Sensors & Logging Flashcards

1
Q

What are security sensors?

A
  • Collects info about network or device
  • Assist in analysing security data and events
  • Sensors are everywhere - network devices (firewall, tap), servers (event logs), independent (stand-alone security sensors), IoT devices
  • Aggregate that data into central location(s)
  • There is no one sensor that can capture everything
  • There can be an ideal configuration of sensors - complete system that logs every meaningful event, non-redundant (no duplicated events)
  • Capture account logins/modifications, firewall logs, network traffic
2
Q

What are some security sensor types?

A
  • Device/host sensors - pull event / system logs, SNMP data (Simple Network Management Protocol polls and traps), EDR software
  • Network sensors - network tap / SPAN port, logs from network devices (can also count as a device sensor)
  • IDS/IPS
  • Service sensors - logs generated by specific applications / services (HTTP, SMTP, etc.)
3
Q

Why is logging critical?

A
  • Proper logging is critically important for security
  • Logs can assist in identifying: port scans, brute force attacks, DoS attacks, account compromises, System errors, almost any type of security issue
  • Can be used for real-time reporting and alerting
  • historical and forensic data
4
Q

What should be logged?

A
  • everything CAN be logged, but does it need to be?
    Security Logs
  • account logins (successful & failed)
  • account modifications
  • configuration changes
    Event/system logs
  • Windows event logs
    Network traffic
    Application logs
  • any system with possible security implications
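An added example, not part of the original flashcards, showing what cards 3 and 4 mean by using login logs to spot brute-force attempts and possible account compromise. It parses constructed OpenSSH-style syslog lines (hostnames and addresses are fictional), keeps a sliding window of failed logins per source address, and raises a second alert when a successful login follows from a source that was already brute-forcing. The threshold and window are assumptions chosen for the sample, not values from the cards.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in OpenSSH/syslog style; host, users and addresses are fictional.
SAMPLE_LOG = """\
Mar  3 09:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:14:03 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 09:14:04 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 09:14:06 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 09:14:08 web01 sshd[2207]: Failed password for alice from 203.0.113.5 port 51242 ssh2
Mar  3 09:14:11 web01 sshd[2209]: Accepted password for alice from 203.0.113.5 port 51244 ssh2
Mar  3 09:20:30 web01 sshd[2300]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 09:25:45 web01 sshd[2310]: Accepted publickey for bob from 198.51.100.7 port 40010 ssh2
Mar  3 09:30:00 web01 sshd[2400]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
"""

# Matches both successful and failed sshd authentication lines, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; that is fine for ordering within one file.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window_s=60):
    """Flag a source IP as brute-forcing once >= threshold failures fall inside window_s seconds.
    Separately flag any later successful login from such a source as a possible compromise.
    Returns a list of (alert_type, source_ip, user) tuples in the order they fire."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    brute_sources = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in brute_sources:
                brute_sources.add(ev["src"])
                alerts.append(("brute_force", ev["src"], None))
        elif ev["src"] in brute_sources:
            alerts.append(("success_after_brute_force", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.7 followed by a key-based login is normal user behaviour and produces nothing; only the source that crossed the failure threshold and then succeeded is reported, which is the "possible account compromise" case the cards describe.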
5
Q

What are the network sensor basics?

A
  • Can be individual devices or configs on network devices
  • provides data on network traffic
  • allows logging and analysis of traffic
  • placement in the network determines which traffic gets logged
  • provides insight into exactly what is happening on the network (possible C2 activity, workstations downloading payloads, data exfiltration)
6
Q

Describe Network Tap network sensor

A
  • usually a standalone device (can be built into other devices)
  • IDS/IPS can use it to monitor traffic; a passive tap only delivers a copy, so an IPS that must block traffic has to sit inline on the pass-through path
  • Three network ports - traffic between two ports passes through, and a copy is sent to the monitor port for logging
7
Q

Describe a port mirroring / SPAN network sensor

A
  • configuration on network device
  • one port set up as “mirror” port
  • traffic from the selected ports or VLANs is copied to that port for logging
  • can affect switch performance; if the copied traffic exceeds the mirror port's capacity (oversubscription), packets are dropped and the sensor misses them
8
Q

Describe SNMP network sensor

A
  • Simple Network Management Protocol
  • Normally used for monitoring device health and stats (polled counters and traps such as interface utilisation or errors), not packet contents
9
Q

Describe network device logs as network sensors

A
  • Similar to SNMP - mostly for device health and information
  • Can provide information on traffic, but not packet data
10
Q

Describe a promiscuous sniffer network sensors

A
  • A NIC in promiscuous mode captures every frame that reaches it; on older shared media (hubs) that meant all traffic on the segment
  • On modern switched networks the switch only forwards unicast frames to the destination port, so a promiscuous host sees little beyond its own traffic and broadcast/multicast unless it is fed by a tap or SPAN port
11
Q

Discuss sensing encrypted network traffic

A
  • encrypted network traffic is designed to be secure
  • traffic CAN be intercepted, but the payload cannot be read without the keys; only metadata (addresses, ports, sizes, timing) stays visible
12
Q

what are the options for monitoring encrypted network traffic?

A
  • source and destination are still available, so traffic to a known malicious destination can still be identified
  • SSL / TLS proxy - decrypts traffic to inspect it, then re-encrypts and forwards it to the destination; adds complexity and failure modes (clients must trust the proxy's CA, and certificate pinning breaks)
  • some malicious encrypted traffic can be mistaken for legitimate traffic
13
Q

What are host sensors?

A
  • sensors that live on a specific device or host, not geared towards network traffic
  • part of (or installed on) a specific host or device
  • logs from OS or application installed on server/workstation
  • can also be dedicated devices or agents for security monitoring (host-based IPS, etc.)
  • can assist in identifying - brute-force login attempts, possible account compromises, malicious files on host (EDR/AV), attacks against web server
  • depending on monitoring configs, may be only way to identify these