Blog :: Security Operations

Network Behavior Analysis and User Behavior


As flow data becomes a growing asset for security analysts, a question arises: “Can I get more context and how do I best leverage this data?” In the security realm, flows are best used to monitor user behavior and network traffic patterns, providing us an additional layer of security to our existing signature-based detection and prevention systems. Today, I will go over an algorithmic approach to network security.

In the last few years, the industry has seen an evolution in flow exports. In the early days when Cisco first developed the protocol, end users were restricted to a hard-coded number of information elements described in RFC 5102. But with the growing movement toward Flexible NetFlow (template-based flow exports), we’re seeing a lot more valuable data. Vendors now have the ability to pull anything from a packet and export it as flow data.

We know from previous blogs that vendors like Gigamon are exporting unique elements, including: SSL version info, DNS queries, response types, and SSL decryption. Wouldn’t it be great if we could monitor user authentication and correlate that within our flow data? Guess what—we absolutely can! Providing more context to your network behavioral analysis.

IPFIXify is an agent that converts log events into IPFIX data to be exported for archiving and analysis. Full documentation can be found here.

While IPFIXify can be used to convert any syslog into IPFIX, I want to focus today on converting user authentication logs into IPFIX. By parsing event logs on the Domain Controller and converting logon/logoff events into flow data, we can now correlate users to IP addresses in our flows, given timestamps. Not only does this let me isolate ‘users’ on the network versus just a node or workstation by layer 3 address, but I can now leverage an algorithm to alert me to a possible compromised account.

Among the latest algorithms Plixer released, we now have the ‘Credential Misuse’ algorithm. This particular algorithm monitors for one particular account that has successfully authenticated into ‘x’ number of nodes on the network, while also creating baseline of average hosts per user. Most security analysts monitor failed login attempts and alert on brute force attacks, but as we’ve seen in the past, monitoring for excessive successful logins can hold just as much value. Especially if the compromised account just so happens to be a domain admin – these types of user accounts are crucial to monitor. Before alerting on excessive successful logins, this algorithm also creates a baseline for the average number of hosts a user authenticates into daily.

Credential misuse alarm

Man-in-the-Middle Attacks

Among the security algorithms most recently released, we’ve also added algorithms aimed toward detecting common Man-in-the-Middle (MitM) attacks. In an MitM attack, an attacker secretively sits between two parties who think they are directly communicating. Of course, this presents a serious security risk and is the type of behavior analysis we definitely want to happening within our networks.

Newly added MitM algorithms include:

  • Rogue DHCP Traffic
  • Rogue DNS Traffic
  • Rogue FTP Traffic
  • Rogue NTP Traffic
  • Rogue RDP Traffic
  • Rogue SMTP Traffic
  • Rogue SSH Traffic
  • Rogue Telnet Traffic

With these algorithms running autonomously in the background, analysts are now provided with almost immediate alerts to any of this suspicious network traffic. Since flow data is such a lightweight protocol, from the initial alarm we can always pivot to the raw flows and trend these patterns over long periods of time.

Rogue SSH alarm

Pivot from the alarm to the raw flows

If you want to learn more about how flow data can help add an additional layer of security to your network as well as provide additional context to your network behavioral analysis, don’t hesitate to reach out and schedule a more in depth over view here.

Don’t forget! You can always download and test Scrutinizer for FREE!