Threat Hunting and Network Monitoring with NetFlow at Scale

Telesoft

Updated July 2021

The Changing Threat Landscape

Over the past year the security industry has seen a change in the threat landscape. Attacks are increasingly targeted at smaller organisations with lower security budgets, which offer threat actors an opportunity to gain initial access. They then move laterally through that network and its connected third parties to find an alternative route into the network of their primary target. This is known as a supply chain attack, and it has produced several high-profile incidents in recent months, including the attack against SolarWinds in 2020 and the more recent exploitation of a vulnerability in Kaseya’s Virtual System Administrator (VSA) solution.

Both attacks have been widely reported and have shown the reach and potential impact that threat actors can have by successfully exploiting the supply chain, with many organisations and some legislation now seeking to address this challenge.

One way in which organisations can help to identify potential supply chain attacks is through network visibility, which enables a comprehensive understanding of the communications happening on a network. By establishing what normal network activity looks like, security and network operations teams can more readily identify anomalous, suspicious or malicious activity. By identifying this activity earlier, organisations and network providers can put mitigations into action at the earliest opportunity, reducing the potential damage and disruption caused.

This visibility is key to protecting today’s IP and mobile networks, meeting the challenges of the rising data rates that come with the growth in IoT devices and the rollout of 5G, while still ensuring that legacy signalling networks are protected.

5G is Driving Further Investment in Core Network Security

As 5G is rolled out globally, mobile carriers will benefit from significant revenue opportunities driven by growth in the mobile market, from better customer service to new 5G-enabled business models. However, the industry also recognises that 5G will dramatically raise the stakes for those who are tasked with ensuring the security and reliability of these networks. A recent report by the Business Performance Innovation (BPI) Network highlighted that 5G is driving current security investment in core network security products and DDoS protection.

Carriers overwhelmingly understand the importance of upgrading and integrating scalable security solutions, as recent increases in traffic rates and connected devices have significantly expanded the attack landscape available to cyber criminals. The foundation of an effective network security strategy at this scale is visibility, but the perspective from which defenders look at a network hauling petabytes of traffic is very different from that of someone processing, say, 1Gbps of traffic. Adding another layer of complexity at carrier scale is that the network will typically be split across multiple global locations, be a combination of core and edge networks, and contain both legacy and new equipment.

Scaling Network Visibility with NetFlow Security Monitoring

Network visibility at this level requires a hardware solution that can be deployed at multi-100Gbps rates and can scale as the network expands. Flow analysis tools such as NetFlow probes and sensors are the most commonly deployed network security monitoring solutions; initially developed for enterprise-level security, they also sometimes find their way into telecommunication, ISP and carrier infrastructure. However, at that scale they are simply not fit for purpose: they cannot handle the sheer volume of traffic and still provide accurate network flow monitoring.

Talos/Cisco technical breakdown of a recent IoT botnet attack – VPNFilter

Alternatives include:

  • Deep packet inspection, which can lead to bottlenecks and massive processing power requirements
  • Active monitoring, which as the name implies introduces an unnecessary load on the network
  • Sampled data, which can result in threats being missed.

The biggest advantage to using flow analysis is that there is almost certainly NetFlow or IPFIX support on existing infrastructure in the carrier’s core network anyway — which makes configuration much easier.

Visibility attained via flow data, which could include NetFlow, IPFIX, J-Flow, sFlow or NetStream, is ideal for extracting the key information that is critical to a Network Operations Centre (NOC) and/or Security Operations Centre (SOC) team’s daily functions and long-term security strategy. Network visibility allows defenders to answer questions like:

  • Who or what is monopolising bandwidth and slowing down the network?
  • How can we spot botnets, APTs, zero-day malware, SS7 attacks, and other threats if they bypass perimeter defences?
  • How can we identify and track which IPs and countries the network is exchanging data with?
  • How can I detect tunnelled traffic and gain visibility into encapsulated traffic that may be carrying threats?
  • How can I identify malicious activity within encrypted traffic such as TLS 1.3?
  • How can we troubleshoot in real time to ensure availability and improve user experience?
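To make three of the questions above concrete, here is an added example (not Telesoft code or product output) that runs them over constructed NetFlow-style records: top talkers by bytes sent, flows whose outer header shows encapsulation, and sources fanning out to many hosts on one port. The CSV field layout, the thresholds and the sample addresses are assumptions.

```python
# Added example (not Telesoft code): triage of constructed NetFlow-style records.
from collections import defaultdict

# Constructed sample, not real traffic: one bandwidth hog, one GRE + VXLAN
# tunnel endpoint, one host fanning out to peers on 445 with 1-packet flows.
SAMPLE_FLOWS = """\
10.0.0.5,203.0.113.10,6,51000,443,900000000,700000
10.0.0.5,203.0.113.11,6,51001,443,450000000,350000
10.0.0.9,198.51.100.7,47,0,0,80000000,60000
10.0.0.9,198.51.100.7,17,40000,4789,20000000,15000
10.0.0.22,192.0.2.1,6,44001,445,60,1
10.0.0.22,192.0.2.2,6,44002,445,60,1
10.0.0.22,192.0.2.3,6,44003,445,60,1
"""
# Flow export records only the outer IP header, so encapsulation is spotted
# from the outer protocol number or a well-known tunnel UDP port.
TUNNEL_PROTOS = {4: "IP-in-IP", 41: "IPv6-in-IPv4", 47: "GRE", 50: "ESP"}
TUNNEL_UDP_PORTS = {4789: "VXLAN", 1701: "L2TP", 4500: "IPsec NAT-T"}
FIELDS = ("src", "dst", "proto", "sport", "dport", "bytes", "packets")

def parse_flows(text):
    """Parse src,dst,proto,sport,dport,bytes,packets lines; numbers to int."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [dict(zip(FIELDS, r[:2] + [int(v) for v in r[2:]])) for r in rows]

def top_talkers(flows, n=3):
    """Who is monopolising bandwidth: bytes sent per source, descending."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def tunnelled_flows(flows):
    """Flows whose outer header indicates encapsulated traffic."""
    hits = []
    for f in flows:
        label = TUNNEL_PROTOS.get(f["proto"]) or (
            TUNNEL_UDP_PORTS.get(f["dport"]) if f["proto"] == 17 else None)
        if label:
            hits.append((f["src"], f["dst"], label))
    return hits

def fan_out_sources(flows, min_hosts=3):
    """Sources reaching many hosts on one port with tiny flows (scan/lateral)."""
    peers = defaultdict(set)
    for f in flows:
        if f["packets"] <= 2:
            peers[(f["src"], f["dport"])].add(f["dst"])
    return sorted((s, p, len(h)) for (s, p), h in peers.items() if len(h) >= min_hosts)
```

Because flow records carry only the outer header, the tunnel check can tell you that encapsulated traffic exists but not what it carries; that is exactly the gap the page's question about encapsulated traffic refers to.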

This level of granularity and behavioural analysis makes it possible to hunt for threats. At scale this can be difficult, not only because of the sheer amount of data to search but also because of the need to categorise and identify the types of threat that actually put your network at risk. A carrier network defender, for instance, will typically not be interested in credential stuffing, because that threat is specific to website security; that attack vector is more relevant to a SecOps team within a Content Delivery Network (CDN).

For a carrier, DDoS and large-scale IoT botnets such as the recent Prometei and Flubot constitute a significant threat. Specific alarms and events provided by flow monitoring and metadata security enrichment enable threat hunters to visualise, analyse and investigate contextual data relating to every transaction and network conversation, which means these types of attack can be caught before they cause irrevocable damage.
