Log Forensics from CEIC 2007

  1. Integrating Log Analysis into Your Incident Response Practice
     Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
     Chief Logging Evangelist, LogLogic, Inc
     May 7, 2007
  2. TEASER
     • This is a shortened TEASER presentation.
     • Please contact us for a full presentation
  3. Outline
     • Log and logging overview
     • Just what is log management?
     • A brief on incident response
     • Logs in incident response
     • “Log forensics”: reality or marketing?
     • Conclusions and call to action!
  4. Goals
     • Get a refresher on logs and logging
     • Become familiar with log analysis and log management
     • Learn how logs help during (and before!) incident response
     • Pick up a few logging tips
  5. Logs for Cybercrime Investigations
     • A few thoughts to start us off…
     • All attackers leave traces. Period!
     • It is just that you don’t always know what and where
     • And almost never know why
     • Logs are the place to look, first
  6. Log Data Overview
     What logs?
     • Audit logs
     • Transaction logs
     • Intrusion logs
     • Connection logs
     • System performance records
     • User activity logs
     • Various alerts and other messages
     From where?
     • Firewalls/intrusion prevention
     • Routers/switches
     • Intrusion detection
     • Servers, desktops, mainframes
     • Business applications
     • Databases
     • Anti-virus
     • VPNs
  7. Top 11 Reasons to Collect and Preserve Computer Logs
     • Before anything else, do you deal with credit cards? Patient info? Are you a government org under FISMA? A financial org? You have to keep ’em.
     • What if there is a law or a regulation that requires you to retain logs, and you don’t know about it yet? Does the word “compliance” ring a bell?
     • An auditor comes and asks for logs. Do you want to respond “Eh, what do you mean?”
     • A system starts crashing and keeps doing so. Where is the answer? Oops, it was in the logs; you just didn’t retain them…
     • Somebody posts a piece of your future quarterly report online. Did John Smith do it? How? If not him, who did? Let’s see who touched this document. Got logs?
     • Malware is rampant on your network. Where did it come from? Who is spreading it? Just check the logs, but only if you have them saved.
     • Your boss comes and says “I emailed you this and you ignored it!!” “No, you didn’t!!!” Who is right? Only email logs can tell!
     • The network is slow; somebody is hogging the bandwidth. Let’s catch the bastard! Is your firewall logging? Keep the info at least until you can investigate.
     • Somebody added a table to your database. Maybe he did something else too, and no change control forms were filed. Got database log management? How else would you know?
     • Disk space is cheap; tape is cheaper still. Save a log! Got SAN or NAS? Save a few of them!
     • If you plan to throw away a log record, think: are you 100% sure you won’t need it, ever? Exactly! :-) Keep it.
  8. A Guide to Log Management: NIST 800-92
     • “This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise.”
  9. Incident Response Methodologies: SANS
     • SANS Six-Step Process
       • [P]reparation
       • [I]dentification
       • [C]ontainment
       • [E]radication
       • [R]ecovery
       • [F]ollow-Up
  10. Logs at Various Stages of Incident Response
     • Preparation: verify controls, collect normal usage data, baseline, etc.
     • Identification: detect an incident, confirm the incident, etc.
     • Containment: scope the damage, learn what else is lost, etc.
     • Eradication: preserving logs for the future, etc.
     • Recovery: confirming the restoration, etc.
     • Follow-Up: logs for “peaceful” purposes (training, etc.)
  11. Firewall Logs in Incident Response
     • Proof of Connectivity
     • Proof of NO Connectivity
     • Scans
     • Malware: Worms, Spyware
     • Compromised Systems
     • Misconfigured Systems
     • Unauthorized Access and Access Attempts
     • Spam (yes, even spam!)
  12. Example: Firewall Logs in Place of Netflow
     • Why look at firewall logs during incident investigation?
     • 1990-2001: to see what external (inbound) threats got blocked
     • 2002-2006: to see which internal systems connected out
     • Thus, firewall logs are poor man’s netflow…
  13. So, What is “Log Forensics”?
     • Log analysis is trying to make sense of system and network logs
     • “Computer forensics is application of the scientific method to digital media in order to establish factual information for judicial review.”
     • So….
     • Log Forensics = trying to make sense of system and network logs + in order to establish factual information for judicial review
  14. How Logs Help… Sometimes
     • If logs are there, we can try to…
     • … figure out who, where, what, when, how, etc.
     • but
     • Who: as a person or a system?
     • Is where spoofed?
     • When? In what time zone?
     • How? More like ‘how’d you think’…
     • What happened, or what got recorded?
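Slide 12's "firewall logs as poor man's netflow" and slide 14's when/where questions, worked through as an added example that is not from the presentation: it parses constructed iptables-style ACCEPT/DROP lines, normalises every timestamp to UTC, summarises accepted outbound sessions per internal host, and answers a proof-of-connectivity question for a window stated in the investigator's own time zone. The log lines, addresses, host name and time zones are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed iptables-style firewall log (not from the slides). The firewall
# stamps lines in its own zone (+02:00); the investigator asking the questions
# works in UTC-4, which is exactly the "When? In what time zone?" trap.
SAMPLE_LOG = """\
2007-05-07T09:15:02+02:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.25 DST=203.0.113.9 PROTO=TCP SPT=51022 DPT=6667
2007-05-07T09:15:07+02:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.25 DST=203.0.113.9 PROTO=TCP SPT=51023 DPT=6667
2007-05-07T09:16:40+02:00 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.1.1.25 PROTO=TCP SPT=4444 DPT=445
2007-05-07T09:20:11+02:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.40 DST=192.0.2.80 PROTO=TCP SPT=40111 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: (?P<action>ACCEPT|DROP) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse(text):
    """Turn log lines into records; every timestamp is normalised to UTC."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unknown format: in real IR count these, never silently lose them
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
        rec["dpt"] = int(rec["dpt"])
        records.append(rec)
    return records

def outbound_summary(records, internal_prefix="10."):
    """Poor man's netflow: accepted outbound sessions per internal host, by (dst, port)."""
    summary = defaultdict(Counter)
    for r in records:
        if r["action"] == "ACCEPT" and r["src"].startswith(internal_prefix):
            summary[r["src"]][(r["dst"], r["dpt"])] += 1
    return summary

def connectivity(records, src, dst, start, end):
    """(accepted, dropped) counts for src->dst within [start, end]. The window must be
    timezone-aware; zero accepted while logs cover the window is 'proof of NO connectivity'."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("window must be timezone-aware, or the comparison is meaningless")
    counts = Counter(r["action"] for r in records
                     if r["src"] == src and r["dst"] == dst and start <= r["ts"] <= end)
    return counts["ACCEPT"], counts["DROP"]
```

The same wall-clock window read as firewall-local time instead of the investigator's zone finds nothing, which is how "when?" goes wrong in practice.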
  15. Conclusions
     • Turn ON Logging!!!
     • Make Sure Logs Are There When You Need Them (and need them you will)
     • Include Log Analysis into the IR process and training
     • Prepare and Learn the Analysis Tools
     • When Going Into the Incident-Induced Panic, Think ‘It’s All Logged Somewhere – We Just Need to Dig it Out’
     • Logs in Incident Response are critical for…
       • Threat detection: “Is there something wrong?”
       • Early incident triage: “What is going on?”
       • Detailed investigation: “What REALLY happened?”
     • Logs for Forensics
       • Logs can tell you things, but are they “good evidence”?
       • Logs become evidence only if precautions are taken
  16. More information?
     • Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
     • Chief Logging Evangelist
     • LogLogic, Inc
     • Author of “Security Warrior” (O’Reilly 2004)
     • See for my papers, books, reviews and other security resources related to logs.
     • See for my blog!

Editor's Notes

  • Integrating Log Analysis into Your Incident Response Practice. Monday May 7 — General Lab 1, 7:30 a.m. - 9:00 a.m. Presented by Anton Chuvakin. Log management and log analysis play a key role in the area of incident response. As the complexity and frequency of investigations climb, so does the understanding of how to use logs to quickly diagnose an incident and narrow the scope of an investigation. With the proper procedures, logging settings, and analytical tools, an organization can use logs to dramatically increase the productivity and effectiveness of its incident response process. Using hands-on examples, this lab will show the importance of logs, the specific situations in which they can be used, how they can be used and what their limitations are.