Your SlideShare is downloading. ×
0
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin

2,554

Published on

Log and logging overview …

Log and logging overview
A brief on Incident response and forensics
Logs in incident investigations
Just what is log forensics?
Conclusions and call to action!

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,554
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Using Logs for Breach Investigations and Incident Response<br />Dr. Anton Chuvakin<br />@anton_chuvakin<br />SecurityWarrior LLC<br />www.securitywarriorconsulting.com<br />BrightTalk Forensics Summit 2011<br />
  • 2. Logs for Breach Investigations<br />A few thoughts to start us off …<br /> All attackers leave traces. Period! <br /> It is just that you don’t always knowwhat and where<br /> And almost never knowwhy…<br /> Logs are the place to look, first<br />
  • 3. Outline<br />Log and logging overview<br />A brief on Incident response and forensics<br />Logs in incident investigations<br />Just what is log forensics?<br />Conclusions and call to action!<br />
  • 4. Log Data Overview<br />From Where?<br />What logs?<br /><ul><li>Firewalls/intrusion prevention
  • 5. Routers/switches
  • 6. Intrusion detection
  • 7. Servers, desktops, mainframes
  • 8. Business applications
  • 9. Databases
  • 10. Anti-virus
  • 11. VPNs
  • 12. Audit logs
  • 13. Transaction logs
  • 14. Intrusion logs
  • 15. Connection logs
  • 16. System performance records
  • 17. User activity logs
  • 18. Various alerts and other messages</li></li></ul><li>Login? Logon? Log in?<br /><18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <br /><57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006<br /><122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2<br /><13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Success Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  POWERUSER    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574 <br />
  • 19. Logs at Various Stage of Incident Response<br />Preparation: verify controls, collect normal usage data, baseline, etc<br />Identification: detect an incident, confirm incident, etc <- really?<br />Containment: scope the damage, learn what else is “lost”, what else the attacker visited/tried, etc<br />Eradication: preserving logs for the future, etc<br />Recovery: confirming the restoration, etc<br />Follow-Up: logs for “peaceful” purposes (training, etc) as well as preventing the recurrence<br />
  • 20. Various Logs for Incident Response<br />
  • 21. Firewall Logs in Incident Response<br />Proof of Connectivity<br />Proof of NO Connectivity <br />Scans<br />Malware: Worms, Spyware<br />Compromised Systems<br />Misconfigured Systems<br />Unauthorized Access and Access Attempts<br />
  • 22. Example: Firewall Logs in Place of Netflow<br />Why Look at Firewall Logs During Incident Investigation?<br />1990-2001 – to see what external threats got blocked (in, failure) <br />2002-2011+ – to see what internal system got connected (out, success)<br />Thus, firewall logs is “poor man’s” netflow…<br />
  • 23. Recommendations<br />Log denied connections<br />Log allowed connection<br />If cannot log all allowed connections, then log outbound allowed connections<br />Watch for firewall rule changes<br />
  • 24. NIDS Logs in Incident Response<br />Attack, Intrusion and Compromise Detection<br />Malware Detection: Worms, Viruses, Spyware, etc<br />Network Abuses and Policy Violations<br />Unauthorized Access and Access Attempts<br />Recon Activity<br />
  • 25. Just A Thought…<br />Q: How many serious incidents were discovered by an IDS/IPS?<br />A: Answers I’ve heard..<br />0, 0, 0, 0 with an average of 0 <br />
  • 26. Server Logs in Incident Response<br />Confirmed Access by an Intruder<br />Service Crashes and Restarts<br />Reboots<br />Password, Trust and Other Account Changes<br />System Configuration Changes<br />A World of Other Things <br />
  • 27. Example: “Irrelevant, You Say”<br />Using disk failures for IDS <br />What is really there? <br />Is this OUR server? Well …<br />“Detection by catastrophe”<br />Is CNN you IDS?<br />
  • 28. Recommendations<br />On a typical Unix system log:<br />Syslog = usually defaults are sensible<br />Select file access = via kernel logging<br />Select process execution = via kernel logging<br />On a typical Windows server:<br />Authentication = failure/success<br />Account changes = failure/success<br />Privilege use = failure/success<br />Others as needed (see MS Recommended Audit Policy)<br />
  • 29. Database Logs in Incident Response<br />Database and Schema Modifications<br />Data and Object Modifications<br />User and Privileged User Access<br />Database Backups (!)<br />Failures, Crashes and Restarts<br />LOOK AT LOGS! <br />
  • 30. Proxy Logs in Incident Response<br />Internet access patterns<br />Policy violations<br />Accidental/malicious information disclosure<br />Malware: spyware, trojans, etc<br />Outbound web-hacking<br />
  • 31. Example: Proxy Logs vs Uploads<br />How?<br />Search for POST requests AND specific document content-types (e.g. msword, powerpoint, etc.)<br />What?<br />Look for a uploads to unusual sites (especially with unresolved IPs), web mail, or for sensitive document names<br />Especially, look for uploads to unusual ports<br />
  • 32. Antivirus Logs in Incident Response<br />Virus Detection and Clean-up (or lack thereof!)<br />Failed and Successful Antivirus Signature Updates<br />Other Protection Failures and Issues<br />Antivirus Software Crashes and Terminations<br />
  • 33. Log Forensics<br />
  • 34. So, What is “Log Forensics”<br />Log analysis is trying to make sense of system and network logs<br />“Computer forensics is application of the scientific method to digital media in order to establish factual information for judicial review.”<br />So….<br />Log Forensics = trying to make sense of system and network logs + in order to establish factual information for judicial review<br />
  • 35. How Logs Help… Sometimes<br />Logs help to figure out who, where, when, how, what, etc. <br />but …<br />Who as a person or a system? <br />Is where spoofed?<br />When? In what time zone?<br />How? More like ‘how’d you think’…<br />What happened or what got recorded?<br />
  • 36. Who?<br />Just who is 10.1.1.2? Do you know him?<br />Is jsmith.example.com a who?<br />Is JSMITH at JSMITHEXAMPLE?<br />Is JSMITHauthenticated by an RSA token at JSMITHEXAMPLE and also logged to another system as “jsmith” a who?<br />Is JSMITHauthenticated by a fingerprint reader at JSMITHEXAMPLE a who?<br />
  • 37. Solving "Who?”<br />Q: How do you know who? did something in a forensically sound manner?<br />A: Offline evidence: we (or camera) see that he did it<br />
  • 38. When?<br />Got timestamp?  - challenges to log timing!<br />Completely false timestamp in logs <br />It’s always 5PM somewhere: time zone<br />Are you in drift? NTP might be<br />Syslog forwarder delays<br />Systems with two timestamps!<br />It got logged at 5:17AM. When did it happen? <br />Yes, even, 24 vs. 12 time<br />Lying NTP? Is it possible?<br />
  • 39. Solving “When?”<br />Q: How do you know when something occurred in a forensically sound manner?<br />A: NTP sync religiously, make note of time zones, know the logging systems and keep logs secure to prevent timestamp modification<br />
  • 40. Where?<br />The attack came from X.1.1.2, which belongs to Guanjou Internet Alliance, Beijing China<br />The stolen data then went to X.2.2.1 which belongs to PakNet ISP in Karachi, Pakistan<br />Result: Romanian hackers attack! <br />or <br />Result: it was a guy from the office on the 3rd floor?<br />or …<br />
  • 41. Solving “Where?”<br />Q: How do you know wheredid something happen in a forensically sound manner?<br />A: Only offline evidence can help: we (or camera) see that he did it! For remote access: unlikely to be available<br />
  • 42. Conclusions <br />Turn ON Logging!!!<br />Make sure logs are there when you need them <br />When going into the incident-induced panic think ‘its all logged somewhere – we just need to dig it out’ <br />Review logs to know your environment!<br />Logs for Forensics <br />Logs can tell you things, but are they “good evidence”?<br />Logs become evidence only if precautions are taken<br />
  • 43. Questions?<br />Dr. Anton Chuvakin <br />SecurityWarrior LLC<br />Email:anton@chuvakin.org<br />Site:http://www.chuvakin.org<br />Blog:http://www.securitywarrior.org<br />Twitter:@anton_chuvakin<br />Consulting:http://www.securitywarriorconsulting.com<br />
  • 44. More Resources<br />Blog: www.securitywarrior.org<br />SANS SEC434 Log Management Class<br />Podcast: look for “LogChat” on iTunes<br />Slides: http://www.slideshare.net/anton_chuvakin<br />Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin<br />Consulting: http://www.securitywarriorconsulting.com/<br />
  • 45. More on Anton<br />Consultant: http://www.securitywarriorconsulting.com<br />Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc<br />Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide<br />Standard developer: CEE, CVSS, OVAL, etc<br />Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others<br />Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager<br />

×