For the first session of the morning on the last day of the TRISC 2009 Conference, I decided to attend the “Anatomy of an Attack: From Incident to Expedient Resolution” talk by Chris Smithee, a Systems Engineer at Lancope. He talked about the different types of attacks you see on your network and how flow data can be used to monitor for and eliminate some of these threats. My notes from the session are below:
Types of Attacks

  • Barbarian Horde
    • Our castle walls must keep us safe
      • Script kiddies and DDoS
  • Ninjas
    • Knowledgeable “Haxx0rs” with deliberate intent
      • Social engineering to exploits
  • Vampires
    • Generally have to be “invited” in
      • Convert others to their side
      • Malware, worms, and botnets
    • Vampires are social creatures

Problems with Traditional Mechanisms

  • The Barbarian Horde
    • How do we know it’s working?
  • Ninjas
    • Ninjas are stealthy and think outside the box
    • Social Engineering can grant all manner of access
  • Vampires
    • What happens if you’re the first one bitten?
    • Where do you have your safeguards?

How can Flow Data help? (Packet-level logging for network devices, e.g. NetFlow)

  • Global Accounting
    • Who, what, where, when, how
  • Barbarians
    • Who made it through the castle wall?
  • Ninjas
    • Forensic data
    • “Soft-Firewall” like rules
  • Vampires
    • Containment is key – one hop away
    • Policy verification

Why Flow?

  • Leverage your existing network infrastructure to quickly and accurately detect, contain and remediate incidents.
  • Anywhere from a 3-10% impact on the processor. Memory impact is even smaller.

Freeware flow data

  • NMon

Behavioral Analysis?

  • Flow data is awesome.  Why the expert system?
    • Flow data is plentiful – drinking from the firehose can hurt
  • The problem of context
    • Signatures and rules may not always be appropriate
  • Bobby Sue doesn’t normally upload this many files to the Net
  • Who has staff available to constantly scrub files and graphs?
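The “Bobby Sue doesn’t normally upload this many files” idea, and the “containment is key – one hop away” point from the Vampires section, as an added example that is not from the talk or Lancope’s products: it baselines each internal host’s daily egress from constructed NetFlow-style records, flags a host whose upload volume on the review day is far outside its own history, and lists the internal peers that host touched that day. The threshold (mean plus three standard deviations, with a 10% floor on the deviation) and the record layout are my assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes, day).
# Days 1-5 are the baseline history; day 6 is the day under review.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, b, d)
    for d, b in zip(range(1, 6), (18_000, 20_000, 22_000, 19_000, 21_000))
] + [
    ("10.0.0.7", "203.0.113.10", 443, 25_000, d) for d in range(1, 6)
] + [
    ("10.0.0.5", "203.0.113.10", 443, 22_000, 6),   # normal for this host
    ("10.0.0.7", "198.51.100.9", 443, 900_000, 6),  # unusual upload volume
    ("10.0.0.7", "10.0.0.12", 445, 4_000, 6),       # internal lateral traffic
    ("10.0.0.7", "10.0.0.13", 445, 4_000, 6),
]

def is_internal(ip):
    return ip.startswith("10.")  # assumed internal range for the example

def daily_egress(flows):
    """Bytes sent by each internal host to external hosts, per day."""
    out = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, nbytes, day in flows:
        if is_internal(src) and not is_internal(dst):
            out[src][day] += nbytes
    return out

def flag_anomalies(flows, review_day, factor=3.0):
    """Return {host: (baseline_mean, observed)} for hosts whose egress on
    review_day exceeds mean + factor*stdev of their other days.
    Heuristic constructed for this example, not Lancope's algorithm."""
    flagged = {}
    for host, per_day in daily_egress(flows).items():
        baseline = [b for d, b in per_day.items() if d != review_day]
        if len(baseline) < 2:
            continue  # too little history to call anything abnormal
        mu = mean(baseline)
        # floor the deviation so a perfectly flat baseline does not flag noise
        sigma = max(pstdev(baseline), 0.1 * mu)
        observed = per_day.get(review_day, 0)
        if observed > mu + factor * sigma:
            flagged[host] = (mu, observed)
    return flagged

def internal_peers(flows, host, day):
    """Internal hosts `host` talked to on `day`: the one-hop set to check
    when containing a suspected infection."""
    return sorted({dst for src, dst, _p, _b, d in flows
                   if src == host and d == day and is_internal(dst)})
```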