October 21, 2013

Performing a Forensic Threat Investigation

The growing assumption these days is that malware and threats are already camped out on our networks.  The onslaught of spear phishing attempts and click jacking efforts has prevailed and infected our internal PCs.  Now what should we do about it?  Consider this….


Shop lifters walk into stores everyday with the intention of making out with goods they have no intention of paying for. Despite the successful exfiltration of merchandise that isn’t paid for, many of the stores impacted by these crimes are able to turn a profit and be successful.   This isn’t to imply that these stores don’t make efforts to capture patrons who attempt to steal.  In fact, many times they catch shop lifters in the act and confirm their suspicions by reviewing their behavior in video records or a CCTV system.  My point is, we might be able to live with infections but, we can’t ever stop looking for the perpetrators.

Every Flow Capable Switch is a Network Surveillance Camera

Observing network scans, odd flow ratios and comparison of IP addresses to host reputation lists are all methods used with flow technologies to identify infected hosts.  I’m not trying to suggest that the practice of carefully monitoring flow data can be used to catch all threats.   Rather, I want to point out that NetFlow and IPFIX are used for forensic threat investigation.  By owning Enterasys and Extreme flow capable switches, you already have an inherent network surveillance solution at your disposal.

Network Threat Surveillance

All that is needed to take advantage of the existing technology is a DVR or in the world of NetFlow and IPFIX, it’s called a flow collector.  A single flow collection system can receive over a hundred thousand flows per second from hundreds of switches and routers. When a single appliance isn’t enough, the collectors can be distributed and the reporting interface can display aggregated data across the deployed collectors.  Due to the wide availability of flow data in nearly every corner of the network, the value of a flow analysis solution for forensic threat investigation is second to none.

Only with NetFlow and IPFIX

Don’t expect to have the same insight when collecting sFlow.  SFlow isn’t a flow technology at all rather, it is a packet sampling technology that doesn’t scale as well as NetFlow or IPFIX especially when flow sampling is introduced.  Only NetFlow and IPFIX can be used to reliably display 100% of the data.

Increase your Contextual Details

Since NetFlow has long been used to gain insight into application performance issues, it’s growing popularity for forensic threat investigation is no surprise. IT Professionals are familiar with what’s possible with NetFlow and IPFIX and leverage it to investigate suspicious activities reported by other security appliances such as the IDS or firewall.  When greater contextual details surrounding the threat are necessary, flow data can be correlated with logs from other appliances.  This practice can increase your situational awareness related to the threat.  Even collecting URLs with NetFlow is possible which is useful when investigating suspicious traffic patterns such as those following a spear phishing attack.

Enterasys has a history of exporting the latest details using NetFlow.  Beyond typical NetFlow v5 details, they also include elements on IPv6 address, MAC address, VLAN, etc.  Using traditional elements as well as some of the new ones, we can correlate the flows with logs from a Mobile IAM server or the Microsoft Domain Controller to deliver details on the username.

Username with NetFlow and IPFIX

I’m excited about the recent acquisition by Extreme Networks  partly because they also support flow technologies. Both companies provide the flow data necessary to perform forensic threat investigations. Download our white paper on Successful Ways to Use NetFlow.

About The Contributor:
Mike PattersonCEO, Plixer

As one of the founders of the company, Michael has been involved in the development of Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics at Plixer. He enjoys writing and blogging about all things NetFlow, IPFIX and sFlow related.

See My Other Posts

Leave a Reply

Your email address will not be published. Required fields are marked *