Monitoring and Auditing Flashcards
What is SYSLOG
Standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them
Log File Maintenance
Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backup, securing, and encryption of the log files
What is ELK/Elastic Stack
Collection of free and open-source SIEM tools that provides storage, search, and analysis functions
What does the ELK/Elastic Stack consist of?
Elasticsearch (query/analytics),
Logstash (log collection/normalization),
Kibana (visualization),
Beats (endpoint collection agents)
What is syslog
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.
It is the de facto standard for logging of events from distributed systems
What are the contents of a syslog message?
PRI Code (priority code)
A header
A message portion
How is the PRI code in a syslog message determined?
A PRI code is calculated from the facility and severity level of the data
What is contained in the header of a syslog message
A header contains the timestamp of the event and the hostname
What does the message portion of a syslog message contain
The source process of the event and related content.
What was the original drawback to Syslog
Since syslog relied on UDP, there could be delivery issues within congested networks: UDP packets are fire-and-forget, so they may be lost.
There were also no security controls such as authentication and encryption included by default.
What are the improvements in newer syslog messaging?
The ability to use port 1468 for TCP connections, ensuring consistent delivery.
The ability to use TLS to encrypt messages sent to servers
The ability to use MD5 or SHA-1 for authentication and integrity
Message filtering, automated log analysis, event response scripting, and alternate message formats
What is the newer version of syslog server called?
Syslog-NG or Rsyslog
Syslog can be referred to as what three things?
The network protocol, the server, or the log entries themselves
What is SOAR? And what is it primarily used for?
Security orchestration, automation, and response (SIEM 2.0) is used for incident response.
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
What can you use a SOAR for?
Scan security / threat data
Analyze data with Machine Learning
Automate data enrichment
Provision new resources using automated playbooks
( New accounts, VMs, delete infected virtual machines. )
What is a playbook
A checklist of actions to perform to detect and respond to a specific type of incident.
What is a runbook
An automated version of a playbook that leaves clearly defined interaction points for human analysis
Assists analysts by performing tasks before flagging for human involvement; humans make a decision, then the runbook performs actions based on the choices made.
What is SNMP and what does it provide
Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.
What are the 3 main forms of automated monitoring and their characteristics
Signature - Network traffic is analyzed for predetermined attack patterns
Anomaly - Baseline is established, anything outside baseline is evaluated
Behavior - Current activity of applications, executables, and the OS is compared against their previously observed behavior on the system
What automated monitoring form causes the most and least number of false positives?
Behavior creates the largest number of false positives
Signature based produces the fewest number of false positives
Can you combine monitoring methods?
Yes, hybrid approaches can be used with some IDS/IPS systems
What is baseline reporting
Documenting and reporting on changes from a baseline, which is used to inform the organization's security posture.
Example: 60% CPU utilization is now running at 80%, 5 apps installed on a PC now there are 30
How is security posturing measured
High Risk = Less configuration management
Low Risk = more configuration management
What is performance baselining used for
Used to investigate anomalies and track operations and functions to their root.
More useful for Operations and functionality than security.
I/O usage, CPU usage, Memory
Can use Resource Monitor to track and create alerts
What are protocol analyzers used for
Capturing and analyzing network traffic
What are the two modes that protocol analyzers can run in?
Promiscuous mode - The network adapter is able to capture all of the packets on the network regardless of the destination MAC address of the frames
Non-promiscuous mode - The network adapter only captures the packets addressed to the protocol analyzer itself
What are some things to know about promiscuous mode?
You need promiscuous mode enabled to capture the most amount of traffic
Not all network adapters allow this
The port on the switch must also support this.
What is port mirroring
One or more switch ports are configured to forward all of their traffic to another port on a switch known as a “SPAN PORT”
What can you do if a span port is not an option, but you need to analyze all traffic coming across a port or device link.
Since SPAN ports put strain on the CPU of switches, a network tap can come in handy. You break the link between the switches or routers and insert a physical device between the two ends.
Network taps add no strain on networking devices.
What is SNMP
Simple Network Management Protocol aids in the monitoring of network-attached devices
SNMP is typically incorporated into a network management and monitoring system, but it can also send data in-band, although this is much less secure.
What are the three components of SNMP
Managed Devices - Computers and other network-attached devices monitored through the use of agents by an NMS
Agent - Software that is loaded onto a managed device to send information to the NMS
Network Management System (NMS)- Software running on one or more servers to control the monitoring of network attached devices and PCs
What is SNMP Trap used for?
It is a connection whereby unsolicited traffic can be sent from an agent to the NMS
What Versions are there of SNMP and are there any concerns?
SNMP v1 and v2 are insecure due to the risk posed by the community strings used to access devices.
SNMP V. provides integrity, authentication and encryption of the message over the network
How should management traffic be transmitted on a network?
Management traffic should be conducted out of band to increase security
What is openfiles and what does it do?
It is a command-prompt (CMD) tool that shows which files are open on the system, which process has each file open, and the PID of that process
What does netstat -ano do?
It shows all connections (established, listening, and closed), along with the source and destination IP addresses and the owning PID
What is Auditing in IT
Technical assessment conducted on applications, systems, or networks
What are some manual auditing items
Reviewing of:
Security logs
ACL
User Rights and Permissions
GPOs
Performing Vulnerability Scans
Written Organizational Policy
Interviewing Personnel
What are some automatic auditing tools
Windows local group policy editor can be used to establish audit policies based on computer events
You can also use the security tab in NTFS settings to configure file access auditing
What is a log?
Data file that contains the accounting and audit trail for actions performed by a user on a computer or network.
Where are logs located in Linux?
/var/log
Which Windows logs should always be audited and where do you find them?
Security, System, and Application logs
Windows event viewer
Explain what security, system, and application logs measure
Security logs - events such as successful and unsuccessful user logons to the system
System logs - events such as a system shutdown or driver failures
Application logs - events for the OS and third-party apps
What is the importance of log files? What are some considerations with Log files
They allow for the reconstruction of events once they occur.
What the scope of the audit should be, and how long the logs should be retained
How should log files be stored at rest?
Log files should not be stored on the same device that is generating them.
They should be stored on an external server
Logs should be archived and backed up to ensure availability
What is a SIEM?
Security Information and Event Management
A solution that provides real-time or near real-time analysis of security events generated by network hardware and applications.
The main function of a SIEM is log review and event correlation
How can SIEMs be implemented?
They can be implemented as both software and hardware appliances. SIEMs can also be outsourced managed services
What are the first 3 steps to implementing a SIEM
- Log all relevant events and filter irrelevant data
- Establish and document scope of events
- Develop use cases to define a threat
What are the last 4 steps to implementing a SIEM
- Plan incident response for an event
- Establish a ticketing process to track events
- Schedule threat hunting
- Provide evidence trail for analysts and auditors
What is Splunk?
Big data information gathering and analytics tool that can import machine-generated data using a connector/visibility add-on. Can be installed locally or cloud based
What are some other SIEMs?
ArcSight
QRadar - log management - created by IBM
AlienVault - owned by AT&T (AKA AT&T Cybersecurity)
OSSIM - open source
Graylog - focused on DevOps and IT Operations