Topic 12C Flashcards
In the context of an incident response case or digital forensics investigation, a data source is what?
something that can be subjected to analysis to discover indicators
Examples of data sources:
System memory and media device file system data and metadata.
Log files generated by network appliances (switches, routers, and firewalls/UTMs).
Network traffic captured by sensors and/or any alertable or loggable conditions raised by intrusion detection systems.
Log files and alerts generated by network-based vulnerability scanners.
Log files generated by the OS components of client and server host computers.
Log files generated by applications and services running on hosts.
Log files and alerts generated by endpoint security software installed on hosts.
What can be used to aggregate and correlate multiple data sources?
security information and event management (SIEM) tools
A SIEM can be used for two types of reporting:
Alerts and alarms detect the presence of threat indicators in the data and can be used to start incident cases.
Status reports communicate data about the level of threat or number of incidents being raised and the effectiveness of security controls and response procedures.
Event Viewer
A Windows console related to viewing and exporting events in the Windows logging file format.
Syslog
Application protocol and event-logging format enabling different appliances and software applications to transmit logs or event records to a central server. Syslog works over UDP port 514 by default.
Syslog messages can be generated by switches, routers, and firewalls, as well as UNIX or Linux servers and workstations.
Types of Windows logs
Application - generated by application processes, such as crashes or installs
Security - failed logins, etc.
System - events generated by operating system kernel processes and services, e.g., a driver or service cannot start, a startup type change, etc.
Endpoint log
refer to events monitored by security software running on the host, rather than by the OS itself.
This can include host-based firewalls and intrusion detection, vulnerability scanners, and antivirus/antimalware protection suites.
Endpoint protection platform (EPP), endpoint detection and response (EDR), or extended detection and response (XDR).
Suites that integrate functions into a single product.
These security tools can be directly integrated with a SIEM using agent-based software.
Summarizing events from endpoint protection logs can show overall threat levels, such as amount of malware detected, number of host intrusion detection events, and numbers of hosts with missing patches.
Network logs
generated by appliances such as routers, firewalls, switches, and access points.
Log files will record the operation and status of the appliance itself—the system log for the appliance—plus traffic and access logs recording network behavior.
For example, a switch log might reveal an endpoint trying to use multiple MAC addresses to perpetrate an on-path attack.
A firewall log might identify scanning activity on a blocked port.
An access point log could record disassociation events that indicate a threat actor trying to attack the wireless network.
Firewall rule
Can be configured to generate an event whenever it is triggered.
As with most types of security data, this can quickly generate an overwhelming number of events. It is also possible to configure log-only rules.
An audit event will record a date/timestamp, the interface on which the rule was triggered, whether the rule matched incoming/ingress or outgoing/egress traffic, and whether the packet was accepted or dropped.
IPS/IDS Logs
An event is generated when a traffic pattern is matched to a rule. As this can generate a very high volume of events, it might be appropriate to log only high sensitivity/impact rules.
A single packet can trigger multiple rules.
An intrusion prevention system could additionally be configured to log shuns, resets, and redirects in the same way as a firewall.
Network traffic is typically analyzed in detail at the level of
individual frames or using summary statistics of traffic flows and protocol usage.
What layers does Wireshark decode at?
data link/MAC, network/IP, and transport (TCP/UDP) layers
What can packet analysis identify?
Manipulation of packets passing through a standard port, for example, traffic to a botnet server.
Allows inspection of protocol payloads to identify data exfiltration attempts or attempts to contact suspicious domains and URLs.
Detailed analysis of the packet contents can help to reveal the tools used in an attack. It is also possible to extract binary files such as potential malware for analysis.