4.3 Given an Incident, Utilize appropriate data sources to support an Investigation Flashcards

1
Q

Vulnerability scan output

A

A vulnerability scan creates a report showing the results of the scan. The output of the scan typically shows the following:

• A list of hosts that it discovered and scanned
• A detailed list of applications running on each host
• A detailed list of open ports and services found on each host
• A list of vulnerabilities discovered on any of the scanned hosts
• Recommendations to resolve any of the discovered vulnerabilities

Some vulnerability scanners include the ability to run at preconfigured times automatically.

2
Q

SIEM dashboards

A

In addition to monitoring logs to detect any single incident, you can also use SIEMs to detect trends and raise alerts in real time. By analyzing past alerts, you can identify trends, such as an increase of attacks on a specific system.

3
Q

Sensors

A

Many SIEM systems use agents placed on systems throughout a network. These collect logs from devices and send these logs to the SIEM system. Dashboards can display data received from these agents.

4
Q

Sensitivity

A

A challenge with triggers and alerts is setting the sensitivity levels to limit false positives while avoiding false negatives. As an example, imagine Homer enters an incorrect password when logging on. This isn’t an attack, but an honest error. If the SIEM system raises an alert, it would be a false positive. Alternatively, imagine a system is under attack and logs 100 failed login tries in about five minutes. If the SIEM system doesn’t raise an alert, it is a false negative. When setting the sensitivity level for failed logins, administrators pick a number between 1 and 100.

5
Q

Trends

A

As the SIEM system is analyzing the data, it can identify trends. For example, if there is suddenly a high rate of failed logins, it can identify the trend and raise an alert. Many SIEM systems display trends in graphs allowing users to digest a lot of information in a single picture.

6
Q

Alerts

A

After setting triggers in a SIEM system, it sends out alerts when the event fires. These alerts may trigger specific responses (such as sending an email to a group), but they are also displayed in the dashboard.

7
Q

Correlation

A

As log entries arrive at the SIEM system, it correlates and analyzes the data. Administrators can configure the dashboard to display this data in multiple ways depending on their needs.

8
Q

Log files

A

Log files play a massive part in providing evidence for investigations. There are many different types of log files. Let’s look at each of these in turn and identify the type of information from each of these log files.

9
Q

Network

A

This log file can identify the IP address and the MAC address of devices that are attached to your network.

10
Q

System

A

System log files have information about hardware changes, updates to devices, and time synchronization, and they log group policy events and whether they have been successful.

11
Q

Application

A

Application log files contain information about a software application, when it was launched, whether it was successful, or whether it carries warnings about potential problems or errors.

12
Q

Security

A

Security log files contain information about a successful login or an unauthorized attempt to access the system. This can identify attackers trying to log in to your computer systems. Security logs capture information on file access and can determine who has downloaded certain data.

13
Q

Web

A

Web servers log many types of information about the web requests and can be very useful in identifying events.

14
Q

DNS

A

This log contains all DNS information, such as zone transfer, name resolution queries, DNS server errors, DNS caching, and DNSSEC. If you search the log file on a user’s computer, you can determine which web sites and servers they have visited.

15
Q

Authentication

A

This log gives information about login events and whether they were successful or not. One of the best sources of authentication log files in a domain environment is a RADIUS server, which maintains a log of when people log in and out. It is therefore able not only to authenticate users but also to track them. Authentication log files are also kept on a domain controller and, for remote users coming in via a VPN, on the VPN server.

16
Q

Dump Files

A

A dump file is created when a computer crashes (commonly known as the blue screen of death): all of the contents of memory are saved in a dump file (.dmp). These dump files can be analyzed using a tool such as the Blue Screen Review.

17
Q

VoIP and Call Managers

A

These systems provide information on the calls being made and the devices they originate from. They also measure the quality of the call by logging the Mean Optical Score (MOS), jitter, and loss of signal. Each call is logged, so you can see inbound and outbound calls, the person making the call, and the person receiving the call.

18
Q

Session Initiation Protocol (SIP) Traffic

A

SIP is used for internet-based calls, and the log files show the 100 events, known as the INVITE (the initiation of a connection), which relate to ringing; a 200 OK then follows, together with an acknowledgement. If users cannot connect to their SIP calls, this log file can be used to troubleshoot them.

19
Q

Syslog/Rsyslog/Syslog-ng

A

The system logging protocol (syslog) is known as a log collector, as it collects event logs from various devices and then sends them to a central syslog server. If someone deleted the log files in error, they could obtain a copy from the syslog server. In the Linux version, the logging service is called syslogd (the syslog daemon), which stores the log files in the /var/log/syslog directory.

Rsyslog: This is an advanced syslog server. It is called "rocket-fast" because of its high performance. It obtains the data and then transforms it to send the output to destinations such as a SIEM server.

Syslog-ng: This was developed by Balabit IT Security Ltd as a free, open-source protocol for Unix and Linux systems.

20
Q

journalctl

A

journald collects and stores log data in binary format, and journalctl is able to query and display these logs in a readable format. It is used in a Linux environment.

21
Q

NXLog

A

This is an open-source log management tool that helps identify security risks in a Linux/Unix environment.

22
Q

Bandwidth Monitors

A

These can be used to understand your network traffic flow. They can monitor changes in traffic patterns and identify devices on your network that are causing bottlenecks and could detect broadcast storms and potential denial-of-service attacks.

23
Q

Metadata

A

This is data that provides information about other data. Let's look at the different types of metadata, starting with email.

24
Q

Email

A

Email headers contain detailed information about an email. They show the source, the destination, and the route through the email providers to the recipient. This can be used when phishing emails are received so that you can identify the perpetrator.

25
Q

Mobile

A

Telecom providers retain information about phone calls, including calls made, calls received, text messages, internet usage, and location information. These can be used during an investigation to provide evidence that could lead to a conviction.

26
Q

Web

A

Website metadata provides information about every page created on a website, including who was the author, date created, images, videos, and spreadsheets.

27
Q

File

A

When investigations are being carried out, the file metadata can be used to track information, such as the author, date created, date modified, and file size. File metadata does not include printing or copying the data.

28
Q

Netflow/sFlow

A

NetFlow: This is a Cisco product that monitors network traffic so that you can identify the load on the network. This helps you utilize your network capacity efficiently. During an investigation, it can help identify patterns in network traffic.

sFlow: This is a multi-vendor product that gives you clear visibility of network traffic patterns. This can help identify malicious traffic so that we can keep the network secure and safe.

29
Q

IPFIX

A

IP Flow Information Export (IPFIX): This product can be used to capture traffic from the node itself. This data can then be exported to a collector within the node.

IPFIX can be used to identify data traveling through a switch and this can be used for billing purposes. It can take IP Flow information and both format the data and forward it to a collector.

30
Q

Protocol Analyzer Output

A

A protocol analyzer such as Wireshark can capture data traveling across the network. Law enforcement has been able to use Wireshark for forensics by replaying captured video traffic that was sent to network devices. The output can be saved in a packet capture file (pcap). Other names for a protocol analyzer are a packet sniffer, Wireshark, or tcpdump.