How useful are Flows for detecting advanced threats?

A friend of mine wrote a nice blog article where he talks about detecting advanced threats with flows. The post aims to outline arguments for and against using netflow for advanced threat detection. In the setup for the article, he writes:

“…it is a discussion on whether having only shallow header data and no payload (no application layer / L7, no HTTP, no DNS details, no raw PCAP, etc) – and NO endpoint data gives us a decent shot – a shot worth taking, essentially. Is netflow a shot worth taking?”

A few interesting arguments for the use of netflow include:

  • Flows can give internal network visibility (think lateral movement, internal recon, staging, etc) that is often impossible to get with logs and hard to get with full traffic capture (need too many capture points)
  • Flow information processed by some magical ([Machine Learning] or otherwise) [technology] increases otherwise low information density of flow data and can lead to great insights and detections
  • If you happen to possess a surprisingly high level of awareness of what is normal on your network (such as on OT, ICS / SCADA, etc networks), flow is all you need

A few notable arguments against the use of netflow include:
  • Flows never produce enough certainty to give a credible conviction (bad / not bad) for any activity; many “this is certainly bad” activities often end up being legit (yes, our IT today is that weird)
  • Flows are great to validate what you detected by other means (“ah, so they connected to X after their browser exploit worked”), but not as primary/initial means of threat detection

You can read the post for the other arguments.

1. Do you agree with the author’s arguments?

2. Have you seen netflow used successfully for advanced threat detection?

3. What other technologies can netflow be paired with for effective defensive cyber operations?
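To make the “for” and “against” arguments above concrete, here is an added example (my own code, not from the post or the blog it discusses) that runs two simple detections over flow records: internal port-sweep recon and lateral-movement fan-out over admin ports. Everything in it is an assumption: the flow records are constructed, the internal ranges and “admin” port set are hypothetical, and the known-admin-host allowlist stands in for the “you know what is normal” argument. The triage output deliberately labels every hit as needing validation from endpoint or L7 data, which is the “flows alone don’t convict” argument in code.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical internal address space and "admin" ports (assumptions for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 135, 445, 3389, 5985}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow(src, dst, dport, proto=6, nbytes=60, packets=1):
    """One minimal flow record: header-level fields only, no payload."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "bytes": nbytes, "packets": packets}


def build_sample_flows():
    """Constructed sample data (not real traffic)."""
    flows = []
    # A host sweeping 30 ports on one internal neighbour (internal recon).
    flows += [flow("10.0.5.7", "10.0.5.20", p) for p in range(1, 31)]
    # A workstation reaching SMB on eight internal hosts (lateral-movement shape).
    flows += [flow("10.0.1.9", f"10.0.2.{i}", 445, nbytes=4000, packets=20) for i in range(1, 9)]
    # A backup server reaching SSH on six hosts: same shape, but expected on this network.
    flows += [flow("10.0.9.1", f"10.0.3.{i}", 22, nbytes=900000, packets=800) for i in range(1, 7)]
    # Ordinary noise: web browsing and DNS.
    flows += [flow("10.0.1.5", "93.184.216.34", 443, nbytes=52000, packets=70),
              flow("10.0.1.5", "10.0.0.53", 53, proto=17, nbytes=120, packets=2)]
    return flows


FLOWS = build_sample_flows()


def detect_internal_recon(flows, min_ports=20):
    """(src, dst) pairs where one internal host touched many distinct ports on another."""
    ports = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_lateral_fanout(flows, min_hosts=5, known_admin_hosts=frozenset()):
    """Sources reaching admin ports on many internal hosts, minus the known-normal allowlist."""
    targets = defaultdict(set)
    for f in flows:
        if (is_internal(f["src"]) and is_internal(f["dst"])
                and f["dport"] in ADMIN_PORTS and f["src"] not in known_admin_hosts):
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


def triage(flows, known_admin_hosts=frozenset()):
    """Collect findings; every one is a lead to validate, never a conviction on its own."""
    findings = []
    for (src, dst), n in detect_internal_recon(flows).items():
        findings.append({"kind": "internal_recon", "src": src, "dst": dst,
                         "evidence": f"{n} distinct dports",
                         "status": "needs validation (endpoint/L7 data)"})
    for src, dsts in detect_lateral_fanout(flows, known_admin_hosts=known_admin_hosts).items():
        findings.append({"kind": "lateral_fanout", "src": src, "dst": dsts,
                         "evidence": f"{len(dsts)} hosts on admin ports",
                         "status": "needs validation (endpoint/L7 data)"})
    return findings


if __name__ == "__main__":
    for finding in triage(FLOWS, known_admin_hosts={"10.0.9.1"}):
        print(finding)
```

Run without the allowlist and the backup server shows up next to the suspicious workstation; add it to `known_admin_hosts` and only the workstation remains. That is the whole argument in miniature: the flow data sees the shape of the activity, but deciding whether the shape is bad takes either knowledge of what is normal or a second data source.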