Investigative Data

(OBJ .)

SIEM (Security Information and Event Monitoring System)

• Real-time analysis of security alerts from applications and network hardware
• Combination of different data sources into one tool
• Provides a consolidated view of network activity
• Allows for trend analysis, alert creation, and correlation of data
• Considerations
  • Sensors
    • Actual endpoint that's being monitored.
  • Sensitivity
    • How much or how little you're going to be logging
    • How much data to feed the SIEM, remember you do not want to overload systems
  • Trends
    • Example:
      • Number of failed authentication attempts going up
  • Alerts
    • Based on certain parameters triggered
  • Correlation
    • Getting data from all sorts of different sources
    • Need to have a good picture of what is really hapenning
    • Example:
      • Use the same format for presenting IPs, etc
      • Correlate Time formats using UTC (Universal Time)

Log Files

• A file that records events and messages in operating systems, software, and network devices
• Includes network, system, application, security, web, DNS, authentication, dump files, VoIP , and call managers
• Dump Files
  • When things happen to crash
  • Dumping the memory contents to disk while a user is crashing
  • Can be uploaded as a log file into our system for us to use that for analysis as well

Syslog, Rsyslog, Syslog-ng

• Basically 3 variations that do the same thing
• Tools for centralizing log data from different systems into a repository
• Commonly used to feed data into SIEM

JournalCTL

• Linux command-line utility for querying and displaying logs from the Journal Daemon (SystemD's logging service)

NXLog

• Multi-platform, open-source log management tool
  • Has a lot of similarities with Syslog but Syslog-ng/Rsyslog only work in Linux and Unix systems. NXlog is cross-platform so you can use it in Unix, Linux, and Windows.
• Identifies security risks and analyzes logs from server, OS, and applications

NetFlow

• Network protocol system created by Cisco for collecting active IP network traffic data as it flows in or out of an interface, including its point of origin, destination, volume, and paths on the network
• Provides information on source (point of origin), destination, volume, and paths
• Not a packet capture, is a summarization of that data.

SFlow (Sampled Flow)

• Open-source alternative to NetFlow
• Exports truncated packets and interface counter for network monitoring
• Not full packet capture, just some of the sampled flow

IPFIX (Internet Protocol Flow Information Export)

• Universal standard for exporting IP flow information from routers, probes, and other devices
• Used for mediation, accounting, and billing by defining data format for exporters and collectors
• Used on the backend of service management
  • For standard format sharing

Metadata

• Data that describes other data by providing an underlying definition or description by summarizing basic information about data that makes finding and working with particular instances of data easier
• Useful for understanding details about events, calls, emails, web visits, and files during investigations
• Use Cases for Metadata
  • Email
    • Analyze metadata for phishing campaigns
  • Mobile
    • Review data transfer, call duration, and contacts
  • Web
    • Determine website visits and user behavior
  • File
    • Examine file details, such as creation time and viewer statistics