4.3 Given an Incident, Utilize appropriate data sources to support an Investigation

Question 1

Vulnerability scan output

Answer 1

A vulnerability scan creates a report showing the results of the scan. The output of the scan typically shows the following

• A list of hosts that it discovered and scanned • A detailed list of applications running on each host • A detailed list of open ports and services found on each host • A list of vulnerabilities discovered on any of the scanned hosts • Recommendations to resolve any of the discovered vulnerabilities Some vulnerability scanners include the ability to run at preconfigured times automatically.

Question 2

SIEM dashboards

Answer 2

In addition to monitoring logs to detect any single incident, you can also use SIEMs to detect trends and raise alerts in real time. By analyzing past alerts, you can identify trends, such as an increase of attacks on a specific system.

Question 3

Sensors

Answer 3

Many SIEM systems use agents placed on systems throughout a network. These collect logs from devices and send these logs to the SIEM system. Dashboards can display data received from these agents.

Question 4

Sensitivity

Answer 4

A challenge with triggers and alerts is setting the sensitivity levels to limit false positives while avoiding false negatives. As an example, imagine Homer enters an incorrect password when logging on. This isn’t an attack, but an honest error. If the SIEM system raises an alert, it would be a false positive. Alternatively, imagine a system is under attack and logs 100 failed login tries in about five minutes. If the SIEM system doesn’t raise an alert, it is a false negative. When setting the sensitivity level for failed logins, administrators pick a number between 1 and 100.

Question 5

Trends

Answer 5

As the SIEM system is analyzing the data, it can identify trends. For example, if there is suddenly a high rate of failed logins, it can identify the trend and raise an alert. Many SIEM systems display trends in graphs allowing users to digest a lot of information in a single picture.

Question 6

Alerts

Answer 6

After setting triggers in a SIEM system, it sends out alerts when the event fires. These alerts may trigger specific responses (such as sending an email to a group), but they are also displayed in the dashboard.

Question 7

Correlation

Answer 7

As log entries arrive at the SIEM system, it correlates and analyzes the data. Administrators can configure the dashboard to display this data in multiple ways depending on their needs.

Question 8

Log files

Answer 8

Log files play a massive part in providing evidence for investigations. There are many different types of log files. Let’s look at each of these in turn and identify the type of information from each of these log files.

Question 9

Network

Answer 9

This log file can identify the IP address and the MAC address of devices that are attached to your network.

Question 10

System

Answer 10

System log files have information about hardware changes, updates to devices, and time synchronization, and they log group policy events and whether they have been successful.

Question 11

Application

Answer 11

Application log files contain information about a software application, when it was launched, whether it was successful, or whether it carries warnings about potential problems or errors.

Question 12

Security

Answer 12

Security log files contain information about a successful login or an unauthorized attempt to access the system. This can identify attackers trying to log in to your computer systems. Security logs capture information on file access and can determine who has downloaded certain data.

Question 13

Web

Answer 13

Web servers log many types of information about the web requests and can be very useful in identifying events.

Question 14

DNS

Answer 14

This log contains all DNS information, such as zone transfer, name resolution queries, DNS server errors, DNS caching, and DNSSEC. If you search the log file on a user’s computer, you can determine which web sites and servers they have visited.

Question 15

Authentication

Answer 15

This log gives information about login events, and whether they are successful or not. One of the best resources for authenticating log files in a domain environment would be a RADIUS server, which maintains a log of when people log in and out. Therefore, it is able to not only authenticate users, but to track them as well. Authentication log files are also kept on a domain controller or remote users coming in via a VPN server.

Question 16

Dump Files

Answer 16

Dump files is when a computer crashes (commonly known as the blue screen of death), and all of the contents in the memory are saved in a dump file (.dmp). These dump files can be analyzed by using a tool such as the Blue Screen Review.

Question 17

VoIP and Call Managers

Answer 17

These systems provide information on the calls being made and the devices that they originate from. They also measure the quality of the call by logging the Mean Optical Score (MOS), jitter, and loss of signal. Each call is logged where you can see inbound and outbound calls, the person making the call, and the person receiving the call.

Question 18

Session Initiation Protocol (SIP) Traffic

Answer 18

SIP is used for internet-based calls and the log files show the 100 events, known as the INVITE, the imitation of a connection, that relates to ringing and then 200 OK is followed by an acknowledgement. If users cannot connect to their SIP calls, this log file can be used to troubleshoot them.

Question 19

Syslog/Rsyslog/Syslog-ng

Answer 19

The system logging protocol (syslog) is known as a log collector as it collects event logs from various devices and then sends them to a central syslog server. If someone deleted the log files in error, they could obtain a copy from the syslog server. In the Linux version, these logs are called syslogd and syslog daemon, which stores the log files in the var/log/syslog directory.

Rsyslog: This is an advanced syslog server. It is called rocket-fast as it has a high performance. It obtains the data and then transforms it to send the outputs to the destinations such as a SIEM server.

Syslog-ng: This was developed by Balabit IT Security Ltd as a free open source protocol for Unix and Linux systems.

Question 20

journalctl

Answer 20

journald collects and stores log data in binary format, and journalctl is able to query and display these logs in a readable format. It is used in a Linux environment.

Question 21

NXLog

Answer 21

This is an open-source log management tool that helps identify security risks in a Linux/Unix environment.

Question 22

Bandwidth Monitors

Answer 22

These can be used to understand your network traffic flow. They can monitor changes in traffic patterns and identify devices on your network that are causing bottlenecks and could detect broadcast storms and potential denial-of-service attacks.

Question 23

Metadata

Answer 23

This is data that provides information about other data. Let’s look at the different types of metadata, starting with email

Question 24

Email

Answer 24

Email headers contain detailed information about an email. It shows the source, destination, and the route through the email providers to the recipient. This can be used when phishing emails are received so that you can identify the perpetrator.

Question 25

Mobile

Answer 25

Telecom providers retain information about phone calls, including calls made, calls received, text messages, internet usage, and location information. These can be used during an investigation to provide evidence that could lead to a conviction.

Question 26

Web

Answer 26

Website metadata provides information about every page created on a website, including who was the author, date created, images, videos, and spreadsheets.

Question 27

File

Answer 27

When investigations are being carried out, the file metadata can be used to track information, such as the author, date created, date modified, and file size. File metadata does not include printing or copying the data.

Question 28

Netflow/sFlow

Answer 28

This is a CISCO product that monitors network traffic, so that they can identify the load on the network. This helps you utilize your network traffic efficiently. During an investigation, it can help identify patterns in network traffic.

Sflow: This is a multi-vendor product that gives you clear visibility of network traffic patterns. This can help identify malicious traffic so that we can keep the network secure and safe.

Question 29

IPFIX

Answer 29

IP Flow Information Export (IPFIX): This product can be used to capture traffic from the node itself. This data can then be exported to a collector within the node.

IPFIX can be used to identify data traveling through a switch and this can be used for billing purposes. It can take IP Flow information and both format the data and forward it to a collector.

Question 30

Protocol Analyzer Output

Answer 30

A protocol analyzer such as Wireshark can capture data traveling across the network. Law enforcement has been able to use Wireshark for forensics by replaying video traffic sent to network devices they capture. The output can be saved in a packet capture file (pcap). Other names for a protocol analyzer are a packet sniffer, wireshark, or tcpdump.