Sensors & Logging Flashcards
1
Q
What are security sensors?
A
- Collects info about network or device
- Assist in analysing security data and events
- Sensors are everywhere - Network devices (firewall tap), Severs (event logs), independent (stand-alone security sensors), IoT devices
- Aggregate that data into central location(s)
- There is no one sensor that can capture everything
- There can be an ideal configuration of sensors - complete system that logs every meaningful event, non-redundant (no duplicated events)
- Capture account logins/modifications, firewall logs, network traffic
2
Q
What are some security sensor types?
A
- Device/host sensors - pull event / system logs, SNMP logs (simple network management protocol), EDR software
- Network sensors - network tap/span port, logs from network devices (can also be device sensor)
- IDS/IPS
- service sensors - generated from specific applications/ services, HTTP / SMTP etc,
3
Q
Why is logging critical?
A
- Proper logging is critically important for security
- Logs can assist in identifying: port scans, brute force attacks, DoS attacks, account compromises, System errors, almost any type of security issue
- Can be used for real-time reporting and alerting
- historical and forensic data
4
Q
What should be logged?
A
- everything CAN be logged, but does it need to be?
Security Logs - account logins (successful & failed)
- account modifications
- configuration changes
Event/system logs - windows event logs
Network traffic
Application logs - any system with possible security implications
5
Q
What are the network sensor basics?
A
- Can be individual devices or configs on network devices
- provides data on network traffic
- allows logging and analysis of traffic
- placement in network determined logged traffic
- ## provides insight into exactly what is happening on network (possible C2 activity, workstations downloading payloads, data exfiltration)
6
Q
Describe Network Tap network sensor
A
- usually a standalone device (can be built-in to other devices)
- IPS systems can us this to monitor / block traffic
- Three network ports - traffic between two ports passes through, traffic is copied and routed to monitor port for logging
7
Q
Describe a port mirroring / SPAN network sensor
A
- configuration on network device
- one port set up as “mirror” port
- all traffic on device copied to that port for logging
- can affect performance and result in dropped packets
8
Q
Describe SNMP network sensor
A
- Simple Network Management Protocol
- Normally used for monitoring device health and stats
9
Q
Describe network device logs as network sensors
A
- Similar to SNMP - mostly for device health and information
- Can provide information on traffic, but not packet data
10
Q
Describe a promiscuous sniffer network sensors
A
- Works with older technologies
- does not work with modern switched networks
11
Q
Discuss sensing encrypted network traffic
A
- encrypted network traffic is designed to be secure
- traffic CAN be intercepted, but contents cannot be read
12
Q
what are the options for monitoring encrypted network traffic?
A
- source and destination are still available, can still identify if traffic going to known malicious destination
- SSL / TLS proxy - decrypts traffic to read, re-encrypts and sends to destination, can add complexity and increase errors
- some malicious encrypted traffic can be mistaken for legitimate traffic
12
Q
What are host sensors?
A
- sensors that live on a specific devices or host, not geared towards network traffic
- part of (or installed on) a specific host or device
- logs from OS or application installed on server/workstation
- can also be dedicated devices for security monitoring (IPS, etc)
- can assist in identifying - brute-force login attempts, possible account compromises, malicious files on host (EDR/AV), attacks against web server
- depending on monitoring configs, may be only way to identify these
13
Q
A
