Chapter 5 NetFlow and Network Security Quiz

Questions and Answers

What role does NetFlow play in detecting DDoS attacks?

  • It ensures that all network devices are functioning correctly.
  • It provides bandwidth utilization statistics only.
  • It prevents unauthorized access to network resources.
  • It is used as an anomaly-detection tool for identifying unusual traffic patterns. (correct)

Which of the following is a characteristic of a stepping-stone attack?

  • It uses a botnet to distribute malicious software.
  • It involves exfiltrating large amounts of data through compromised hosts. (correct)
  • It primarily targets public servers for denial-of-service.
  • It relies on the weakness of VPN protocols.

Which of the following traffic patterns may indicate suspicious activity according to the usage of NetFlow?

  • Traffic to local banking sites during business hours.
  • Large amounts of data sent to content-rich websites.
  • Requests to .gov, .mil, and .edu sites when no business is conducted with those entities. (correct)
  • Secure connections to known business partners.

What challenge do traditional network forensics tools face in large organizations?

They are cost-prohibitive and difficult to scale. (C)

In the context of incident response, what advantage does NetFlow provide?

It provides a high-level overview of network activity to expedite investigations. (C)

What type of sites should organizations be vigilant about in their network traffic?

Pornography sites and illegal file-sharing platforms. (B)

How can packet captures complement the usage of NetFlow in forensics?

Packet captures allow for detailed analysis after initial assessment with NetFlow. (B)

Which network components can NetFlow be deployed on?

Supported routers, switches, and Cisco security devices. (B)

What is the primary function of NetFlow in network security?

To act as an anomaly-detection tool. (C)

What is a significant use of NetFlow in network security?

Detecting anomalous large amounts of data leaving the organization. (B)

Which of the following describes a characteristic of DDoS attacks?

They are designed to overwhelm network resources. (C)

In the context of botnet analysis, what are 'zombies'?

Compromised devices used to launch coordinated attacks. (A)

How does NetFlow support incident response and forensics?

It provides information about all network activity. (B)

What might cause false positives when using NetFlow analytics?

Legitimate large data transfers or streaming. (B)

How should anomaly-based detection systems initially define what is considered normal network behavior?

By analyzing traffic patterns over a significant interval. (A)

Which NIST step is focused on analyzing detected security incidents?

Detection and analysis. (D)

Which of the following mechanisms can complement NetFlow for threat identification?

Syslog. (D)

What information does NetFlow provide that assists in attack traceback?

Indicators of compromise (IOCs). (D)

What is a key step to take before implementing anomaly-detection capabilities?

Perform traffic analysis to understand traffic rates. (D)

Which phase of the NIST incident handling methodology does NetFlow significantly impact?

Preparation, and detection and analysis. (C)

What behavior does an anomaly-detection system typically monitor?

Sudden increases in traffic and other anomalies. (A)

How can analytics software enhance the use of NetFlow?

By examining baseline behaviors to detect deviations. (C)

Which attack method involves controlling multiple compromised devices to target a single victim?

Coordinated DDoS attack using bot hosts. (C)

In the context of NetFlow, what does data exfiltration refer to?

Transferring sensitive data out of the network without authorization. (B)

Flashcards

DDoS Attack Detection

Using NetFlow to identify unusual network traffic patterns indicative of a Distributed Denial-of-Service attack.

Stepping-Stone Attack

A cyberattack where a compromised host within a network is used to exfiltrate data to an external attacker.

NetFlow for Anomaly Detection

NetFlow aids in detecting unusual and potentially malicious network activities.

NetFlow combined with DNS

Incorporating DNS records and NetFlow data to detect suspicious Internet traffic.

Packet Capture Limitations

Packet capture tools (sniffers) are expensive and impractical for comprehensive network analysis, especially in large organizations.

NetFlow for Incident Response

NetFlow quickly provides a high-level overview of network activity, allowing quick initial investigation and deployment of more focused packet captures.

Suspicious Network Traffic Example

Unusual traffic flows to non-business entities (.gov, .mil, .edu), or traffic to embargoed countries or sites with questionable content.

Network Forensics Tools

Tools for investigating and analyzing network security incidents, including NetFlow, Syslog, and packet captures.

NetFlow Analytics for Security

Using NetFlow data to detect unusual network activity, like large data transfers or unusual traffic patterns, to identify security threats.

NetFlow Data & Identity Management

Combining NetFlow data with identity information to track who initiated a data transfer, the involved hosts, data volume, services used, communication duration, and connection frequency.

False Positives in NetFlow

Errors where legitimate network activity is incorrectly flagged as suspicious.

NIST Security Incident Handling

A five-step framework for handling network security events.

Incident Response Step 1 Preparation

Getting ready for a security incident, encompassing planning, training, and establishing procedures.

Incident Response Steps 2 and 3 (Detection & Containment)

Identifying security incidents by analyzing network data (NetFlow), then controlling the spread of the threat and fixing the issue.

NetFlow & Indicator of Compromise (IOC)

NetFlow data plays a role in identifying IOCs. These signals can help organizations spot cyberattacks.

NetFlow & Attack Attribution

Use of NetFlow data to trace the source of attacks and understand who's responsible.

NetFlow Anomaly Detection

Identifying unusual network traffic patterns to detect threats like DDoS attacks.

Normal Network Behavior

The typical traffic patterns observed on a network.

DDoS Attack

A malicious attack overwhelming a network or system with excessive traffic.

Anomaly-Based Detection

Monitoring for deviations from established normal traffic patterns.

Zero-Day Outbreak

Exploitation of newly discovered vulnerabilities in software.

Botnet

A network of compromised computers used for malicious activity.

Attack Daemon

Software on a compromised host that launches attacks and communicates with the attacker.

Network Security

Protecting network resources from malicious attacks and unauthorized access.

Study Notes

Chapter 5: Network Visibility and Segmentation

  • Network Visibility: A critical component of any cybersecurity program, closely tied with control. Essential for managing multi-cloud environments.
  • Visibility Requirements: Must be flexible and improve security without relying on a single technology. Multiple technologies are used to monitor network behavior.
  • Network as a Sensor: NetFlow provides deep visibility into network traffic and unusual patterns, plus compromised device detection.
  • Network as an Enforcer: Cisco TrustSec can contain attacks by enforcing segmentation and controlling user access. This limits access to only relevant segments of the network.
  • Flow Definition: A unidirectional series of packets between a defined source and destination, with consistent source/destination IP addresses, source/destination ports, and IP protocol(s).
  • Flow Data: Collected by NetFlow-enabled devices; provides nonrepudiation, anomaly detection, and investigation capabilities.
  • NetFlow Uses: Measuring bandwidth, application performance, network capacity planning, and now as a network security tool, including detection of DoS attacks.
  • IPFIX: An IETF standard for exporting network flow information. Common format for exchanging flow information between network devices and collectors/analyzers.
  • Flexible NetFlow: Cisco's next-generation NetFlow; it can track extensive flow information and is more scalable and efficient than previous versions. Supports IPv6 and NBAR2.
  • NetFlow Versions: Multiple versions exist, with v1 being a limited version for IPv4. v9 is the template-based version from which IPFIX is derived.
  • NetFlow Deployment Scenarios: User Access Layer (switches), Wireless LANs (WLCs), and Internet Edge (routers). Each has different considerations.
  • NetFlow for Anomaly Detection and DDoS Attack Mitigation: NetFlow monitors network traffic for deviation from normal patterns, and can be used to mitigate DDoS and other attacks based on this anomaly analysis.
  • NetFlow for Network Security and Visibility: Provides nonrepudiation, anomaly detection, and investigative capabilities for security threats.
  • Cisco Cognitive Intelligence (CTA): Cloud-based solution using machine learning and statistical modeling, creating a baseline of network traffic and identifying anomalies.
  • Cisco Encrypted Traffic Analytics (ETA): Identifies malicious communications in encrypted traffic without decryption. Uses behavioral modeling and machine learning.
  • Cisco Secure Network Analytics (formerly Stealthwatch): A solution for aggregating, normalizing, and analyzing NetFlow data, offering a rich GUI for security analytics. Includes tools to monitor, analyze, and manage flows.
  • Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud): A cloud-native solution that provides network visibility and analysis capabilities for multiple public cloud environments (e.g., AWS, Google Cloud Platform, Azure).
  • Micro-segmentation with Cisco ACI: Automatically groups endpoints into logical security zones (EPGs) for granular policies. Uses attributes like IP/MAC addresses, VM attributes.
  • Segmentation with Cisco ISE: Facilitates segmentation and policy enforcement. Learns IP-to-SGT mappings for dynamic user-based segmentation policies.
  • SXP (Scalable Group Tag Exchange Protocol): Enables SGT propagation even on devices lacking inline tagging. Supports complex or heterogeneous network environments.
  • Data Leak Detection: NetFlow supports identifying anomalous data flows leaving an organization. Aids in understanding anomalous traffic patterns within an organization.
  • Incident Response, Threat Hunting & Network Forensics: NetFlow is useful for tracking communications, suspicious activity, and exfiltration within a network.
