The Report "Network Profiling Using Flow" Released

Austin Whisnant
• CERT/CC Blog
Hi, this is Austin Whisnant of the CERT Network Situational Awareness Team (NetSA). After a long time in the making, NetSA has published an SEI technical report on how to inventory assets on a network using network flow data. Knowing what assets are on your network, especially those visible to outsiders, is an important step in gaining network situational awareness.

The report, Network Profiling Using Flow, maps out the steps to take to discover and classify assets when given only network flow data. The report provides thorough explanations of why each step is taken, along with examples of actual commands for those who just want to get things done. The end goal of network profiling using these steps is a list of externally visible hosts, what they do, who they talk to, and their possible security issues.

I authored the report under the guidance of Sid Faber, who is also a member of the NetSA team. The approach described in this report represents a necessary first step toward understanding how your network connects to the global internet.

