Threat Hunting and Network Monitoring with NetFlow at Scale

Telesoft

As 5G is rolled out globally, mobile carriers will benefit from significant revenue opportunities driven by growth in the mobile market, from better customer service to new 5G-enabled business models. However, the industry also recognises that 5G will dramatically raise the stakes for those who are tasked with ensuring the security and reliability of these networks. A recent report by the Business Performance Innovation (BPI) Network highlighted that 5G is driving current security investment in core network security products and DDoS protection.

Carriers overwhelmingly understand the importance of upgrading to and integrating scalable security solutions, as recent increases in traffic rates and connected devices have significantly expanded the attack surface available to cyber criminals. The foundation of an effective network security strategy at this scale is visibility, but the perspective from which defenders look at a network hauling petabytes of traffic is very different from that of someone who has, for example, 1 Gbps of traffic to process. Adding another layer of complexity at carrier scale, the network will typically be split over multiple global locations, be a combination of core and edge networks, and contain both legacy and new equipment.

Network visibility at this level requires a hardware solution that can be deployed at multi-100 Gbps rates and that can scale as the network expands. Flow analysis tools such as NetFlow probes and sensors are the most commonly deployed network security monitoring solutions. Initially developed for enterprise-level security, they also sometimes find their way into telecommunication, ISP and carrier infrastructure. However, enterprise-grade tools are simply not fit for purpose at that scale: they cannot handle the sheer volume of traffic while still providing accurate network flow monitoring.

Talos/Cisco technical breakdown of a recent IoT botnet attack – VPNFilter

Alternatives include deep packet inspection, which can create bottlenecks and demands massive processing power, and active monitoring, which, as the name implies, places unnecessary load on the network. The biggest advantage of flow analysis is that the existing infrastructure in a carrier's core network almost certainly already supports NetFlow or IPFIX, which makes configuration much easier.

Visibility attained via flow data, which could include NetFlow, IPFIX, J-Flow, sFlow or NetStream, is ideal for extracting the key information that is critical to a Network Operations Centre (NOC) and/or Security Operations Centre (SOC) team's daily functions and long-term security strategy. Network visibility allows defenders to answer questions like:

  • Who or what is monopolising bandwidth and slowing down the network?
  • How can we spot botnets, APTs, zero-day malware and other threats if they bypass perimeter defences?
  • How can we identify and track which IPs and countries the network is exchanging data with?
  • How can we detect tunnelled traffic and gain visibility into encapsulated traffic that may be carrying threats?
  • How can we troubleshoot in real time to ensure availability and improve user experience?

This type of granularity and behavioural analysis makes it possible to hunt for threats, which at scale is difficult, not least because of the sheer amount of data to search, but also because of the need to categorise and identify the types of threats that pose a risk to your network. A carrier network defender will typically not be interested in credential stuffing, for instance, because that threat is specific to website security, so that attack vector is more relevant to a SecOps team within a Content Delivery Network (CDN). For a carrier, DDoS and state-sponsored IoT botnets like the recent VPNFilter constitute a major threat. Specific alarms or events provided by flow monitoring and metadata security enrichment enable threat hunters to visualise, analyse and investigate contextual data relating to every transaction and network conversation, which means that these types of attacks can be caught before they cause irreparable damage.
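As an added illustration (not Telesoft code or a product feature), the following Python runs the kind of checks behind the questions listed above, and the DDoS and tunnelling concerns of this paragraph, over a handful of constructed NetFlow-style records: top talkers by bytes, encapsulated traffic spotted from the IP protocol number and well-known tunnel ports, and a many-sources-to-one-destination pattern of the shape a volumetric DDoS produces. The record layout, addresses, thresholds and tunnel markers are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample flow records (not real traffic), shaped like the fields a
# NetFlow v5 / IPFIX exporter commonly provides (assumed layout for this example):
# (src_ip, dst_ip, ip_proto, src_port, dst_port, bytes, packets)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6, 51000, 443, 1_200_000, 900),   # bulk HTTPS
    ("10.0.0.7", "203.0.113.10", 6, 51001, 443, 300_000, 200),
    ("10.0.0.9", "198.51.100.4", 47, 0, 0, 90_000, 120),           # GRE (proto 47)
    ("10.0.0.9", "198.51.100.4", 17, 4789, 4789, 40_000, 60),      # VXLAN over UDP
] + [
    # forty sources each sending tiny UDP/53 flows at one target: DDoS-like fan-in
    (f"192.0.2.{i}", "203.0.113.50", 17, 40000 + i, 53, 120, 2) for i in range(1, 41)
]

# Encapsulation heuristics keyed on (ip_proto, dst_port); None matches any port.
TUNNEL_MARKERS = {
    (47, None): "GRE", (4, None): "IP-in-IP",
    (17, 4789): "VXLAN", (17, 1701): "L2TP",
}

def top_talkers(flows, n=3):
    """'Who is monopolising bandwidth?': total bytes per source IP, largest first."""
    per_src = Counter()
    for src, _dst, _proto, _sp, _dp, nbytes, _pkts in flows:
        per_src[src] += nbytes
    return per_src.most_common(n)

def tunnelled_flows(flows):
    """'Is there encapsulated traffic?': flows whose proto/port marks a tunnel."""
    found = []
    for src, dst, proto, _sp, dport, _b, _p in flows:
        kind = TUNNEL_MARKERS.get((proto, dport)) or TUNNEL_MARKERS.get((proto, None))
        if kind:
            found.append((src, dst, kind))
    return found

def fan_in_alerts(flows, min_sources=20, max_avg_bytes=1_000):
    """Destinations hit by many distinct sources with small average flows (DDoS shape)."""
    sources, total_bytes, count = defaultdict(set), Counter(), Counter()
    for src, dst, _proto, _sp, _dp, nbytes, _pkts in flows:
        sources[dst].add(src)
        total_bytes[dst] += nbytes
        count[dst] += 1
    return {dst: len(s) for dst, s in sources.items()
            if len(s) >= min_sources and total_bytes[dst] / count[dst] <= max_avg_bytes}
```

In a real deployment the records would arrive from a collector in near real time and the thresholds would be tuned per link; the functions show the shape of each check, not a production detector.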
