Software Engineering Institute

A network of any size implements many missions critical to your organization's operations and represents dozens if not hundreds of trust relationships: trusted access trusted links and trusted data. A breach that casts doubt on the integrity or confidentiality of any network component also casts doubt on anything that trusted that component.

In the aftermath of a security breach then it is vital to determine which parts of your network's missions have potentially been compromised and so should not be trusted. This includes not only those hosts that have been logged into but also those that have received adversary-influenced data (and thus potentially lost integrity) and those that have sent data to a compromised host (potentially losing confidentiality). This loss of trust propagates forward and backward in time from a breach according to the potential loss of integrity and confidentiality respectively.

In this FloCon presentation, we demonstrate the use of NetFlow to track the spread of negative trust through a network as the result of a breach. NetFlow provides sufficient information about data flow and application to make reasonable assumptions about the trust relationships being potentially exercised (or exploited) In this talk we propose a simple set of NetFlow session classification rules to minimize false positives without ignoring potential dangers and a simple heuristic by which to apply these rules in real time. By tracking this spread network operators will be able to quickly determine which business processes are affected by an attack perform triage of those systems likely affected and ultimately get back to fully-trusted operations faster.