StealthWatch: incident analysis and investigation. Part 3
Cisco StealthWatch is a security analytics solution that provides comprehensive threat monitoring across a distributed network. At its core, StealthWatch collects NetFlow and IPFIX from routers, switches and other network devices. As a result, the network itself becomes a sensor and lets the administrator see where traditional protection mechanisms such as a Next Generation Firewall cannot reach.
In previous articles I have already written about StealthWatch: the first presentation and features, as well as deployment and configuration. Now I propose to move on and discuss how to work with alarms and investigate the security incidents that the solution generates. There will be 6 examples which, I hope, will give a good idea of the product's usefulness.
First, it should be said that StealthWatch divides its detections into two kinds: algorithms and feeds. The first produce alarms (notifications) that, when triggered, let you spot suspicious activity on the network. The second produce security incidents. This article covers 4 examples of algorithm triggers and 2 examples of feeds.
1. Analysis of the most voluminous interactions within the network
The initial step in setting up StealthWatch is to classify hosts and networks into groups. In the web interface, under Configure > Host Group Management, divide networks, hosts and servers into appropriate groups; you can also create your own groups. Analysing interactions between hosts in Cisco StealthWatch is quite convenient, since you can save not only the flow filters but also the search results themselves.
First, in the web interface, go to Analyze > Flow Search. Then set the following parameters:
- Search Type - Top Conversations (the most voluminous interactions)
- Time Range - 24 hours (the time span; any other period can be used)
- Search Name - Top Conversations Inside-Inside (any friendly name)
- Subject - Host Groups → Inside Hosts (source: the group of internal hosts)
- Connection (here you can restrict ports or applications)
- Peer - Host Groups → Inside Hosts (destination: the group of internal hosts)
- In Advanced Options you can additionally choose the collector whose data is searched and the sort order of the output (by bytes, flows, etc.). I leave these at the defaults.
After clicking the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.
In my example, the host 10.150.1.201 (server) transferred 1.5 GB of traffic to the host 10.150.1.200 (client) over the mysql protocol within a single flow. The Manage Columns button lets you add more columns to the output.
Further, at the administrator's discretion, you can create a custom rule that will fire every time this kind of interaction occurs and notify via SNMP, email or Syslog.
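What the Top Conversations search computes, written out as an added example (this is not StealthWatch code or Cisco's algorithm): flow records are filtered by host-group membership on both sides, summed per unordered host pair, ranked by bytes or flow count, and then checked against the kind of threshold a custom notification rule would use. The host-group ranges, the flow records and the 1 GB rule limit are constructed for illustration.

```python
"""Added example (not StealthWatch code): a 'Top Conversations Inside-Inside'
flow search and a custom-rule threshold check over constructed flow records.
Host group ranges, flows and the rule limit are hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Host groups as you would define them under Configure > Host Group Management
# (hypothetical address ranges).
HOST_GROUPS = {
    "Inside Hosts": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol, bytes).
SAMPLE_FLOWS = [
    ("10.150.1.201", "10.150.1.200", 3306, "tcp", 1_500_000_000),  # mysql server -> client
    ("10.150.1.200", "10.150.1.201", 3306, "tcp", 20_000_000),     # reverse direction, same pair
    ("10.201.3.59", "10.201.0.10", 2049, "tcp", 350_000_000),      # nfs
    ("10.201.3.47", "8.8.8.8", 53, "udp", 5_000),                  # inside -> outside: excluded
    ("203.0.113.5", "10.201.3.47", 443, "tcp", 90_000_000),        # outside -> inside: excluded
]


def in_group(ip, group):
    """True if ip falls inside any network of the named host group."""
    addr = ip_address(ip)
    return any(addr in net for net in HOST_GROUPS[group])


def top_conversations(flows, subject="Inside Hosts", peer="Inside Hosts",
                      sort_by="bytes", limit=10):
    """Sum traffic per unordered host pair where one side is in `subject` and
    the other in `peer`, then rank (sort_by is 'bytes' or 'flows', as in
    Advanced Options)."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "services": set()})
    for src, dst, dport, proto, nbytes in flows:
        if not ((in_group(src, subject) and in_group(dst, peer)) or
                (in_group(dst, subject) and in_group(src, peer))):
            continue
        rec = totals[tuple(sorted((src, dst)))]   # both directions count as one conversation
        rec["bytes"] += nbytes
        rec["flows"] += 1
        rec["services"].add(f"{dport}/{proto}")
    ranked = sorted(totals.items(), key=lambda kv: kv[1][sort_by], reverse=True)
    return [(pair, rec["bytes"], rec["flows"], sorted(rec["services"]))
            for pair, rec in ranked[:limit]]


def conversations_over(conversations, limit_bytes):
    """The custom-rule condition: pairs whose total exceeds limit_bytes.
    In StealthWatch a match would be delivered as an SNMP trap, e-mail or syslog."""
    return [c for c in conversations if c[1] > limit_bytes]


if __name__ == "__main__":
    top = top_conversations(SAMPLE_FLOWS)
    for pair, nbytes, nflows, services in top:
        print(f"{pair[0]} <-> {pair[1]}: {nbytes / 1e9:.2f} GB, {nflows} flows, {services}")
    print("over 1 GB:", conversations_over(top, 1_000_000_000))
```

The pair key is sorted so that server-to-client and client-to-server records land in the same conversation, which is what makes the 1.5 GB mysql transfer and its 20 MB of return traffic show up as one 1.52 GB entry; the two flows that cross the Inside Hosts boundary are dropped by the group check.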
2. Analysis of the slowest client-server interactions within the network for delays
The SRT (Server Response Time) and RTT (Round Trip Time) fields let you measure server delay and overall network delay. This is especially useful when you need to quickly find the cause of user complaints about a slow application.
Note: almost no NetFlow exporters can export the SRT and RTT fields, so to see such data you usually need to send a copy of the traffic from the network devices to a FlowSensor. The FlowSensor in turn exports enriched IPFIX to the FlowCollector.
It is more convenient to carry out this analysis in the StealthWatch Java console, which is installed on the administrator's computer.
Right-click Inside Hosts and open the Flow Table tab.
Click Filter and set the necessary parameters. As an example:
- Date/Time - For the last 3 days
- Performance - Average Round Trip Time >=50ms
Once the data is displayed, add the RTT and SRT fields we are interested in: right-click a column header, select Manage Columns, and tick the RTT and SRT parameters.
After the request was processed, I sorted by average RTT and saw the slowest interactions.
To drill into the details, right-click a flow and select Quick View for Flow.
This view shows that the host 10.201.3.59 from the Sales and Marketing group has been talking to the DNS server over the NFS protocol for one minute and 23 seconds with a very high delay. The Interfaces tab shows which NetFlow exporter the information came from, and the Table tab displays more detailed information about the interaction.
Next, find out which devices feed traffic to the FlowSensor; the problem most likely lies on that path.
Moreover, StealthWatch deduplicates data (it merges records of the same flow reported by different exporters). Therefore you can collect from almost all NetFlow-capable devices without fearing a flood of duplicate data. On the contrary, in such a scheme it helps to understand at which particular hop the delay is greatest.
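The deduplication and RTT filtering described in this section, as an added example that is not StealthWatch code: records that several exporters reported for the same flow are merged into one entry, the Flow Table filter "Average Round Trip Time >= 50 ms" is applied, and the result is ranked with the exporter that saw the worst RTT, which is what points at the hop where the delay appears. The exporter names, flows and RTT/SRT values are constructed, and the merge rule (one flow per 5-tuple and start time, the flow's RTT being the largest exporter measurement) is this example's illustration, not Cisco's deduplication algorithm.

```python
"""Added example (not StealthWatch code): merge per-exporter records of one
flow, filter on RTT, rank slowest first. Records and the merge rule are
constructed for illustration.
"""

# Constructed records: (exporter, src, dst, dst_port, proto, start_s, bytes, avg_rtt_ms, srt_ms).
# The NFS flow is seen by three FlowSensors along its path; the HTTPS flow by two.
SAMPLE_RECORDS = [
    ("fs-access", "10.201.3.59", "10.201.0.10", 2049, "tcp", 1000, 8_000_000, 3, 2),
    ("fs-core",   "10.201.3.59", "10.201.0.10", 2049, "tcp", 1000, 8_000_000, 4, 2),
    ("fs-dc",     "10.201.3.59", "10.201.0.10", 2049, "tcp", 1000, 8_000_000, 95, 70),
    ("fs-access", "10.201.3.60", "10.201.0.20", 443, "tcp", 1010, 20_000, 12, 5),
    ("fs-core",   "10.201.3.60", "10.201.0.20", 443, "tcp", 1010, 20_000, 14, 5),
]


def deduplicate(records):
    """One entry per flow. Bytes are not summed across exporters (they all saw
    the same packets); each exporter's RTT/SRT is kept under its name."""
    flows = {}
    for exporter, src, dst, dport, proto, start, nbytes, rtt, srt in records:
        key = (src, dst, dport, proto, start)
        entry = flows.setdefault(key, {"bytes": nbytes, "rtt": {}, "srt": {}})
        entry["rtt"][exporter] = rtt
        entry["srt"][exporter] = srt
    return flows


def slow_flows(flows, min_rtt_ms=50):
    """Flows whose RTT (largest exporter measurement) is at least min_rtt_ms,
    slowest first. 'worst_exporter' is the vantage point that first saw the
    high RTT: the extra delay lies between it and the previous exporter."""
    out = []
    for key, entry in flows.items():
        worst_exporter = max(entry["rtt"], key=entry["rtt"].get)
        rtt = entry["rtt"][worst_exporter]
        if rtt >= min_rtt_ms:
            out.append({"flow": key, "rtt_ms": rtt,
                        "srt_ms": max(entry["srt"].values()),
                        "worst_exporter": worst_exporter,
                        "rtt_by_exporter": dict(entry["rtt"])})
    return sorted(out, key=lambda r: r["rtt_ms"], reverse=True)


if __name__ == "__main__":
    for r in slow_flows(deduplicate(SAMPLE_RECORDS)):
        src, dst, dport, proto, _ = r["flow"]
        print(f"{src} -> {dst}:{dport}/{proto} RTT {r['rtt_ms']} ms, SRT {r['srt_ms']} ms, "
              f"worst at {r['worst_exporter']} {r['rtt_by_exporter']}")
```

In the constructed data the NFS flow looks healthy at the access and core sensors (3 to 4 ms) and only the data-centre sensor reports 95 ms with a 70 ms server response time, so the delay is on the server side rather than in the campus network.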
3. HTTPS cryptographic protocol audit
ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that detects malicious connections in encrypted traffic without decrypting it. Moreover, it "parses" HTTPS into the TLS versions and cipher suites used in the connections. This is especially useful when you need to find hosts that use weak cryptographic standards.
Note: you must first install the ETA Cryptographic Audit network app on StealthWatch.
Go to Dashboards → ETA Cryptographic Audit and select the host group you plan to analyse. For the big picture, choose Inside Hosts.
You can see the TLS version and the corresponding cipher suite being displayed. Following the familiar pattern, in the Actions column go to View Flows and the search starts in a new tab.
The output shows that over 12 hours the host 198.19.20.136 used HTTPS with TLS 1.2, with AES-256 as the encryption algorithm and SHA-384 as the hash function. Those are strong parameters; the same view is what lets you find hosts that still negotiate deprecated protocol versions or weak cipher suites.
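The audit that the ETA Cryptographic Audit dashboard lets you do by eye, as an added example (not Cisco code): each observed (host, TLS version, cipher suite) record is broken into key exchange, cipher and MAC components and flagged for a deprecated protocol version, a weak cipher or MAC, export-grade or anonymous key exchange, and lack of forward secrecy. The session records are constructed (the full suite name for 198.19.20.136 is assumed; the page only states TLS 1.2, AES-256 and SHA-384), and the weak-component lists are this example's assumption drawn from common deprecation guidance, not a StealthWatch policy.

```python
"""Added example (not Cisco code): a cryptographic audit over observed TLS
sessions. Records and the weak-component lists are this example's
assumptions, not StealthWatch policy.
"""

DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1"}
WEAK_CIPHERS = {"NULL", "RC4", "DES", "3DES", "EXPORT"}
WEAK_MACS = {"MD5", "SHA"}            # a bare 'SHA' in an IANA suite name is SHA-1
FORWARD_SECRET_KEX = {"ECDHE", "DHE"}

# Constructed sessions: (host, negotiated version, IANA cipher suite name).
OBSERVED = [
    ("198.19.20.136", "TLS 1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),  # suite assumed
    ("10.201.3.12", "TLS 1.0", "TLS_RSA_WITH_RC4_128_SHA"),
    ("10.201.3.13", "TLS 1.2", "TLS_RSA_WITH_AES_128_CBC_SHA256"),
    ("10.201.3.14", "TLS 1.3", "TLS_AES_128_GCM_SHA256"),
    ("10.201.3.15", "TLS 1.1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]


def parse_suite(name):
    """Split an IANA suite name into key-exchange/auth tokens, cipher tokens and MAC/PRF.
    TLS 1.3 suites (no '_WITH_') name only the AEAD cipher and hash."""
    parts = name.split("_")
    if "WITH" in parts:
        i = parts.index("WITH")
        kex, body = parts[1:i], parts[i + 1:]
    else:
        kex, body = [], parts[1:]
    return {"kex": kex, "cipher": body[:-1], "mac": body[-1]}


def audit_session(host, version, suite):
    """Return (host, version, suite, reasons); an empty reasons list means clean."""
    s = parse_suite(suite)
    reasons = []
    if version in DEPRECATED_VERSIONS:
        reasons.append(f"deprecated protocol {version}")
    weak = [t for t in s["cipher"] if t in WEAK_CIPHERS]
    if weak:
        reasons.append("weak cipher " + "/".join(weak))
    if s["mac"] in WEAK_MACS:
        reasons.append(f"weak MAC {s['mac']}")
    if "EXPORT" in s["kex"] or "anon" in s["kex"]:
        reasons.append("export-grade or anonymous key exchange")
    # TLS 1.3 always uses an ephemeral (EC)DHE exchange, so only older versions are checked
    if version != "TLS 1.3" and not (FORWARD_SECRET_KEX & set(s["kex"])):
        reasons.append("no forward secrecy")
    return (host, version, suite, reasons)


def audit(sessions):
    return [audit_session(*rec) for rec in sessions]


def weak_hosts(sessions):
    """Hosts with at least one finding, the list you would hand to the owners."""
    return sorted({host for host, _, _, reasons in audit(sessions) if reasons})


if __name__ == "__main__":
    for host, version, suite, reasons in audit(OBSERVED):
        print(host, version, suite, "OK" if not reasons else "; ".join(reasons))
```

The MAC token is checked literally because suite names distinguish SHA-1 ("SHA") from SHA-256/384 ("SHA256", "SHA384"); for AEAD suites the last token names the PRF hash rather than a MAC, which is why the page's AES-256-GCM/SHA-384 session comes out clean.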
4. Network Anomaly Analysis
Cisco StealthWatch can detect network traffic anomalies using three tools: Core Events (security events), Relationship Events (events about interactions between segments or hosts) and behavioural analysis.
Behavioural analysis, in turn, builds a behaviour model over time for a particular host or group of hosts. The more traffic passes through StealthWatch, the more accurate this analysis becomes. At first the system produces a lot of false positives, so the rules need to be tuned by hand. I recommend not paying much attention to such events in the first few weeks, as the system adjusts itself, or adding them to the exceptions.
Below is an example of a predefined Anomaly rule, which states that an event (without an alarm) fires if a host in the Inside Hosts group interacts with the Inside Hosts group and the traffic exceeds 10 megabytes in 24 hours.
For example, take the Data Hoarding alarm, which means that some source/destination host has uploaded/downloaded an abnormally large amount of data to or from a host or group of hosts. Click the event to get to a table listing the hosts that triggered it, then select the host of interest in the Data Hoarding column.
An event is displayed indicating that 162k "points" were observed while policy allows 100k "points"; these are internal StealthWatch metrics. In the Actions column, click View Flows.
We can see that this host interacted at night with the host 10.201.3.47 from Sales & Marketing over HTTPS and downloaded 1.4 GB. This example is not especially dramatic, but the detection of interactions of several hundred gigabytes works exactly the same way, so further investigation of such anomalies may lead to interesting results.
Note: in the SMC web interface the Dashboards tabs show data only for the last week and the Monitor tab for the last 2 weeks. To analyse older events and to generate reports, you need to work with the Java console on the administrator's computer.
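The two kinds of check behind this section, as an added example that is not StealthWatch code: a fixed policy threshold (the predefined rule's 10 MB in 24 hours between Inside Hosts) and a behavioural baseline learned from each host's own history, which is what turns a 1.4 GB night-time download into a Data Hoarding event while leaving a backup client that moves 1 GB every day alone. Host addresses, the 14-day history and the day's flows are constructed (all hosts are assumed to be in Inside Hosts), and bytes stand in for StealthWatch's internal "points"; the mean-plus-three-standard-deviations tolerance is this example's choice, not Cisco's model.

```python
"""Added example (not StealthWatch code): a fixed-threshold policy rule next to
a per-host behavioural baseline for Data Hoarding. History, flows and the
baseline formula are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# 14 days of bytes received per host (constructed history, newest last).
HISTORY = {
    "10.201.3.101": [60*MB, 75*MB, 55*MB, 80*MB, 70*MB, 65*MB, 72*MB,
                     58*MB, 77*MB, 69*MB, 61*MB, 74*MB, 66*MB, 71*MB],
    "10.201.3.102": [900*MB, 1100*MB, 950*MB, 1000*MB, 1050*MB, 980*MB, 1020*MB,
                     970*MB, 1030*MB, 990*MB, 1010*MB, 960*MB, 1040*MB, 1000*MB],  # backup client
}

# Flows of the day under review: (src, dst, dst_port, proto, bytes, hour_of_day).
TODAY = [
    ("10.201.3.47", "10.201.3.101", 443, "tcp", 1_400*MB, 3),   # night download from a Sales & Marketing host
    ("10.201.0.10", "10.201.3.102", 445, "tcp", 1_000*MB, 22),  # the usual nightly backup volume
    ("10.201.0.10", "10.201.3.101", 53, "udp", 50_000, 10),     # ordinary DNS traffic
]


def bytes_received(flows):
    """Bytes delivered to each destination host over the period."""
    received = defaultdict(int)
    for _, dst, _, _, nbytes, _ in flows:
        received[dst] += nbytes
    return received


def policy_events(flows, limit=10*MB):
    """Fixed-threshold rule: every (src, dst) pair that moved more than limit."""
    pair_bytes = defaultdict(int)
    for src, dst, _, _, nbytes, _ in flows:
        pair_bytes[(src, dst)] += nbytes
    return sorted((pair, b) for pair, b in pair_bytes.items() if b > limit)


def allowed_by_baseline(history, k=3.0, floor=10*MB):
    """Tolerance learned from the host's own past: mean + k standard deviations,
    never below `floor` so a quiet host does not alarm on a trivial change."""
    return max(mean(history) + k * pstdev(history), floor)


def data_hoarding(flows, history, k=3.0):
    """Hosts whose received bytes exceed their learned baseline: (host, observed, allowed)."""
    events = []
    for host, observed in bytes_received(flows).items():
        past = history.get(host)
        if not past:
            continue  # no history yet: the model is still learning, nothing to compare
        allowed = allowed_by_baseline(past, k)
        if observed > allowed:
            events.append((host, observed, round(allowed)))
    return events


if __name__ == "__main__":
    print("policy rule (>10 MB):", policy_events(TODAY))
    for host, observed, allowed in data_hoarding(TODAY, HISTORY):
        print(f"Data Hoarding: {host} received {observed/MB:.0f} MB, baseline allows {allowed/MB:.0f} MB")
```

The policy rule fires on both large transfers because it knows nothing about what is normal for the receiving host; the baseline flags only 10.201.3.101, whose history never went above 80 MB a day, and stays quiet for 10.201.3.102 because 1 GB is inside its learned tolerance. That difference is why the page recommends letting the model learn for a few weeks before acting on behavioural alarms.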
5. Finding internal network scans
Now let's look at some examples of feeds, that is, information security incidents. This functionality is of more interest to security staff.
There are several predefined types of scan events in StealthWatch:
- Port Scan - the source scans multiple ports on the destination host.
- Addr tcp scan - the source scans the entire network on the same TCP port, changing the destination IP address, and receives TCP Reset packets or no responses at all.
- Addr udp scan - the source scans the entire network on the same UDP port, changing the destination IP address, and receives ICMP Port Unreachable packets or no responses at all.
- Ping Scan - the source sends ICMP requests to the whole network looking for replies.
- Stealth Scan tcp/udp - the source used the same source port to connect to multiple ports on the destination host at the same time.
To find all internal scanners at once, there is a network app for StealthWatch, Visibility Assessment. Under Dashboards → Visibility Assessment → Internal Network Scanners you will see the scanning-related security incidents for the past 2 weeks.
Clicking the Details button shows when scanning of each network started, the traffic trend and the corresponding alarms.
Then you can drill down to the host from the tab in the previous screenshot and see its security events as well as its activity over the last week.
As an example, let's analyse the Port Scan event from host 10.201.3.149 to 10.201.0.72 by clicking Actions > Associated Flows. A flow search is launched and the relevant information is displayed.
As we can see, 3 hours ago this host scanned the destination host on TCP ports 22, 28, 42, 41, 36 and 40 from a single source port, 51508/TCP. Some fields are empty because the exporter does not support all NetFlow fields.
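The scan patterns listed above, detected from flow records, as an added example that is not StealthWatch code: a Port Scan is one source reaching many destination ports on one host, an Addr tcp/udp scan is one source reaching the same port on many hosts that answer with RST, ICMP Port Unreachable or nothing, and a Ping Scan is ICMP to many hosts. The flow records reproduce the page's 51508/TCP probe of ports 22, 28, 42, 41, 36 and 40 alongside constructed address and ping sweeps and a legitimate browser; the thresholds and the per-flow response field are this example's assumptions, not Cisco's heuristics.

```python
"""Added example (not StealthWatch code): Port Scan, Addr tcp/udp scan and
Ping Scan detection over constructed flow records. Thresholds and the
'response' field are assumptions for illustration.
"""
from collections import defaultdict


def flow(src, dst, proto, sport, dport, response):
    """response is what the destination sent back: 'syn-ack' (open port),
    'rst' (closed), 'icmp-unreach' (closed UDP port) or 'none'."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "response": response}


SAMPLE_FLOWS = (
    # Port Scan from the page: one source port, six destination ports on one host
    [flow("10.201.3.149", "10.201.0.72", "tcp", 51508, p, "rst") for p in (22, 28, 42, 41, 36, 40)]
    # Addr tcp scan: port 445 across the subnet, every target refuses or stays silent
    + [flow("10.201.3.149", f"10.201.0.{i}", "tcp", 40000 + i, 445, "rst" if i % 2 else "none")
       for i in range(1, 8)]
    # Ping Scan of the same subnet
    + [flow("10.201.3.149", f"10.201.0.{i}", "icmp", 0, 0, "none") for i in range(1, 7)]
    # Legitimate: a browser reaching several web servers that all answer
    + [flow("10.201.3.47", f"10.201.5.{i}", "tcp", 50000 + i, 443, "syn-ack") for i in range(1, 8)]
)


def detect_scans(flows, min_ports=5, min_hosts=5):
    """Return scan events as (type, source, target, detail) tuples."""
    by_pair = defaultdict(list)   # (src, dst, proto) -> records, for port scans
    refused = defaultdict(set)    # (src, proto, dport) -> hosts that refused/ignored, for addr scans
    pinged = defaultdict(set)     # src -> ICMP destinations, for ping scans
    for f in flows:
        if f["proto"] == "icmp":
            pinged[f["src"]].add(f["dst"])
            continue
        by_pair[(f["src"], f["dst"], f["proto"])].append(f)
        # Only unanswered or rejected probes count: a client talking to many live
        # servers on 443 gets syn-acks and must not look like an address scan.
        if f["response"] in ("rst", "icmp-unreach", "none"):
            refused[(f["src"], f["proto"], f["dport"])].add(f["dst"])

    events = []
    for (src, dst, proto), recs in by_pair.items():
        ports = sorted({r["dport"] for r in recs})
        if len(ports) >= min_ports:
            sports = {r["sport"] for r in recs}
            detail = {"ports": ports, "single_source_port": len(sports) == 1}
            events.append(("Port Scan", src, dst, detail))
    for (src, proto, dport), hosts in refused.items():
        if len(hosts) >= min_hosts:
            events.append((f"Addr {proto} scan", src, f"{dport}/{proto}", len(hosts)))
    for src, hosts in pinged.items():
        if len(hosts) >= min_hosts:
            events.append(("Ping Scan", src, "network", len(hosts)))
    return events


if __name__ == "__main__":
    for event in detect_scans(SAMPLE_FLOWS):
        print(*event)
```

The response field is what keeps the address-scan logic honest: the page's definitions require RSTs, ICMP Port Unreachable or silence, and without that condition any host that legitimately talks to many servers on one port would be reported. The single_source_port flag records the detail from the page's example (every probe from 51508/TCP) without renaming the event, since StealthWatch reported it as a Port Scan.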
6. Analysis of downloaded malware using CTA
CTA (Cognitive Threat Analytics) is Cisco's cloud analytics service; it integrates seamlessly with Cisco StealthWatch and complements signatureless analysis with signature-based analysis. This makes it possible to detect trojans, network worms, zero-day malware and other malicious software, as well as their spread within the network. The ETA technology mentioned earlier also allows such malicious communications to be analysed in encrypted traffic.
On the very first tab of the web interface there is a dedicated Cognitive Threat Analytics widget with a brief summary of the threats detected on user hosts: a trojan, fraudulent software, annoying adware. The word "Encrypted" indicates that ETA did the work. Clicking a host displays all information about it, including security events and CTA logs.
Hovering over each stage of the CTA event displays detailed information about the interaction. For complete analytics, click View Incident Details and you will be taken to the separate Cognitive Threat Analytics console.
In the upper right corner a filter lets you display events by severity level. Hovering over a specific anomaly brings up the corresponding logs with a timeline at the bottom of the screen. Thus the security analyst clearly sees which infected host performed which actions, and in what order.
Another example is shown below: a banking trojan that infected the host 198.19.30.36. This host began to interact with malicious domains, and the logs show the flows of these interactions.
Next, one of the best responses available is to quarantine the host through the native integration with Cisco ISE, for further remediation and analysis.
Cisco StealthWatch is one of the leading network monitoring products both for network analysis and for information security. With it you can detect illegitimate interactions within the network, application delays, the most active users, anomalies, malware and APTs. Moreover, you can find scans and pentesters and conduct crypto audits of HTTPS traffic. You can find even more use cases here.
If you want to check how smoothly and efficiently your network works, send us an application.
In the near future we are planning several more technical publications on various information security products. If you are interested in this topic, stay tuned on our channels (Telegram, Facebook, VK, TS Solution Blog)!