4.3 Given an incident, utilize appropriate data sources to support an investigation. Flashcards

1
Q

What does a vulnerability scanner look for?

A

Key signatures of known vulnerabilities, such as:

Lack of security controls
- No firewall
- No antivirus
- No anti-spyware

Misconfigurations
- Open shares
- Guest access

Real vulnerabilities
- New and old vulnerabilities, matched against a vulnerability database (for example CVE entries and vendor advisories)

Caveat: an unauthenticated scan only sees what is exposed on the network; a credentialed scan can also check installed patch levels and local configuration.

2
Q

SIEM

A

Security information and event management
A system that collects log data from many different sources across the network and consolidates it into one place for searching, alerting, and reporting.

  • Security alerts
  • Log aggregation and long-term storage
  • Data correlation across sources
  • Forensic analysis
3
Q

How does a SIEM get its data?

A

Sensors and logs
- Operating systems: Windows event logs, Linux syslog and the systemd journal
- Infrastructure devices: switches, routers, firewalls, etc.
- NetFlow/IPFIX/sFlow exporters and third-party sensors (IDS, endpoint agents, etc.)

4
Q

In what ways can you view SIEM data, and what can you identify?

A

You can identify:

Trends
- Changes over time
- Ongoing attack metrics at a glance

Alerts
- A specific security event
- The raw log data behind it
- Visualizations of the log information

Correlations
- Combine and compare events from different sources
- View the same data in different ways

5
Q

Network log files

A

* Switches, access points, VPN concentrators, etc.
* Network changes
– Routing updates
– Authentication issues
– Network security issues

6
Q

system log files

A

* Operating system information
– Extensive logs
– File system information
– Authentication details
* Can also include security events
– Monitoring apps
– Brute force, file changes
* May require filtering
– Don't forward everything

7
Q

Application log files

A

* Specific to the application
– Information varies widely
* Windows - Event Viewer / Application Log
* Linux / macOS - /var/log
* Parse the log details on the SIEM
– Filter out unneeded info

8
Q

Web log files

A

* Web server access
– Source IP address, requested URL
* Access errors
– Requests for unauthorized or non-existent folders/files
* Exploit attempts
– Requests for files or paths with known vulnerabilities
* Server activity
– Startup and shutdown notices
– Restart messages
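The three things the card says to pull out of a web log (access errors, exploit attempts, and who is generating them) fall out of a short parser. The block below is an added example, not code from the original page: the access log lines are constructed in the Apache/nginx "combined" format, and the watchlist of probed paths is illustrative (a real one would be driven by the applications you host). Paths are URL-decoded before matching, because scanners routinely encode the `../` in a traversal attempt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache/nginx "combined" format entries (not real traffic)
ACCESS_LOG = """\
203.0.113.9 - - [01/Mar/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2024:10:00:03 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.1" 400 226 "-" "curl/8.4.0"
198.51.100.4 - - [01/Mar/2024:10:00:05 +0000] "GET /docs/missing.html HTTP/1.1" 404 196 "https://example.org/" "Mozilla/5.0"
198.51.100.4 - - [01/Mar/2024:10:00:06 +0000] "POST /api/login HTTP/1.1" 200 42 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Illustrative watchlist of paths that scanners and exploit kits commonly probe (assumption:
# tune it to what you actually host; anything you do not run is a free indicator).
EXPLOIT_PATTERNS = [
    (re.compile(r"\.\./|/etc/passwd|/proc/self"), "path traversal"),
    (re.compile(r"/\.env\b|/\.git/"), "secrets / repo exposure probe"),
    (re.compile(r"wp-login\.php|xmlrpc\.php|phpmyadmin", re.I), "common-app probe"),
    (re.compile(r"cmd\.exe|/bin/sh|\bwget\b|\bcurl\b"), "command execution probe"),
]


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["decoded_path"] = unquote(rec["path"])  # match on the decoded form; attackers encode
        records.append(rec)
    return records


def classify(rec):
    """Return the first watchlist label that matches the decoded path, or None."""
    for pattern, label in EXPLOIT_PATTERNS:
        if pattern.search(rec["decoded_path"]):
            return label
    return None


def summarize(records):
    """Status distribution, 4xx/5xx counts per source, and exploit attempts with their outcome."""
    summary = {"status_counts": Counter(), "errors_by_source": Counter(), "exploit_attempts": []}
    for r in records:
        summary["status_counts"][r["status"]] += 1
        if r["status"] >= 400:
            summary["errors_by_source"][r["src"]] += 1
        label = classify(r)
        if label:
            # keep the raw path so the analyst sees exactly what was sent
            summary["exploit_attempts"].append((r["src"], r["path"], r["status"], label))
    return summary


if __name__ == "__main__":
    s = summarize(parse_access_log(ACCESS_LOG))
    print("status counts:", dict(s["status_counts"]))
    print("errors by source:", dict(s["errors_by_source"]))
    for src, path, status, label in s["exploit_attempts"]:
        print(f"{src} {status} {label}: {path}")
```

The status code next to each flagged request is the important field for triage: a 404 against a path you do not host is noise from a scanner, while a 200 against the same path means something answered and needs a closer look.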

9
Q

DNS log files

A

* View lookup requests
– And other DNS queries
– IP address of the requesting client
– The requested FQDN, or the IP for a reverse lookup
* Identify queries to known bad domains
– Malware sites, known command and control domains
* Block or modify known bad requests at the DNS server (a DNS sinkhole)
– Log the results
– Report on malware activity

10
Q

Authentication log files

A

* Know who logged in (or didn't)
– Account names
– Source IP address
– Authentication method
– Success and failure reports
* Identify multiple failures
– Potential brute force attacks
* Correlate with other events
– File transfers
– Authentications to other devices
– Application installation
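Both points on this card, spotting multiple failures and correlating them with what happened next, can be shown against a handful of sshd entries. The block below is an added example, not code from the original page: the auth log lines are constructed (syslog format as written by OpenSSH, with the year omitted as in a real `auth.log`), and the thresholds (five failures inside one minute, three failures before a success) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd entries (not real traffic): one source guesses passwords and gets in,
# another user mistypes once and then logs in with a key.
AUTH_LOG = """\
Mar  1 10:00:01 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  1 10:00:02 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  1 10:00:03 bastion sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Mar  1 10:00:04 bastion sshd[1004]: Failed password for bob from 203.0.113.5 port 51003 ssh2
Mar  1 10:00:05 bastion sshd[1005]: Failed password for bob from 203.0.113.5 port 51004 ssh2
Mar  1 10:00:07 bastion sshd[1007]: Accepted password for bob from 203.0.113.5 port 51006 ssh2
Mar  1 10:00:08 bastion sshd[1008]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:09 bastion sshd[1009]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:10 bastion sshd[1010]: Connection closed by 198.51.100.7 port 40001 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return login attempts (failures and successes) as dicts; other sshd lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        records.append({"ts": ts, "result": m.group("result"), "method": m.group("method"),
                        "user": m.group("user"), "src": m.group("src")})
    return records


def detect_brute_force(records, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside any sliding window of `window`.
    Returns {source: total failures seen}."""
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "Failed":
            failures[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[src] = len(times)
                break
    return flagged


def success_after_failures(records, min_failures=3):
    """Correlation: a successful login from a source that had just failed repeatedly.
    A guessed password looks like this; so does a user who finally remembered theirs,
    which is why the method and account are returned for the analyst to judge."""
    streak = defaultdict(int)
    hits = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["result"] == "Failed":
            streak[r["src"]] += 1
            continue
        if streak[r["src"]] >= min_failures:
            hits.append((r["src"], r["user"], r["method"], streak[r["src"]]))
        streak[r["src"]] = 0  # a success ends the streak either way
    return hits


if __name__ == "__main__":
    recs = parse_auth_log(AUTH_LOG)
    print("brute force sources:", detect_brute_force(recs))
    print("success after failures:", success_after_failures(recs))
```

The second function is the SIEM-style step: a raw failure count alone only tells you someone is knocking, while a success from the same source right after a run of failures is the event worth paging on, and the account name is what you then pivot on in the file transfer and application logs the card mentions.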

11
Q

Dump files

A

* Stores the contents of a process's memory in a diagnostic file
– Developers and incident responders can use this information (crash cause, loaded modules, strings left in memory)
* Easy to create from Windows Task Manager
– Right-click the process, Create dump file
* Some applications have their own dump file process
– Contact the appropriate support team for additional details
* Handle dump files as sensitive: they can contain credentials, keys, and session tokens that were in memory

12
Q

VoIP and Call Manager logs

A

* View inbound and outbound call information
– Endpoint details, gateway communication
* Security information
– Authentications, audit trail
* SIP traffic logs
– Session Initiation Protocol
– Call setup, management, and teardown
– Inbound and outbound calls
– Alert on unusual numbers or country codes (a common sign of toll fraud)

13
Q

Security log files

A

* Detailed security-related information
– Blocked and allowed traffic flows
– Exploit attempts
– Blocked URL categories
– DNS sinkhole traffic
* Security devices
– IPS, firewall, proxy
* Critical security information
– Documentation of every traffic flow
– Summary of attack info
– Correlate with other logs

14
Q

Syslog

A
  • Standard for message logging (RFC 3164 "BSD syslog" and RFC 5424 message formats)
    – Diverse systems create a consolidated log
  • Usually a central logging receiver
    – Integrated into the SIEM (Security Information and Event Management)
  • Each log entry is labeled
    – A PRI value of facility code (program that created the log) × 8 + severity level (0 emergency through 7 debug)
  • Transport
    – Traditionally UDP port 514: no delivery guarantee and no encryption
    – Use TCP, or TLS (RFC 5425), when logs cross an untrusted network
  • Syslog daemon options
    – Rsyslog - "Rocket-fast System for log processing"
    – syslog-ng - A popular syslog daemon with additional filtering and storage options
    – NXLog - Collection from many diverse log types
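The facility and severity label is the part of syslog a SIEM parser has to get right first, and it also drives the "don't forward everything" filtering from the system log card. The block below is an added example, not code from the original page or from any of the daemons it lists: it decodes the PRI value per RFC 5424 (facility = PRI ÷ 8, severity = PRI mod 8), recognizes the RFC 5424 version marker, and applies a forwarding policy. The sample lines are constructed, and the policy (keep notice and above, plus everything from the auth facilities) is an assumption.

```python
import re

# RFC 5424 facility and severity tables, indexed by numeric code
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" then an optional "1 " (the RFC 5424 VERSION field), then the rest of the message
_PRI_RE = re.compile(r"^<(\d{1,3})>(1 )?(.*)$", re.DOTALL)

# Constructed sample lines: BSD-style, RFC 5424-style, a cron info line, an sshd line, garbage
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for alice on /dev/pts/8",
    "<165>1 2024-03-01T10:00:00Z host2 app - ID47 - startup complete",
    "<30>Mar  1 10:00:01 host1 CRON[123]: (root) CMD (run-parts /etc/cron.hourly)",
    "<86>Mar  1 10:00:02 host1 sshd[999]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2",
    "this line has no PRI label",
]


def parse_syslog(line):
    """Decode the PRI label into facility/severity names and return them with the remainder."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI label: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITIES[pri >> 3],   # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri & 7],
        "severity_code": pri & 7,
        "rfc5424": m.group(2) is not None,
        "message": m.group(3),
    }


def select_for_forwarding(lines, max_severity="notice", keep_facilities=("auth", "authpriv")):
    """Keep entries at or above `max_severity`, plus everything from the auth facilities.
    Lower severity code means more severe, so 'notice' (5) keeps emerg through notice."""
    threshold = SEVERITIES.index(max_severity)
    kept = []
    for line in lines:
        try:
            rec = parse_syslog(line)
        except ValueError:
            continue  # malformed lines are dropped here; count them in production
        if rec["severity_code"] <= threshold or rec["facility"] in keep_facilities:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in select_for_forwarding(SAMPLE_LINES):
        print(f"{rec['facility']}.{rec['severity']:<7} rfc5424={rec['rfc5424']} {rec['message']}")
```

Note that the facility is whatever the sending program chose to put in the label, not something the receiver can verify; an attacker with a shell on the host can emit messages with any facility and severity, so the filter is a volume control, not a trust boundary.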
15
Q

journalctl

A

* Linux has a lot of logs
– The OS, daemons, applications, etc.
* systemd stores the system journal in a binary format
– Optimized for storage and queries
– Can't read it with a text editor
* journalctl provides a method for querying the system journal
– Search and filter by unit, priority, time range, or any journal field
– View as plain text, or export as JSON for forwarding to a SIEM
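When the journal has to reach a SIEM or be searched offline, the usual route is `journalctl -o json` (one JSON object per line, with fields such as `_SYSTEMD_UNIT`, `PRIORITY`, `SYSLOG_IDENTIFIER`, `_PID`, `_HOSTNAME`, `__REALTIME_TIMESTAMP` in microseconds, and `MESSAGE`). The block below is an added example, not code from the original page or from systemd: it consumes constructed records in that shape, reproduces the unit and priority filtering that `journalctl -u` and `-p` do on the live journal, and renders an entry back into the plain-text form the card describes.

```python
import json
from datetime import datetime, timezone

# journald priorities follow syslog severities: 0 emerg ... 7 debug
PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed records shaped like `journalctl -o json` output (timestamps are 2024-03-01 10:00 UTC)
JOURNAL_JSON = "\n".join(json.dumps(r) for r in [
    {"__REALTIME_TIMESTAMP": "1709287205000000", "_HOSTNAME": "bastion", "_SYSTEMD_UNIT": "ssh.service",
     "SYSLOG_IDENTIFIER": "sshd", "_PID": "1001", "PRIORITY": "6",
     "MESSAGE": "Accepted publickey for alice from 198.51.100.7 port 40001 ssh2"},
    {"__REALTIME_TIMESTAMP": "1709287206000000", "_HOSTNAME": "bastion", "_SYSTEMD_UNIT": "ssh.service",
     "SYSLOG_IDENTIFIER": "sshd", "_PID": "1002", "PRIORITY": "4",
     "MESSAGE": "error: maximum authentication attempts exceeded for root from 203.0.113.5 port 51009 ssh2 [preauth]"},
    {"__REALTIME_TIMESTAMP": "1709287207000000", "_HOSTNAME": "bastion", "_SYSTEMD_UNIT": "cron.service",
     "SYSLOG_IDENTIFIER": "CRON", "_PID": "1003", "PRIORITY": "6",
     "MESSAGE": "(root) CMD (run-parts /etc/cron.hourly)"},
    {"__REALTIME_TIMESTAMP": "1709287208000000", "_HOSTNAME": "bastion", "_TRANSPORT": "kernel",
     "SYSLOG_IDENTIFIER": "kernel", "PRIORITY": "3",
     "MESSAGE": "I/O error, dev sda, sector 2048 (constructed message)"},
])


def parse_journal_json(text):
    """One journal entry per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def select(entries, unit=None, max_priority="warning"):
    """Mimic `journalctl -u UNIT -p PRIORITY`: a lower PRIORITY number is more severe,
    so `max_priority` keeps that level and everything worse."""
    limit = PRIORITY_NAMES.index(max_priority)
    out = []
    for e in entries:
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        if int(e.get("PRIORITY", 7)) > limit:
            continue
        out.append(e)
    return out


def to_text(entry):
    """Render an entry the way journalctl's short output does: timestamp host ident[pid]: message."""
    ts = datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc)
    ident = entry.get("SYSLOG_IDENTIFIER") or entry.get("_COMM", "?")
    pid = entry.get("_PID")
    tag = f"{ident}[{pid}]" if pid else ident
    return f"{ts:%b %d %H:%M:%S} {entry.get('_HOSTNAME', '-')} {tag}: {entry['MESSAGE']}"


if __name__ == "__main__":
    entries = parse_journal_json(JOURNAL_JSON)
    for e in select(entries, unit="ssh.service", max_priority="warning"):
        print(to_text(e))
```

The trusted fields (those with a leading underscore, such as `_PID`, `_UID`, `_SYSTEMD_UNIT`) are filled in by journald from the sending process's credentials, whereas `SYSLOG_IDENTIFIER` and `MESSAGE` are supplied by the process itself; when attributing an event, prefer the underscore fields.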

16
Q

bandwidth monitors

A

* The fundamental network statistic
– Percentage of link capacity in use over time
* Many different ways to gather this metric
– SNMP interface counters, NetFlow, sFlow, IPFIX, protocol analysis, software agents
* Identify fundamental issues
– Nothing works properly if bandwidth is highly utilized
– A sudden, sustained change is also a security signal (exfiltration, DDoS, a worm scanning)

17
Q

Metadata

A

* Metadata
– Data that describes other data
* Email
– Header details, sending servers, destination address
* Mobile
– Type of phone, GPS location
* Web
– Operating system, browser type, IP address
* Files
– Author name, address, phone number, document title

18
Q

NetFlow

A

* Gather traffic statistics from all traffic flows
– Shared communication between devices
* NetFlow
– Standard collection method
– Many products and options
* Probe and collector
– Probe watches network communication
– Summary records are sent to the collector
* Usually a separate reporting app
– Closely tied to the collector
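The bandwidth monitor card and this NetFlow card describe the same pipeline: summary records per flow, then reporting that turns them into utilization over time and top talkers. The block below is an added example, not code from the original page or from any NetFlow product: it stands in for the reporting app on the collector side, working from constructed flow summaries with the fields a NetFlow v5 record carries (start time, source, destination, protocol, destination port, packets, bytes). The 10 Mbit/s link speed is an assumption; percent utilization cannot be reported without it.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed flow summaries in the spirit of NetFlow v5 records (not a real export):
# (flow start, source, destination, protocol, destination port, packets, bytes)
FLOWS = [
    ("2024-03-01T10:00:05", "10.0.0.5", "93.184.216.34", "tcp", 443, 1200, 1_500_000),
    ("2024-03-01T10:00:20", "10.0.0.7", "10.0.0.50",     "tcp", 445, 9000, 60_000_000),
    ("2024-03-01T10:00:40", "10.0.0.5", "198.51.100.9",  "udp", 53,  3,    300),
    ("2024-03-01T10:01:10", "10.0.0.9", "203.0.113.77",  "tcp", 22,  4000, 5_000_000),
    ("2024-03-01T10:01:30", "10.0.0.7", "10.0.0.50",     "tcp", 445, 8000, 55_000_000),
    ("2024-03-01T10:02:01", "10.0.0.5", "93.184.216.34", "tcp", 443, 50,   80_000),
]
LINK_BPS = 10_000_000  # assumed 10 Mbit/s link; the monitor needs the link speed to report percent


def bytes_per_minute(flows):
    """Attribute each flow's bytes to the minute it started. Good enough for short flows;
    a production collector spreads long-lived flows across the intervals they span."""
    buckets = defaultdict(int)
    for start, _src, _dst, _proto, _dport, _pkts, nbytes in flows:
        minute = datetime.fromisoformat(start).strftime("%Y-%m-%dT%H:%M")
        buckets[minute] += nbytes
    return dict(buckets)


def utilization_percent(flows, link_bps=LINK_BPS):
    """Percent of link capacity consumed in each one-minute interval."""
    capacity_bits = link_bps * 60
    return {m: b * 8 / capacity_bits * 100 for m, b in bytes_per_minute(flows).items()}


def saturated_minutes(flows, threshold=75.0, link_bps=LINK_BPS):
    """Intervals at or above the utilization threshold, oldest first."""
    return sorted(m for m, pct in utilization_percent(flows, link_bps).items() if pct >= threshold)


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent: the first thing to check when a link is saturated."""
    totals = Counter()
    for _start, src, _dst, _proto, _dport, _pkts, nbytes in flows:
        totals[src] += nbytes
    return totals.most_common(n)


def bytes_by_destination_port(flows):
    """What the traffic is, not just who sends it (445 here means SMB file copies)."""
    totals = Counter()
    for _start, _src, _dst, proto, dport, _pkts, nbytes in flows:
        totals[(proto, dport)] += nbytes
    return totals.most_common()


if __name__ == "__main__":
    for minute, pct in sorted(utilization_percent(FLOWS).items()):
        print(f"{minute} {pct:6.2f}%")
    print("saturated minutes:", saturated_minutes(FLOWS))
    print("top talkers:", top_talkers(FLOWS))
    print("by service:", bytes_by_destination_port(FLOWS))
```

In the constructed data one host pushing 115 MB over SMB in two minutes accounts for the saturation; whether that is a backup job or a staging step before exfiltration is exactly the question the authentication and file-server logs on the other cards answer.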

19
Q

IPFIX

A
  • IP Flow Information Export
    – A newer, NetFlow-based standard
    – Evolved from NetFlow v9
  • Flexible data support
    – Templates are used to describe the data
20
Q

sFlow

A

sFlow (sampled flow)
* An industry standard for flow monitoring, built into many switches and routers
– Maintained by sflow.org
* Sampling rather than accounting for every packet
– The device samples 1 in N packets and exports the headers, along with periodic interface counters
– Statistics are therefore estimates, not exact byte counts
* Low overhead on the exporting device
– Suited to high-speed links where per-flow NetFlow/IPFIX accounting is too costly
– Not a substitute for full flow records when an investigation needs every connection

21
Q

Protocol analyzer output

A
  • Solve complex application issues
    – Get into the details
  • Gathers packets on the network
    – Or in the air
    – Sometimes built into the device
  • View detailed traffic information
    – Identify unknown traffic
    – Verify packet filtering and security controls
    – View a plain-language description of the application data
22
Q

TAP

A

A test access point (TAP) is a separate hardware device inserted inline on a link that copies the signal at the physical and data link layer to a monitoring port. Because no network- or transport-layer logic is involved, every frame, including errored and undersized ones, is passed to the monitoring tool, so a TAP avoids frame loss and gives reliable packet capture.

Caveats: inserting a TAP briefly interrupts the link, and a passive TAP has no address on the network, so the monitoring side cannot be reached or tampered with from the monitored segment.

23
Q

SPAN

A

SPAN (switched port analyzer) functionality is a feature of many network switches. Also known as port mirroring, a copy of network traffic is sent to another port as it passes through the switch. Frames with errors are not mirrored, and frames may be dropped under heavy load: mirroring both directions of a full-duplex 1 Gbit/s port can present up to 2 Gbit/s to a 1 Gbit/s monitor port, and the switch gives forwarding priority over the mirror. Treat SPAN capture as a sample when it matters whether a packet was seen.

24
Q

OSSEC

A

OSSEC is a host intrusion detection system (HIDS) that can collect DNS server logs for trend analysis. OSSEC can cross-check these DNS server logs against a list of known malicious domains.
OSSEC can also perform frequency-based trend analysis on NXDOMAIN responses by comparing the observed rate to a baseline. Rates outside the baseline may indicate malicious activity, such as malware cycling through algorithmically generated domains.
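The DNS log card and this OSSEC card together describe two checks: match queried names against a list of known bad domains, and compare each client's NXDOMAIN rate to its baseline. The block below is an added example, not code from the original page or from OSSEC: it runs both checks over a constructed resolver query log (one line per query: timestamp, client, name, type, response code). The blocklist, the per-client baselines, and the spike rule (at least 10 NXDOMAINs in a minute and more than five times the baseline) are assumptions; a real deployment loads the list from a threat-intel feed and derives the baseline from past log data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed: a domain blocklist and each client's historical NXDOMAIN rate (per minute)
BLOCKLIST = {"bad.example", "malware-drop.test"}
BASELINE_NXDOMAIN_PER_MIN = {"192.0.2.10": 1.0, "192.0.2.20": 2.0}


def build_sample_log():
    """Constructed resolver query log: '<iso timestamp> <client> <qname> <qtype> <rcode>' per line."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(30):  # one host resolving 30 never-seen names in a minute: the shape of a DGA
        t = t0 + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 192.0.2.10 k{i * 7919 % 99991:05d}wq.example A NXDOMAIN")
    lines += [
        f"{t0.isoformat()} 192.0.2.20 www.example.org A NOERROR",
        f"{(t0 + timedelta(seconds=5)).isoformat()} 192.0.2.20 typo.exampel.org A NXDOMAIN",
        f"{(t0 + timedelta(seconds=9)).isoformat()} 192.0.2.20 update.c2.bad.example A NOERROR",
        f"{(t0 + timedelta(seconds=30)).isoformat()} 192.0.2.20 printer.invalid A NXDOMAIN",
    ]
    return "\n".join(lines)


def parse_dns_log(text):
    """Parse the constructed format; names are normalized to lowercase without a trailing dot."""
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype, "rcode": rcode})
    return records


def is_blocklisted(qname, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the list (c2.bad.example matches bad.example)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def blocklist_hits(records, blocklist=BLOCKLIST):
    """(client, name) for every query that touched a listed domain, whatever the response code."""
    return [(r["client"], r["qname"]) for r in records if is_blocklisted(r["qname"], blocklist)]


def nxdomain_spikes(records, baseline=BASELINE_NXDOMAIN_PER_MIN, factor=5.0, minimum=10):
    """Clients whose NXDOMAIN count in some minute is both above `minimum` and more than
    `factor` times their own baseline rate. Returns {client: peak count}."""
    per_client_minute = Counter()
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            per_client_minute[(r["client"], r["ts"].replace(second=0, microsecond=0))] += 1
    flagged = {}
    for (client, _minute), n in per_client_minute.items():
        expected = baseline.get(client, 0.0)
        if n >= minimum and n > factor * expected:
            flagged[client] = max(n, flagged.get(client, 0))
    return flagged


if __name__ == "__main__":
    recs = parse_dns_log(build_sample_log())
    print("blocklist hits:", blocklist_hits(recs))
    print("NXDOMAIN spikes:", nxdomain_spikes(recs))
```

The blocklist check deliberately ignores the response code: if the sinkhole on the DNS server answered a known C2 name with NOERROR and a sinkhole address, the query is still the evidence that a host tried to reach it, which is the "log the results, report on malware activity" point from the DNS card.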

25
Q

What types of information might the analyst find in email headers?

A

Sender addresses (the header From and the envelope Return-Path, which need not match), results of spam and authentication checks (SPF, DKIM, DMARC), and the Received headers added by each server that carried the message, which trace the path back to the originating host.
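Reading those fields by hand is error-prone because every relay prepends its own Received header, so the origin is at the bottom of the list. The block below is an added example, not code from the original page: it uses Python's standard `email` module on a constructed message (a lookalike-sender phish relayed through a bulk mailer) to walk the Received chain in transit order, pull the SPF/DKIM/DMARC verdicts from Authentication-Results, and compare the header From domain with the envelope sender. The domains, addresses and server names are all constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed message illustrating a lookalike-sender phish (not a real message)
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.25]) by inbound.corp.example (Postfix) with ESMTPS id 1A2B3C for <alice@corp.example>; Fri, 1 Mar 2024 10:00:05 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.30]) by mx.example.com with ESMTP id Z9Y8; Fri, 1 Mar 2024 10:00:03 +0000
Received: from [203.0.113.66] (unknown [203.0.113.66]) by relay.mailer.example.net with ESMTPA id Q1W2; Fri, 1 Mar 2024 10:00:01 +0000
Authentication-Results: inbound.corp.example; spf=pass smtp.mailfrom=mailer.example.net; dkim=fail header.d=bank.example; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: alice@corp.example
Subject: Verify your account
Message-ID: <20240301100000.1@mailer.example.net>
Date: Fri, 1 Mar 2024 10:00:00 +0000
Content-Type: text/plain; charset=us-ascii

Please sign in at the link below to keep your account active.
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_message(raw):
    return email.message_from_string(raw)


def received_chain(msg):
    """Hops in transit order. Each MTA prepends its own Received header,
    so the last header in the message is the first hop (the origin)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        ip = IP_RE.search(m.group(0))  # the bracketed address the receiving MTA observed
        hops.append({"from": m.group("from"), "by": m.group("by"), "ip": ip.group(1) if ip else None})
    return hops


def auth_results(msg):
    """SPF/DKIM/DMARC verdicts recorded by the receiving server, e.g. {'spf': 'pass', ...}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(hdr):
            results[method] = verdict.lower()
    return results


def header_findings(msg):
    """Summarize what an analyst checks first: who claims to have sent it, who really did,
    where it entered the mail system, and whether the domain's own policy vouches for it."""
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    hops = received_chain(msg)
    auth = auth_results(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path,
        "envelope_mismatch": from_domain != return_path,  # header From vs envelope sender
        "origin_ip": hops[0]["ip"] if hops else None,
        "auth": auth,
        "suspicious": from_domain != return_path and auth.get("dmarc") != "pass",
    }


if __name__ == "__main__":
    msg = parse_message(RAW)
    for hop in received_chain(msg):
        print(f"{hop['ip'] or '?':>15}  {hop['from']} -> {hop['by']}")
    print(header_findings(msg))
```

Only the Received header written by your own inbound server (the top one) is trustworthy; everything below it arrived with the message and can be forged, which is why the origin IP from the bottom hop is a lead rather than a fact, and why the Authentication-Results header should be read only if it was added by your own `authserv-id`.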

26
Q

NXlog

A

NXLog (nxlog.co) is a centralized log collection tool with an open-source Community Edition. It offers SIEM-like features such as alerting, normalization, aggregation, correlation, and retention. NXLog is multi-platform compatible.