Chapter 5 NetFlow and Network Security Quiz
24 Questions
Questions and Answers

What role does NetFlow play in detecting DDoS attacks?

  • It ensures that all network devices are functioning correctly.
  • It provides bandwidth utilization statistics only.
  • It prevents unauthorized access to network resources.
  • It is used as an anomaly-detection tool for identifying unusual traffic patterns. (correct)

Which of the following is a characteristic of a stepping-stone attack?

  • It uses a botnet to distribute malicious software.
  • It involves exfiltrating large amounts of data through compromised hosts. (correct)
  • It primarily targets public servers for denial-of-service.
  • It relies on the weakness of VPN protocols.

Which of the following traffic patterns may indicate suspicious activity according to the usage of NetFlow?

  • Traffic to local banking sites during business hours.
  • Large amounts of data sent to content-rich websites.
  • Requests to .gov, .mil, and .edu sites when no business is conducted with those entities. (correct)
  • Secure connections to known business partners.

What challenge do traditional network forensics tools face in large organizations?

  • They are cost-prohibitive and difficult to scale. (correct)

In the context of incident response, what advantage does NetFlow provide?

  • It provides a high-level overview of network activity to expedite investigations. (correct)

What type of sites should organizations be vigilant about in their network traffic?

  • Pornography sites and illegal file-sharing platforms. (correct)

How can packet captures complement the usage of NetFlow in forensics?

  • Packet captures allow for detailed analysis after an initial assessment with NetFlow. (correct)

Which network components can NetFlow be deployed on?

  • Supported routers, switches, and Cisco security devices. (correct)

What is the primary function of NetFlow in network security?

  • To act as an anomaly-detection tool. (correct)

What is a significant use of NetFlow in network security?

  • Detecting anomalously large amounts of data leaving the organization. (correct)

Which of the following describes a characteristic of DDoS attacks?

  • They are designed to overwhelm network resources. (correct)

In the context of botnet analysis, what are "zombies"?

  • Compromised devices used to launch coordinated attacks. (correct)

How does NetFlow support incident response and forensics?

  • It provides information about all network activity. (correct)

What might cause false positives when using NetFlow analytics?

  • Legitimate large data transfers or streaming. (correct)

How should anomaly-based detection systems initially define what is considered normal network behavior?

  • By analyzing traffic patterns over a significant interval. (correct)

Which NIST step is focused on analyzing detected security incidents?

  • Detection and analysis. (correct)

Which of the following mechanisms can complement NetFlow for threat identification?

  • Syslog. (correct)

What information does NetFlow provide that assists in attack traceback?

  • Indicators of compromise (IOCs). (correct)

What is a key step to take before implementing anomaly-detection capabilities?

  • Perform traffic analysis to understand traffic rates. (correct)

Which phase of the NIST incident handling methodology does NetFlow significantly impact?

  • Preparation, and detection and analysis. (correct)

What behavior does an anomaly-detection system typically monitor?

  • Sudden increases in traffic and other anomalies. (correct)

How can analytics software enhance the use of NetFlow?

  • By examining baseline behaviors to detect deviations. (correct)

Which attack method involves controlling multiple compromised devices to target a single victim?

  • A coordinated DDoS attack using bot hosts. (correct)

In the context of NetFlow, what does data exfiltration refer to?

  • Transferring sensitive data out of the network without authorization. (correct)
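Several of the questions above describe the same detection loop: establish what "normal" looks like over a long interval, flag a sudden increase, and expect false positives from legitimate bulk transfers. The following Python is an added example of that loop over NetFlow-style records; it is not part of the quiz and not code from any Cisco product. It assumes 10.0.0.0/8 is the internal range, that 203.0.113.10 is an allowlisted backup target, a 3-sigma deviation test with a 50 MB absolute floor, and a 50-source fan-in threshold; every flow record is constructed for the illustration.

```python
"""Baseline-and-deviation detection over NetFlow-style flow records.

Added example. The records are constructed (not exported by a real device);
field names follow the NetFlow v5 record (srcaddr, dstaddr, srcport,
dstport, prot, dOctets) but every value is made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal address range
# Assumed allowlist of legitimate bulk-transfer destinations (an off-site
# backup target here); the address is hypothetical.
BULK_ALLOWLIST = {ip_address("203.0.113.10")}


@dataclass(frozen=True)
class Flow:
    interval: int   # export bucket (say, one 5-minute window) the flow fell in
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    octets: int


def outbound_bytes_per_host(flows):
    """Octets leaving the internal network, keyed by (interval, source host).

    Flows to allowlisted bulk destinations are skipped so that a nightly
    backup neither trips the detector nor inflates the baseline.
    """
    totals = defaultdict(int)
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src in INTERNAL and dst not in INTERNAL and dst not in BULK_ALLOWLIST:
            totals[(f.interval, f.src)] += f.octets
    return totals


def exfil_candidates(flows, current_interval, k=3.0, min_bytes=50_000_000):
    """Hosts whose outbound volume in current_interval exceeds
    mean + k*stddev of their own earlier intervals (the per-host baseline).

    min_bytes is an absolute floor: a host that normally sends almost
    nothing would otherwise alert on a few megabytes.
    Returns [(host, current_octets, threshold)].
    """
    history, current = defaultdict(list), {}
    for (interval, host), octets in outbound_bytes_per_host(flows).items():
        if interval < current_interval:
            history[host].append(octets)
        elif interval == current_interval:
            current[host] = octets
    hits = []
    for host, octets in current.items():
        past = history.get(host, [])
        if len(past) < 3:            # not enough history to call anything normal
            continue
        threshold = max(mean(past) + k * pstdev(past), min_bytes)
        if octets > threshold:
            hits.append((host, octets, threshold))
    return sorted(hits)


def ddos_targets(flows, current_interval, min_sources=50):
    """Internal (dst, dport, proto) tuples contacted by many distinct external
    sources in one interval: the fan-in signature of a coordinated flood."""
    sources = defaultdict(set)
    for f in flows:
        if f.interval != current_interval:
            continue
        if ip_address(f.dst) in INTERNAL and ip_address(f.src) not in INTERNAL:
            sources[(f.dst, f.dport, f.proto)].add(f.src)
    return sorted((key, len(s)) for key, s in sources.items() if len(s) >= min_sources)


def build_sample_flows():
    """Constructed sample: five quiet intervals, then a busy sixth one."""
    flows = []
    for i in range(5):   # baseline intervals 0..4
        # workstation: roughly 10 MB per interval of ordinary HTTPS
        flows.append(Flow(i, "10.0.1.20", "198.51.100.5", 51000 + i, 443, 6,
                          10_000_000 + i * 200_000))
        # backup host: 2 GB per interval to the allowlisted backup target
        flows.append(Flow(i, "10.0.2.9", "203.0.113.10", 40000, 873, 6, 2_000_000_000))
    # interval 5: the workstation pushes 400 MB to a host it never talked to
    flows.append(Flow(5, "10.0.1.20", "198.51.100.5", 51005, 443, 6, 9_800_000))
    flows.append(Flow(5, "10.0.1.20", "192.0.2.77", 51006, 443, 6, 400_000_000))
    flows.append(Flow(5, "10.0.2.9", "203.0.113.10", 40000, 873, 6, 2_100_000_000))
    # interval 5: 80 distinct external sources hit one internal web server
    for n in range(80):
        flows.append(Flow(5, f"198.18.1.{n + 1}", "10.0.0.80", 1024 + n, 443, 6, 60))
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    print("possible exfiltration:", exfil_candidates(flows, 5))
    print("possible DDoS targets:", ddos_targets(flows, 5))
```

Run against the constructed records, the workstation is flagged for interval 5 (about 410 MB against a 50 MB floor) while the backup host, which moves 2 GB every interval, never appears because it is allowlisted before the baseline is computed; the web server shows up as a DDoS target with 80 distinct sources. The per-host history of at least three intervals is what the quiz calls "a significant interval": with less history than that the detector stays silent rather than alerting on noise.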

    Study Notes

    Chapter 5: Network Visibility and Segmentation

    • Network Visibility: A critical component of any cybersecurity program, closely tied to control. Essential for managing multi-cloud environments.
    • Visibility Requirements: Must be flexible and improve security without relying on a single technology. Multiple technologies are used together to monitor network behavior.
    • Network as a Sensor: NetFlow provides deep visibility into network traffic, exposes unusual patterns, and helps detect compromised devices.
    • Network as an Enforcer: Cisco TrustSec can contain attacks by enforcing segmentation and controlling user access, limiting each user to only the relevant segments of the network.
    • Flow Definition: A unidirectional series of packets between a defined source and destination. In traditional NetFlow a flow is identified by seven key fields: source and destination IP address, source and destination port, Layer 3 protocol, type of service (ToS) byte, and input interface. The two directions of a TCP session are therefore two separate flows.
    • Flow Data: Collected by NetFlow-enabled devices; provides nonrepudiation, anomaly detection, and investigation capabilities.
    • NetFlow Uses: Measuring bandwidth, application performance, network capacity planning, and now also network security, including detection of DoS attacks.
    • IPFIX: The IETF standard for exporting network flow information, derived from NetFlow v9. A common format for exchanging flow information between network devices and collectors/analyzers.
    • Flexible NetFlow: Cisco's next-generation NetFlow; it can track extensive flow information and is more scalable and efficient than previous versions. Supports IPv6 and NBAR2.
    • NetFlow Versions: Multiple versions exist. v1 is a limited, IPv4-only version; v5 is the fixed-format version that has been most widely deployed; v9 is the template-based version and is the basis of IPFIX (sometimes referred to as NetFlow v10).
    • NetFlow Deployment Scenarios: User Access Layer (switches), Wireless LANs (WLCs), and Internet Edge (routers). Each has its own deployment considerations.
    • NetFlow for Anomaly Detection and DDoS Attack Mitigation: NetFlow monitors network traffic for deviation from normal patterns, and the resulting anomaly analysis can drive mitigation of DDoS and other attacks.
    • NetFlow for Network Security and Visibility: Provides nonrepudiation, anomaly detection, and investigative capabilities for security threats.
    • Cisco Cognitive Intelligence (formerly Cognitive Threat Analytics, CTA): Cloud-based solution using machine learning and statistical modeling, creating a baseline of network traffic and identifying anomalies.
    • Cisco Encrypted Traffic Analytics (ETA): Identifies malicious communications in encrypted traffic without decryption. Uses behavioral modeling and machine learning.
    • Cisco Secure Network Analytics (formerly Stealthwatch): A solution for aggregating, normalizing, and analyzing NetFlow data, offering a rich GUI for security analytics. Includes tools to monitor, analyze, and manage flows.
    • Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud): A cloud-native solution that provides network visibility and analysis capabilities for multiple public cloud environments (e.g., AWS, Google Cloud Platform, Azure).
    • Micro-segmentation with Cisco ACI: Automatically groups endpoints into logical security zones (EPGs) for granular policies. Uses attributes such as IP/MAC addresses and VM attributes.
    • Segmentation with Cisco ISE: Facilitates segmentation and policy enforcement. Learns IP-to-SGT mappings for dynamic user-based segmentation policies.
    • SXP (SGT Exchange Protocol): Enables SGT propagation even on devices that lack inline tagging. Supports complex or heterogeneous network environments.
    • Data Leak Detection: NetFlow supports identifying anomalous data flows leaving an organization and aids in understanding anomalous traffic patterns within it.
    • Incident Response, Threat Hunting & Network Forensics: NetFlow is useful for tracking communications, suspicious activity, and exfiltration within a network.
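To make the flow definition and the version notes above concrete, here is an added Python example (not part of the study notes and not Cisco code) that encodes and decodes NetFlow v5 export datagrams, the fixed-format version that predates the template-based v9/IPFIX. The header and record layouts are the documented v5 format; the two sample records, which are the two directions of a single HTTPS session, are constructed for the illustration, and the interface indexes and counters in them are made up.

```python
"""Encode and decode NetFlow v5 export datagrams.

Added example. The 24-byte header and 48-byte record layouts are the
documented v5 format; the addresses and counters pushed through them in
build_sample_records() are constructed, not captured from an exporter.
"""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")    # 48 bytes
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output",
                 "dPkts", "dOctets", "first", "last", "srcport", "dstport",
                 "pad1", "tcp_flags", "prot", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "pad2")
MAX_RECORDS = 30   # a v5 datagram carries at most 30 records


def _pack_record(r):
    return V5_RECORD.pack(
        int(IPv4Address(r["srcaddr"])), int(IPv4Address(r["dstaddr"])),
        int(IPv4Address(r.get("nexthop", "0.0.0.0"))),
        r.get("input", 0), r.get("output", 0),
        r["dPkts"], r["dOctets"], r.get("first", 0), r.get("last", 0),
        r["srcport"], r["dstport"],
        0, r.get("tcp_flags", 0), r["prot"], r.get("tos", 0),
        r.get("src_as", 0), r.get("dst_as", 0),
        r.get("src_mask", 0), r.get("dst_mask", 0), 0)


def encode_v5(records, sys_uptime=0, unix_secs=0, flow_sequence=0):
    """Build one export datagram (what an exporter sends over UDP)."""
    if not 1 <= len(records) <= MAX_RECORDS:
        raise ValueError(f"v5 datagrams carry 1..{MAX_RECORDS} records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    return header + b"".join(_pack_record(r) for r in records)


def decode_v5(datagram):
    """Parse a datagram into (header dict, [record dict, ...]).

    A collector must check the advertised count against the real length:
    trusting the header of a truncated or forged packet would read garbage.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not a v5 datagram (version={hdr['version']})")
    if hdr["count"] > MAX_RECORDS:
        raise ValueError(f"implausible record count {hdr['count']}")
    if len(datagram) < V5_HEADER.size + hdr["count"] * V5_RECORD.size:
        raise ValueError(f"header claims {hdr['count']} records, datagram is truncated")
    records = []
    for i in range(hdr["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        r = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        for field in ("srcaddr", "dstaddr", "nexthop"):
            r[field] = str(IPv4Address(r[field]))
        records.append(r)
    return hdr, records


def flow_key(r):
    """The seven key fields that define a unidirectional flow in traditional
    NetFlow: src/dst IP, src/dst port, protocol, ToS byte, input ifindex."""
    return (r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"],
            r["prot"], r["tos"], r["input"])


def build_sample_records():
    """Constructed: both directions of one HTTPS session, i.e. two flows."""
    return [
        {"srcaddr": "10.0.1.20", "dstaddr": "198.51.100.5", "srcport": 51000,
         "dstport": 443, "prot": 6, "dPkts": 12, "dOctets": 1480,
         "tcp_flags": 0x1b, "input": 1, "output": 2},
        {"srcaddr": "198.51.100.5", "dstaddr": "10.0.1.20", "srcport": 443,
         "dstport": 51000, "prot": 6, "dPkts": 10, "dOctets": 9200,
         "tcp_flags": 0x1b, "input": 2, "output": 1},
    ]


if __name__ == "__main__":
    dg = encode_v5(build_sample_records(), sys_uptime=123456,
                   unix_secs=1_700_000_000, flow_sequence=42)
    hdr, recs = decode_v5(dg)
    print(f"{len(dg)} bytes, version {hdr['version']}, {hdr['count']} records")
    for r in recs:
        print(flow_key(r), "octets:", r["dOctets"])
```

Two points worth noticing when running it: the client-to-server and server-to-client halves of the session come back with different flow keys, which is what "unidirectional" in the flow definition means in practice, and the decoder refuses a datagram whose header advertises more records than the packet actually carries. The length check matters because v5 and v9 exports are plain UDP with no authentication or integrity protection (IPFIX additionally allows SCTP and TCP, optionally under DTLS/TLS), so a collector should accept exports only from known exporter addresses, preferably over a management network, and never trust a header field it has not bounded.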

    Description

    Test your knowledge on the role of NetFlow in detecting DDoS attacks and identifying suspicious activities in network traffic. This quiz explores various aspects of network forensics and incident response, including the challenges faced by traditional tools and how NetFlow can enhance security measures.
