Whether you’re working with netflow data collected from your own devices, flow logs from a cloud provider, or purchasing data from netflow providers, you may find it challenging to get immediate value out of it. Not only is there a vast amount of data to hunt through, but it can be challenging to fully understand what is happening based on netflow logs alone. While there are plenty of benefits to collecting and analyzing flow data, these challenges can make it difficult to use the data day-to-day to support investigations.
In order to start using netflow effectively in an investigation, it’s important to have a good understanding of the network and an established baseline of activity. This makes it easier to distinguish between normal traffic on the network and anomalous traffic that should trigger alerts to your team. Beyond defining these baselines, netflow data often needs to be correlated with additional sources such as alerts from the firewall and threat intelligence data to better understand particular flows and further establish patterns and relationships in the connections.
Even with these baselines defined and alerts being created using correlated data, oftentimes users still need to hunt though a massive amount of flow data to identify malicious activity that might have been missed. Outside of looking at deviations from a baseline it can be challenging to determine where to start investigating.
This is where GreyNoise can help! Filtering opportunistic and mass scan activity with data gathered from GreyNoise’s sensor network fast-forwards the process, allowing analysts and threat hunters to identify suspicious activity and find targeted threats that might have been missed by other detections . GreyNoise also provides information on infrastructure used by common business services, which can be used to filter egress netflow traffic and hunt for malicious activity leaving the network.
Taking this one step further, let’s look at organizations purchasing commercial netflow data from different sources. Oftentimes these groups combine this data with internet scanning services like Censys or Shodan in order to identify C2 beacons. While taking a proactive approach like this can help identify infrastructure and compromised systems earlier, there is still a lot of data to sift through. Instead, let’s use GreyNoise as a first pass filter to remove IP addresses that are saturating these sources and focus the investigation to find the signal in the noise.
While the volume of data may present a challenge, flow data also does not always contain all of the necessary information needed to act on. Oftentimes this data needs to be correlated with other sources of data to have a true understanding of the activity observed. Using VPC flow logs as an example, instead of just filtering out the noise, users may also want to identify malicious IP addresses accessing their assets. In this case, enriching the data with GreyNoise provides insight into how these IPs operate and highlights access attempts that may violate defined policies.
Netflow data provides a solid option for understanding who is doing what on the network but comes with an operational challenge based on the volume of traffic and the lack of details in the data. In order to address these challenges: