Lancope is now part of Cisco Learn MoreLancope Arrow About Cisco

The Role of NetFlow in Digital Forensics and Incident Response

Alicia Butler

When you have a sophisticated, targeted attacker who has compromised and taken over computers in your network, you may need to ask some questions about what was happening in your network on top of simply cleaning the malware up and getting the infected computers back online.

Before you can feel confident that you’ve really removed the malware from the network, you need to:

  • Understand how that attacker was able to infect your environment
  • Determine the different assets that were compromised
  • Make sure you have a comprehensive understanding of that attacker's behavior

The process of analyzing an attacker's activity in your environment and trying to create a complete picture of everything that they have attempted to do is a process we call forensics.

As we have dealt with more and more sophisticated attackers, this process has become increasingly important. It's important, first of all, because these attackers often have multiple infection points in our network. They are using multiple different kinds of malware with different command-and-control protocols. If you find one and you clean it up, you can rest assured that there are others that you haven't found. Without doing in-depth analysis, it's really difficult to piece together a comprehensive picture of the compromise and to feel confident that you’ve completely rooted it out of your environment.

Additionally, what we've learned through handling these attacks over time is that, when you analyze them and you understand how they occurred, there are pieces of information that fall out of that analysis that might help you detect future attacks by the same adversary. For example, with the Advanced Persistent Threat, determined attackers are not going to be deterred because you found some of their malware and cleaned it up. They're going to continue to target you.

The ability to learn from their techniques and to apply what you have learned to look for continued attacks by them is a critical part of how you actually protect your network again future attacks.

There are three data sources that are of critical importance for network forensics:

  • Logs: There are many different points in the network that offer log information (end points, servers, network security devices, etc.). Logs are an incredibly valuable resource; however, once a computer is compromised, you can't trust the logs coming out of it anymore. The first thing an attacker is going to do when they control a computer is to get control of the logging process so that their activities are no longer logged. Furthermore, logs have a tendency to focus on events that devices consider to be interesting. For example, an IPS system is only going to log attacks that it detected. If your network is hit with a zero-day attack that the IPS system doesn’t know how to detect, obviously, those things are not going to be logged. So, a log can miss some critical pieces of information that are part of the complete picture of what happened in your network.
  • Packet Capture: An ideal application to get a complete picture of what happened on your network would be to have packet capture happening everywhere within your environment, and then to be able to store those packets captures forever. Unfortunately, that’s not realistic. Packet captures are very powerful if you have access to them, but they're also very expensive to store. The fact is that you're likely to only store a few days or maybe a couple weeks’ worth of packet captures if you're really heavily invested in it.

    Moreover, it’s not likely that a packet capture solution will be able to monitor pervasively throughout your network. You're likely to be doing it at an access point that exists between your network and the outside world. Maybe you’ve got a little bit of packet capture scattered around within your internal environment, but it's very difficult to capture every single packet that happens everywhere.

  • NetFlow: This is where NetFlow comes in. NetFlow is a very powerful tool for collecting an audit trail of what's happened in your environment, and it's a good complement to packet capture because it can see things that packet captures aren't going to see.

    NetFlow is compressed – it's just header information regarding the transactions that happened, so it's easy to store much more NetFlow for a much longer period of time than packet capture, for the same investment in disk space.

    It really boils down to how much history you want to store. With NetFlow, you can potentially store months, whereas, with the same amount of disk space, you might have only gotten days of packet capture.

    Additionally, it's really easy to get NetFlow pervasively from your environment. You can get NetFlow from down in the access and distribution layers of your switching fabric.

    If you look at this network map, for example, if an end-user’s computer gets infected, a system up at the firewall level might be able to identify transactions that came from that computer and went out to the Internet. What you won’t see is the record transactions that happened between those end point nodes down at the access level; and those transactions may be critically important when you're putting together what happened during a security incident to understand how the attacker pivoted from his initial point of infection to other machines within your environment. 
    Netflow Forensics Map

NetFlow is a critical ingredient in the recipe of how you defend your network against attacks. It has a lot of unique value alongside Syslog and packet capture.

Learn more about how Lancope leverages NetFlow for security intelligence and forensic investigations by watching this video and this webinar.


More from this contributor:

NetFlow is an important tool for incident responders, providing valuable insight into the activities that take place on organizations networks...
As discussed in a recent webinar delivered by Lancope’s Director of Security Research, Tom Cross, Carnegie-Mellon’s CERT team published a book last...