Log Forensics from CEIC 2007

Integrating Log Analysis into Your Incident Response Practice Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA Chief Logging Evangelist LogLogic, Inc May 7, 2007

TEASER
This is a shortened TEASER presentation.
Please contact us for a full presentation

Outline
Log and logging overview
Just what is log management?
A brief on Incident response
Logs in incident response
“ Log forensics”: reality or marketing?
Conclusions and call to action!

Goals
Get a refresher on logs and logging
Become familiar with log analysis and log management
Learn how logs help during (and before !) incident response
Pick a few logging tips

Logs for Cybercrime Investigations
A few thoughts to start us off …
All attackers leave traces. Period! 
It is just that you don’t always know what and where
And almost never know why
Logs are the place to look, first

Log Data Overview
Audit logs
Transaction logs
Intrusion logs
Connection logs
System performance records
User activity logs
Various alerts and other messages
Firewalls/intrusion prevention
Routers/switches
Intrusion detection
Servers, desktops, mainframes
Business applications
Databases
Anti-virus
VPNs
What logs? From Where?

Top 11 Reasons to Collect and Preserve Computer Logs
Before anything else, do you deal with credit cards? Patient info? Are you a government org under FISMA? A financial org? You have to keep'em
What if there is a law or a regulation that requires you to retain logs - and you don't know about it yet ? Does the world "compliance" ring a bell?
An auditor comes and asks for logs. Do you want to respond "Eh, what do you mean?"?
A system starts crashing and keeps doing so. Where is the answer? Oops, it was in the logs - you just didn't retain them ...
Somebody posts a piece of your future quarterly report online. Did John Smith did it? How? If not him, who did? Let's see who touched this document , got logs ?
A malware is rampant on your network. Where it came from? Who spreads it? Just check the logs - but only if you have them saved.
Your boss comes and says 'I emailed you this and you ignored it!!' - 'No, you didn't!!!' Who is right? Only email logs can tell!
Network is slow ; somebody is hogging the bandwidth. Let's catch the bastard! Is your firewall logging? Keep the info at least until you can investigate.
Somebody added a table to your database. Maybe he did something else too - no change control forms were filed. Got database log management ? How else would you know?
Disk space is cheap ; tape is cheaper still. Save a log! Got SAN or NAS? Save a few of them!
If you plan to throw away a log record, think - are you 100% sure you won't need it, ever? Exactly! :-) Keep it.

A Guide to Log Management: NIST 800-92
“This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. “

Incident Response Methodologies: SANS
SANS Six-Step Process
[P]reparation [I]dentification [C]ontainment [E]radication [R]ecovery
[F]ollow-Up

Logs at Various Stage of Incident Response
Preparation : verify controls, collect normal usage data, baseline, etc
Identification : detect an incident, confirm incident, etc
Containment : scope the damage, learn what else is lost, etc
Eradication : preserving logs for the future, etc
Recovery : confirming the restoration, etc
Follow-Up : logs for “peaceful” purposes (training, etc)

Firewall Logs in Incident Response
Proof of Connectivity
Proof of NO Connectivity
Scans
Malware: Worms, Spyware
Compromised Systems
Misconfigured Systems
Unauthorized Access and Access Attempts
Spam (yes, even spam!)

Example: Firewall Logs in Place of Netflow
Why Look at Firewall Logs During Incident Investigation?
1990-2001 – to see what external (inbound) threats got blocked
2002-2006 – to see what internal system got connected (out)
Thus, firewall logs is poor-mans netflow…

So, What is “Log Forensics”
Log analysis is trying to make sense of system and network logs
“ Computer forensics is application of the scientific method to digital media in order to establish factual information for judicial review.”
So….
Log Forensics = trying to make sense of system and network logs + in order to establish factual information for judicial review

How Logs Help… Sometimes
If logs are there , we can try to
… figure out who , where , what , when , how, etc
but
Who as a person or a system?
Is where spoofed?
When ? In what time zone?
How ? More like ‘how’d you think’…
What happened or what got recorded?

Conclusions
Turn ON Logging!!!
Make Sure Logs Are There When You Need Them (and need them you will  )
Include Log Analysis into the IR process and training
Prepare and Learn the Analysis Tools
When Going Into the Incident-Induced Panic Think ‘Its All Logged Somewhere – We Just Need to Dig it Out’ 
Logs in Incident Response are critical for …
Threat detection: “Is there something wrong?”
Early incident triage: “What is going on?”
Detailed investigation: ‘What REALLY happened?”
Logs for Forensics
Logs can tell you things, but are they “good evidence”?
Logs become evidence only if precautions are taken

More information?
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
Chief Logging Evangelist
LogLogic, Inc
Author of “Security Warrior” (O’Reilly 2004)
See http://ww.info-secure.org for my papers, books, reviews and other security resources related to logs.
See http://chuvakin.blogspot.com for my blog!

Log Forensics from CEIC 2007

by Anton Chuvakin on May 15, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 13

Statistics

Log Forensics from CEIC 2007 — Presentation Transcript

http://www.slideshare.net	9
http://cuentaconnosotros5.blogspot.com	3
http://jeeveshwarni.blogspot.com	1