Section 25.236 Investigating an Incident: & Investigate data Flashcards
Objective 4.9 Given a scenario, you must be able to use data sources to support an investigation
Investigating an Incident: Data Sources for Incident Investigation
Dashboards and Automated Reports
Purpose: Provide high-level insights
Role: Initial overview of the security landscape
Vulnerability Scans
Purpose: Identify system vulnerabilities
Role: Foundation for understanding potential entry points
Packet Captures
Purpose: Capture and analyse network traffic
Role: Reveal communication patterns and potential threats
Logs (Various Types)
Firewall Logs: Monitor network traffic, detect unauthorised access
Application Logs: Record application-specific events, identify abnormal behavior
Endpoint Logs: Capture activities on individual devices
OS-Specific Security Logs: Monitor operating system security events
IPS and IDS Logs and Alerts: Track intrusion attempts and system compromises
Network Logs: Record network activities and connections
Metadata: Provide contextual information about other data sources
Investigative Data
SIEM (Security Information and Event Management)
Combination of different data sources into one tool that provides real-time analysis of security alerts generated by applications and network hardware
SIEM considerations
● Sensors: The endpoint that is being monitored - that sensor can feed data into the SIEM
● Sensitivity: Focused on how much or how little you are going to be logging (logging everything will overload the SIEM)
● Trends: The SIEM's graphing ability can help you see trends
● Alerts: Set up alerts based on certain parameters, e.g. multiple failed login attempts
● Correlation: Data from lots of different sources need to be correlated, e.g. timestamps are normalised to a common standard (UTC)
Log Files
Records events and messages in operating systems, software, and network devices
■ Includes
Network log files: Keep track of everything going through routers and switches
System log files: Keep track of what is happening on a host or server
Application log files: Tell us what an application is doing on a given system
Security log files: Monitor things like login attempts
Web log files: Things like proxy server logs, so we can see what websites have been accessed by your users
DNS log files: What requests have been made of that DNS server, so we can see who is trying to resolve which domain names to which IP addresses
Authentication log files: Tell you who has successfully logged in/out or failed to log in/out
Dump files: When things crash - a host that crashes can dump its memory contents to disk whilst it is crashing; that dump can be uploaded as a log file into the system
VoIP log files: Voice over IP devices - you can obtain information about calls
Call managers: Recorded calls if allowed in policy and procedures
Syslog, Rsyslog, Syslog-ng
Tools for centralising log data from different systems into a repository
■ Commonly used to feed data into SIEM
journalctl
Linux command-line utility for querying and displaying logs from the journal daemon (journald, systemd's logging service)
If you want to look at logs on a Linux machine, you can use this
NXLog
Multi-platform, open-source log management tool
■ Identifies security risks and analyses logs from servers, operating systems, and applications
MULTI/CROSS PLATFORM USE!
NetFlow
Network protocol for collecting active IP network traffic data
■ Provides information on source, destination, volume, and paths
THIS IS NOT A PACKET CAPTURE - IT'S MORE OF A SUMMARISATION OF THE DATA COMING IN AND OUT OF THE NETWORK
sFlow (Sampled Flow)
Open-source alternative to NetFlow
■ Exports truncated packets and interface counters for network monitoring
Not a full capture here, just sampled flow, e.g. capturing 1 out of every 100 packets
IPFIX (Internet Protocol Flow Information Export)
Universal standard for exporting IP flow information
■ Used for mediation, accounting, and billing by defining data format for exporters and collectors
IPFIX is used on the back end of service management. For example, if I am running a phone company and I charge £10 for every gigabyte of data you transfer per month, IPFIX can count up to 1 GB and then pass that to the billing system in a standard format, which then charges the £10
NetFlow, sFlow, IPFIX and bandwidth
All these tools can give you a good idea of how much bandwidth is being used in your organisation. This can be seen in graphical format
Why, at this particular time, was there a spike in bandwidth?
Metadata
Data that describes other data
■ Useful for understanding details about events, calls, emails, web visits, and files during investigations
■ Use Cases for Metadata
● Mobile: Review data transfer, call duration, and contacts
● Email: Analyse metadata for phishing campaigns
● Web: Determine website visits and user behavior
● File: Examine file details, such as creation time and viewer statistics