Logs for Information Assurance and Forensics @ USMA


Published on

This is my presentation on "Logs for Information Assurance and Forensics", which was given to 2 of the USMA @ West Point, NY classes in April 2006. It sure was fun! Now I know where all the smart college students are :-)

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Abstract The presentation will cover the use of various systems and network logs and audit trails in the incident response and forensics processes. It will describe both a methodology for log collection and analysis as well as practical case studies and tools. Logs often will provide most of the answers needed for the investigators without diving deeply into expensive disk image forensics. Being able to rely on logs by making sure that they are collected and available for analysis is invaluable during the investigation. – It will also touch upon preserving log evidence integrity and possible challenges to such integrity.
  • Logs for Information Assurance and Forensics @ USMA

    1. 1. Logs for Information Assurance and Forensic Analysis Dr Anton Chuvakin Lecture @ USMA United States Military Academy West Point, NY April 2006
    2. 2. Outline <ul><li>Logs: What and Where From? </li></ul><ul><li>What People Do with Logs </li></ul><ul><ul><li>Yes, ignore them too  </li></ul></ul><ul><li>Log Analysis: Why and How </li></ul><ul><li>Analysis Methods </li></ul><ul><ul><li>Log mining, correlation, pattern discovery </li></ul></ul><ul><li>Forensics Brief </li></ul><ul><ul><li>Logs, disk images, “network forensics” </li></ul></ul><ul><li>Log Forensics Challenges </li></ul><ul><ul><li>Too much data, too little data </li></ul></ul><ul><li>Log Case Studies </li></ul><ul><ul><li>FTP hack </li></ul></ul><ul><ul><li>Honeynet examples </li></ul></ul>
    3. 3. Terms and Definitions <ul><li>Message – some system indication that an event has transpired </li></ul><ul><li>Log or audit record – recorded message related to the event </li></ul><ul><li>Log file – collection of the above records </li></ul><ul><li>Alert – a message usually sent to notify an operator </li></ul><ul><li>Device – a source of security-relevant logs </li></ul><ul><li>Logging </li></ul><ul><li>Auditing </li></ul><ul><li>Monitoring </li></ul><ul><li>Event reporting </li></ul><ul><li>Log analysis </li></ul><ul><li>Alerting </li></ul>
    4. 4. Security-Relevant Log Data Overview <ul><li>Audit logs </li></ul><ul><li>Transaction logs </li></ul><ul><li>Intrusion logs </li></ul><ul><li>Connection logs </li></ul><ul><li>System performance records </li></ul><ul><li>User activity logs </li></ul><ul><li>Various alerts </li></ul><ul><li>Firewalls/intrusion prevention </li></ul><ul><li>Routers/switches </li></ul><ul><li>Intrusion detection </li></ul><ul><li>Hosts </li></ul><ul><li>Anti-virus </li></ul><ul><li>VPNs </li></ul><ul><li>Business applications </li></ul><ul><li>Custom applications </li></ul>What data? From Where?
    5. 5. What Commonly “Gets Logged”? <ul><li>System or software startup, shutdown, restart, and abnormal termination (crash) </li></ul><ul><li>Various thresholds being exceeded or reaching dangerous levels such as disk space full, memory exhausted, or processor load too high </li></ul><ul><li>Hardware health messages that the system can troubleshoot or at least detect and log </li></ul><ul><li>User access to the system such as remote (telnet, ssh, etc.) and local login, network access (FTP) initiated to and from the system, failed and successful </li></ul><ul><li>User access privilege changes such as the su command—both failed and successful </li></ul><ul><li>User credentials and access right changes , such as account updates, creation, and deletion—both failed and successful </li></ul><ul><li>System configuration changes and software updates—both failed and successful </li></ul><ul><li>Access to system logs for modification, deletion, and maybe even reading </li></ul>
    6. 6. “ Standard” Log Messages 10/09/200617:42:57,,48352,,909,,,accept,tcp,,,,909,,,0,,4,3,,' 9Oct2003 17:42:57,accept,truepngfp3,inbound,eth2c0,0,VPN-1 & FireWall-1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC-927F5D1DECEC};mgmt= truepngfp3;date=1064415722;policy_name= Standard],hfgton,48352,,909, tcp,,',eth2c0,inbound Oct 9 16:29:49 [] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside: ( to inside: ( 2006-10-20|15:25:52|dragon-nids|TCP-SCAN|||0|0|X|------S-|0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52| Oct 20 15:35:08 oinker snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} -> SENSORDATAID=&quot;135&quot; SENSORNAME=&quot;; ALERTID=&quot;QPQVIOAJKBNC6OONK6FTNLLESZ&quot; LOCALTIMEZONEOFFSET=&quot;14400&quot; ALERTNAME=&quot;pcAnywhere_Probe“ ALERTDATETIME=&quot;2003-10-20 19:35:21.0&quot; SRCADDRESSNAME=&quot;; SOURCEPORT=&quot;42444&quot; INTRUDERPORT=&quot;42444&quot; DESTADDRESSNAME=&quot;; VICTIMPORT=&quot;5631&quot; ALERTCOUNT=&quot;1&quot; ALERTPRIORITY=&quot;3&quot; PRODUCTID=&quot;3&quot; PROTOCOLID=&quot;6&quot; REASON=&quot;RSTsent&quot;
    7. 7. What’s Going On? <ul><li>Can you Answer ‘What is Going on?’ from just the above? </li></ul><ul><li>NO! </li></ul>
    8. 8. Why Analyze? <ul><li>“ Too much stuff out there – why even bother?”  </li></ul><ul><li>Situational awareness </li></ul><ul><ul><li>What is going on? </li></ul></ul><ul><li>New threat discovery </li></ul><ul><ul><li>Unique perspective from combined logs </li></ul></ul><ul><li>Getting more value out of the network and security infrastructures </li></ul><ul><ul><li>Get more that you paid for! </li></ul></ul><ul><li>Extracting what is really actionable automatically </li></ul><ul><li>Measuring security and IT performance (metrics, trends, etc) </li></ul><ul><li>Compliance and regulations </li></ul><ul><li>Incident investigation and forensics </li></ul>
    9. 9. Log Analysis Basics: How <ul><li>Approaches to the problem: </li></ul><ul><li>Manual </li></ul><ul><ul><li>‘ Tail’, ‘more’, etc </li></ul></ul><ul><li>Filtering </li></ul><ul><ul><li>Positive and negative (“Artificial ignorance”) </li></ul></ul><ul><li>Summarization and reports </li></ul><ul><li>Simple visualization </li></ul><ul><ul><li>“… worth a thousand words?” </li></ul></ul><ul><li>Simple automation </li></ul><ul><ul><li>Filters </li></ul></ul><ul><li>Correlation </li></ul><ul><ul><li>Rule-based and other </li></ul></ul><ul><li>Log data mining </li></ul>
    10. 10. Log Analysis Basics: When <ul><li>Timing requirements for analysis </li></ul><ul><li>Real-time fallacy: “we have to have it when?”  </li></ul><ul><ul><li>“ A day later vs never” question </li></ul></ul><ul><ul><li>Daily in-depth analysis </li></ul></ul><ul><li>Log management vs alert management : different challenges </li></ul><ul><ul><li>When filtering and event correlation is not enough </li></ul></ul><ul><li>“ Boring” or sparse data and what to do with it: </li></ul><ul><ul><li>Netflow connectivity data </li></ul></ul><ul><ul><li>Transaction logs </li></ul></ul><ul><ul><li>Routine server logs </li></ul></ul><ul><ul><li>External firewall logs </li></ul></ul>
    11. 11. Example 1 FTP Hack Case <ul><li>Server stops </li></ul><ul><li>Found ‘rm-ed’ by the attacker </li></ul><ul><li>What logs do we have? </li></ul><ul><li>Forensics on an image to undelete logs </li></ul><ul><li>Client FTP logs reveals… </li></ul><ul><li>Firewall confirms! </li></ul>
    12. 12. Log Management Process <ul><li>Collect the log data </li></ul><ul><li>Convert to a common format </li></ul><ul><li>Reduce in size, if possible </li></ul><ul><li>Transport securely to a central location </li></ul><ul><li>Process in real-time </li></ul><ul><li>Alert on when needed </li></ul><ul><li>Store securely </li></ul><ul><li>Report on trends </li></ul>
    13. 13. Log Management Challenges <ul><li>Not enough data </li></ul><ul><li>Too much data </li></ul><ul><li>Diverse records </li></ul><ul><li>Time out of sync </li></ul><ul><li>False records </li></ul><ul><li>Duplicate data </li></ul><ul><li>Hard to get data </li></ul><ul><li>Chain of custody issues </li></ul>
    14. 14. Monitoring or Ignoring Logs? <ul><li>How to plan a response strategy to activate when monitoring logs? </li></ul><ul><li>Where to start? </li></ul><ul><li>How to tune it? </li></ul>
    15. 15. Monitoring Strategy
    16. 16. Value of Logging and Monitoring <ul><li>Monitoring </li></ul><ul><li>Incident detection </li></ul><ul><li>Loss prevention </li></ul><ul><li>Compliance </li></ul><ul><li>Logging </li></ul><ul><li>Audit </li></ul><ul><li>Forensics </li></ul><ul><li>Incident response </li></ul><ul><li>Compliance </li></ul><ul><li>Analysis and Mining </li></ul><ul><li>Deeper insight </li></ul><ul><li>Internal attacks </li></ul><ul><li>Fault prediction </li></ul>
    17. 17. “Real-Time” Tasks <ul><li>Malware outbreaks </li></ul><ul><li>Convincing and reliable intrusion evidence </li></ul><ul><li>Serious internal network abuse </li></ul><ul><li>Loss of service on critical assets </li></ul>
    18. 18. Daily Tasks <ul><li>Unauthorized configuration changes </li></ul><ul><li>Disruption in other services </li></ul><ul><li>Intrusion evidence </li></ul><ul><li>Suspicious login failures </li></ul><ul><li>Minor malware activity </li></ul><ul><li>Activity summary </li></ul>
    19. 19. Weekly Tasks <ul><li>Review inside and perimeter log trends and activities </li></ul><ul><li>Account creation/removal </li></ul><ul><li>Other host and network device changes </li></ul><ul><li>Less critical attack and probe summary </li></ul>
    20. 20. Monthly Tasks <ul><li>Review long-term network and perimeter trends </li></ul><ul><li>Minor policy violation summary </li></ul><ul><li>Incident team performance measurements </li></ul><ul><li>Security technology performance measurements </li></ul>
    21. 21. “On Incident” Tasks <ul><li>Use SANS six-step incident workflow </li></ul><ul><li>Review all relevant logs on a central logging system or elsewhere </li></ul><ul><li>Collect additional logs, if needed </li></ul>
    22. 22. Example 2 Scan of the Month Challenge #34 <ul><li>Honeypot hacked </li></ul><ul><li>All logs available </li></ul><ul><li>In fact, too many  </li></ul><ul><li>Analysis process </li></ul>
    23. 23. Logs in Support of Compliance <ul><li>Application and asset risk measurement </li></ul><ul><li>Data collection and storage to satisfy auditing of controls requirements </li></ul><ul><li>Support for security metrics </li></ul><ul><li>Industry best-practices for incident management and reporting </li></ul><ul><li>Proof of security due diligence </li></ul><ul><li>Example regulation include: HI PAA (please!) , SOX, PCI, GLBA, FISMA … </li></ul>
    24. 24. Forensics Brief <ul><li>“ Computer forensics is application of the scientific method to digital media in order to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities (Wikipedia)” </li></ul>
    25. 25. So, What is “Log Forensics” <ul><li>Log analysis is trying to make sense of system and network logs </li></ul><ul><li>“ Computer forensics is application of the scientific method to digital media in order to establish factual information for judicial review.” </li></ul><ul><li>So…. </li></ul><ul><li>Log Forensics = trying to make sense of system and network logs + in order to establish factual information for judicial review </li></ul>
    26. 26. How Logs Help… Sometimes <ul><li>If logs are there , we can try to </li></ul><ul><li>… figure out who , where , what , when , how, etc </li></ul><ul><li>but </li></ul><ul><li>Who as a person or a system? </li></ul><ul><li>Is where spoofed? </li></ul><ul><li>When ? In what time zone? </li></ul><ul><li>How ? More like ‘how’d you think’… </li></ul><ul><li>What happened or what got recorded? </li></ul>
    27. 27. Logs Forensics Challenges <ul><li>What? You think this is evidence? Bua-ha-ha-ha  </li></ul><ul><li>“ Computer Records and the Federal Rules of Evidence “ </li></ul><ul><li>“ First , parties may challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created. </li></ul><ul><li>Second , parties may question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records. </li></ul><ul><li>Third , parties may challenge the authenticity of computer-stored records by questioning the identity of their author.” </li></ul>
    28. 28. Some Future Bits  <ul><li>“AI” and data mining for log analysis </li></ul><ul><li>Common log standards and event taxonomies </li></ul><ul><li>Some logging mandated by laws and regulations </li></ul><ul><li>Log sharing – community log analysis </li></ul><ul><li>Forensically-sound logging emerges </li></ul>
    29. 29. Example 3 Spyware Alert <ul><li>A compromised system is discovered scanning (firewall log analysis) </li></ul><ul><li>The system has broken anti-virus software </li></ul><ul><li>Where would you investigate? </li></ul>
    30. 30. Summary <ul><li>Logs for Information Assurance </li></ul><ul><ul><li>How else would you assure that something happened? </li></ul></ul><ul><ul><li>Beware the challenges with logs and avoid mistakes </li></ul></ul><ul><li>Logs for Forensics </li></ul><ul><ul><li>Logs can tell you things, but are they “good evidence”? </li></ul></ul><ul><ul><li>Logs become evidence only if precautions are taken </li></ul></ul>
    31. 31. Thank you! Q&A? <ul><li>Dr Anton Chuvakin </li></ul><ul><li>Chief Logging Evangelist </li></ul><ul><li>LogLogic, Inc </li></ul><ul><li>Co-author of “Security Warrior” (O’Reilly 2004) and “PCI Compliance” (Syngress, 2007) </li></ul><ul><li>See www.info-secure.org for my papers, books, reviews and other security resources related to logs </li></ul><ul><li>Also see my blog www.securitywarrior.org </li></ul>