4.3 Incident, utilize appropriate data sources to support investigation

Question 1

Vulnerability scan output: what a vuln scan can tell you ?

Answer 1

• There is a lack of security controls: no firewall, no anti-virus, no anti-spyware
• Misconfigurations: open shares, guest access
• Real vunerabilities

Question 2

Vulnerability scan output: how to prevent false positives / negatives ?

Answer 2

Ensure your scanner is updated with the latest signatures

Question 3

SIEM dashboard: what is a SIEM ?

Answer 3

Logging of security events and information. You got security alerts real-time.
Also able to do data correlation and forensic analysis

Question 4

SIEM dashboard: where a SIEM gather information?

Answer 4

• OS
• Infrastructure devices
• NetFlow sensors

Question 5

SIEM dashboard: how a SIEM get information ?

Answer 5

Using sensors and logs

Question 6

Log files: what can you find in network log files ?

Answer 6

Data form switches, routers, access point, VPN concentrators. It can be:
- network changes: touting updates, authentication issues, network issues

Question 7

Log files: what can you find in system log files ?

Answer 7

OS informaton: extensive logs, files system information, authentication details, security events

Question 8

Log files: what can you find in application log files ?

Answer 8

Log specific to the application

Question 9

Log files: where can you find application log files in Linux/ Windows ?

Answer 9

/var/log directory

Question 10

Log files: what can you find in security log files ?

Answer 10

Detailes security-related information: blocked and allowed traffic flows, exploit attempts, blocked URL categories, DNS sinkhole traffic,

Question 11

Log files: what can you find in firewall log files ? And WAF?

Answer 11

Information on the traffic flows: deny website packet, blocked packet
WAF provide additional info on certains attacks (XSS, SQLi)

Question 12

Log files: what can you find in web log files ?

Answer 12

• Web server access: IP address, web page URL
• Access errors: unauthorized folder/ file
• Exploit attempts
• Server activity: startup, shutdown, restart message

Question 13

Log files: what can you find in DNS log files ?

Answer 13

• Queries made to the DNS
• IP address of the request
• Identify queries to known bad URLs
• Block or modify known bad request at the DNS server

Question 14

Log files: what can you find in authentication log files ?

Answer 14

• Know who logged in: account names, source IP address, authentication method
• Identify multiple failures
• Correlate with other events: file transfer, app installation etc

Question 15

Log management: what is syslog?

Answer 15

Protocol that computer systems use to send event data logs to a central location for storage (SIEM)

Question 16

Log management: what is journalctl?

Answer 16

Utility for querying and displaying logs from journald, systemd’s logging service in Linux

Question 17

Log management: what is metadata?

Answer 17

Data that describes other data sources

Ex: email header details, sending server, destination address, when taking photo the GPS location, type of phone are metadata

Question 18

Log management: what is Netflow?

Answer 18

Gather traffic statistics from traffic flows such as shared communication between routers, switches etc. There are probe and collector that watches network communication