Cisco Network Telemetry Against Cyber Threats

    Cyber Threat Defense (CTD) can detect and block complex attacks, including zero-day attacks, leaks of confidential information, and botnet activity. It relies on new mechanisms for dealing with advanced threats by analyzing network activity; this article describes them using the OpenSSL Heartbleed vulnerability as an example.

    The solution correlates and analyzes network telemetry collected by intelligent network equipment (in particular Cisco switches, routers and firewalls), requires no agents on workstations or servers, and scales to distributed networks of any size.



    New Attack Detection Approaches


    Traditional network-level attack detection collects network traffic and checks it against a set of signatures that correspond to known attacks. This requires sensors (IDS/IPS) at key points in the network that look for known bad patterns in the traffic. For several reasons this approach is no longer sufficient on its own. First, signatures are helpless against zero-day attacks and against advanced methods of disguising malicious code and botnet command-and-control channels. Second, modern targeted attacks (APTs) are able to bypass the traditional network perimeter, where the sensors are usually installed, and operate from inside the network. Communication between workstations and servers inside the network is usually outside the field of view of an IDS/IPS.

    For about ten years the industry has been developing new approaches that detect attacks by analyzing the behavior of network traffic and anomalies in it. In short, behavioral analysis systems detect known "bad behavior" of devices on the network by analyzing their network interactions. Simple examples of such behavior are scanning the network or opening a large number of TCP sessions.

    Anomaly analysis reveals significant deviations of a network device's traffic from the "normal" traffic profile for that device or group of devices. It requires a training period and statistical analysis to build, and keep updating, the "normal" profile. Examples of anomalies are a sudden increase in a workstation's Internet traffic, or a change in the structure of its traffic (for example, a rise in encrypted SSL traffic) compared with the usual daily figures for that workstation. In most cases it is enough to analyze the main traffic parameters (telemetry) to detect bad behavior and anomalies; there is no need to inspect the contents of every packet, as an IPS does.



    Each of these approaches has its own advantages and limitations.



    Behavioral analysis and anomaly analysis have much in common, and the two approaches are often used together. Security systems built on these principles are called Network Behavior Anomaly Detection (NBAD) systems. Note that NBAD systems do not replace traditional IDS/IPS but complement them in detecting complex attacks, and the two can be used together. IDS/IPS focuses on protecting the perimeter and critical points of the network. NBAD systems reach into the whole network, collecting telemetry from the network infrastructure and from security devices.

    NetFlow - A Valuable Telemetry Source for Security


    The NetFlow protocol is an excellent source of information for security tasks. NetFlow was originally proposed by Cisco back in the 1990s for network traffic monitoring and accounting. It collects statistics on the network flows passing through the network infrastructure. A flow is a set of packets traveling in one direction and sharing a common set of parameters:

    • source and destination address,
    • source and destination port for UDP and TCP,
    • message type and code for ICMP,
    • IP protocol number,
    • network interface,
    • IP Type of Service.
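    The parameter list above is exactly the key of the classic NetFlow v5 record. The Python decoder below is an added example (it is neither Cisco's nor Lancope's code): it unpacks a v5 export datagram, a 24-byte header followed by fixed 48-byte records in big-endian layout, into flow dictionaries, returns the 7-tuple flow key listed above, decodes the ICMP type and code that v5 stores in the destination-port field, and reads the header's sampling field, which tells a collector whether it is receiving every packet or only every nth. The datagram it parses is constructed with the builder in the same block; all function and field names are the example's own.

```python
"""Decode NetFlow v5 export datagrams (added example, not Cisco/Lancope code).

Layout: 24-byte header, then up to 30 flow records of 48 bytes each,
all fields big-endian (Cisco's published v5 format).
"""
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30

_RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def parse_v5(datagram: bytes) -> dict:
    """Return {"header": {...}, "flows": [...]} for one v5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_RECORDS:
        raise ValueError(f"header claims {count} records; v5 allows at most {MAX_RECORDS}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated datagram: need {needed} bytes, got {len(datagram)}")

    header = {
        "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs,
        "flow_sequence": flow_seq,
        "engine": (engine_type, engine_id),
        # Top two bits: sampling mode; low 14 bits: 1-in-N interval.
        # 0 means every packet was accounted, i.e. unsampled "full" NetFlow.
        "sampling_mode": sampling >> 14,
        "sampling_interval": sampling & 0x3FFF,
    }

    flows = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        raw = dict(zip(_RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        flow = {
            "src": str(ipaddress.IPv4Address(raw["srcaddr"])),
            "dst": str(ipaddress.IPv4Address(raw["dstaddr"])),
            "srcport": raw["srcport"],
            "dstport": raw["dstport"],
            "proto": raw["prot"],
            "tos": raw["tos"],
            "in_if": raw["input"],
            "out_if": raw["output"],
            "packets": raw["dPkts"],
            "bytes": raw["dOctets"],
            "duration_ms": raw["last"] - raw["first"],  # both are sysuptime stamps
            "tcp_flags": raw["tcp_flags"],
        }
        # For ICMP, v5 packs (type << 8) | code into the destination-port field.
        if flow["proto"] == 1:
            flow["icmp_type"], flow["icmp_code"] = raw["dstport"] >> 8, raw["dstport"] & 0xFF
        flows.append(flow)
    return {"header": header, "flows": flows}


def flow_key(flow: dict) -> tuple:
    """The 7-tuple that identifies a v5 flow, matching the list in the text."""
    return (flow["src"], flow["dst"], flow["srcport"], flow["dstport"],
            flow["proto"], flow["tos"], flow["in_if"])


def build_v5(flows, sampling_interval=0) -> bytes:
    """Encode flow dicts as a v5 datagram (used only to construct sample input)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(f["src"]).packed, ipaddress.IPv4Address(f["dst"]).packed,
            b"\0\0\0\0", f.get("in_if", 0), f.get("out_if", 0), f["packets"], f["bytes"],
            f.get("first", 0), f.get("last", 0), f["srcport"], f["dstport"], 0,
            f.get("tcp_flags", 0), f["proto"], f.get("tos", 0), 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


# Constructed sample: one HTTPS flow and one ICMP echo request (type 8, code 0).
SAMPLE_DATAGRAM = build_v5([
    {"src": "10.0.1.25", "dst": "203.0.113.10", "srcport": 51234, "dstport": 443,
     "proto": 6, "packets": 12, "bytes": 1480, "first": 1000, "last": 4200,
     "tcp_flags": 0x1B, "in_if": 2},
    {"src": "10.0.1.25", "dst": "10.0.1.1", "srcport": 0, "dstport": 8 << 8,
     "proto": 1, "packets": 1, "bytes": 84, "first": 5000, "last": 5000, "in_if": 2},
])

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE_DATAGRAM)
    print("sampling interval:", parsed["header"]["sampling_interval"])
    for f in parsed["flows"]:
        print(flow_key(f), f["bytes"], "bytes", f["duration_ms"], "ms")
```

    A collector used for security work should check the sampling field on every export: an interval other than 0 means the device is only seeing every nth packet, and the per-flow byte and packet counts are then estimates rather than the full accounting the rest of this section assumes.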




    Over the past twenty years NetFlow has been standardized by the IETF (as the IPFIX protocol) and has gone through many versions and extensions. NetFlow learned to collect detailed, granular statistics about traffic structure, packet sizes and characteristics, fragmentation, and more. Application information can be added to NetFlow records if DPI (deep packet inspection) is enabled on the network devices. Using NetFlow you can then identify more than 1000 applications and, for example, distinguish ordinary web traffic from Skype or P2P file sharing running over port 80. NetFlow statistics can be supplemented with information from the firewall about whether a flow was permitted or denied, with HTTP URLs, and with other application-layer information.

    Another distinguishing feature of NetFlow is the breadth of its traffic coverage. NetFlow is supported on all Cisco routers (including the ISR G2 and ASR), on Cisco ASA firewalls, and on Catalyst 2960-X, 3560, 3750-X, 3850, 4500 and 6500 and Nexus 7000 switches. More recently NetFlow support has also appeared on the network interfaces of Cisco UCS servers, which makes it possible to collect telemetry on server and virtual machine traffic. NetFlow and IPFIX are also supported by many other vendors and by open-source products.

    Thus the NetFlow protocol can collect telemetry and provide visibility of attacks in every part of the network, from the access layer and the data center to remote branches. In effect, NetFlow lets you look at the "behavior" of an individual workstation or server without installing a software agent, using only the functionality of the infrastructure.

    NetFlow can account for every packet it processes, which allows detailed analysis of all traffic. This distinguishes NetFlow from similar protocols such as sFlow, which by design collects only sampled statistics by looking at every nth packet. Sampled and full NetFlow can be compared to skimming a book and reading every page attentively. Sampled statistics give a quick picture of the traffic but are less suitable for security tasks; full NetFlow gives a comprehensive view of network activity from a security standpoint.

    Cisco cyber threat protection solution


    Cisco's Cyber Threat Defense (CTD) solution is built on the NetFlow protocol. The solution consists of several components:

    1. network infrastructure (switches, routers, firewalls) with NetFlow support,
    2. the Lancope StealthWatch network traffic analysis system,
    3. optionally, Cisco Identity Services Engine (ISE), which adds context information.


    StealthWatch is developed by Lancope in partnership with Cisco and is one of the oldest NBAD systems on the market. StealthWatch and ISE are available both as hardware appliances and as virtual appliances.

    At the initial stage of a Cyber Threat Defense deployment, the zones that make up the organization's network must be described. Such zones may be:

    • the local network,
    • branches,
    • workstations grouped by purpose or location,
    • servers grouped by the services and applications they provide, etc.


    Zones can be nested within each other - for example, a data center zone, which includes zones for applications (web, mail servers, DNS servers, ERP). The zone of web servers, in turn, is divided into zones of external and internal web servers.

    The more accurately the network is divided into zones, the more accurately the solution can analyze telemetry and device behavior. CTD can suggest the likely role of devices and their membership in a particular zone. For example, if a server is a source of web traffic, it will be proposed to assign that server to the web server group.



    In the next step, CTD collects NetFlow telemetry from the network infrastructure and builds behavior profiles for zones and for individual network devices. Initial self-training and tuning takes place over the first 7 days; over the following 28 days a profile of normal behavior (the baseline) is created. Profiles adapt automatically when the traffic structure changes gradually.
    If traffic deviates significantly from the normal profile, or matches known "bad" behavior, a potential security incident is reported. When an incident is registered, the key indicators are numerical values:

    • Concern Index (CI): an indicator that a particular host is a source of illegitimate or abnormal activity;
    • Target Index (TI): an indicator that the host is a possible target of an attack or of abnormal activity;
    • File Sharing Index (FSI): tracks potential P2P activity.


    These indexes are calculated for every host monitored by CTD, taking dozens of traffic parameters into account. They show how abnormal a host's behavior is and how confident the system is in the seriousness and reliability of the anomaly. They also let you prioritize incident investigations: the higher the index value, the more serious the incident.

    A real-life analogy: if a passerby rings your doorbell and then says he has the wrong address, there is no particular reason to worry. But if the same passerby rings the tenth door in the same way, that is cause for concern. The Concern Index accumulates in just this way.
    The same applies in Cyber Threat Defense: when an index exceeds its threshold value, the corresponding alarm is generated. The system ships with a large number of standard alarm policies, and custom policies can be created that describe activity which is unacceptable for a particular organization.
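    As an added illustration of the scoring just described (this is not StealthWatch's actual algorithm or weights, which the article does not give), the Python below accumulates a Concern Index per source host from constructed flow records. Each distinct target probed with an unanswered SYN-only flow adds points, which is the doorbell analogy in code; an outbound volume several standard deviations above the host's learned daily baseline adds more; a host that has not yet finished its learning period is reported but not scored; and an alarm fires once the index crosses the policy threshold. The record layout, baseline figures, point values and threshold are all assumptions of the example.

```python
"""Concern-Index style scoring of hosts from flow records.

Added example, not Lancope/Cisco code. Two of the behaviours named in the
text, reconnaissance (many unanswered SYN probes to distinct targets) and
a volume anomaly against a learned baseline, add points to a per-host
Concern Index; an alarm fires when the index crosses a policy threshold.
"""
from collections import defaultdict
from statistics import mean, pstdev

SYN, ACK = 0x02, 0x10

# Policy constants (assumed values, not StealthWatch's real weights).
SCAN_POINTS_PER_TARGET = 10   # one "doorbell" is harmless; ten of them add up
VOLUME_Z_THRESHOLD = 3.0      # sigmas above the baseline before volume counts
MIN_BASELINE_DAYS = 7         # fewer days than this and the host is still learning
ALARM_THRESHOLD = 100

# Constructed baseline: outbound bytes per day previously observed for each host.
BASELINE = {
    "10.0.1.25": [1.1e6, 0.9e6, 1.3e6, 1.0e6, 1.2e6, 0.8e6, 1.1e6],
    "10.0.1.77": [5.0e6, 5.5e6, 4.8e6, 5.2e6, 5.1e6, 4.9e6, 5.3e6],
    "10.0.1.90": [2.0e6, 2.1e6],          # only two days of history so far
}


def flow(src, dst, dport, nbytes, packets, flags):
    return {"src": src, "dst": dst, "dstport": dport, "bytes": nbytes,
            "packets": packets, "tcp_flags": flags}


# Constructed flow records for one day.
TODAY = (
    # 10.0.1.25 sweeps SMB on twelve hosts: SYN only, one packet, nothing back.
    [flow("10.0.1.25", f"10.0.2.{i}", 445, 60, 1, SYN) for i in range(1, 13)]
    + [flow("10.0.1.25", "203.0.113.10", 443, 1_000_000, 800, SYN | ACK)]
    # 10.0.1.77 looks normal in shape but pushes 40 MB out, eight times its norm.
    + [flow("10.0.1.77", "198.51.100.7", 443, 10_000_000, 7000, SYN | ACK) for _ in range(4)]
    # 10.0.1.90 is still inside its learning period.
    + [flow("10.0.1.90", "203.0.113.10", 443, 2_050_000, 1500, SYN | ACK)]
)


def scan_targets(flows):
    """Distinct (dst, port) pairs probed with unanswered SYN-only flows."""
    return {(f["dst"], f["dstport"]) for f in flows
            if f["tcp_flags"] & SYN and not f["tcp_flags"] & ACK and f["packets"] <= 2}


def volume_zscore(host, today_bytes, baseline):
    """Standard deviations today's outbound volume sits above the baseline.
    Returns None while the host has too little history to judge."""
    history = baseline.get(host, [])
    if len(history) < MIN_BASELINE_DAYS:
        return None
    sigma = pstdev(history)
    if sigma == 0:
        return 0.0 if today_bytes <= mean(history) else float("inf")
    return (today_bytes - mean(history)) / sigma


def concern_index(flows, baseline):
    """Per-host CI and the reasons that contributed to it."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["src"]].append(f)

    report = {}
    for host, hflows in by_host.items():
        ci, reasons = 0, []
        targets = scan_targets(hflows)
        if targets:
            ci += SCAN_POINTS_PER_TARGET * len(targets)
            reasons.append(f"scan: {len(targets)} targets probed")
        z = volume_zscore(host, sum(f["bytes"] for f in hflows), baseline)
        if z is None:
            reasons.append("volume: baseline still learning")
        elif z > VOLUME_Z_THRESHOLD:
            ci += 50 + int(10 * min(z, 10))   # capped so one burst cannot dominate
            reasons.append(f"volume: {z:.1f} sigma above baseline")
        report[host] = {"ci": ci, "reasons": reasons}
    return report


def alarms(report, threshold=ALARM_THRESHOLD):
    """Hosts whose CI crossed the policy threshold, highest first."""
    hot = [(h, r["ci"], r["reasons"]) for h, r in report.items() if r["ci"] >= threshold]
    return sorted(hot, key=lambda x: -x[1])


if __name__ == "__main__":
    for host, ci, why in alarms(concern_index(TODAY, BASELINE)):
        print(f"{host}: CI={ci} {why}")
```

    The two scored hosts end up with similar indexes for entirely different reasons, which is why the reasons travel with the score: the analyst triaging the alarm queue needs to know whether a host is probing its neighbours or quietly moving data out, not just that its number is high.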

    Add context


    Context matters in how the solution works. The NetFlow protocol normally deals only in IP addresses and port numbers. Knowing the context allows Cyber Threat Defense to understand:

    1. which user and which device stand behind a given IP address,
    2. which application is using a given port,
    3. what the reputation of an IP address or domain name is, and whether the Internet host has previously been seen in illegitimate activity (for example, as part of a botnet).


    This gives the faceless information about IP addresses and ports a context, which allows security incidents to be handled more accurately and efficiently.

    User and device information is collected through CTD integration with the Cisco Identity Services Engine, which has intelligent mechanisms for identifying device types and usernames on the network.

    Reputation data for Internet hosts is obtained in real time from a cloud-based reputation database. This database in particular has dynamic information about active botnet control centers.

    When a threshold is reached, CTD can take a predefined action: for example, instruct the firewall to block the suspicious activity of a particular host, or shut down a switch port. Commands can be issued automatically or semi-automatically (after confirmation by an administrator). The system ships with scripts for routers and firewalls from different vendors, and custom scripts can also be written.

    What we are protecting against


    Cyber Threat Defense can be used in a variety of security scenarios to protect against a wide range of attacks.
    In particular, CTD can detect, and help block, the following types of attacks and security-relevant anomalies:

    1. malware distribution and virus outbreaks,
    2. botnet activity,
    3. DDoS attacks,
    4. network reconnaissance,
    5. attempts at unauthorized access to resources,
    6. unauthorized accumulation of data,
    7. data leak attempts,
    8. use of prohibited applications (for example P2P or IP telephony),
    9. unauthorized installation of services (for example a web site),
    10. violations of access policies and gaps in the firewall configuration.




    CTD is also an excellent tool for security audits: it lets you check whether the network behaves as intended after firewalls, IPS and the network infrastructure have been configured.

    And, of course, Cyber Threat Defense can assist in the investigation of incidents, tracing the spread of malicious code and attack vectors. Since information about all network flows and sessions is stored, it is possible to find out with whom, and how, a suspicious host communicated at a given moment in the past.

    Let us look at how Cyber Threat Defense works, using the widely publicized OpenSSL Heartbleed vulnerability as an example.
    The difficulty in detecting Heartbleed was that, when the vulnerability was exploited correctly, the exploit left no trace in the web server logs: the malicious heartbeat is handled inside the TLS layer, before any HTTP request exists for the web server to log. SSL encryption also makes it impossible to tell normal from malicious transactions by request content and signatures. To identify exploitation attempts, one therefore has to rely on the sizes of the SSL requests and of the web server's responses.

    If you look at a report from the system showing attempts to exploit Heartbleed on a test system, two features of these transactions stand out.



    First, the ratio of the size of the client request to the size of the response is approximately 4.8%. Second, attacks on Heartbleed are likely to create long-lived sessions. Each Heartbleed transaction returns to the attacker the contents of a small piece of the attacked web server's memory. To obtain the information of interest (private SSL keys or passwords), the attacker has to repeat the transaction many times, so the session will most likely last for hours. CTD has a built-in mechanism for detecting such long-lived sessions (the Suspect Long Flow alarm).

    Thus, using CTD, suspicious web transactions can be identified. Since NetFlow telemetry is usually retained for several months, it is also possible to find attacks that took place in the past, before the vulnerability was officially published. Most importantly, detecting such attacks needs no signature update: the solution can find attacks from "day zero", the moment a vulnerability or exploit appears.
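    The two observations above, and the retrospective search over stored telemetry, can be written as a query over bidirectional (client-plus-server) flow records. The Python below is an added example and not StealthWatch code: it flags TLS sessions that are long-lived, have moved a substantial volume from the server, and whose client-to-server byte ratio falls in a window around the 4.8% seen in the test report, then splits the hits into those that began before and after the public advisory date. One caveat a practitioner should keep in mind, and the reason the duration and volume conditions do the real work here: a ratio near 5% on its own is not unusual for ordinary web browsing, and sampled telemetry (every nth packet) would blur the tiny request sizes entirely. The records, ports, ratio band and duration cut-off are assumptions for illustration.

```python
"""Flag Heartbleed-like TLS sessions from bidirectional flow records.

Added example, not StealthWatch code. Applies the two observations from
the text to stitched flow records: a client-to-server byte ratio near the
reported ~4.8%, and a session that stays open for hours while the attacker
repeats the heartbeat request. All records and thresholds are constructed.
"""
from datetime import datetime, timedelta

TLS_PORTS = {443, 8443}
LONG_FLOW = timedelta(hours=1)          # "Suspect Long Flow" cut-off (assumed)
RATIO_BAND = (0.035, 0.065)             # assumed window around the reported 4.8%
MIN_SERVER_BYTES = 10_000_000           # memory has to be pulled in bulk to be useful
DISCLOSURE = datetime(2014, 4, 7)       # public Heartbleed advisory date


def rec(fid, client, server, port, start, hours, c_bytes, s_bytes):
    t0 = datetime.fromisoformat(start)
    return {"id": fid, "client": client, "server": server, "port": port,
            "start": t0, "end": t0 + timedelta(hours=hours),
            "client_bytes": c_bytes, "server_bytes": s_bytes}


# Constructed bidirectional flow records as a collector would have retained them.
RECORDS = [
    # A: 3.5 h TLS session from outside, tiny requests, 64 MB back; before disclosure.
    rec("A", "198.51.100.23", "10.0.5.10", 443, "2014-04-03T01:10:00", 3.5, 3_100_000, 64_600_000),
    # B: ordinary browsing; similar ratio but over in two minutes.
    rec("B", "10.0.1.25", "10.0.5.10", 443, "2014-04-03T09:00:00", 0.03, 45_000, 900_000),
    # C: long video stream; long-lived but the ratio is far below the band.
    rec("C", "10.0.1.40", "203.0.113.50", 443, "2014-04-04T20:00:00", 2.0, 2_000_000, 800_000_000),
    # D: same shape as A, two days after the advisory.
    rec("D", "198.51.100.77", "10.0.5.10", 443, "2014-04-09T02:00:00", 2.0, 2_800_000, 60_900_000),
    # E: long SSH session; not TLS at all.
    rec("E", "10.0.1.9", "10.0.5.20", 22, "2014-04-05T10:00:00", 3.0, 500_000, 2_000_000),
]


def byte_ratio(r):
    """Client bytes divided by server bytes; inf if the server never answered."""
    return r["client_bytes"] / r["server_bytes"] if r["server_bytes"] else float("inf")


def is_suspect_long_flow(r, limit=LONG_FLOW):
    """The generic long-lived-session check, independent of port or ratio."""
    return r["end"] - r["start"] >= limit


def heartbleed_suspects(records):
    """TLS sessions that are long-lived, bulky, and heartbeat-shaped in byte ratio."""
    lo, hi = RATIO_BAND
    return [r for r in records
            if r["port"] in TLS_PORTS
            and is_suspect_long_flow(r)
            and r["server_bytes"] >= MIN_SERVER_BYTES
            and lo <= byte_ratio(r) <= hi]


def retrospective(records, before=DISCLOSURE):
    """Suspects whose session began before the vulnerability was public."""
    return [r for r in heartbleed_suspects(records) if r["start"] < before]


if __name__ == "__main__":
    for r in heartbleed_suspects(RECORDS):
        when = "before" if r["start"] < DISCLOSURE else "after"
        print(f"{r['id']}: {r['client']} -> {r['server']}:{r['port']} "
              f"ratio={byte_ratio(r):.3f} duration={r['end'] - r['start']} ({when} disclosure)")
```

    Record C shows why the long-flow alarm and the Heartbleed query are kept separate: it is a legitimate Suspect Long Flow, and an analyst may still want to see it, but its byte ratio rules it out as a heartbeat loop.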



    NetFlow is an excellent source of incident information, but not the only one. Cisco Cyber Threat Defense is evolving towards integrating additional information sources into the solution: the Sourcefire network IPS, Cisco Advanced Malware Protection, email and web content filtering systems, and cloud intelligence. Broader event coverage, together with advanced processing and correlation technologies, will allow a faster and more accurate response to the changing threat landscape. For reasons of space we have focused only on the security functionality of Cyber Threat Defense. In fact the CTD solution is also very useful to IT administrators for monitoring users' network activity, tracking the use of network resources, and analyzing application behavior and QoS. More on this in the following articles.

    More information about the solution can be obtained on the Cisco website:

    1. Cisco Cyber Threat Defense Solution: Get the ultimate insight into the latest hidden network threats
    2. Cisco Cyber ​​Threat Defense Solution
    3. Cisco Threat Defense
    4. Cisco Security Products
