logs in incident response
play

Logs in Incident Response Mitigating Risk. Automating Compliance. 1 - PowerPoint PPT Presentation

Jan 15, 2023 •147 likes •939 views

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA Director of Security Research LogLogic anton@loglogic.com Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential Tuesday, June 27, 2006 Outline - I Incident

  1. Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA Director of Security Research LogLogic anton@loglogic.com Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential Tuesday, June 27, 2006

  2. Outline - I � Incident Response Process � Logs Overview � Logs Usage at Various Stages of the Response Process � How Log from Diverse Sources Help Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 2

  3. Outline - II � Log Review, Monitoring and Investigative processes � Standards and Regulation Affecting Logs and Incident Response � Incident Response vs Forensics � Log Analysis and Incident Response Mistakes � Case Studies (throughout…) Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 3

  4. To Avoid DBPPT Disease ☺ Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 4

  5. Incident Response Processes Incident Response Processes Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 5

  6. Incident Response Methodologies: SANS SANS Six-Step Process � [P]reparation [I]dentification [C]ontainment [E]radication [R]ecovery [F]ollow-Up Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 6

  7. Incident Response Methodologies: NIST NIST Incident Response 800-61 � Preparation 1. Detection and Analysis 2. Containment , Eradication and Recovery 3. Post-incident Activity 4. Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 7

  8. Process from “Incident Response and Forensics” Process from “Incident Response and Forensics” � Preparation 1. Detection 2. Initial response 3. Formulate response strategy 4. Investigation 5. Resolution and Recovery 6. Reporting 7. Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 8

  9. Other IH/IR Frameworks and Methodologies � Company-specific Policies and Procedures � Sometimes : good, bad and ugly (aka “Just put it the way it was…”) – Escalation trees – Virtual CIRT structures and call lists – Intra-company processes – Etc, etc, etc Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 9

  10. Why Have a Process? � It helps… Stage 1 – Predictability – Efficiency Stage 2a Stage 2b Stage 2c – Auditability – Constant Improvement � It shrinks… Stage 3 – Indecision – Uncertainty Stage 4 – Panic! � Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 10

  11. Example: Worm “Mitigation” in a Large Company… … circa 2002 AD ☺ � Worm hits � Panic + initial response in parallel (urgh! ☺ ) � Mitigation + investigation at the same time � Two walking steps forward and 10 running steps back… Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 11

  12. From Incident Response to Logs From Incident Response to Logs Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 12

  13. Terms and Definitions � Message – some system indication � Logging that an event has transpired � Auditing � Log or audit record – recorded message related to the event � Monitoring � Log file – collection of the above � Event reporting records � Log analysis � Alert – a message usually sent to notify an operator � Alerting � Device – a source of security- relevant logs Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 13

  14. So, What is A Log? � Typically, a log “file” is a file that lists all actions that have occurred on a device, within an application, or on a server � Example : is SNMP trap a log? Is a netflow record? Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 14

  15. Log Data Overview From Where? What data? � Firewalls/intrusion prevention � Audit logs � Routers/switches � Transaction logs � Intrusion detection � Intrusion logs � Hosts � Connection logs � Business applications � System performance records � Anti-virus � User activity logs � VPNs � Various alerts Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 15

  16. Devices that Log: An Attempt at a Comprehensive List � Network gear: routers, switches, � Security gear: firewall, IDS, VPN, IPS, � Access control: RAS, AD, directory services � Systems: OS (Unix, Windows, VMS, i5/OS400, etc) � Applications: databases, email, web, client applications � Misc: physical access, � Other: just about everything with the CPU… Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 16

  17. What Commonly “Gets Logged”? System or software startup, shutdown, restart, and abnormal termination � (crash) Various thresholds being exceeded or reaching dangerous levels such as disk � space full, memory exhausted, or processor load too high Hardware health messages that the system can troubleshoot or at least detect � and log User access to the system such as remote (telnet, ssh, etc.) and local login, � network access (FTP) initiated to and from the system, failed and successful User access privilege changes such as the su command—both failed and � successful User credentials and access right changes , such as account updates, creation, � and deletion—both failed and successful System configuration changes and software updates—both failed and � successful Access to system logs for modification, deletion, and maybe even reading � Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 17

  18. “Standard” Messages 10/09/200317:42:57,146.127.94.13,48352,146.127.97.14,909,,,accept,tcp,,,,909,146.127.93. 29,,0,,4,3,,' 9Oct2003 17:42:57,accept,labcpngfp3,inbound,eth2c0,0,VPN-1 & FireWall- 1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC- 927F5D1DECEC};mgmt= labcpngfp3;date=1064415722;policy_name= Standard],labdragon,48352,146.127.97.14,909, tcp,146.127.93.145,',eth2c0,inbound Oct 9 16:29:49 [146.127.94.4] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside:146.127.98.67/1487 (146.127.98.67/1487) to inside:146.127.94.13/42562 (146.127.93.145/42562) PIX 2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|146.127.94.10|146.127.94.13|0|0|X|------S- |0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52| Oct 20 15:35:08 labsnort snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 146.127.94.10:43355 -> 146.127.94.13:705 SENSORDATAID="138715" SENSORNAME="146.127.94.23:network_sensor_1" ALERTID="QPQVIOAJKBNC6OONK6FTNLLESZ" LOCALTIMEZONEOFFSET="14400" ALERTNAME="pcAnywhere_Probe“ ALERTDATETIME="2003-10-20 19:35:21.0" SRCADDRESSNAME="146.127.94.10" SOURCEPORT="42444" INTRUDERPORT="42444" DESTADDRESSNAME="146.127.94.13" VICTIMPORT="5631" ALERTCOUNT="1" ALERTPRIORITY="3" PRODUCTID="3" PROTOCOLID="6" REASON="RSTsent" Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 18

  19. Logs at Stages of IR (SANS Model) � Preparation : verify controls, collect normal usage data, baseline, etc � Identification : detect an incident, confirm incident, etc � Containment : scope the damage, learn what else is lost, etc � Eradication : preserving logs for the future, etc � Recovery : confirming the restoration, etc � Follow-Up : logs for “peaceful” purposes (training, etc) Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 19

  20. Using Logs at Preparation Stage � Verify Controls 1: P � Ongoing Monitoring � Change Management Support � “If you know the cards, you’d live on an island” ☺ � In general, verifying that you have control over your environment Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 20

  21. Example 1 Logging Infrastructure for Optimum Response � Monitoring infrastructure based on NSM philosophy: netflow + packet content + logs (NIDS, etc) � Pre- and post-incident monitoring � Useful even if deployed after the incident, but most useful if deployed prior to it Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 21

  22. Using Logs at Identification Stage � Detect Intrusion, Infections and Attacks � Observe Attack Attempts, Recon and Suspicious Activity � Perform Trend Analysis and Baselining for Anomaly Detection � Mine the Logs for Hidden Patterns, Indicating Incidents in the Making… 2: I � “What is Out There?” Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 22

  23. Example 2 FTP Hack Case � Server stops � Found ‘rm-ed’ by the attacker � What logs do we have? � Forensics on an image to undelete logs � Client FTP logs reveals… � Firewall confirms! Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 23

  24. Using Logs at Containment Stage � Assess Impact of the Infection, Compromise, Intrusion, etc � Correlate Logs to Know What You Can [Still] Trust � Verify that Containment Measures Are Working � “What Else is Hit?” 3 : C Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be

Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be

2/17/2015 Unusual Incident Log Reviews January 23, 2015 Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be addressed to ensure the Health and Welfare of those you serve. To ensure that sound

589 views • 24 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance Operators 3 FillIn Motorist Assistance Operators from Maintenance 1 Work Zone Coordinator 2 MoDOT TMC Operators 1 City of Springfield

404 views • 24 slides
The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren After my graduation After my graduation Where I work Skill set What I do What I do Case study: incident response Incident Response for fictional

709 views • 39 slides
Lecture 9: Threads ... Lisa (Ling) Liu Overview Thread state WaitHandle Synchronization

Lecture 9: Threads ... Lisa (Ling) Liu Overview Thread state WaitHandle Synchronization

Chair of Softw are Engineering C# Programming in Depth Prof. Dr. Bertrand Meyer March 2007 May 2007 Lecture 9: Threads ... Lisa (Ling) Liu Overview Thread state WaitHandle Synchronization mechanism Synchronize access to collections

414 views • 28 slides
Accurate Prediction of Soft Error Vulnerability of Scientific Applications Greg Bronevetsky

Accurate Prediction of Soft Error Vulnerability of Scientific Applications Greg Bronevetsky

Accurate Prediction of Soft Error Vulnerability of Scientific Applications Greg Bronevetsky Post-doctoral Fellow Lawrence Livermore National Lab Soft error: one-time corruption of system state Examples: Memory bit-flips, erroneous

829 views • 46 slides
Charged Lepton Flavor Violation in Muon 3 Major Processes + e + + e + e +

Charged Lepton Flavor Violation in Muon 3 Major Processes + e + + e + e +

The COMET experiment: Search for muon-to-electron conversion Manabu MORITSU (KEK) On behalf of the COMET Collaboration The 3rd J-PARC Symposium (J-PARC2019) 26th Sep., 2019, Tsukuba, Japan M. Moritsu (KEK) 26/09/2019, J-PARC2019 ! 2

446 views • 40 slides
Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes Mehdi Tibouchi Ecole

Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes Mehdi Tibouchi Ecole

Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes Mehdi Tibouchi Ecole normale sup erieure Ph.D. Defense 20110923 Introduction RSA

2.09k views • 162 slides
Dynamics of Networks Jnos Kertsz Central European University Pisa Summer School September

Dynamics of Networks Jnos Kertsz Central European University Pisa Summer School September

Dynamics of Networks Jnos Kertsz Central European University Pisa Summer School September 2019 Mark Granovetter The most pressing need for further development of network ideas is a move away from static analyses that observe a system at

970 views • 78 slides
China s Real Exchange Rate and Implications for s Real Exchange Rate and Implications for

China s Real Exchange Rate and Implications for s Real Exchange Rate and Implications for

China s Real Exchange Rate and Implications for s Real Exchange Rate and Implications for China East Asian Regional Trade and Investment Flows East Asian Regional Trade and Investment Flows David Roland- -Holst Holst David Roland UC

720 views • 44 slides
CS 525M Mobile and Ubiquitous Computing Emmanuel Agu A Little about me Faculty in WPI

CS 525M Mobile and Ubiquitous Computing Emmanuel Agu A Little about me Faculty in WPI

CS 525M Mobile and Ubiquitous Computing Emmanuel Agu A Little about me Faculty in WPI Computer Science Research interests: graphics, mobile computing/wireless and mobile graphics How did I get into mobile and ubiquitous computing

836 views • 61 slides
Fair Allocation of Vaccines, Ventilators and Antiviral Treatments: Leaving No Ethical Value Behind

Fair Allocation of Vaccines, Ventilators and Antiviral Treatments: Leaving No Ethical Value Behind

Fair Allocation of Vaccines, Ventilators and Antiviral Treatments: Leaving No Ethical Value Behind in Health Care Rationing Utku Parag Pathak Tayfun S onmez Unver Bumin Yenmez MIT Boston College Boston College Boston College

1.28k views • 111 slides

More recommend