Posted on by CERTin
By Timothy Shimeall
Senior Member of the Technical Staff
CERT Network Situational Awareness
By the close of 2016, "Annual global IP traffic will pass the zettabyte ([ZB]; 1000 exabytes [EB]) threshold and will reach 2.3 ZBs per year by 2020," according to Cisco's Visual Networking Index. The report further states that in the same time frame smartphone traffic will exceed PC traffic. Capturing and evaluating network traffic lets defenders of large organizational networks generate security alerts and identify intrusions, yet operators of even modestly sized networks struggle to build a full, comprehensive view of network activity. To make sound security decisions, operators need to understand the mission activity on their network and the threats to that activity (together referred to as network situational awareness). This blog post examines two different approaches for analyzing network security, using and going beyond network flow data, to gain the situational awareness needed to improve security.
Benefits of Network Flow Analysis
Network flow data is aggregated packet-header data (with no content capture) for a communication between a source and a destination. Communications are distinguished by the protocol-level information in the headers, normally the 5-tuple of source address, destination address, source port, destination port and transport protocol, and by proximity in time: a flow record aggregates the header information for all packets that share those settings within a designated time window, and a new record begins once the window or an idle period expires. There are several reasons that network flow data is a useful format for analyzing network traffic:
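The aggregation step described above, as an added example that is not part of the original post or of any CERT tool: packet headers (constructed here, no payload) are grouped by 5-tuple into unidirectional flow records, and a record is closed when the 5-tuple falls silent for an idle timeout or runs past an active timeout. The timeout values are this example's own choices.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet-header records for the example (no payload is kept):
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, ip_proto, bytes)
PACKETS = [
    (100.0, "10.0.0.5", "93.184.216.34", 51000, 443, 6, 517),
    (100.2, "93.184.216.34", "10.0.0.5", 443, 51000, 6, 1400),
    (100.3, "10.0.0.5", "93.184.216.34", 51000, 443, 6, 66),
    (101.0, "10.0.0.7", "10.0.0.53", 40000, 53, 17, 75),
    (101.1, "10.0.0.53", "10.0.0.7", 53, 40000, 17, 120),
    # same 5-tuple as the first packet, but after a long silence: a new flow record
    (200.0, "10.0.0.5", "93.184.216.34", 51000, 443, 6, 517),
    (229.0, "10.0.0.5", "93.184.216.34", 51000, 443, 6, 66),
]

# Assumed timeouts (this example's choice, not a standard):
IDLE_TIMEOUT = 30.0      # seconds of silence that close a flow record
ACTIVE_TIMEOUT = 1800.0  # a long-lived flow is cut into records of at most this length

FlowKey = Tuple[str, str, int, int, int]

@dataclass
class Flow:
    key: FlowKey
    start: float
    end: float
    packets: int = 0
    bytes: int = 0

def aggregate(packets, idle_timeout=IDLE_TIMEOUT, active_timeout=ACTIVE_TIMEOUT) -> List[Flow]:
    """Group packet headers into unidirectional flow records.

    Packets sharing the 5-tuple (src, dst, sport, dport, proto) are summed into one
    record until either timeout expires; then a fresh record starts for that 5-tuple.
    """
    active: Dict[FlowKey, Flow] = {}
    finished: List[Flow] = []
    for ts, src, dst, sport, dport, proto, nbytes in sorted(packets, key=lambda p: p[0]):
        key: FlowKey = (src, dst, sport, dport, proto)
        flow = active.get(key)
        if flow is not None and (ts - flow.end > idle_timeout or ts - flow.start > active_timeout):
            finished.append(active.pop(key))   # expire the old record
            flow = None
        if flow is None:
            flow = active.setdefault(key, Flow(key, ts, ts))
        flow.end = ts
        flow.packets += 1
        flow.bytes += nbytes
    finished.extend(active.values())           # flush records still open at end of input
    return sorted(finished, key=lambda f: (f.start, f.key))

def format_flow(f: Flow) -> str:
    src, dst, sport, dport, proto = f.key
    return (f"{src}:{sport} -> {dst}:{dport} proto={proto} "
            f"pkts={f.packets} bytes={f.bytes} dur={f.end - f.start:.1f}s")

if __name__ == "__main__":
    for f in aggregate(PACKETS):
        print(format_flow(f))
```

Note what survives: addresses, ports, protocol, timing, packet and byte counts. Everything the packets carried in their payload is gone, which is what makes the data compact enough to keep for every conversation on a large network and also why it cannot, on its own, say what a request contained.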
Combining Network Flow with Other Data Sources
Although network flow is a powerful data source, it is not the only source analysts and security staff should use to analyze network traffic. Content-based attacks strike through the data itself. SQL injection, for example, abuses dynamic database queries that incorporate user-supplied input, letting an attacker execute malicious SQL statements on a web application's database server. If analysts limit their examination to network flow data after a web application attack, the lack of content in that data means they cannot determine that the event was an SQL injection; the injected request produces a flow record that looks much like any other request to the same server.
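To make that concrete, here is an added example (not from the original post) that joins flow records to a web server's access log. Both the two flow records and the two combined-format log lines are constructed for the example; the injection pattern is deliberately coarse and stands in for whatever ruleset an IDS or WAF would apply. Seen only as flows, the benign request and the injection are the same size, same port, same shape; only the log line carries the payload.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed flow records for two client->server HTTP connections (already aggregated, no payload).
FLOWS = [
    {"sip": "203.0.113.10", "sport": 52311, "dip": "10.0.0.80", "dport": 80, "proto": 6,
     "start": "2016-11-02T14:05:01Z", "packets": 6, "bytes": 812},
    {"sip": "198.51.100.7", "sport": 44120, "dip": "10.0.0.80", "dport": 80, "proto": 6,
     "start": "2016-11-02T14:05:03Z", "packets": 6, "bytes": 835},
]

# Constructed web-server access log (combined log format) for the same two requests.
ACCESS_LOG = """\
203.0.113.10 - - [02/Nov/2016:14:05:01 +0000] "GET /item?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2016:14:05:03 +0000] "GET /item?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 91233 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Coarse indicator for tautology, UNION and comment-terminated injections. A real deployment
# would use an IDS or WAF ruleset; this only shows that request content is needed at all.
SQLI_RE = re.compile(r"'\s*(or|and)\s+[^=]+=|union\s+select|--\s*$", re.IGNORECASE)

def parse_access_log(text):
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": unquote(m["path"]),   # decode %27 etc. before matching
            "status": int(m["status"]),
        })
    return entries

def looks_like_sqli(path: str) -> bool:
    return SQLI_RE.search(path) is not None

def flow_start(f):
    return datetime.strptime(f["start"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def enrich_flows(flows, log_entries, window=timedelta(seconds=5)):
    """Join each flow to access-log requests from the same client IP within `window` of the
    flow start, and record whether any joined request carries an injection string."""
    out = []
    for f in flows:
        start = flow_start(f)
        hits = [e for e in log_entries if e["ip"] == f["sip"] and abs(e["ts"] - start) <= window]
        out.append({**f,
                    "requests": [e["path"] for e in hits],
                    "sqli": any(looks_like_sqli(e["path"]) for e in hits)})
    return out

if __name__ == "__main__":
    for rec in enrich_flows(FLOWS, parse_access_log(ACCESS_LOG)):
        print(rec["sip"], rec["packets"], rec["bytes"], rec["requests"], "SQLi" if rec["sqli"] else "ok")
```

The join key here is client address plus a small time window. That is adequate when the web server sees the client's real address; when a load balancer or NAT sits in front of the server, the log's client field and the flow's source address no longer agree, which is the correspondence problem discussed at the end of this post.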
In large organizations, analysts contend with so much traffic that they must employ a mix of methods to secure a network. Starting from an observed event, analysts must be able to generalize their analysis and expand its focus so they capture every aspect relevant to understanding an unexpected change in network traffic (bottom up). Such changes can be benign; for example, a new service appears, users adopt it, and security measures need to be extended to protect it. Analysts also need to start from a model of normal network behavior and then narrow their focus to investigate deviations from that model that may reflect intrusions (top down). Again, such deviations may be benign; for example, traffic from a group of developers working unusually late hours and accessing sites not normally found in the network traffic.
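Both directions of analysis, run over the same flow records, as an added example that is not part of the original post. The baseline and recent flow records are constructed, the address plan (10.0.0.0/8 is the organization) is assumed, and the behavior model is deliberately simple: per internal host, the set of services it contacts and the span of hours in which it is normally active. Top down flags departures from that model; bottom up starts from one flagged event and pulls in everything that touched the host around it.

```python
from datetime import datetime, timezone

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_internal(ip):   # assumed address plan for the example: 10.0.0.0/8 is the organization
    return ip.startswith("10.")

# Constructed unidirectional flow records: (start, sip, dip, dport, ip_proto, bytes)
BASELINE = [  # a quiet prior week, used to model "normal" per internal host
    ("2016-10-24T09:12:00Z", "10.0.1.20", "10.0.0.53", 53, 17, 80),
    ("2016-10-24T09:13:00Z", "10.0.1.20", "93.184.216.34", 443, 6, 5200),
    ("2016-10-24T14:40:00Z", "10.0.1.20", "93.184.216.34", 443, 6, 7100),
    ("2016-10-25T10:02:00Z", "10.0.1.20", "10.0.0.53", 53, 17, 90),
    ("2016-10-25T16:30:00Z", "10.0.1.20", "198.51.100.20", 443, 6, 3000),
    ("2016-10-24T11:00:00Z", "10.0.1.21", "10.0.0.10", 445, 6, 12000),
    ("2016-10-25T15:10:00Z", "10.0.1.21", "10.0.0.10", 445, 6, 8000),
]
RECENT = [  # the period under investigation
    ("2016-11-01T10:15:00Z", "10.0.1.20", "10.0.0.53", 53, 17, 85),
    ("2016-11-01T02:30:00Z", "10.0.1.20", "203.0.113.9", 4444, 6, 150000),
    ("2016-11-01T02:31:00Z", "203.0.113.9", "10.0.1.20", 4444, 6, 900),
    ("2016-11-01T13:00:00Z", "10.0.1.21", "10.0.0.10", 445, 6, 9000),
    ("2016-11-01T13:05:00Z", "10.0.1.21", "10.0.1.20", 3389, 6, 4000),
]

def build_profile(flows):
    """Top-down model: per internal source host, the (port, proto) services it talks to
    and the span of hours in which it is normally active."""
    profile = {}
    for start, sip, dip, dport, proto, _ in flows:
        if not is_internal(sip):
            continue
        p = profile.setdefault(sip, {"services": set(), "hours": []})
        p["services"].add((dport, proto))
        p["hours"].append(parse_ts(start).hour)
    for p in profile.values():
        p["hours"] = (min(p["hours"]), max(p["hours"]))
    return profile

def top_down(profile, flows):
    """Return (record, reasons) for flows from internal hosts that deviate from the model."""
    findings = []
    for rec in flows:
        start, sip, dip, dport, proto, _ = rec
        if not is_internal(sip):
            continue
        reasons = []
        p = profile.get(sip)
        if p is None:
            reasons.append("unknown-host")
        else:
            if (dport, proto) not in p["services"]:
                reasons.append("new-service")
            lo, hi = p["hours"]
            if not lo <= parse_ts(start).hour <= hi:
                reasons.append("off-hours")
        if reasons:
            findings.append((rec, reasons))
    return findings

def bottom_up(flows, host, t0, t1):
    """Pivot from one event: every flow touching `host` in [t0, t1] and the peers involved."""
    hits = [r for r in flows if host in (r[1], r[2]) and t0 <= parse_ts(r[0]) <= t1]
    peers = sorted({r[2] if r[1] == host else r[1] for r in hits})
    return hits, peers

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for rec, reasons in top_down(profile, RECENT):
        print(rec, reasons)
    hits, peers = bottom_up(RECENT, "10.0.1.20",
                            parse_ts("2016-11-01T02:00:00Z"), parse_ts("2016-11-01T03:00:00Z"))
    print(len(hits), "flows in window; peers:", peers)
```

Both findings here need a human decision. The 02:30 connection to a new service on an unusual port is the kind of deviation worth chasing; the 13:05 RDP session between two workstations might equally be a help-desk session. The model only says "not seen before," and that is why the post pairs top down with other data sources rather than treating deviations as verdicts.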
Defenders of information networks in large-scale organizations do not use network flow data alone. Both top-down and bottom-up analyses combine network flow data with other information from the network, including
Building a Common Understanding of Network Security
There are two basic approaches to building a common understanding of network security:
No matter which approach a defender uses, network attackers are often good at hiding behaviors with respect to any single data source. For example, if network attackers have styled their attacks so that they can't be detected through antivirus software or common IDS rules, analysts must then rely on network flow analysis, changes in service behaviors, or log file entries. Figure 1 below shows a visualization of a fictitious attack, merging IDS alerts (which produced the attack labels on the hosts), network population information (which produced the presence or absence of hosts at an IP address) and network flow data (which produced the traffic volume timelines shown on network links). Such a visualization can aid in both understanding and responding to attacks.
Figure 1: A Situational Awareness Graphic for a Small Network Merging IDS Data, Host Inventory Data, and Network Flow Data
On a separate front, many organizations with large networks have moved to managing systems automatically. Automatic analysis of network flow can confirm which services a system provides and, through the network behaviors it reveals, which operating system it runs; responses to network scans can additionally identify known vulnerabilities.
If network defenders compare the snapshot view of the network from network management software with the behavioral view from network flow data, they gain a more comprehensive picture of network traffic. For example, by focusing on behavior, analysts can determine which devices respond to web connection requests; comparing those with the devices authorized through network management software may reveal gaps in the authorization lists.
Without knowing both sides it can be hard for network analysts to determine whether a responding device is an authorized server or an unauthorized one. Sometimes the unauthorized server is a printer or a wireless router that uses a web-based interface for configuration. You might want that interface available to network personnel, but you really do not want it reachable from the internet.
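The comparison just described, written out as an added example (not from the original post and not the output of any particular network management product). The flow records and the inventory snapshot are constructed; the address plan (10.0.0.0/8 is internal) is assumed. A host counts as a web responder only if the server side of a TCP conversation carries SYN and ACK, so a bare RST from a closed port is not mistaken for a service. The result lists responders the inventory does not authorize, responders the inventory has never heard of, and authorized servers that were silent.

```python
# Constructed flow records as seen from inside the network:
# (sip, sport, dip, dport, ip_proto, tcp_flags, packets)
FLOWS = [
    ("10.0.0.80", 443, "203.0.113.10", 51000, 6, "SA", 12),  # inventoried web server answering
    ("10.0.0.25", 80, "10.0.1.20", 40001, 6, "SA", 9),       # printer's web UI answering an internal client
    ("10.0.0.25", 80, "203.0.113.5", 41002, 6, "SA", 7),     # printer's web UI answering an internet client
    ("10.0.0.30", 443, "10.0.1.21", 40100, 6, "R", 1),       # closed port: RST only, not a server
    ("10.0.0.99", 80, "10.0.1.22", 40200, 6, "SA", 5),       # responder that is not in the inventory at all
    ("10.0.1.20", 52000, "10.0.0.80", 443, 6, "S", 1),       # client side of a connection; ignored
]

# Constructed snapshot from network-management software: which hosts exist and which may serve web.
INVENTORY = {
    "10.0.0.80": {"role": "web-server", "web_authorized": True},
    "10.0.0.81": {"role": "web-server", "web_authorized": True},
    "10.0.0.25": {"role": "printer", "web_authorized": False},
    "10.0.0.30": {"role": "file-server", "web_authorized": False},
}

def is_internal(ip):   # assumed address plan for the example: 10.0.0.0/8 is the organization
    return ip.startswith("10.")

def observed_web_servers(flows, ports=(80, 443)):
    """Hosts that actually answered on a web port, mapped to the clients they answered.
    The server-side flow must carry SYN+ACK; an RST from a closed port or a client SYN does not count."""
    servers = {}
    for sip, sport, dip, dport, proto, flags, _ in flows:
        if proto == 6 and sport in ports and "S" in flags and "A" in flags:
            servers.setdefault(sip, set()).add(dip)
    return servers

def compare_with_inventory(inventory, servers):
    """Behavioral view (who responds) against management view (who is allowed to)."""
    authorized = {ip for ip, e in inventory.items() if e["web_authorized"]}
    report = {"unauthorized": {}, "unknown": [], "silent_authorized": sorted(authorized - set(servers))}
    for ip, clients in sorted(servers.items()):
        if ip in authorized:
            continue
        if ip not in inventory:
            report["unknown"].append(ip)
            continue
        report["unauthorized"][ip] = {
            "role": inventory[ip]["role"],
            "external_clients": sorted(c for c in clients if not is_internal(c)),
        }
    return report

if __name__ == "__main__":
    print(compare_with_inventory(INVENTORY, observed_web_servers(FLOWS)))
```

In this data the printer is the interesting entry: it is in the inventory, it is not authorized to serve web, and it answered a client on the internet, which is exactly the exposed configuration interface the paragraph above warns about. The silent authorized server is a weaker signal but still worth a look: either the inventory is stale or the service is down.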
Wrapping Up and Looking Ahead
While network flow data has proven quite useful as a record of network traffic, issues remain when using it alongside other data sources. The time (and possibly the order) of events may differ between data sources, depending on how each source observed and interleaved the events. External-facing and internal-facing IP addresses may differ, and in the case of Network Address Translation (NAT), a single external-facing IP address (seen by the firewall or in network flow data) may stand in for many internal-facing IP addresses (seen in host logs, IDS alerts, and network management data). Currently, this inconsistency of characteristics is dealt with on a case-by-case basis. Establishing a robust correspondence and using it in analysis remains an active area of research.
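One case-by-case treatment of both problems, as an added example that is not part of the original post. It assumes the firewall logs each NAT binding when it is created and torn down (the log line format here is the example's own, not a vendor's), and that the clock offset of each host relative to the flow sensor has been measured separately. An external-vantage flow record is mapped back to the internal host whose binding was live at that instant (the same external port is reused over time, so the interval matters), and host-agent events are shifted by the host's offset before being matched to the flow. All log lines, flows and events are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed firewall NAT translation log. The line format is this example's own.
NAT_LOG = """\
2016-11-02T14:05:00Z NAT-ADD tcp 10.0.1.20:52311 -> 198.51.100.1:31000
2016-11-02T14:05:40Z NAT-DEL tcp 10.0.1.20:52311 -> 198.51.100.1:31000
2016-11-02T14:06:10Z NAT-ADD tcp 10.0.1.21:44120 -> 198.51.100.1:31000
2016-11-02T14:07:00Z NAT-DEL tcp 10.0.1.21:44120 -> 198.51.100.1:31000
"""
NAT_RE = re.compile(r"^(\S+) NAT-(ADD|DEL) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed flow records from a sensor outside the firewall: only the NAT address is visible.
EXTERNAL_FLOWS = [
    {"start": "2016-11-02T14:05:10Z", "proto": "tcp", "sip": "198.51.100.1", "sport": 31000,
     "dip": "203.0.113.9", "dport": 4444},
    {"start": "2016-11-02T14:05:50Z", "proto": "tcp", "sip": "198.51.100.1", "sport": 31000,
     "dip": "203.0.113.9", "dport": 4444},   # falls between two bindings of the same port
    {"start": "2016-11-02T14:06:20Z", "proto": "tcp", "sip": "198.51.100.1", "sport": 31000,
     "dip": "203.0.113.9", "dport": 4444},
]

# Constructed host-agent events, stamped by each host's own clock.
HOST_EVENTS = [
    ("2016-11-02T14:05:12Z", "10.0.1.20", "chrome.exe connected to 203.0.113.9:4444"),
    ("2016-11-02T14:07:50Z", "10.0.1.21", "powershell.exe connected to 203.0.113.9:4444"),
]
# Assumed to have been measured separately: 10.0.1.21's clock runs 90 s ahead of the flow sensor.
HOST_CLOCK_OFFSET = {"10.0.1.21": timedelta(seconds=90)}

def build_nat_table(text):
    """Pair NAT-ADD/NAT-DEL lines into (start, end, proto, ext_ip, ext_port, int_ip, int_port)."""
    open_entries, table = {}, []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        ts, op, proto, int_ip, int_port, ext_ip, ext_port = m.groups()
        key = (proto, ext_ip, int(ext_port))
        if op == "ADD":
            open_entries[key] = (parse_ts(ts), int_ip, int(int_port))
        elif key in open_entries:
            start, iip, iport = open_entries.pop(key)
            table.append((start, parse_ts(ts), proto, ext_ip, int(ext_port), iip, iport))
    for (proto, ext_ip, ext_port), (start, iip, iport) in open_entries.items():
        table.append((start, None, proto, ext_ip, ext_port, iip, iport))   # still open at end of log
    return table

def resolve_internal(table, proto, ext_ip, ext_port, ts):
    """Internal (ip, port) whose binding covered `ts`, or None if no binding was live then."""
    for start, end, p, eip, eport, iip, iport in table:
        if (p, eip, eport) == (proto, ext_ip, ext_port) and start <= ts and (end is None or ts <= end):
            return iip, iport
    return None

def correlate(flow, table, host_events, clock_offsets, window=timedelta(seconds=10)):
    """Map an external-vantage flow to the host behind the NAT, then find that host's events
    within `window` of the flow after removing the host's known clock offset."""
    ts = parse_ts(flow["start"])
    hit = resolve_internal(table, flow["proto"], flow["sip"], flow["sport"], ts)
    if hit is None:
        return None
    iip, _ = hit
    matches = [msg for ets, host, msg in host_events
               if host == iip and abs(parse_ts(ets) - clock_offsets.get(host, timedelta(0)) - ts) <= window]
    return {"internal_ip": iip, "host_events": matches}

if __name__ == "__main__":
    table = build_nat_table(NAT_LOG)
    for f in EXTERNAL_FLOWS:
        print(f["start"], correlate(f, table, HOST_EVENTS, HOST_CLOCK_OFFSET))
```

Two things to notice. The second flow resolves to nothing, because the NAT log shows no binding for that port at 14:05:50; without the binding log the analyst would have had to guess between two hosts. And the third flow only matches its host event once the 90-second clock offset is removed; with `clock_offsets={}` the same event falls outside the window and the correlation silently fails, which is how a missed time alignment usually presents itself.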
Achieving network situational awareness depends on an organization's ability to effectively monitor its networks and, ultimately, to analyze that data to detect malicious activity. There are several resources available to network analysts and security defenders as they contend with a rapid-fire increase in global internet protocol traffic:
We welcome your feedback about this work in the comments section below.
Learn more about FloCon