4.3 Given an incident, utilize appropriate data sources to support an investigation. Flashcards
What does a vulnerability scanner look for?
Looks for key signatures of vulnerabilities, such as:
* Lack of security controls
  - No firewall
  - No AV
  - No antispyware
* Misconfigurations
  - Open shares
  - Guest access
* Real vulnerabilities
  - New and old vulnerabilities from a vulnerability database
SIEM
Security Information and Event Management
A system that collects logs from many different resources on the network and consolidates them into one single reporting tool.
* Security alerts
* Log aggregation and long-term storage
* Data correlation
* Forensic analysis
How does a SIEM get its data?
Sensors and logs
* Operating systems (Windows or Linux)
* Infrastructure devices (switches, routers, firewalls, etc.)
* NetFlow systems, third-party sensors, etc.
What kind of ways can you view a SIEM, and what can you identify?
You can identify:
* Trends
  - Identify changes over time
  - Easily view constant attack metrics
* Alerts
  - Identify a security event
  - View raw data
  - Visualize the log information
* Correlations
  - Combine and compare
  - View data in different ways
Network log files
Switches, access points, VPN concentrators, etc.
* Network changes
  - Routing updates
  - Authentication issues
  - Network security issues
System log files
Operating system information
* Extensive logs
  - File system information
  - Authentication details
* Can also include security events
  - Monitoring apps
  - Brute force, file changes
* May require filtering
  - Don't forward everything
Application log files
Specific to the application
* Information varies widely
  - Windows: Event Viewer / Application Log
  - Linux / macOS: /var/log
* Parse the log details on the SIEM
  - Filter out unneeded info
Web log files
Web server access
* IP address, web page URL
* Access errors
  - Unauthorized or non-existent folders/files
* Exploit attempts
  - Attempts to access files containing known vulnerabilities
* Server activity
  - Startup and shutdown notices
  - Restart messages
DNS log files
View lookup requests
* And other DNS queries
  - IP address of the request
  - The requested FQDN or IP
* Identify queries to known bad URLs
  - Malware sites, known command and control domains
* Block or modify known bad requests at the DNS server
  - Log the results
  - Report on malware activity
Authentication log files
Know who logged in (or didn't)
* Account names
* Source IP address
* Authentication method
* Success and failure reports
* Identify multiple failures
  - Potential brute force attacks
* Correlate with other events
  - File transfers
  - Authentications to other devices
  - Application installation
Dump files
Store all contents of memory into a diagnostic file
* Developers can use this info
* Easy to create from the Windows Task Manager
  - Right-click, Create dump file
* Some applications have their own dump file process
  - Contact the appropriate support team for additional details
VoIP and Call Manager logs
View inbound and outbound call info
* Endpoint details, gateway communication
* Security information
  - Authentications, audit trail
* SIP traffic logs
  - Session Initiation Protocol
  - Call setup, management, and teardown
  - Inbound and outbound calls
  - Alert on unusual numbers or country codes
Security log files
Detailed security-related information
* Blocked and allowed traffic flows
* Exploit attempts
* Blocked URL categories
* DNS sinkhole traffic
* Security devices
  - IPS, firewall, proxy
* Critical security information
  - Documentation of every traffic flow
  - Summary of attack info
  - Correlate with other logs
Syslog
* Standard for message logging
  - Diverse systems create a consolidated log
* Usually a central logging receiver
  - Integrated into the SIEM (Security Information and Event Manager)
* Each log entry is labeled
  - Facility code (program that created the log) and severity level
* Syslog daemon options
  - Rsyslog: "Rocket-fast System for log processing"
  - syslog-ng: A popular syslog daemon with additional filtering and storage options
  - NXLog: Collection from many diverse log types
journalctl
Linux has a lot of logs
* The OS, daemons, applications, etc.
* System logs are stored in a binary format
  - Optimized for storage and queries
  - Can't read them with a text editor
* journalctl provides a method for querying the system journal
  - Search and filter
  - View as plain text
Bandwidth monitors
The fundamental network statistic
* Percentage of network use over time
* Many different ways to gather this metric
  - SNMP, NetFlow, sFlow, IPFIX, protocol analysis, software agent
* Identify fundamental issues
  - Nothing works properly if bandwidth is highly utilized
Metadata
Metadata
* Data that describes other data sources
* Email: header details, sending servers, destination address
* Mobile: type of phone, GPS location
* Web: operating system, browser type, IP address
* Files: name, address, phone number, title
NetFlow
Gather traffic statistics from all traffic flows
* Shared communication between devices
* NetFlow
  - Standard collection method
  - Many products and options
* Probe and collector
  - Probe watches network communication
  - Summary records are sent to the collector
* Usually a separate reporting app
  - Closely tied to the collector
IPFIX
* IP Flow Information Export
  - A newer, NetFlow-based standard
  - Evolved from NetFlow v9
* Flexible data support
  - Templates are used to describe the data
sFlow
Protocol analyzer output
* Solve complex application issues
  - Get into the details
* Gathers packets on the network
  - Or in the air
  - Sometimes built into the device
* View detailed traffic information
  - Identify unknown traffic
  - Verify packet filtering and security controls
  - View a plain-language description of the application data
TAP
A test access point (TAP) is a device that copies signals at the physical layer and the data link layer. Since no network or transport layer logic is involved, every frame is received, allowing reliable packet monitoring.
A test access point (TAP) is a separate hardware device.
A test access point (TAP) avoids frame loss.
SPAN
SPAN (switched port analyzer) functionality is a feature of many network switches. Also known as port mirroring, a copy of network traffic is sent to another port as it passes through the switch. Frames with errors will not be mirrored and frames may be dropped under heavy load.
OSSEC
OSSEC is a host intrusion detection system (HIDS) that can collect DNS server logs for trend analysis. OSSEC can cross-check these DNS server logs against a list of known malicious domains.
OSSEC can perform frequency-based trend analysis on NXDOMAIN errors by comparing them to a baseline. Trends outside of the baseline may indicate malicious activity.
What types of information might the analyst find in email headers?
Sender address, results of spam checking, and details of the servers that carried the message.
NXlog
NXlog (nxlog.co) is an open-source centralized log collection tool. It has features similar to a SIEM's, such as alerting, normalization, aggregation, correlation, and retention. NXlog is multi-platform compatible.