NetFlow

First designed by Cisco Systems in 1996, NetFlow is a feature of network devices such as switches and routers that lets network administrators monitor traffic within the network. Rather than capturing packet contents, a NetFlow-capable device summarizes each unidirectional stream of packets (a flow) into a record of who talked to whom, over which ports and protocol, when, and how many packets and bytes were exchanged. NetFlow is not strictly a security tool, but those records give incident responders a good deal of data in the event of an incident. Network devices export NetFlow over UDP to a central collection point, often called the NetFlow collector. Because the export is unauthenticated and UDP offers no delivery guarantee, the collector should sit on a protected management network, and analysts should expect occasional gaps in the records rather than treat them as a complete packet-level account.

In a security context, NetFlow provides deep insight into the internal traffic of systems as they communicate with each other. This is often referred to as east-west traffic, as opposed to north-south traffic, which describes internal systems communicating with external systems through the perimeter firewall. For example, the following diagram shows a simple network. In a real-world scenario, an attacker may compromise a system on the 10.10.2.0/24 subnet. From there, they may attempt to pivot to a file server on the 10.10.1.0/24 subnet. Once there, they can acquire confidential data and move it back to the compromised system for exfiltration. Each of those steps leaves flow records: the switches forward NetFlow data to the collector that includes the source and destination IP addresses, ports, protocol, timestamps, and packet and byte counts. Because NetFlow records are unidirectional, a file copy from the server appears as one record in each direction, with the bulk of the bytes on the server-to-workstation side; the same volume leaving the workstation for an external address shortly afterwards is the pattern an analyst looks for. Perimeter devices typically see only the final north-south hop, so this data is critical in providing incident response analysts with details that they might not otherwise acquire.
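The scenario above, worked through in code as an added example (this is not code from the book or from any collector product). The block packs a NetFlow v5 export datagram the way an exporter would, decodes it the way a collector would, classifies each record as east-west or north-south, and then flags hosts that pulled a large volume from another internal subnet and pushed a comparable volume out through the perimeter. The host addresses, byte counts and the 1 MB threshold are constructed for the illustration: 10.10.2.25 is assumed to be the compromised workstation, 10.10.1.10 the file server, and 203.0.113.50 an external drop site (an RFC 5737 documentation address).

```python
"""Added example, not code from the book: pack a NetFlow v5 export datagram the
way a switch would emit it, parse it the way a collector would, and run a simple
east-west / north-south check that flags the pivot-then-exfiltrate pattern.

Hosts, subnets and byte counts below are constructed for the illustration:
10.10.2.25 is the assumed compromised workstation, 10.10.1.10 the file server,
203.0.113.50 the external drop site (an RFC 5737 documentation address).
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout (big-endian): a 24-byte header followed by
# `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, sys_uptime, unix_secs,
                                         # unix_nsecs, flow_sequence, engine_type,
                                         # engine_id, sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop,
                                         # input, output, dPkts, dOctets, first, last,
                                         # srcport, dstport, pad1, tcp_flags, prot, tos,
                                         # src_as, dst_as, src_mask, dst_mask, pad2

INTERNAL_SUBNETS = [ipaddress.ip_network("10.10.1.0/24"),
                    ipaddress.ip_network("10.10.2.0/24")]

# Constructed flows: (src, dst, sport, dport, proto, octets, packets).
# NetFlow is unidirectional, so one SMB download appears as two records.
SAMPLE_FLOWS = [
    ("10.10.2.25", "10.10.1.10", 51000, 445, 6, 48_000, 600),        # requests to file server
    ("10.10.1.10", "10.10.2.25", 445, 51000, 6, 2_400_000, 1_800),   # file content back
    ("10.10.2.25", "203.0.113.50", 51001, 443, 6, 2_350_000, 1_700), # same volume pushed out
    ("10.10.2.30", "10.10.1.10", 51002, 445, 6, 12_000, 150),        # ordinary SMB session
    ("10.10.1.10", "10.10.2.30", 445, 51002, 6, 90_000, 120),
    ("10.10.2.30", "198.51.100.20", 51003, 443, 6, 35_000, 90),      # ordinary web browsing
]


def build_v5_datagram(flows, uptime_ms=600_000, unix_secs=1_700_000_000, seq=0):
    """Pack flows into one NetFlow v5 UDP payload (what an exporter sends)."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = bytearray()
    for src, dst, sport, dport, proto, octets, pkts in flows:
        body += V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0,
            1, 2, pkts, octets, uptime_ms - 30_000, uptime_ms,
            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return bytes(header + body)


def parse_v5_datagram(data):
    """Decode a v5 datagram into flow dicts, rejecting wrong versions and truncation."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated datagram: header promises {count} records")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(ipaddress.IPv4Address(f[0])),
                        "dst": str(ipaddress.IPv4Address(f[1])),
                        "pkts": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "proto": f[13]})
    return records


def subnet_of(ip):
    """Return the internal subnet containing ip, or None for external addresses."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in INTERNAL_SUBNETS if addr in n), None)


def classify(rec):
    """east-west: both ends internal; north-south: one end crosses the perimeter."""
    s, d = subnet_of(rec["src"]), subnet_of(rec["dst"])
    if s and d:
        return "east-west"
    if s or d:
        return "north-south"
    return "transit"


def find_staging_and_exfil(records, threshold=1_000_000):
    """Hosts that received >= threshold bytes from another internal subnet and
    also sent >= threshold bytes out through the perimeter. Bytes are credited
    to the receiving end of each unidirectional record, so the server->client
    reply flow is what counts as 'pulled'."""
    pulled, pushed = defaultdict(int), defaultdict(int)
    for r in records:
        kind = classify(r)
        if kind == "east-west" and subnet_of(r["src"]) != subnet_of(r["dst"]):
            pulled[r["dst"]] += r["octets"]
        elif kind == "north-south" and subnet_of(r["src"]) is not None:
            pushed[r["src"]] += r["octets"]
    return sorted(h for h in pulled
                  if pulled[h] >= threshold and pushed[h] >= threshold)


if __name__ == "__main__":
    recs = parse_v5_datagram(build_v5_datagram(SAMPLE_FLOWS))
    for r in recs:
        print(f"{classify(r):11s} {r['src']:>14s}:{r['sport']:<5d} -> "
              f"{r['dst']:>14s}:{r['dport']:<5d} proto={r['proto']} bytes={r['octets']}")
    print("staging + exfil suspects:", find_staging_and_exfil(recs))
```

Two points the code makes that the prose cannot: the byte threshold has to be applied to the reply direction of the east-west session, because the workstation's own requests to the file server are tiny, and a v5 collector must check the version and the record count against the datagram length before trusting the header, since exporters speak UDP and a short or foreign datagram would otherwise be mis-parsed.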

Configuring NetFlow depends on the type and manufacturer of the network components: Cisco devices export NetFlow v5 or the template-based v9, other vendors speak the IETF standard IPFIX or sFlow, and most collectors accept all of these. Flow export should be enabled on the internal distribution and access switches, not only on the perimeter, since east-west visibility is the point; and if a platform can only export sampled flows, analysts must remember that byte counts and short sessions will be approximate or missing. There is also a wide range of collectors and analysis tools that can be leveraged depending on budgetary and other resources. One of the advantages of including NetFlow analysis in overall network operations is that it not only provides data to the incident response team but is also highly useful in day-to-day network operations, such as hunting down latency or other communication issues. This dual purpose makes it easier to justify as part of the overall network operations.
