For vendors, the cybersecurity landscape is a nice place to make a very lucrative business. New solutions and tools are released every day and promise you to easily detect malicious activities on your networks. And it’s a recurring story. Once they have been implemented by many customers, vendors come back again with new version flagged as “2.0”, “NG” or “Next Generation”. Is it really useful or just a hype? I won’t start the debate but keep in mind that good old tools and protocols remain still very valuable today.
I was contacted by a company which had a security incident. Apparently, they suffer from an ongoing data leak and customers’ information are leaked to the competition. If you are working in this field and you need to investigate quickly, you probably already faced the following situation. I visited them and started to grab details about the infrastructure, the architecture and the key point: logs or any kind of data that could help to spot the source of the leak. You realise quickly that nothing or only a low amount of information is available. A good point, they had a bunch of logs extracted from the local resolver. Based on the DNS queries performed by the hosts, we were able to spot a compromised one. But not all of them were using the local resolver (yes, it was possible to use any public DNS) and some hosts might communicate directly with IP addresses…
My next question to them was: “Do you know the NetFfow protocol?”. No, they did not. NetFlow is a very old protocol developed by Cisco in 1996(!). At the origin, it was developed for accounting reasons when the Internet was slow and subscription plans based on the amount of traffic you used (I’m feeling old now). A Cisco router/switch which has NetFlow enable (called an exporter) send UDP packets to a Netflow collector with the following details (resumed):
- timestamp (flow start)
- source IP /port
- destination IP / port
- number of packets
- number of bytes
This information is very useful to spot malicious activity! Once you started to collect Netflow data you can easily generate stats like:
- Top speakers on the network
- Top destinations
- Top protocols (based on the port)
- Hosts talking to suspicious hosts (ex: located in a country where you don’t have business thanks to the GeoIP)
- Hosts talking a regular interval with a low amount of traffic (typically systems phoning home to their C2)
- Hosts starting to talk at night
- And many more…
Compared to a full packet capture, you won’t see the traffic payload but the amount of data is very low and you don’t need a very powerful computer to process them.
To collect NetFlow data, you just have to install a collector (nfdump is the most known)
# apt-get install nfdump # vi /etc/default/nfdump (change the value of nfcapd_start to “yes”) # service nfdump start
Now, connect to your Cisco device and enable NetFlow:
Router(config)# ip flow-export <collector> <port>
The default port is 9996 and <collector> is the IP/FQDN of the server running the nfcapd daemon. Now, have a look at the nfdump command to extract interesting stats from the captured data. Note that many tools are able to digest NetFlow data. Logstash from the ELK stack is a good example. This setup can be deployed in a few minutes and will give you a nice visibility of your network traffic to quickly spot a malicious behaviour.
Conclusion: “Old Generation” tools remain valuable when you need to investigate security incidents.
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.