As we have seen before, MIMIC lets you simulate the flow exporters (e.g., NetFlow, IPFIX, sFlow) 
and SNMP agents of many virtual devices. You can fully customise the flow records and device 
behaviour: set source/destination IPs, protocols, ports, packet/byte counts, export intervals, etc. 
You can also manipulate the instrumentation of the agents' MIBs in real time while the simulation 
runs: change MIB object values, add/remove MIB table entries, send traps, etc.
NetObserv is a network-flow and telemetry analytics platform: it ingests flows 
(NetFlow/IPFIX/sFlow) and SNMP/telemetry data, normalises and enriches them, and then provides 
dashboards, alerts, and security/operational analytics. On the security side, NetObserv 
can detect things like port scans, unusual protocol usage, data exfiltration attempts, 
link saturation, routing anomalies and DDoS, among others.
When you combine the two tools, you get a controlled lab environment in which you simulate 
threat scenarios with MIMIC and then verify that your NetObserv setup detects them. 
Here is how you can customise threat detection:
1. Simulate specific malicious/abnormal flows
Your simulated flow source(s) export flows that model the behaviour you want to detect: traffic 
to many ports, unusual source/destination combinations, unexpected protocol usage, high-volume 
flows from internal to external hosts, etc.
Your SNMP agents can put simulated devices or network segments into abnormal states that might 
reflect threat behaviour (e.g., interfaces flapping up/down, unexpected routing changes, 
high error rates).
Because you control every field in the flow record and every instrumented MIB value, you can 
test how NetObserv behaves when vendor-specific fields are present, when flows are malformed, 
or when source addresses are spoofed.
 
2. Configure NetObserv rules/analytics to catch your scenarios
Once the simulated flows appear in NetObserv, you can inspect how the detection logic 
(alerts, machine-learning models, anomaly detectors) handles them.
You can then fine-tune thresholds, detection logic, filters and enrichment settings so that your 
crafted malicious/abnormal flows trigger the appropriate alerts (and legitimate traffic does not 
trigger false positives).
For example: if you simulate "data exfiltration" flows (large outbound flows at odd hours 
to unknown destinations), you can validate that NetObserv flags them; if it does not, you adjust 
the detection rule.
Because you have full control of the simulation, you can also test edge cases: low-volume stealth 
exfiltration that stays under a per-flow threshold, internal lateral movement, scanning disguised 
as normal traffic, etc.
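As an added illustration (this is not MIMIC or NetObserv code and is not from the original article), the Python below runs two hypothetical detection rules of the kind described in steps 1 and 2 over constructed flow records that imitate what a simulated exporter would emit: a port scan, a bulk off-hours upload, a low-and-slow upload that never exceeds a per-flow threshold, and a legitimate nightly backup that a naive rule flags until an allowlist is added. The addresses, thresholds, field names, internal-network definition and rule names are all assumptions chosen for the example.

```python
"""Added example (not MIMIC or NetObserv code): toy flow-based detection rules
run over constructed flow records, to show the 'tune the rule, then re-test'
loop. All addresses, thresholds and field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed definition of "inside": the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow(src, dst, sport, dport, proto, nbytes, start):
    """One flow record carrying the fields a NetFlow/IPFIX exporter would emit."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "bytes": nbytes, "start": start}


def detect_port_scans(flows, min_ports=20, window=timedelta(seconds=60)):
    """Alert when one source touches >= min_ports distinct destination ports on
    one host within a sliding time window (rule and thresholds are assumed)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append((f["start"], f["dport"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= min_ports:
                alerts.append({"rule": "port_scan", "src": src, "dst": dst,
                               "ports": len({p for _, p in events})})
                break
    return alerts


def detect_exfiltration(flows, burst_bytes=50_000_000, daily_bytes=50_000_000,
                        quiet_hours=range(0, 6), allowed_dsts=frozenset()):
    """Two complementary outbound-transfer rules (both assumed):
    exfil_burst: one internal->external flow of >= burst_bytes during quiet hours;
    exfil_slow:  bytes from one internal host to one external host summed over a
                 calendar day reach daily_bytes, even if every flow is small.
    allowed_dsts is the tuning knob: known backup/CDN hosts that must not alert."""
    alerts, daily, burst_pairs = [], defaultdict(int), set()
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external traffic can be exfiltration
        if f["dst"] in allowed_dsts:
            continue
        pair = (f["src"], f["dst"])
        if (f["bytes"] >= burst_bytes and f["start"].hour in quiet_hours
                and pair not in burst_pairs):
            burst_pairs.add(pair)
            alerts.append({"rule": "exfil_burst", "src": f["src"],
                           "dst": f["dst"], "bytes": f["bytes"]})
        daily[pair + (f["start"].date(),)] += f["bytes"]
    for (src, dst, day), total in daily.items():
        if total >= daily_bytes and (src, dst) not in burst_pairs:
            alerts.append({"rule": "exfil_slow", "src": src, "dst": dst, "bytes": total})
    return alerts


T0 = datetime(2024, 5, 6, 3, 0, tzinfo=timezone.utc)  # constructed: 03:00 UTC, quiet hours


def constructed_flows():
    """Constructed records standing in for what a simulated exporter would send."""
    flows = []
    # Baseline: a workstation browsing an external site during office hours.
    for i in range(10):
        flows.append(flow("10.0.1.5", "93.184.216.34", 50000 + i, 443, 6, 20_000,
                          T0 + timedelta(hours=7, minutes=i)))
    # Port scan: 40 TCP ports on one internal server probed within 30 seconds.
    for p in range(1, 41):
        flows.append(flow("10.0.1.9", "10.0.2.10", 40000 + p, p, 6, 60,
                          T0 + timedelta(seconds=0.75 * p)))
    # Bulk exfiltration: one 120 MB upload to an unknown host at 03:12.
    flows.append(flow("10.0.1.7", "203.0.113.45", 51234, 443, 6, 120_000_000,
                      T0 + timedelta(minutes=12)))
    # Stealth exfiltration: 200 uploads of 400 KB, six minutes apart (80 MB that day).
    for i in range(200):
        flows.append(flow("10.0.1.8", "198.51.100.20", 52000 + i, 443, 6, 400_000,
                          T0 + timedelta(minutes=6 * i)))
    # Legitimate nightly backup: 500 MB to the backup provider at 02:00.
    flows.append(flow("10.0.1.20", "203.0.113.9", 53000, 443, 6, 500_000_000,
                      T0 - timedelta(hours=1)))
    return flows


def run_detections(flows, allowed_dsts=frozenset()):
    return detect_port_scans(flows) + detect_exfiltration(flows, allowed_dsts=allowed_dsts)


if __name__ == "__main__":
    flows = constructed_flows()
    print("untuned:", run_detections(flows))   # the backup host shows up as a false positive
    print("tuned:  ", run_detections(flows, allowed_dsts={"203.0.113.9"}))
```

Untuned, the burst rule fires twice (the real exfiltration and the backup job), the daily-sum rule catches the stealth upload that no single-flow threshold would see, and the port scan is flagged once. Adding the backup host to the allowlist is the kind of adjustment the text describes: the false positive disappears while the three true alerts remain, which is the property you would re-check after every rule change.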
The following YouTube video shows this in 3 minutes: