4.3 Flashcards

1
Q

Vulnerability scan output

A

Vulnerability scanning identifies lack of security controls, weak security controls, and common misconfigurations. IT pros review the vulnerability scan output to determine whether they need to implement any new security controls, strengthen existing security controls, or make configuration changes and, if so, determine the order of priority.

2
Q

SIEM dashboards

A

A SIEM dashboard presents the analyzed data in a way that makes sense to those monitoring the data and informs them of incidents taking place. Most SIEM dashboards provide graphs and counters.

3
Q

SIEM dashboards Sensors

A

If an incident is taking place at a certain point, which sensor is giving that information? The sensor list or sensor warning provides that information.

4
Q

SIEM dashboards Sensitivity

A

How sensitive is a certain setting that might detect an incident? Too high and you’ll get false positives. Too low and you’ll get false negatives.

5
Q

SIEM dashboards Trends

A

Certain incidents make more sense when seen as a trend as opposed to an alert. Network usage is one good example. Techs can watch usage grow on a chart and consider those implications, as opposed to just getting some alert. Anyone who owns an automobile with an oil pressure gauge instead of an idiot light knows this feeling.

6
Q

SIEM dashboards Alerts

A

Alerts enable the SIEM dashboard to inform the person(s) monitoring of a potential incident. This can be a warning ribbon at the bottom of the screen, an audible alarm, or a log entry shown in red.

7
Q

SIEM dashboards Correlation

A

A good dashboard will recognize relationships between alerts and trends and in some way inform the person(s) monitoring of that correlation. This is often presented as line graphs with multiple data fields.

8
Q

Network log files

A

A network log varies by the type of device using the network. A router might have a network log that tracks the number of connections per hour on every route. A switch might record packets per second for each VLAN. On an individual host, you might log the usage of a particular NIC.

9
Q

System log files

A

A system log file records issues that directly affect a single system but aren’t network functions. System log files will show reboots, executable files starting, and edited files on the system, for example.

10
Q

Application log files

A

An application may have its own log file. What appears in this application log file requires some knowledge of the application that is using the log. Probably one of the most common application logs is for a Web server. Web server software is an application to share Web pages.

11
Q

Security log files

A

Both systems and applications typically include security logs that record activities that potentially impact security. Security logs might track all successful and/or unsuccessful logon attempts. They track the creation or deletion of new users and also keep track of any permission changes to resources within the system or application.

12
Q

Web log files

A

In this case, since we know what Web servers do, we can assume the Web log keeps track of the number of pages served per hour/minute, perhaps even a listing of the different IP addresses asking for the Web page, or maybe the number of malformed HTTPS packets.

13
Q

DNS log files

A

Any good DNS server is going to keep a log. DNS logs are application logs that keep track of things appropriate to a DNS server application. DNS logs typically include entries for activities such as the creation of new forward lookup zones, cache updates/clearing, and changes to critical settings like root server.

14
Q

Authentication log files

A

An authentication log is a special type of security log that tracks nothing other than users attempting to log onto a system. This includes tracking failed logons as well as successful logons.

15
Q

Dump files

A

On some operating systems, a dump file is generated when an executable program crashes. These dump files record memory locations, running processes, and threads. Dump files are almost always used exclusively by the developers of the executable file that needs . . . dumping.

16
Q

VoIP and call manager log files

A

Voice over IP (VoIP) and call manager software solutions create logs that store information about the calls themselves. Phone numbers and duration of calls are the two most common items logged, but items from other VoIP tools such as billing might also be included.

17
Q

Session Initiation Protocol (SIP) traffic

A

Session Initiation Protocol (SIP) traffic is usually a subset of VoIP traffic but exclusive to the SIP protocol. In this case, a SIP traffic log records the source and destination IP addresses as well as any details about the call itself.

18
Q

syslog/rsyslog/syslog-ng

A

syslog and its alternative forms are more than just log tools. syslog is a complete protocol for the transmission and storage of Linux logs into a single syslog server, configured by the network administrators. Its alternatives include rsyslog, which came out in the late 1990s and is basically just an improved syslog, and syslog-ng, which is an object-oriented version of syslog.

Can you imagine using syslog to combine log files from all over a network? Imagine the complexity of just trying to read, analyze, and store these files. This is a big shortcoming of syslog and the reason we use other tools on top of syslog to do the big-picture jobs of network monitoring.

19
Q

journalctl

A

The go-to log viewer on most Linux systems, journalctl, displays all logs on a system in a single format. journalctl also accepts the common Linux command-line arguments for filtering and formatting its output.

20
Q

NXLog

A

NXLog is cross-platform and takes advantage of darn near every and any protocol out there (including syslog and SNMP) to bring log data together. On Linux systems, NXLog reads from both the local system’s syslog and NXLog’s own installed daemon.

21
Q

Bandwidth Monitors

A

Bandwidth monitors provide up-to-the-second information for network administrators. This real-time information can provide critical data sources to support investigations in the face of an incident.

22
Q

Metadata

A

Metadata is data about data. A file entry on a storage system has the file contents plus metadata, including the filename, creation, access, and update timestamps, size, and more.

23
Q

Email Metadata

A

E-mail is half metadata, half message. For short messages, the metadata can be larger than the message itself. E-mail metadata is in the header of the e-mail and includes routing information, the sender, receiver, timestamps, subject, and other information associated with the delivery of the message. The header of an e-mail includes information for the handling of the e-mail between mail user agents (MUAs), mail transfer agents (MTAs), and mail delivery agents (MDAs), as well as a host of other details.

24
Q

Mobile Metadata

A

Mobile devices generate, store, and transmit metadata. Common fields include when a call or text was made, whether it was an incoming or outgoing transmission, the duration of the call or the text message’s length (in characters), and the phone numbers of the senders and recipients.

25
Q

Web Metadata

A

Browser metadata is a commonly used source of forensic information, because entries of what and when a browser has accessed data can be important. Did a user go to a specific web page? Did they use a web-based e-mail client, exposing actual e-mail information as well as the fact they used e-mail? How long were they on a site? If a user hits a site that displays an image tagged by one of the security appliances, did they stay on that page or immediately go to a different site? There can be a wealth of user behavior information with respect to web browsing.

26
Q

File Metadata

A

File metadata comes in two flavors: system and application. The file system uses metadata to keep track of the filename as well as the timestamps associated with last access, creation, and last write.
The system metadata will include items needed by the OS, such as ownership information, parent object, permissions, and security descriptors.
Application metadata in a file is part of the file data field and is used by the application. For example, common EXIF metadata fields in image files include:

  • The original filename
  • Capture and last edited date and timestamps (with varying precision)
  • GPS location coordinates (degrees of latitude and longitude)
  • A small thumbnail of the original image
  • The author’s name and copyright details
  • Compass heading
  • Device information, including manufacturer and model
  • Capture information, including lens type, focal range, aperture, shutter speed, and flash settings

27
Q

Netflow

A

NetFlow is a proprietary standard from Cisco. Flow data is generated by the network devices themselves, including routers and switches. The data that is collected and shipped off to data collectors is a simple set of metadata—source and destination IP addresses, source and destination ports, if any (ICMP, for example, doesn’t use ports), and the protocol.

28
Q

sFlow

A

sFlow is more suited for statistical traffic monitoring.
Both NetFlow and sFlow collect packets from routers and switches. NetFlow data can be useful in intrusion investigations. sFlow is used primarily for traffic management, although it can also help in detecting DDoS attacks.

29
Q

IPFIX

A

Internet Protocol Flow Information Export (IPFIX) is an IETF protocol that’s the answer to the proprietary Cisco NetFlow standard. IPFIX is based on NetFlow version 9 and is highly configurable using a series of templates. The primary purpose of IPFIX is to provide a central monitoring station with information about the state of the network. IPFIX is a push-based protocol, where the sender sends the reports and receives no response from the receiver.

30
Q

Protocol analyzer output

A

• Detecting intrusions or undesirable traffic. (An IDS/IPS must have some type of capture and decode capabilities to be able to look for suspicious/malicious traffic.)
• Capturing traffic during incident response or incident handling.
• Looking for evidence of botnets, Trojans, and infected systems.
• Looking for unusual traffic or traffic exceeding certain thresholds.
• Testing encryption between systems or applications.

From a network administration perspective, protocol analyzers can be used for activities such as these:

• Analyzing network problems
• Detecting misconfigured applications or misbehaving applications
• Gathering and reporting network usage and traffic statistics
• Debugging client/server communications