logs in incident response
play

Logs in Incident Response Mitigating Risk. Automating Compliance. 1 - PowerPoint PPT Presentation

Jan 15, 2023 •147 likes •939 views

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA Director of Security Research LogLogic anton@loglogic.com Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential Tuesday, June 27, 2006 Outline - I Incident

  1. Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA Director of Security Research LogLogic anton@loglogic.com Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential Tuesday, June 27, 2006

  2. Outline - I � Incident Response Process � Logs Overview � Logs Usage at Various Stages of the Response Process � How Log from Diverse Sources Help Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 2

  3. Outline - II � Log Review, Monitoring and Investigative processes � Standards and Regulation Affecting Logs and Incident Response � Incident Response vs Forensics � Log Analysis and Incident Response Mistakes � Case Studies (throughout…) Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 3

  4. To Avoid DBPPT Disease ☺ Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 4

  5. Incident Response Processes Incident Response Processes Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 5

  6. Incident Response Methodologies: SANS SANS Six-Step Process � [P]reparation [I]dentification [C]ontainment [E]radication [R]ecovery [F]ollow-Up Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 6

  7. Incident Response Methodologies: NIST NIST Incident Response 800-61 � Preparation 1. Detection and Analysis 2. Containment , Eradication and Recovery 3. Post-incident Activity 4. Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 7

  8. Process from “Incident Response and Forensics” Process from “Incident Response and Forensics” � Preparation 1. Detection 2. Initial response 3. Formulate response strategy 4. Investigation 5. Resolution and Recovery 6. Reporting 7. Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 8

  9. Other IH/IR Frameworks and Methodologies � Company-specific Policies and Procedures � Sometimes : good, bad and ugly (aka “Just put it the way it was…”) – Escalation trees – Virtual CIRT structures and call lists – Intra-company processes – Etc, etc, etc Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 9

  10. Why Have a Process? � It helps… Stage 1 – Predictability – Efficiency Stage 2a Stage 2b Stage 2c – Auditability – Constant Improvement � It shrinks… Stage 3 – Indecision – Uncertainty Stage 4 – Panic! � Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 10

  11. Example: Worm “Mitigation” in a Large Company… … circa 2002 AD ☺ � Worm hits � Panic + initial response in parallel (urgh! ☺ ) � Mitigation + investigation at the same time � Two walking steps forward and 10 running steps back… Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 11

  12. From Incident Response to Logs From Incident Response to Logs Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 12

  13. Terms and Definitions � Message – some system indication � Logging that an event has transpired � Auditing � Log or audit record – recorded message related to the event � Monitoring � Log file – collection of the above � Event reporting records � Log analysis � Alert – a message usually sent to notify an operator � Alerting � Device – a source of security- relevant logs Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 13

  14. So, What is A Log? � Typically, a log “file” is a file that lists all actions that have occurred on a device, within an application, or on a server � Example : is SNMP trap a log? Is a netflow record? Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 14

  15. Log Data Overview From Where? What data? � Firewalls/intrusion prevention � Audit logs � Routers/switches � Transaction logs � Intrusion detection � Intrusion logs � Hosts � Connection logs � Business applications � System performance records � Anti-virus � User activity logs � VPNs � Various alerts Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 15

  16. Devices that Log: An Attempt at a Comprehensive List � Network gear: routers, switches, � Security gear: firewall, IDS, VPN, IPS, � Access control: RAS, AD, directory services � Systems: OS (Unix, Windows, VMS, i5/OS400, etc) � Applications: databases, email, web, client applications � Misc: physical access, � Other: just about everything with the CPU… Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 16

  17. What Commonly “Gets Logged”? System or software startup, shutdown, restart, and abnormal termination � (crash) Various thresholds being exceeded or reaching dangerous levels such as disk � space full, memory exhausted, or processor load too high Hardware health messages that the system can troubleshoot or at least detect � and log User access to the system such as remote (telnet, ssh, etc.) and local login, � network access (FTP) initiated to and from the system, failed and successful User access privilege changes such as the su command—both failed and � successful User credentials and access right changes , such as account updates, creation, � and deletion—both failed and successful System configuration changes and software updates—both failed and � successful Access to system logs for modification, deletion, and maybe even reading � Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 17

  18. “Standard” Messages 10/09/200317:42:57,146.127.94.13,48352,146.127.97.14,909,,,accept,tcp,,,,909,146.127.93. 29,,0,,4,3,,' 9Oct2003 17:42:57,accept,labcpngfp3,inbound,eth2c0,0,VPN-1 & FireWall- 1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC- 927F5D1DECEC};mgmt= labcpngfp3;date=1064415722;policy_name= Standard],labdragon,48352,146.127.97.14,909, tcp,146.127.93.145,',eth2c0,inbound Oct 9 16:29:49 [146.127.94.4] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside:146.127.98.67/1487 (146.127.98.67/1487) to inside:146.127.94.13/42562 (146.127.93.145/42562) PIX 2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|146.127.94.10|146.127.94.13|0|0|X|------S- |0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52| Oct 20 15:35:08 labsnort snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 146.127.94.10:43355 -> 146.127.94.13:705 SENSORDATAID="138715" SENSORNAME="146.127.94.23:network_sensor_1" ALERTID="QPQVIOAJKBNC6OONK6FTNLLESZ" LOCALTIMEZONEOFFSET="14400" ALERTNAME="pcAnywhere_Probe“ ALERTDATETIME="2003-10-20 19:35:21.0" SRCADDRESSNAME="146.127.94.10" SOURCEPORT="42444" INTRUDERPORT="42444" DESTADDRESSNAME="146.127.94.13" VICTIMPORT="5631" ALERTCOUNT="1" ALERTPRIORITY="3" PRODUCTID="3" PROTOCOLID="6" REASON="RSTsent" Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 18

  19. Logs at Stages of IR (SANS Model) � Preparation : verify controls, collect normal usage data, baseline, etc � Identification : detect an incident, confirm incident, etc � Containment : scope the damage, learn what else is lost, etc � Eradication : preserving logs for the future, etc � Recovery : confirming the restoration, etc � Follow-Up : logs for “peaceful” purposes (training, etc) Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 19

  20. Using Logs at Preparation Stage � Verify Controls 1: P � Ongoing Monitoring � Change Management Support � “If you know the cards, you’d live on an island” ☺ � In general, verifying that you have control over your environment Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 20

  21. Example 1 Logging Infrastructure for Optimum Response � Monitoring infrastructure based on NSM philosophy: netflow + packet content + logs (NIDS, etc) � Pre- and post-incident monitoring � Useful even if deployed after the incident, but most useful if deployed prior to it Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 21

  22. Using Logs at Identification Stage � Detect Intrusion, Infections and Attacks � Observe Attack Attempts, Recon and Suspicious Activity � Perform Trend Analysis and Baselining for Anomaly Detection � Mine the Logs for Hidden Patterns, Indicating Incidents in the Making… 2: I � “What is Out There?” Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 22

  23. Example 2 FTP Hack Case � Server stops � Found ‘rm-ed’ by the attacker � What logs do we have? � Forensics on an image to undelete logs � Client FTP logs reveals… � Firewall confirms! Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 23

  24. Using Logs at Containment Stage � Assess Impact of the Infection, Compromise, Intrusion, etc � Correlate Logs to Know What You Can [Still] Trust � Verify that Containment Measures Are Working � “What Else is Hit?” 3 : C Mitigating Risk. Automating Compliance. Confidential | Tuesday, June 27, 2006 24

Recommend

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be

Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be

2/17/2015 Unusual Incident Log Reviews January 23, 2015 Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be addressed to ensure the Health and Welfare of those you serve. To ensure that sound

589 views • 24 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance Operators 3 FillIn Motorist Assistance Operators from Maintenance 1 Work Zone Coordinator 2 MoDOT TMC Operators 1 City of Springfield

404 views • 24 slides
The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren After my graduation After my graduation Where I work Skill set What I do What I do Case study: incident response Incident Response for fictional

709 views • 39 slides
EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry PERSONAL BACKGROUND Lead Engineer at Heroku since 2011 Worked on nearly all parts of the platform In 2012, I led a project to overhaul Herokus Incident

1.03k views • 72 slides
A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors Alexandre Dulaunoy - TLP:WHITE alexandre.dulaunoy@circl.lu June 7, 2013 CIRCL, national CERT of Luxembourg CIRCL 1 is composed of 6 full-time incident

572 views • 21 slides
2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action April 11, 2018 Contact Information Theodore J. Kobus, III Casie D. Collignon Leader, Privacy and Data Protection Practice

448 views • 23 slides
National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National Response Plan National Response Plan Overview March 2006 HSPD-5: Management of Domestic Incidents HSPD-5 Objectives: Single comprehensive

463 views • 21 slides
National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National Response Plan National Response Plan Overview March 2006 HSPD-5: Management of Domestic Incidents HSPD-5 Objectives: Single comprehensive

196 views • 17 slides
Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics

Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics

Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics of Block Device Interfaces I/O is done in granularity of blocks 512 bytes is pretty standard Writing is slooooooow Data is

898 views • 15 slides
Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX

Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX

Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX PRESENTATION Environment Management Series: EMS004 Key Information: Env Incident Identification & Response (V2) (SIMEC Mining) 2018 WHAT IS AN

445 views • 8 slides
Public Safety Response to a School Incident What You Can Do!!!

Public Safety Response to a School Incident What You Can Do!!!

Active Shooter Awareness Public Safety Response to a School Incident What You Can Do!!! http://www.drc-group.com/project/jitt-schoolactiveshootersafety.html Presentation Overview This presentation provides guidance to individuals, including

603 views • 34 slides

More recommend