StealthWatch: analysis and investigation of incidents. Part 3

Cisco Stealth Watch is an analytical solution in the field of information security, which provides comprehensive monitoring of threats in a distributed network. StealthWatch is based on the collection of NetFlow and IPFIX from routers, switches and other network devices. As a result, the network becomes a sensitive sensor and allows the administrator to see where traditional network protection methods, such as the Next Generation Firewall, cannot reach.

In past articles I have already written about StealthWatch: first impressions and capabilities, and deployment and configuration. Now I propose to move on and discuss how to deal with the alarms and investigate the security incidents that the solution generates. 6 examples will be given which, I hope, will give a good idea of the usefulness of the product.

First, it should be said that StealthWatch divides its alerts into algorithms and feeds. The first are all kinds of alarms (notifications) which, when triggered, let you detect suspicious activity on the network. The second are security incidents. This article will consider 4 examples of algorithm triggers and 2 examples of feeds.

1. Analysis of the most voluminous interactions within the network

The initial step in configuring StealthWatch is to assign hosts and networks to groups. In the web interface tab Configure > Host Group Management, networks, hosts and servers should be divided into the appropriate groups. You can also create your own groups. By the way, analysing interactions between hosts in Cisco StealthWatch is quite convenient, since you can save not only the flow search filters but also the results themselves.

To get started, go to the web interface tab Analyze > Flow Search. Then set the following parameters:

  • Search Type - Top Conversations (most popular interactions)
  • Time Range - 24 hours (time interval, you can use another)
  • Search Name - Top Conversations Inside-Inside (any friendly name)
  • Subject - Host Groups → Inside Hosts (source: the group of internal hosts)
  • Connection (you can specify ports and applications)
  • Peer - Host Groups → Inside Hosts (destination: the group of internal hosts)
  • In Advanced Options, you can additionally specify the collector whose data is viewed and the sorting of the output (by bytes, flows, etc.). I will leave the defaults.

After pressing the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.

In my example, host 10.150.1.201 (server) transmitted 1.5 GB of traffic to host 10.150.1.200 (client) over the mysql protocol within a single flow. The Manage Columns button allows you to add more columns to the output.

Further, at the administrator's discretion, you can create a custom rule that will constantly watch for such interactions and notify via SNMP, email or Syslog.

2. Analysis of the slowest client-server interactions within the network for delays

The SRT (Server Response Time) and RTT (Round Trip Time) tags allow you to find out server delays and overall network delays. This tool is especially useful when you need to quickly find the cause of user complaints about a slow application.

Note: almost no Netflow exporters know how to send the SRT and RTT tags, so in order to see such data on the FlowSensor you often need to configure sending a copy of the traffic from the network devices. The FlowSensor, in turn, passes the extended IPFIX to the FlowCollector.

It is more convenient to carry out this analysis in the StealthWatch Java application, which is installed on the administrator's computer.

Right-click on Inside Hosts and go to the Flow Table tab.

Click on Filter and set the required parameters. As an example:

  • Date/Time - For the last 3 days
  • Performance - Average Round Trip Time >=50ms

After the data is displayed, we should add the RTT and SRT fields of interest. To do this, right-click on the column shown in the screenshot and select Manage Columns. Then tick the RTT and SRT parameters.

After the request was processed, I sorted by average RTT and saw the slowest interactions.

To drill down into the detailed information, right-click on the flow and select Quick View for Flow.

This information indicates that host 10.201.3.59 from the Sales and Marketing group communicated with the DNS server over the NFS protocol for a minute and 23 seconds with simply terrible delay. In the Interfaces tab you can find out from which Netflow exporter the information was received. In the Table tab, more detailed information about the interaction is shown.

Next, you should find out which devices send traffic to the FlowSensor; the problem most likely lies there.

Moreover, StealthWatch is unique in that it deduplicates data (combines identical flows reported by several exporters). Therefore, you can collect from almost all Netflow devices without fearing a lot of duplicate data. On the contrary, in this scheme it helps to understand which hop has the greatest delays.
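To make the Top Conversations search from example 1 and the deduplication point above concrete, here is an added illustration (not StealthWatch code; the record format, exporter names and RTT values are constructed): the same flow reported by three exporters is merged by its key so bytes are not triple-counted, while the per-exporter RTT is kept so the slowest hop can be identified.

```python
from typing import NamedTuple

class Record(NamedTuple):
    """One NetFlow/IPFIX record as exported by a single device (constructed format)."""
    exporter: str    # exporting device
    src: str
    dst: str
    proto: str
    app: str         # application as classified by the collector, e.g. "mysql"
    nbytes: int
    rtt_ms: float    # round-trip time measured at this exporter

def deduplicate(records):
    """Merge copies of the same flow seen by several exporters.
    Bytes are taken as the maximum, not summed, so a flow crossing three
    exporters is not counted three times; RTT is kept per exporter."""
    merged = {}
    for r in records:
        key = (r.src, r.dst, r.proto, r.app)
        entry = merged.setdefault(key, {"nbytes": 0, "rtt_ms": {}})
        entry["nbytes"] = max(entry["nbytes"], r.nbytes)
        entry["rtt_ms"][r.exporter] = r.rtt_ms
    return merged

def top_conversations(merged, n=3):
    """Top Conversations: flows sorted by bytes transferred, largest first."""
    return sorted(merged.items(), key=lambda kv: kv[1]["nbytes"], reverse=True)[:n]

def slowest_hop(merged, key):
    """Exporter that reported the highest RTT for a flow, i.e. the hop to look at."""
    rtt = merged[key]["rtt_ms"]
    return max(rtt, key=rtt.get)

# Constructed sample: the 1.5 GB mysql flow from the article as seen on three devices,
# plus a small HTTPS flow seen on one device.
SAMPLE = [
    Record("access-sw", "10.150.1.201", "10.150.1.200", "tcp", "mysql", 1_500_000_000, 2.0),
    Record("core-sw",   "10.150.1.201", "10.150.1.200", "tcp", "mysql", 1_500_000_000, 3.5),
    Record("edge-rtr",  "10.150.1.201", "10.150.1.200", "tcp", "mysql", 1_500_000_000, 48.0),
    Record("core-sw",   "10.150.1.77",  "10.150.2.10",  "tcp", "https", 40_000_000,    4.0),
]

MERGED = deduplicate(SAMPLE)
```

Summing the raw records would report 4.54 GB for the mysql conversation; after deduplication it is 1.5 GB, and the RTT map points at edge-rtr as the slow hop.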

3. Audit of HTTPS cryptographic protocols

ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that allows you to detect malicious connections in encrypted traffic without decrypting it. Moreover, this technology allows you to "parse" HTTPS into the TLS versions and cryptographic algorithms used in connections. This functionality is especially useful when you need to detect network nodes that use weak crypto standards.

Note: you must first install the ETA Cryptographic Audit network app on StealthWatch.

Go to the Dashboards → ETA Cryptographic Audit tab and select the host group to be analyzed. For the overall picture, we choose Inside Hosts.

You can see that the TLS version and the corresponding crypto standard are output. As usual, in the Actions column go to View Flows, and the search starts in a new tab.

It can be seen from the output that host 198.19.20.136 used HTTPS with TLS 1.2 for 12 hours, with AES-256 as the encryption algorithm and SHA-384 as the hash function. In the same way, ETA allows you to find weak algorithms in the network.

4. Analysis of anomalies in the network

Cisco StealthWatch is able to recognize network traffic anomalies using three tools: Core Events (security events), Relationship Events (events of interactions between segments and network nodes) and behavioral analysis.

Behavioral analysis, in turn, allows you to build a behavior model for a particular host or group of hosts over time. The more traffic passes through StealthWatch, the more accurate the alerts from this analysis become. At first, the system triggers a lot of false positives, so the rules have to be tuned by hand. I recommend not paying attention to such events for the first few weeks, since the system will adjust itself, or adding them to the exceptions.

Below is an example of the predefined Anomaly rule, which says that the event will fire (without an alarm) if a host in the Inside Hosts group interacts with the Inside Hosts group and the traffic exceeds 10 megabytes in 24 hours.

Let's take an alarm as an example: Data Hoarding, which means that some source/destination host has uploaded/downloaded an abnormally large amount of data to or from a host group or host. We click on the event and land in the table where the triggering hosts are listed. Next, select the host we are interested in in the Data Hoarding column.

An event is displayed indicating that 162k "points" were detected, while 100k "points" are allowed by the policy; these are internal StealthWatch metrics. In the Actions column, click View Flows.

We can see that the given host interacted at night with host 10.201.3.47 from the Sales & Marketing department over the HTTPS protocol and downloaded 1.4 GB. Perhaps this example is not entirely convincing, but the detection of interactions of several hundred gigabytes is carried out in exactly the same way. Therefore, further investigation of the anomalies may lead to interesting results.

Note: in the SMC web interface, data in the Dashboards tab is displayed only for the last week, and in the Monitor tab for the last 2 weeks. To analyze older events and generate reports, you need to work with the Java console on the administrator's computer.

5. Finding internal network scans

Now let's look at a few examples of feeds, i.e. information security incidents. This functionality is more interesting for security people.

There are several preset types of scan events in StealthWatch:

  • Port Scan - the source scans multiple ports on the destination host.
  • Addr tcp scan - the source scans the entire network on the same TCP port while changing the destination IP address. In this case, the source receives TCP Reset packets or does not receive responses at all.
  • Addr udp scan - the source scans the entire network on the same UDP port while changing the destination IP address. In this case, the source receives ICMP Port Unreachable packets or does not receive responses at all.
  • Ping Scan - the source sends ICMP requests to the entire network in order to look for answers.
  • Stealth Scan tcp / udp - the source used the same source port to connect to multiple ports on the destination host at the same time.
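As an added illustration of how these five scan types can be told apart from flow records (this is not StealthWatch's code; the record format, the threshold of 5 and all flows except the article's 10.201.3.149 → 10.201.0.72 port scan are constructed), the classifier below applies each heuristic from the list to a small set of flows.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    """One flow record (constructed format, not StealthWatch's own)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp", "udp" or "icmp"
    reply: str   # "open" (SYN-ACK / UDP data), "rst", "unreach" (ICMP port unreachable), "none"

THRESHOLD = 5  # distinct ports or hosts before an event fires (assumed tuning value)

def classify_scans(flows, threshold=THRESHOLD):
    """Return {source_ip: set(event names)} using the five scan heuristics above."""
    dst_ports = defaultdict(set)    # (src, dst) -> ports touched                   -> Port Scan
    sport_ports = defaultdict(set)  # (src, sport, dst) -> ports from one source port -> Stealth Scan
    port_hosts = defaultdict(set)   # (src, proto, dport) -> hosts with no open reply -> Addr scan
    ping_hosts = defaultdict(set)   # src -> hosts pinged                            -> Ping Scan
    for f in flows:
        if f.proto == "icmp":
            ping_hosts[f.src].add(f.dst)
            continue
        dst_ports[(f.src, f.dst)].add(f.dport)
        sport_ports[(f.src, f.sport, f.dst)].add(f.dport)
        if f.reply != "open":   # RST, ICMP unreachable or silence: the port was not open
            port_hosts[(f.src, f.proto, f.dport)].add(f.dst)
    events = defaultdict(set)
    for (src, _), ports in dst_ports.items():
        if len(ports) >= threshold:
            events[src].add("Port Scan")
    for (src, _, _), ports in sport_ports.items():
        if len(ports) >= threshold:
            events[src].add("Stealth Scan")
    for (src, proto, _), hosts in port_hosts.items():
        if len(hosts) >= threshold:
            events[src].add(f"Addr {proto} scan")
    for src, hosts in ping_hosts.items():
        if len(hosts) >= threshold:
            events[src].add("Ping Scan")
    return dict(events)

# Constructed sample flows; the first group mirrors the article's Port Scan example.
SAMPLE = (
    [Flow("10.201.3.149", 51508, "10.201.0.72", p, "tcp", "rst") for p in (22, 28, 36, 40, 41, 42)]
    + [Flow("10.201.3.50", 40000 + i, f"10.201.0.{i}", 445, "tcp", "rst") for i in range(1, 7)]
    + [Flow("10.201.3.61", 0, f"10.201.0.{i}", 0, "icmp", "none") for i in range(1, 7)]
    + [Flow("10.201.3.70", 50123, "10.201.0.10", 443, "tcp", "open")]
)
```

The article's host fires both Port Scan and Stealth Scan because it touched six ports on one host from the single source port 51508, while the ordinary HTTPS connection produces no event.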

To conveniently locate all internal scanners at once, there is a network app for StealthWatch called Visibility Assessment. By going to the Dashboards → Visibility Assessment → Internal Network Scanners tab you will see the security incidents related to scanning over the last 2 weeks.

By clicking on the Details button, you will see when the scanning of each network started, the traffic trend and the corresponding alarms.

Next, you can drill down into the host from the tab in the previous screenshot and see its security events, as well as this host's activity for the last week.

As an example, consider the Port Scan event from host 10.201.3.149 on 10.201.0.72. Press Actions > Associated Flows; a flow search is launched and the relevant information is displayed.

As we can see, 3 hours ago this host scanned ports 22, 28, 42, 41, 36 and 40 (TCP) on the destination host from one of its own ports, 51508/TCP. Some fields show no information because not all Netflow fields are supported on the Netflow exporter.

6. Analysis of downloaded malware using CTA

CTA (Cognitive Threat Analytics) is Cisco's cloud analytics, which integrates well with Cisco StealthWatch and allows you to complement signatureless analysis with signature-based analysis. This makes it possible to detect Trojans, network worms, zero-day malware and other malware, and their spread within the network. Also, the previously mentioned ETA technology allows you to analyze such malicious communications in encrypted traffic.

Right on the very first tab of the web interface there is a special Cognitive Threat Analytics widget. The summary reports the threats detected on user hosts: trojans, rogueware, annoying adware. The word "Encrypted" is precisely the evidence of ETA at work. By clicking on a host, all the information on it drops down, including security events and the CTA logs.

Hovering over each stage of the CTA event displays detailed information about the interaction. For the full analytics, click View Incident Details and you will be taken to the separate Cognitive Threat Analytics console.

In the upper right corner, the filter allows you to display events by severity level. When you point at a specific anomaly, logs appear at the bottom of the screen with the corresponding timeline on the right. Thus, the information security specialist clearly understands which host was infected, after which actions, and what it then began to do.

Below is another example: a banking trojan that infected host 198.19.30.36. This host began to interact with malicious domains, and the logs show information on the flows of these interactions.

Next, one of the best options available is to quarantine the host using the native integration with Cisco ISE for further remediation and analysis.

Conclusion

The Cisco StealthWatch solution is one of the leading network monitoring products in terms of both network analysis and information security. With it, you can detect illegitimate interactions within the network, application delays, the most active users, anomalies, malware and APTs. Moreover, you can find scans and pentesters, and conduct a crypto audit of HTTPS traffic. More use cases can be found at link.

If you would like to check how smooth and efficient your network is, send a request.
In the near future we are planning several more technical publications on various information security products. If you are interested in this topic, stay tuned on our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: habr.com