If you suspect a malware breach and want to investigate the history of a specific host, how do you do it? For most of us, the go-to technology for forensically investigating nearly any type of network-related traffic pattern is NetFlow or IPFIX. All major routers on the market today support one or both of these flow protocols.
Network Surveillance
True flow technologies (which sFlow is not) capture 100% of the traffic passing through the router or switch and export summarized details to a flow collector. Because of this, we can think of each flow-sending device as a type of surveillance camera.
Of course, to make the information the cameras capture more useful, we need a way to store it. In the CCTV world, a DVR is used. In the NetFlow and IPFIX industry, something similar to a DVR is available, commonly referred to as a NetFlow or IPFIX collector. Like the DVR, the NetFlow collector stores the captured flows for future reporting and analysis, and First In First Out (FIFO) aging is generally applied to the stored data.
Department Stores use Cameras
When the security team at a department store suspects shoplifting, they often turn to the cameras. Using the video footage stored on the DVR, they can follow a person from entrance to exit. They can filter down to a specific camera, individual, time frame, etc., and export the footage as evidence for the police. We can do exactly the same thing with captured flows using a good, scalable NetFlow and IPFIX solution.
Packet Capture vs. Flow Technology
Inherently, most routers and switches are already deployed on your network in the areas where you would want a camera, i.e. where you would want to perform network surveillance. The question is whether they provide the details you need if you have to investigate a malware breach. Some would argue that the most granular type of network surveillance comes in the form of in-line monitoring using a packet analyzer.
Packet capture without a doubt delivers far greater detail than most NetFlow and IPFIX implementations. However, the trade-offs when choosing packet capture over NetFlow or IPFIX (see NetFlow vs Packet Capture) must be considered carefully.
- Cost
  - Packet analyzers must be purchased for each location, whereas NetFlow or IPFIX simply needs to be enabled.
- Travel
  - Enabling flow technology can be done remotely. Deploying a packet capture appliance requires that someone visit the facility and move wires.
  - Generally, port spanning (i.e. mirroring) of the switch uplink to another interface must be configured to ensure that the packet capture device can see the traffic.
- Aggregation
  - The technologies for aggregating data from hundreds or thousands of packet capture probes into one report do not scale. This problem is easily addressed with flow technologies.
  - Packet capture presents a far greater storage problem than flow technologies.
- Complexity
  - Viewing packet captures generally requires an advanced skill set, whereas the learning curve for reporting on flow data is far shorter.
Gartner stated last year that “…flow analysis should be done 80% of the time and that packet capture with probes should be done 20% of the time.” – Source. I’m sure Gartner made this statement before they learned about next-generation flow exports such as those possible with Cisco AVC.
The Future of Flow Technologies
Flow technologies like NetFlow v9 and the IETF standard for flow export, IPFIX, are being used by several vendors to export far greater detail than we saw ten years ago with the introduction of NetFlow v5. Vendors like Cisco, Citrix, and Dell are exporting metrics on round trip time, packet loss, retransmits, caller ID, usernames, URLs and more. These richer contextual details about the connections passing through your existing routers and switches can often be captured by your network surveillance system simply by upgrading the OS of the hardware.
Investigating Malware
Although these richer details start encroaching on some of the connection forensics usually addressed through packet analysis, I doubt flow data will ever replace tools like Wireshark for looking into problems like deep application issues. It does mean, however, that IT will continue to turn to flow analysis first when investigating malware as well as other potential network threats. Packet details usually aren't necessary, and this is especially true when encryption is involved.
When investigating malware, even if the traffic is encrypted, a scalable NetFlow and IPFIX analyzer lets the user filter down to a specific host, port, time frame, etc. What's more, the richer contextual details exported today by flow-capable hardware mean greater situational awareness surrounding the infection. In fact, the network surveillance or coverage provided by packet capture usually can't even compare to what is possible with flow technologies.
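The collector-side queries described above (follow one suspect host through a time frame, optionally on one port, and see which peers it talked to even when the payload was encrypted), together with the FIFO aging mentioned in the collector section, as an added example that is not part of the original post or of any vendor's product. The flow records, the hypothetical addresses and the helper names are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    """One summarised flow record as a NetFlow v9 / IPFIX collector stores it."""
    start: datetime
    src: str
    dst: str
    dport: int
    nbytes: int
# Constructed sample records (hypothetical addresses), not captured traffic.
T0 = datetime(2024, 3, 1, 9, 0, 0)
FLOWS = [
    Flow(T0 + timedelta(minutes=1), "10.1.1.20", "10.1.1.5", 53, 120),
    Flow(T0 + timedelta(minutes=2), "10.1.1.20", "203.0.113.9", 443, 4200),
    Flow(T0 + timedelta(minutes=3), "10.1.1.21", "10.1.1.5", 53, 98),
    Flow(T0 + timedelta(minutes=7), "10.1.1.20", "203.0.113.9", 443, 3900),
    Flow(T0 + timedelta(minutes=12), "10.1.1.20", "203.0.113.9", 443, 4050),
    Flow(T0 + timedelta(minutes=15), "10.1.1.20", "10.1.1.30", 445, 88000),
    Flow(T0 + timedelta(hours=3), "10.1.1.22", "198.51.100.4", 80, 1500),
]

def age_fifo(flows, retention):
    """FIFO aging: keep only records inside `retention` of the newest stored record."""
    if not flows:
        return []
    cutoff = max(f.start for f in flows) - retention
    return [f for f in flows if f.start >= cutoff]

def host_timeline(flows, host, window_start, window_end, dport=None):
    """Follow one host 'from entrance to exit': its flows in a time frame, optionally on one port."""
    return sorted(
        (f for f in flows
         if window_start <= f.start < window_end
         and host in (f.src, f.dst)
         and (dport is None or f.dport == dport)),
        key=lambda f: f.start,
    )

def peers_by_bytes(flows, host):
    """Bytes and flow count per peer of `host`: repeated same-size connections to one
    external peer, or a large internal transfer, stand out even with encrypted payloads."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        peer = f.dst if f.src == host else f.src
        totals[peer][0] += f.nbytes
        totals[peer][1] += 1
    return {peer: tuple(v) for peer, v in totals.items()}
```

Feeding `host_timeline` output into `peers_by_bytes` gives the per-peer view an analyst would pivot from; the byte counts come from the flow summaries, so no packet payload is needed.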
Check out our incident response system to start investigating malware on your network.