4.3 Given an Incident, Utilize appropriate data sources to support an Investigation Flashcards
Vulnerability scan output
A vulnerability scan creates a report showing the results of the scan. The output of the scan typically shows the following:
• A list of hosts that it discovered and scanned
• A detailed list of applications running on each host
• A detailed list of open ports and services found on each host
• A list of vulnerabilities discovered on any of the scanned hosts
• Recommendations to resolve any of the discovered vulnerabilities
Some vulnerability scanners include the ability to run automatically at preconfigured times.
SIEM dashboards
In addition to monitoring logs to detect any single incident, you can also use SIEMs to detect trends and raise alerts in real time. By analyzing past alerts, you can identify trends, such as an increase of attacks on a specific system.
Sensors
Many SIEM systems use agents placed on systems throughout a network. These collect logs from devices and send these logs to the SIEM system. Dashboards can display data received from these agents.
Sensitivity
A challenge with triggers and alerts is setting the sensitivity levels to limit false positives while avoiding false negatives. As an example, imagine Homer enters an incorrect password when logging on. This isn’t an attack, but an honest error. If the SIEM system raises an alert, it would be a false positive. Alternatively, imagine a system is under attack and logs 100 failed login tries in about five minutes. If the SIEM system doesn’t raise an alert, it is a false negative. When setting the sensitivity level for failed logins, administrators pick a number between 1 and 100.
Trends
As the SIEM system is analyzing the data, it can identify trends. For example, if there is suddenly a high rate of failed logins, it can identify the trend and raise an alert. Many SIEM systems display trends in graphs allowing users to digest a lot of information in a single picture.
Alerts
After setting triggers in a SIEM system, it sends out alerts when the event fires. These alerts may trigger specific responses (such as sending an email to a group), but they are also displayed in the dashboard.
Correlation
As log entries arrive at the SIEM system, it correlates and analyzes the data. Administrators can configure the dashboard to display this data in multiple ways depending on their needs.
Log files
Log files play a massive part in providing evidence for investigations. There are many different types of log files. Let’s look at each of these in turn and identify the type of information from each of these log files.
Network
This log file can identify the IP address and the MAC address of devices that are attached to your network.
System
System log files have information about hardware changes, updates to devices, and time synchronization, and they log group policy events and whether they have been successful.
Application
Application log files contain information about a software application, when it was launched, whether it was successful, or whether it carries warnings about potential problems or errors.
Security
Security log files contain information about a successful login or an unauthorized attempt to access the system. This can identify attackers trying to log in to your computer systems. Security logs capture information on file access and can determine who has downloaded certain data.
Web
Web servers log many types of information about the web requests and can be very useful in identifying events.
DNS
This log contains all DNS information, such as zone transfer, name resolution queries, DNS server errors, DNS caching, and DNSSEC. If you search the log file on a user’s computer, you can determine which web sites and servers they have visited.
Authentication
This log gives information about login events, and whether they were successful or not. One of the best resources for authentication log files in a domain environment is a RADIUS server, which maintains a log of when people log in and out. Therefore, it is able not only to authenticate users, but to track them as well. Authentication log files are also kept on a domain controller and, for remote users coming in via a VPN, on the VPN server.
Dump Files
Dump files are created when a computer crashes (commonly known as the blue screen of death): all of the contents of memory are saved in a dump file (.dmp). These dump files can be analyzed using a tool such as the Blue Screen Review.
VoIP and Call Managers
These systems provide information on the calls being made and the devices they originate from. They also measure the quality of the call by logging the Mean Optical Score (MOS), jitter, and loss of signal. Each call is logged, so you can see inbound and outbound calls, the person making the call, and the person receiving the call.
Session Initiation Protocol (SIP) Traffic
SIP is used for internet-based calls, and the log files show the sequence of events: the INVITE (the initiation of a connection), the 100 response, the ringing, and then the 200 OK, which is followed by an acknowledgement. If users cannot connect to their SIP calls, this log file can be used to troubleshoot them.
Syslog/Rsyslog/Syslog-ng
The system logging protocol (syslog) is known as a log collector, as it collects event logs from various devices and then sends them to a central syslog server. If someone deleted the log files in error, a copy could be obtained from the syslog server. On Linux, the logging service is syslogd (the syslog daemon), which stores the log files in the /var/log/syslog file.
Rsyslog: This is an advanced syslog server. It is called "rocket-fast" because of its high performance. It obtains the data, transforms it, and sends the output to destinations such as a SIEM server.
Syslog-ng: This was developed by Balabit IT Security Ltd as a free, open-source protocol for Unix and Linux systems.
journalctl
journald collects and stores log data in binary format, and journalctl is able to query and display these logs in a readable format. It is used in a Linux environment.
NXLog
This is an open-source log management tool that helps identify security risks in a Linux/Unix environment.
Bandwidth Monitors
These can be used to understand your network traffic flow. They can monitor changes in traffic patterns, identify devices on your network that are causing bottlenecks, and can detect broadcast storms and potential denial-of-service attacks.
Metadata
This is data that provides information about other data. Let’s look at the different types of metadata, starting with email.
Email headers contain detailed information about an email. They show the source, the destination, and the route through the email providers to the recipient. This can be used when phishing emails are received so that you can identify the perpetrator.