore, analyzing records of full packet capture is very time consuming compared to the preprocessed data available from NetFlow.  

Moreover, it’s not likely that a packet capture solution will be able to monitor pervasively throughout your network. You're likely to be doing it at an access point that exists between your network and the outside world. Maybe you’ve got a little bit of packet capture scattered around within your internal environment, but it's very difficult to capture every single packet that happens everywhere.

Myth 3: NetFlow Provides Insufficient Information

One of the biggest mistakes made in incident response is failing to conduct sufficient monitoring and surveillance to inform the response effort. NetFlow logs every communication taking place through a monitored device and provides information essential to incident responders. In its most basic configuration, NetFlow logs timestamps, source/destination IP addresses and ports, and the amount of information exchanged. Advanced configurations may include additional information requested by incident responders.

Myth 4: NetFlow Is Not Admissible Evidence

Incident responders can rest assured that NetFlow records can indeed be admissible in court. These records, gathered during the normal course of business, are often relied on as evidence in both criminal and civil trials. Various courts have repeatedly accepted NetFlow as a valid form of evidence of network activity.

Myth 5: NetFlow Degrades Performance

When NetFlow first came to market over 15 years ago, it had a significant impact on router and switch CPU consumption. However, NetFlow is now a core capability of network devices, which are optimized to perform NetFlow operations without significant performance impact. Generally speaking, networking devices operating under a 50 percent utilization rate should see an impact of less than 2 percent on CPU performance after NetFlow is enabled. From a bandwidth perspective, network overhead is usually between 0.1 percent and 0.3 percent of the monitored traffic.

Lancope’s StealthWatch System applies NetFlow and IPFIX to the problem of detecting sophisticated, targeted attacks and creates an audit trail of network activity enabling organizations to discover active attacks in each phase of the attacker’s “kill chain”, determine the scope of successful breaches and document the timeline of the attacks.

To learn more about leveraging NetFlow for Incident Response download your free copy of the “Incident Response with NetFlow for Dummies” ebook.


More from this contributor:

As discussed in a recent webinar delivered by Lancope’s Director of Security Research, Tom Cross, Carnegie-Mellon’s CERT team published a book last...
When you have a sophisticated, targeted attacker who has compromised and taken over computers in your network, you may need to ask some questions...