Cyber Security: January 2017

Netflow Data Analysis
This series will cover analyzing the common data types found in cyber security incidents; Netflow, Domain(s) & IP address(es), PCAP. The format of the posts will be as follows Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.

The information in this blog is design to help people analyzing Netflow data. There are many programs which can automate the manipulation and organization of Netflow data for the end user. I believe it is always a good idea to know how to perform these task manually because every environment will be different.

Background
Having a working understanding of the Threeway Handshake, Session Flags, Port Numbers, and Domain Name System (DNS) are essential to being able to read Netflow data.

A. Threeway Handshake

Threeway Handshake is used to establish a connection between a client and a server.
Client is a device which request services.
Server is a provider of services to clients.
Threeway Handshake Process:

Client sends a "SYN" flag to the server
Server responses with "SYN-ACK"
Client sends a "ACK" flag
The connection is now complete.

B. Session Flags [1]

URG (1 bit) indicates that the Urgent pointer field is significant
ACK (1 bit) indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
PSH (1 bit) Push function. Asks to push the buffered data to the receiving application.
RST (1 bit) Reset the connection SYN (1 bit) Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
FIN (1 bit) No more data from sender

C. Port Numbers [2]

Port Numbers can be linked to certain applications and services to give one a better idea of the type of activity which is occurring during the communication they are observing.
Port number: 1 - 1023 well know server services.
Port numbers 1024 - 5000 ephemeral port numbers.
An ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically from a predefined range by the TCP/IP software.

D. Domain Naming System (DNS)

DNS interactions are required for all internet activity.
DNS Process:

Client issues a DNS query.
A DNS Server accepts the query.
If the first DNS server does not know the answer to the query request, then it will ask additional DNS servers.
When the DNS server receives the answer to the DNS query, it returns the Domain to the client.

Concepts & Techniques
The Netflow data is used to confirm activity through correlation of information across different mediums. For example correlating network traffic with system logs to determine what the system was doing at the specific point in time. When analyzing Netflow data keep the following in mind:

Netflow data can be queried like a database.
Organize the data according to the "Time" field preferably the start time option.
You may not be able to see the complete session due to network a lack of network coverage.
Go back a week or a month from the initial date of the suspicious traffic in order to try and establish a normal behavioral pattern to compare the infected system to.
A few common attacks that can be observed in Netflow:

Beaconing
DDoS
TCP Reset attack

Tools
The list tools are free open source tools for Linux and Windows respectively:

These tools will allow you to capture Netflow data from the network interface of your PC. I recommend practicing observing the Netflow data from your PC while it is idle in order to see which services are continuously communicating with the internet and browsing the web.

Recommended Reading and/or Videos