Final Exam Flashcards

1
Q

NetFlow

A

NetFlow is statistical data about traffic flows on network
• Think of a flow as a unique TCP/UDP session
• We clump the packets together!
• It disregards packet data/payload
• Focuses in on the headers (metadata)

2
Q

NetFlow Pros

A
  • Takes up less storage space
  • Cheaper to implement on network devices (routers)
  • Encrypted traffic looks same as normal traffic
3
Q

NetFlow Cons

A
  • Harder to analyze/less informative without packet content
  • Creates additional network traffic
  • Infrastructure must be set up BEFORE incident
4
Q

NetFlow Architecture

A
  • NetFlow Sensors – Generates NetFlow data
  • NetFlow Collector – Collects NetFlow from multiple sensors
  • Storage – Database storage for collected NetFlow
  • Analysis Console – User interface to query/export NetFlow
5
Q

NetFlow Analysis

A
  • Top talking IP addresses (foreign?) and ports (weird?)
  • Traffic spikes (malware C2 or data exfiltration?)
  • Anomalous behavior (compared to the “norm”)
6
Q

Logs vs. PCAPs & NetFlow

A
  • With PCAPs and NetFlow we get insight into all the traffic
  • PCAPs = content, NetFlow = no content
  • Logs only record certain events from the traffic that are “meaningful” to that specific log source
7
Q

Log Sources

A
Some of the most common sources of log files:
• Network Devices
• Network Services
• Hosts
• Security Appliances (IDS/Firewall)
• Web Proxies
• VPN Concentrators
8
Q

Network Device Logs

A
  • Routers – Admin Interface/Built-in Firewall

  • Switches – Admin Interface/CAM Table Mappings (MAC addresses to switch ports)

9
Q

Network Service Logs

A
  • DNS Server – DNS Requests/Responses

  • DHCP Server – DHCP DORA Requests/Responses

10
Q

Windows Event Logs

A

• End hosts (clients and servers) will have their own operating system specific logs.
• All systems running Windows OS have Windows Event Logs.
• We need specialized tools to parse and analyze these files
• Windows has one built in: Event Viewer

11
Q

Windows Log Types

A

• Two categories of Event Logs: Windows and Applications/Services.

12
Q

Windows Logs (Big 3)

A
  • Application.evtx – Any event logged by running applications
  • System.evtx – Any event logged by Operating System
  • Security.evtx – Any event related to the security of the system
13
Q

Applications/Services Logs

A

• There are many!
• DHCP, Internet Explorer, PowerShell, TaskScheduler, TerminalServices (RDP), WMI, Windows Defender, Windows Firewall, Winlogon

14
Q

Security Logon Events: Event ID 4624

A
  • These events are logged in Security.evtx
  • Event ID 4624 – “An account was successfully logged on”
  • Type 2 – Local Keyboard Logon
  • Type 3 – Network Logon (= remote)
  • Type 7 – Unlock (can sometimes be remote)
  • Type 10 – RemoteInteractive (RDP = remote)
  • These events give us a “Source Network Address”
15
Q

Security Logon Events: Event ID 4625

A

• Event ID 4625 – “An account failed to log on”
• Includes Failure Reason (Account locked? Bad username/password?)
• Does NOT include IP address of the attempt

16
Q

TerminalServices Logon Events

A

• These events are located in Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
• Event ID 21 – “Remote Desktop Services: Session logon succeeded”
• Event ID 25 – “Remote Desktop Services: Session reconnection succeeded”
• Both include a source network address as well

17
Q

Firewalls

A
  • A type of security appliance that monitors and controls incoming and outgoing network traffic based on rules
  • These rules are Access Control Lists (ACLs)
  • A Firewall is only concerned with blocking/filtering traffic based on ACLs
  • NOT looking for malicious traffic necessarily
18
Q

Firewalls: Host & Network

A
  • Host or Network
  • Host – Monitors traffic to/from a single host endpoint
  • Running on our clients and servers themselves
  • Network – Monitors traffic to/from a network chokepoint
  • Think the ones we have been drawing in network diagrams
19
Q

Firewalls: Software & Hardware

A
  • Software – Software running on system

  • Hardware – Hardware appliance

20
Q

Stateless Firewalls

A
  • Stateless Firewalls block packets based on static header values
  • Monitors individual packets
  • Source/destination addresses and ports
21
Q

Stateful Firewalls

A
  • Stateful Firewalls can monitor streams of traffic
  • Monitors the requests and responses
  • Allows traffic that is part of an already established stream
22
Q

IDS

A

An Intrusion Detection System (IDS) is a network security appliance that can detect, log, and alert malicious traffic
• Passively listens on the network and compares traffic against its signatures or heuristics

23
Q

IPS

A

An Intrusion Prevention System (IPS) includes an ability to block or mitigate the malicious traffic threat
• Actively placed inline on the network so it can prevent the traffic from being delivered

24
Q

Network IDS

A
  • Network IDS (NIDS) are placed at strategic point(s) within a network to monitor network traffic for signs of intrusion
  • Examines the packets
  • Online NIDS – examines real-time network traffic
  • Offline NIDS – examines stored PCAP
25
Q

Host IDS

A
Host IDS (HIDS) run on an individual host and monitors that specific host for signs of intrusion
• Examines modifications to host files
26
Q

IDS Detection Styles: Signature-Based

A

• Detection based on known signatures of malicious traffic
• Signatures can be known domains/addresses/ports, byte sequences, or attack patterns
• Signatures released by vendor, security community, or yourself
• Indicators of Compromise (IOCs)
• Shortcoming: Detection of Zero-Day threats

27
Q

IDS Detection Styles: Anomaly-Based (Heuristic)

A
  • Detection based on machine learning from a baseline of normal network activity
  • Shortcoming: False Positives
28
Q

Snort vs. Bro

A
  • Snort/Suricata are signature-based IDS
  • Based on known indicators of compromise (IOCs)
  • Updating signatures all the time!
  • Bro is better for anomaly-based IDS
  • But is also signature-based
29
Q

Snort

A
  • Snort is one of the main players in the NIDS game
  • A strength of Snort is it is highly configurable to the needs of the specific network
  • Snort uses rules!
30
Q

Snort Preprocessors

A
  • Help Snort to interpret the packets meaningfully
  • Provides ability to examine multiple packets
  • Think of these as equivalent to Wireshark dissectors
31
Q

Snort Configuration File

A
  • Allows us to tweak Snort to our exact needs

  • More is not better!

32
Q

About Snort Rules

A
  • Defines IOCs regarding a particular threat or attack on a vulnerability that trigger an alert when those conditions are met in the traffic
  • IOCs from headers OR data in packets
  • Those alerts are logged…that’s what is of use to us!
  • The rules are mostly created by the security community
33
Q

Suricata

A

Suricata is similar to Snort as it’s signature/rule based
• Alert when the conditions of an alert are triggered
• Multi-threading initially gave it better performance than Snort (Snort is now multi-threaded too).
• Smaller community updating it.

34
Q

Bro

A
  • Whereas Snort/Suricata are rule driven, Bro is event driven
  • Bro converts a series of network traffic into an event
  • Events can be used to learn/record detailed network behavior for Anomaly-Based detection
35
Q

Bro Scripting Language

A
  • Bro includes its own scripting language
  • A full fledged programming language
  • Can execute scripts in response to malicious/anomalous events (IPS)
36
Q

Bro Frameworks

A
  • Bro also has frameworks
  • Can do signature matching like Snort rules
  • Can perform logging/alerting
37
Q

Forensic Importance of IDS Logs

A

• All of these IDSs can create logs of alerts
• We can use these logs to steer our investigation
• Helps us locate evidence in PCAPs, NetFlow, and other Logs
• Give us IOCs to investigate such as IPs and Domains
• They also help security staff discover and repair vulnerabilities faster

38
Q

Tripwire and OSSEC

A

Tripwire and OSSEC are host-based IDS
• The others we have discussed were network-based
• They monitor and alert on changes to files on the host by comparing hashes
• These IDSs monitor the results of malicious traffic
• The goal of malicious network traffic is to “do something” on the end system – which means “changing things”

39
Q

Proxies

A
  • A proxy is a system that acts on behalf of another system
  • A common type is a Web Proxy
  • A client sends all their web requests to the proxy and it sends the requests as though it is the original requester and forwards responses back to the real requester
40
Q

VPN Concentrators

A
  • VPN = Virtual Private Network
  • VPN Concentrators are secure network proxies
  • All client traffic is routed through the VPN to mask the original source
  • All transmission is encrypted
  • VPN Concentrators can also create logs
41
Q

Log Aggregation

A
  • Process of collecting multiple log sources in a single centralized log server
  • Automatically pull together all these different sources so a human doesn’t have to do it manually.
42
Q

Windows Event Forwarding

A

Event Viewer includes a feature called Subscriptions
• Used to forward events from a local system to a collector
• Can use a filter to only forward certain events
• Those events get stored in the Forwarded Events log

43
Q

SPLUNK Short List

A
Used for Log Aggregation.
• Commercial
• “Google for Logs”
• Splunk Forwarders
• Splunk Querying Language
• Splunk Web UI
44
Q

ELK Stack Short List

A
Used for Log Aggregation.
• Free, Open-Source
• Log Analytics/Visualization
• Logstash Collectors
• Elasticsearch Querying
• Kibana user GUI
45
Q

SPLUNK

A

• Often called the “Google of Logs” because of its great querying ability.
• Splunk has been the dominant player in log aggregation.
• Splunk consists of Forwarders that send logs/data to Indexers, which store and index them in a database that the analyst can query against using the Splunk web user interface

46
Q

ELK Stack

A
  • ELK, also known as Elastic Stack, is another option for log aggregation and querying
  • Made up of three open source tools:
  • Elasticsearch (search and analyze)
  • Logstash (collect and transform)
  • Kibana (visualize and manage)
47
Q

Log Correlation

A

• Log Correlation is the process of creating a timeline of events relevant to an incident/investigation from multiple evidence sources
• Not just logs…can be Artifact Correlation
• Goal is to tell a chronological story of the incident

48
Q

Plaso

A
  • Plaso is a collection of Python scripts that provide a tool to parse various logs and forensic artifacts to automatically produce a single correlated timeline
  • Plaso calls this a “Super Timeline”
  • It consists of events from multiple sources all sorted chronologically
  • Helps an analyst see events that occurred near each other in time
49
Q

Log2Timeline

A
  • Log2Timeline is the command line tool used in Plaso
  • Run at the command line
  • Usage is typically simple: just give it a timezone, input, and output timeline.
  • Inputs can be specific logs and artifacts that it can parse or an image
  • Output can be appended to an existing timeline
50
Q

Super Timeline

A

• The Super Timeline can be chronologically sorted and give insight into actions of multiple artifacts at the same time