Investigating an Incident (OBJ 4.9)
Data Sources for Incident Investigation
- Dashboards and Automated Reports
  - Purpose: Provide high-level insights
  - Role: Initial overview of the security landscape
- Vulnerability Scans
  - Purpose: Identify system vulnerabilities
  - Role: Foundation for understanding potential entry points
- Packet Captures
  - Purpose: Capture and analyze network traffic
  - Role: Reveal communication patterns and potential threats
- Logs (Various Types)
  - Firewall Logs: Monitor network traffic, detect unauthorized access
  - Application Logs: Record application-specific events, identify abnormal behavior
  - Endpoint Logs: Capture activities on individual devices
  - OS-Specific Security Logs: Monitor operating system security events
  - IPS and IDS Logs and Alerts: Track intrusion attempts and system compromises
  - Network Logs: Record network activities and connections
  - Metadata: Provide contextual information about other data sources
Example
Consider the following snippet of a web server log:
- Look at line 2: you will notice a query string of `laptops`. This is normal.
- Looking at line 3, we see the query string has been updated to `laptops'; DROP TABLE users; --`. The attacker is probably using the `'` (single quote) character to attempt SQL and XML injections.
- What is the best way to prevent a SQL injection?
  - A web application firewall placed between the database server and the end user who is trying to access it.
  - A web application firewall can detect and prevent SQL injections by performing input sanitization and blocking known attack patterns, such as those used in a SQL injection.
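To show how the tampered query string above would be picked up when reviewing a web server log, here is an added example that is not part of the original notes: it parses constructed combined-format access log lines, URL-decodes each query parameter, and flags a request only when several SQL-injection indicators occur together, so an ordinary apostrophe in a search term is not reported. The log lines, IP addresses, and the `q` parameter name are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (not real traffic): line 2 is
# the normal query, line 3 the tampered one discussed above, line 4 a benign
# apostrophe in a search term that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2025:17:05:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jul/2025:17:05:04 +0000] "GET /search?q=laptops HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jul/2025:17:05:09 +0000] "GET /search?q=laptops%27%3B+DROP+TABLE+users%3B+-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jul/2025:17:06:22 +0000] "GET /search?q=it%27s+a+laptop HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator on its own is weak (apostrophes are common in search terms);
# a parameter value is flagged only when at least `threshold` of them co-occur.
INDICATORS = {
    "unbalanced_quote": lambda v: v.count("'") % 2 == 1,
    "statement_terminator": lambda v: ";" in v,
    "sql_comment": lambda v: bool(re.search(r"--|/\*|#", v)),
    "sql_keyword": lambda v: bool(re.search(r"\b(drop|union|select|insert|delete|update|alter)\b", v, re.I)),
}

def scan_line(line, threshold=2):
    """Return (ip, status, param_name, reasons) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # parse_qsl percent-decodes values, so %27 becomes a literal apostrophe.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        reasons = [k for k, check in INDICATORS.items() if check(value)]
        if len(reasons) >= threshold:
            return (m["ip"], int(m["status"]), name, reasons)
    return None

def scan_log(text, threshold=2):
    """Scan a whole log; returns a list of (line_number, finding) tuples."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        hit = scan_line(line, threshold)
        if hit:
            findings.append((n, hit))
    return findings

if __name__ == "__main__":
    for n, (ip, status, param, reasons) in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} param={param!r} status={status} indicators={reasons}")
```

The HTTP 500 on the flagged line is itself a useful corroborating signal: a query that errors out right after a quote-and-comment payload suggests the input reached the database unsanitized.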