4.3 Data Sources for Investigation Flashcards
Identify vulnerability
• The scanner looks for everything
– Well, not everything
– The signatures are the key
• The vulnerabilities can be cross-referenced online
– Almost all scanners give you a place to go
– National Vulnerability Database: http://nvd.nist.gov/
– Microsoft Security Bulletins: https://docs.microsoft.com/en-us/security-updates/
• Some vulnerabilities cannot be definitively identified
– You’ll have to check manually to see if a system is vulnerable
– But the scanner gives you a heads-up
Identify vulnerability
Vulnerability scan results
• Lack of security controls
– No firewall
– No anti-virus
– No anti-spyware
• Misconfigurations
– Open shares
– Guest access
• Real vulnerabilities
– Especially newer ones
– Occasionally the old ones
Dealing with false positives
• False positives
– A vulnerability is identified that doesn’t really exist
• This is different than a low-severity vulnerability
– It’s real, but it may not be your highest priority
• False negatives
– A vulnerability exists, but you didn’t detect it
• Update to the latest signatures
– If you don’t know about it, you can’t see it
• Work with the vulnerability detection manufacturer
– They may need to update their signatures for your environment
Vulnerability scan results
• [this]
– Logging of security events and information
• Security alerts
– Real-time information
• Log aggregation and long-term storage
– Usually includes advanced reporting features
• Data correlation
– Link diverse data types
• Forensic analysis
– Gather details after an event
Getting the data
• Sensors* and logs
– Operating systems
– Infrastructure devices
– NetFlow sensors
• Sensitivity settings*
– Easy to be overwhelmed with data
– Some information is unnecessary
– Informational, Warning, Urgent
Viewing the data
• Trends*
– Identify changes over time
– Easily view constant attack metrics
• Alerts*
– Identify a security event
– View raw data
– Visualize the log information
• Correlation*
– Combine and compare
– View data in different ways
SIEM (Security Information and Event Management)
the primary data source for network observability.
• Switches, routers, access points, VPN concentrators
– And other infrastructure devices
• Network changes
– Routing updates
– Authentication issues
– Network security issues
Network log files
a record of operating system events. It includes startup messages, system changes, unexpected shutdowns, errors and warnings, and other important processes. Windows, Linux, and macOS all generate syslogs.
• Operating system information
– Extensive logs
– File system information
– Authentication details
• Can also include security events
– Monitoring apps
– Brute force, file changes
• May require filtering
– Don’t forward everything
System log files
a file that contains information about events that have occurred within a software application. These events are logged by the application and written to the file. They can include errors and warnings as well as informational events.
• Specific to the application
– Information varies widely
• Windows - Event Viewer / Application Log
• Linux / macOS - /var/log
• Parse the log details on the SIEM
– Filter out unneeded info
Application log files
created in response to security events that take place on the computer. These can include a variety of events such as failed log-ins, password changes, failed authentication requests, file deletion and more.
• Detailed security-related information
– Blocked and allowed traffic flows
– Exploit attempts
– Blocked URL categories
– DNS sinkhole traffic
• Security devices
– IPS, firewall, proxy
• Critical security information
– Documentation of every traffic flow
– Summary of attack info
– Correlate with other logs
Security log files
a file to which the web server writes information each time a user requests a web site from that particular server.
• Web server access
– IP address, web page URL
• Access errors
– Unauthorized or non-existent folders/files
• Exploit attempts
– Attempt to access files containing known vulnerabilities
• Server activity
– Startup and shutdown notices
– Restart messages
Web log files
provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as Network Monitor.
• View lookup requests
– And other DNS queries
• IP address of the request
– The request FQDN or IP
• Identify queries to known bad URLs
– Malware sites, known command and control domains
• Block or modify known bad requests at the DNS server
– Log the results
– Report on malware activity
DNS log files
• Know who logged in (or didn’t)
– Account names
– Source IP address
– Authentication method
– Success and failure reports
• Identify multiple failures
– Potential brute force attacks
• Correlate with other events
– File transfers
– Authentications to other devices
– Application installation
Authentication log files
a snapshot that shows the process that was executing and modules that were loaded for an app at a point in time. A dump with heap information also includes a snapshot of the app’s memory at that point.
• Store all contents of memory into a diagnostic file
– Developers can use this info
• Easy to create from the
– Windows Task Manager
– Right-click, Create dump file
• Some applications have their own dump file process
– Contact the appropriate support team for additional details
Dump files
a subset of telephone recording or voice logging, first used by call centers and now being used by all types of businesses.
- monitors the services to determine the status of the system. If something is wrong with a service, an alarm gets written to an alarm monitor. After viewing this alarm information, a system administrator can run a trace on the service.
- the process of collecting, analyzing, and recording data on telephone calls. The data can include the call origin, call destination, the length of the call, and other transmission details. Other characteristics might include the call start and end times and the specific network used.
• View inbound and outbound call info
– Endpoint details, gateway communication
• Security information
– Authentications, audit trail
• SIP traffic logs
– Session Initiation Protocol
– Call setup, management, and teardown
– Inbound and outbound calls
– Alert on unusual numbers or country codes
VoIP and Call Manager logs
Log Management -
a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.
• Standard for message logging
– Diverse systems create a consolidated log
• Usually a central logging receiver
– Integrated into the SIEM (Security Information and Event Manager)
• Each log entry is labeled
– Facility code (program that created the log) and severity level
• Syslog* daemon options
– Rsyslog* - “Rocket-fast System for log processing” - the default logging program in Debian and Red Hat. It is an extension of the original syslog protocol, with additional features such as flexible configuration, rich filtering capabilities and content-based filtering.
- Daemon - a program that runs continuously and exists for the purpose of handling periodic service requests that a computer system expects to receive. The daemon program forwards the requests to other programs (or processes) as appropriate.
– syslog-ng* - A popular syslog daemon with additional filtering and storage options
– NXLog - Collection from many diverse log types (multi-platform log collection and centralization tool)
Syslog
Log Management -
a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review.
- Systemd provides a standard process for controlling what programs run when a Linux system boots up.
• Linux has a lot of logs
– The OS, daemons, applications, etc.
• System logs are stored in a binary format
– Optimized for storage and queries
– Can’t read them with a text editor
• Journalctl provides a method for querying the system journal
– Search and filter
– View as plain text
Journalctl
Log Management -
a tool for measuring the actual available bandwidth on a local system. End users can use bandwidth monitors to get a true picture of what bandwidth may actually be available due to various factors involved in the provision of high-speed Internet.
• The fundamental network statistic
– Percentage of network use over time
• Many different ways to gather this metric
– SNMP, NetFlow, sFlow, IPFIX protocol analysis, software agent
• Identify fundamental issues
– Nothing works properly if bandwidth is highly utilized
Bandwidth monitors