Case Study: Cyber Threat Detection with IPFIX, Cisco Application Visibility & Control (AVC) and Plixer Scrutinizer
In an ongoing blog series on Cisco Application Visibility and Control and our outstanding partners, we learned how to maximize service provider revenues by detecting and applying QoS to over 1400 applications, cure Grumpy old Man Syndrome, and rule the world of application Quality of Service.
This week, I invited Mike Patterson, co-founder of Plixer, to share a real-life cyber threat example that one of his customers faced. Mike and his customer were able to use Plixer Scrutinizer, Cisco AVC, and IPFIX to detect a Known Infected Bot.
Plixer is an important partner of Cisco AVC and will be certified as compatible soon.
Take it away, Mike!
Thanks, Bob! Most people think of Cisco Application Visibility and Control (AVC) as a suite of services in Cisco network devices that provides application-level classification, monitoring, and traffic control to improve business-critical application performance, facilitate capacity management and planning, and reduce network operating costs. If you are not already familiar with the Cisco AVC Solution, it basically helps you:
- Identify and classify over 1,000 layer 7 applications (e.g. Facebook, LinkedIn, Skype)
- Monitor next generation flow statistics such as response time, latency, jitter, and other performance metrics by layer 7 application (e.g. WebEx packet loss)
- Export application performance metrics to your network management software using NetFlow version 9 or IP Flow Information eXport (IPFIX)
- Set different QoS priorities based on application
- Dynamically choose network paths based on performance
Normally we use this new IPFIX export from our Cisco routers for pretty much what is listed above. Details such as packet loss and retransmits can be darn good indicators of a latency issue, but this post is about investigating threats.
Cyber Threat Detection
NetFlow is well known for its value in cyber threat detection. By looking at individual host flow ratios, TCP flags, host reputation, etc., flow data can be very effective at detecting malware. Rather than relying on deep packet inspection and signatures to identify threats, NetFlow and IPFIX can be leveraged to study network behaviors over time. Any communication considered abnormal can trigger events that increase threat indexes, which can eventually trigger alarms and even a notification.
IP Host Reputation
Recently a customer I was working with noticed an Internet Threats alarm in Scrutinizer NetFlow and sFlow Analyzer. Internet Threats is an algorithm that compares the source and destination IP address in flows to an IP host reputation database. The host triggering the event was a conference room computer that is shared by many people in the company.
After drilling in for details we learned in the screen below that the machine was reaching out to a (Known Infected Bot).
The Internet Threats Monitor was configured to only look at flows from internal routers and switches. When I drilled in further on the host, we noticed that the conference room PC only reached out to this Bot once, and after modifying the filter we were a bit relieved when we learned that no other machine in his office appeared to be communicating with this destination.
Since we are getting ready for CiscoLive 2013 Orlando in Florida this month, I decided to show him a few Cisco AVC reports against the host in question. One of my favorite reports is HTTP hosts, as this report provides the URL domain address of the transaction when HTTP is involved. I was expecting to see “no data”, but this was not the case.
After filtering on the httpHost and running a new report on a 5 day time span, we learned that 6 unique internal hosts had been communicating with an HTTP host that apparently is using a type of dynamic DNS technique such as fast flux, since the host of the malware seems to constantly change its IP address. Notice below that the traffic is very infrequent.
After running another report we learned that the byte count was very low. We spent a few more minutes trying to identify all of the machines reaching out to the URL in question. The customer then had to perform due diligence on the suspicious traffic to further determine if the traffic is related to an APT or another form of malware performing reconnaissance on the internal network. Although we can still only speculate, it certainly looked as though the infection had already moved laterally within his organization. I’m glad that Scrutinizer, working with the new Cisco AVC exports, was able to help him not only identify the Bot but also in the investigative effort. It will take a bit more searching to make sure that he has identified all of the potentially infected internal hosts.
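As an added example (not code from the post, Plixer or Cisco) of the two checks walked through above, the Internet Threats reputation match and the httpHost report over a 5 day window, here is a small Python script over constructed IPFIX-style flow records; the addresses, hostnames, reputation entry, thresholds and field names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records carrying the AVC IPFIX fields the post relies on:
# client and server address, the httpHost field, byte count and export time.
# Every address, hostname and timestamp here is made up for this example.
FLOWS = [
    {"src": "10.1.20.15", "dst": "203.0.113.10", "httpHost": "cdn-update.example", "bytes": 412, "ts": "2013-06-01T09:02:00"},
    {"src": "10.1.30.7",  "dst": "203.0.113.44", "httpHost": "cdn-update.example", "bytes": 388, "ts": "2013-06-02T14:11:00"},
    {"src": "10.1.30.9",  "dst": "198.51.100.5", "httpHost": "cdn-update.example", "bytes": 401, "ts": "2013-06-04T03:40:00"},
    {"src": "10.1.20.15", "dst": "192.0.2.8",    "httpHost": "intranet.example",   "bytes": 524288, "ts": "2013-06-01T09:05:00"},
    {"src": "10.1.30.7",  "dst": "192.0.2.8",    "httpHost": "intranet.example",   "bytes": 131072, "ts": "2013-06-03T10:00:00"},
    {"src": "10.1.40.2",  "dst": "198.51.100.77", "httpHost": "cdn-update.example", "bytes": 395, "ts": "2013-06-09T12:00:00"},
]

# Hypothetical host reputation list standing in for the database the Internet
# Threats monitor consults; a placeholder address, not a real indicator.
KNOWN_BAD = {"203.0.113.10"}

def internet_threat_hits(flows, reputation):
    """Flows whose source or destination address appears on the reputation list."""
    return [f for f in flows if f["src"] in reputation or f["dst"] in reputation]

def http_host_report(flows, since, days):
    """Group flows by httpHost within a window, like the 5-day report in the post:
    distinct internal clients, distinct server addresses, bytes and flow count."""
    start = datetime.fromisoformat(since)
    end = start + timedelta(days=days)
    report = defaultdict(lambda: {"clients": set(), "dst_ips": set(), "bytes": 0, "flows": 0})
    for f in flows:
        if not (start <= datetime.fromisoformat(f["ts"]) < end):
            continue  # outside the reporting window
        r = report[f["httpHost"]]
        r["clients"].add(f["src"])
        r["dst_ips"].add(f["dst"])
        r["bytes"] += f["bytes"]
        r["flows"] += 1
    return dict(report)

def suspicious_hosts(report, min_ips=3, max_avg_bytes=1000):
    """Hosts seen behind several different addresses while moving little data:
    the infrequent, low-byte, constantly changing pattern described in the post."""
    return sorted(h for h, r in report.items()
                  if len(r["dst_ips"]) >= min_ips and r["bytes"] / r["flows"] <= max_avg_bytes)

if __name__ == "__main__":
    report = http_host_report(FLOWS, "2013-06-01T00:00:00", 5)
    for host in suspicious_hosts(report):
        print(host, len(report[host]["dst_ips"]), "addresses, clients:", sorted(report[host]["clients"]))
```

The reputation match alone flags a single flow from one client, while the httpHost report pivots on the hostname and surfaces the other internal clients talking to the same name behind changing addresses, which is the pivot that revealed the lateral spread above.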
Come by booth #747 at CiscoLive 2013, pick up a NetFlow Knight sword and check out all that is possible with this exciting new IPFIX export.