4.3 Given an Incident, Utilize appropriate data sources to support an Investigation Flashcards
Vulnerability scan output
A vulnerability scan creates a report showing the results of the scan. The output of the scan typically shows the following:
• A list of hosts that it discovered and scanned
• A detailed list of applications running on each host
• A detailed list of open ports and services found on each host
• A list of vulnerabilities discovered on any of the scanned hosts
• Recommendations to resolve any of the discovered vulnerabilities
Some vulnerability scanners include the ability to run automatically at preconfigured times.
SIEM dashboards
In addition to monitoring logs to detect any single incident, you can also use SIEMs to detect trends and raise alerts in real time. By analyzing past alerts, you can identify trends, such as an increase of attacks on a specific system.
Sensors
Many SIEM systems use agents placed on systems throughout a network. These collect logs from devices and send these logs to the SIEM system. Dashboards can display data received from these agents.
Sensitivity
A challenge with triggers and alerts is setting the sensitivity levels to limit false positives while avoiding false negatives. As an example, imagine Homer enters an incorrect password when logging on. This isn’t an attack, but an honest error. If the SIEM system raises an alert, it would be a false positive. Alternatively, imagine a system is under attack and logs 100 failed login tries in about five minutes. If the SIEM system doesn’t raise an alert, it is a false negative. When setting the sensitivity level for failed logins, administrators pick a number between 1 and 100.
Trends
As the SIEM system analyzes the data, it can identify trends. For example, if there is suddenly a high rate of failed logins, it can identify the trend and raise an alert. Many SIEM systems display trends in graphs, allowing users to digest a lot of information in a single picture.
Alerts
After triggers are set in a SIEM system, it sends out alerts when the triggering event fires. These alerts may trigger specific responses (such as sending an email to a group), but they are also displayed in the dashboard.
Correlation
As log entries arrive at the SIEM system, it correlates and analyzes the data. Administrators can configure the dashboard to display this data in multiple ways depending on their needs.
Log files
Log files play a massive part in providing evidence for investigations. There are many different types of log files. Let’s look at each in turn and identify the type of information it provides.
Network
Network log files can identify the IP address and the MAC address of devices that are attached to your network.
System
System log files contain information about hardware changes, updates to devices, and time synchronization; they also log group policy events and whether they were applied successfully.
Application
Application log files contain information about a software application: when it was launched, whether it started successfully, and any warnings about potential problems or errors.
Security
Security log files contain information about successful logins and unauthorized attempts to access the system. This can identify attackers trying to log in to your computer systems. Security logs also capture information on file access and can be used to determine who has downloaded certain data.
Web
Web servers log many types of information about the web requests they receive, and these logs can be very useful in identifying events.
DNS
DNS logs contain all DNS information, such as zone transfers, name resolution queries, DNS server errors, DNS caching, and DNSSEC. If you search the DNS log on a user’s computer, you can determine which web sites and servers they have visited.
Authentication
Authentication logs give information about login events and whether they were successful or not. One of the best sources of authentication log files in a domain environment is a RADIUS server, which maintains a log of when people log in and out. Therefore, it not only authenticates users but also tracks them. Authentication log files are also kept on a domain controller, and on a VPN server for remote users coming in via VPN.