NetFlow is Key to Stopping Criminals and Making a More Secure Internet
Team Cymru was founded in 2005 by Internet experts who designed and managed networks and the routers that make them function. Today, our team comprises former Internet Service Provider (ISP) engineers, enterprise network engineers, analysts, investigators, and other technical specialists.
Network defenders need the insight provided by a type of data called “NetFlow” and rely on us to help keep Internet users and private citizens safe from malicious activity. We have a long-established reputation in the InfoSec community as ethical experts on NetFlow and the malevolent infrastructures used to compromise devices. As custodians of Pure Signal, the world’s largest data ocean of cyber threat intelligence and digital risks, we are uniquely qualified to explain all aspects of NetFlow.
NetFlow is a fundamental part of how the Internet works, providing insights into traffic volume and flow. It is important to understand what it is so that you can become better informed about this fundamental part of everyday digital communications.
The Internet is a massive network of interconnected routing devices that manage internet “traffic,” ultimately guiding the traffic to its destination. For example, a webpage (considered a type of internet “traffic”) is not transmitted simultaneously because of its relatively massive size. Instead, it gets chopped into thousands of pieces called “packets.” NetFlow is the record keeper of those “packets” passing through a router. Frequently, NetFlow is sampled by the network device, meaning that typically only 1 out of every 3000 to 10,000 packets are recorded.
NetFlow records contain the source IP address, destination IP address, protocols, ports, packet counts that a network device has seen, and the timestamp of when the traffic passes. NetFlow data does not contain information about the connection’s actual message content.
How is NetFlow Used?
​NetFlow is used for specific purposes in managing and maintaining network performance, including billing, traffic engineering, troubleshooting, cyber security incident response, and threat intelligence. NetFlow also has a unique role and value in detecting threats. It provides detailed information about network traffic, including the source and destination of packets, the types of protocols being used, and the amount of data being transferred. By analyzing this data, security teams can gain insights into network behavior that can be used to identify potential security threats. NetFlow is uniquely suited to illuminate and map malicious network devices so one can block the infected computers to defend one’s own network. The reason malicious actors are so challenged by NetFlow data when they try to hide these malicious network devices is because they can’t hide from it. NetFlow data is unlike other records and logs, which hackers and viruses can alter or delete after their intrusion. NetFlow has been used for decades and remains a valuable tool to thwart malicious activity such as ransomware, hacking, and other internet-based criminality. It doesn’t track humans, but it’s perfect for mapping common and advanced threats: from Phishers to Nation States.
Why is NetFlow Critical for Monitoring Malicious Activity and Stopping Criminals?
NetFlow does not indicate the nature of the communication or provide information about the content, geography, or user. NetFlow is an indicator of IP-to-IP communications, which is essential to understand how a virus interacts within or between networks. That knowledge, combined with other data, enables analysts to have visibility of the malicious computer controlling the virus. It leaves criminals and their activity fully exposed.
-
Importantly, NetFlow does not need to be collected on an infected system, so it can’t be deleted when hackers clean up logs to hide their activities. This makes NetFlow a powerful tool when investigating breaches. Malicious traffic generated by malware, botnets, viruses, spyware, etc., has periodicity and persistence characteristics, allowing an analyst to identify it among non-malicious traffic, making it very useful for defending networks and systems.
As powerful as NetFlow is for network defense and cyber threat intelligence, it cannot be used in isolation because it needs a starting point. Analysts need to first determine specific items of interest via some other mechanism, such as IP addresses identified by incident responders or through malware sandboxing. Only once they have this starting point can they utilize effective NetFlow as part of their investigation.
What Can NetFlow Do, and What it Can't Do with Information Gathered?
Nothing in NetFlow data relates to a person, content, or geography. It includes an indicator of the packet size and count, yet it doesn’t contain any details about the content of the packets. This means NetFlow does not have any user identifiers, including any references to the geography or identity of the individual. NetFlow cannot break encryption. It isn’t useful in isolation. It’s impractical for monitoring non-malicious user activity. NetFlow can’t provide content, insight into content, of any online communication.
For example, when analyzing NetFlow, you could see that one IP sent traffic to another. However, the NetFlow record doesn’t contain any content. In the example of an email packet, NetFlow doesn’t see or include the “To,” “From,” “Subject,” or any content of the email message.
NetFlow and Team Cymru
Team Cymru provides aggregated and summarized access to sampled NetFlow, which differs from the standard NetFlow an organization could gather from its own private networks.
Team Cymru’s focus with its NetFlow is to enable analysts to locate, monitor, and track compromised and malevolent Internet devices. Access to NetFlow data via the Team Cymru products and services is limited due to restrictions placed on the data set, which is sampled NetFlow, not all NetFlow data. As a result, none of our products or platforms contain any data relating to the type, usage, or users of Internet services, nor the granularity of standard NetFlow.
To inhibit and control how sampled NetFlow can be used, none of our Community or Commercial products or services allow a user access to “bulk” volumes of NetFlow.
How Team Cymru Controls Access to Sampled NetFlow
​Our mission is “To Save and Improve Human Lives.” As part of our commitment to a safer and more secure Internet, we go to great lengths to ensure that we qualify our prospective customers. We prohibit customers from using our products other than for intended use cases and as allowed in our license agreements and terms of service. We do not do business with entities that go against our own mission. We also maintain a list of countries we don’t do business with based on OFAC, US State Department lists, and our own list of diplomatically troublesome countries. In addition to our commercial products, we provide data and insight through our Community Services to Internet defenders and network operators worldwide on a pro-bono basis.
Team Cymru Strictly Follows Regulatory Compliance and Laws
Team Cymru regularly reviews and complies with all applicable laws and regulations where we operate. Our data is lawfully collected, stored, and processed. The data that underpins our products and platforms is lawfully handled and compliant with all applicable data privacy regulations, including GDPR, CPRA, and other applicable US state and national privacy legislation.
We operate beyond best practices. Our dedicated team maintains strict compliance with all applicable data protection laws. Our privacy and data handling policies have been reviewed by our customers, including some of the world’s largest, most sophisticated organizations. We have been consistently found to be compliant with such data protection laws.
In addition, we undertake a privacy review with our prospective customers. To do this, we share our data handling policy and practices, then discuss with the representatives of the potential customer’s data, privacy, and legal teams to candidly address any questions. This also serves as a crucial double-check that the potential customer’s intended use case fits our end user licensing terms, our privacy policies, and cleaves to all applicable laws.
The Future of NetFlow Analysis
As cyber risks aggressively grow from malicious actors and internet criminals, sampled NetFlow remains central to how the Internet is defended and remains an essential tool in the cyber defender’s toolkit. It has been used for decades and remains the only tool available in many cases to thwart malicious activity such as ransomware, hacking, and other internet-based criminality.
Privacy is maintained by law, policy, and the design and technical limitations of NetFlow - it simply can’t be turned into a packet collector or a tool for identifying and tracking individuals.
As the world becomes more volatile and the costs of compromise increase exponentially, as seen in the case of ransomware, it is imperative that cyber defenders have access to a powerful tool that aligns with the need to defend a network and protect privacy – that tool is NetFlow.