Final Exam Flashcards
NetFlow
NetFlow is statistical data about traffic flows on the network
• Think of a flow as a unique TCP/UDP session
• We clump the packets together!
• It disregards packet data/payload
• Focuses in on the headers (metadata)
NetFlow Pros
- Takes up less storage space
- Cheaper to implement on network devices (routers)
- Encrypted traffic looks the same as normal traffic
NetFlow Cons
- Harder to analyze/less informative without packet content
- Creates additional network traffic
- Infrastructure must be set up BEFORE incident
NetFlow Architecture
- NetFlow Sensors – Generates NetFlow data
- NetFlow Collector – Collects NetFlow from multiple sensors
- Storage – Database storage for collected NetFlow
- Analysis Console – User interface to query/export NetFlow
NetFlow Analysis
- Top talking IP addresses (foreign?) and ports (weird?)
- Traffic spikes (malware C2 or data exfiltration?)
- Anomalous behavior (compared to the “norm”)
Logs vs. PCAPs & NetFlow
- With PCAPs and NetFlow we get insight into all the traffic
- PCAPs = content, NetFlow = no content
- Logs only record certain events from the traffic that are “meaningful” to that specific log source
Log Sources
Some of the most common sources of log files:
• Network Devices
• Network Services
• Hosts
• Security Appliances (IDS/Firewall)
• Web Proxies
• VPN Concentrators
Network Device Logs
- Routers – Admin Interface/Built-in Firewall
- Switches – Admin Interface/CAM Table Mappings (MAC to Switch Ports)
Network Service Logs
- DNS Server – DNS Requests/Responses
- DHCP Server – DHCP DORA Requests/Responses
Windows Event Logs
• End hosts (clients and servers) will have their own operating system specific logs.
• All systems running Windows OS have Windows Event Logs.
• We need specialized tools to parse and analyze these files
• Windows has one built in: Event Viewer
Windows Log Types
• Two categories of Event Logs: Windows and Applications/Services.
Windows Logs (Big 3)
- Application.evtx – Any event logged by running applications
- System.evtx – Any event logged by Operating System
- Security.evtx – Any event related to the security of the system
Applications/Services Logs
• There are many!
• DHCP, Internet Explorer, PowerShell, TaskScheduler, TerminalServices (RDP), WMI, Windows Defender, Windows Firewall, Winlogon
Security Logon Events: Event ID 4624
- These events are logged in Security.evtx
- Event ID 4624 – “An account was successfully logged on”
- Type 2 – Local Keyboard Logon
- Type 3 – Network Logon (= remote)
- Type 7 – Unlock (can sometimes be remote)
- Type 10 – RemoteInteractive (RDP = remote)
- These events give us a “Source Network Address”
Security Logon Events: Event ID 4625
• Event ID 4625 – “An account failed to log on”
• Includes Failure Reason (Account locked? Bad username/password?)
• Does NOT include IP address of the attempt
TerminalServices Logon Events
• These events are located in Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
• Event ID 21 – “Remote Desktop Services: Session logon succeeded”
• Event ID 25 – “Remote Desktop Services: Session reconnection succeeded”
• Both include a source network address as well
Firewalls
- A type of security appliance that monitors and controls incoming and outgoing network traffic based on rules
- These rules are Access Control Lists (ACLs)
- A Firewall is only concerned with blocking/filtering traffic based on ACLs
- NOT looking for malicious traffic necessarily
Firewalls: Host & Network
- Host or Network
- Host – Monitors traffic to/from a single host endpoint
- Running on our clients and servers themselves
- Network – Monitors traffic to/from a network chokepoint
- Think the ones we have been drawing in network diagrams
Firewalls: Software & Hardware
- Software – Software running on the system
- Hardware – Hardware appliance
Stateless Firewalls
- Stateless Firewalls block packets based on static header values
- Monitors individual packets
- Source/destination addresses and ports