Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin



1. Using Logs for Breach Investigations and Incident Response
   Dr. Anton Chuvakin
   @anton_chuvakin
   SecurityWarrior LLC
   BrightTalk Forensics Summit 2011

2. Logs for Breach Investigations
   A few thoughts to start us off…
   All attackers leave traces. Period!
   It is just that you don’t always know what and where
   And almost never know why…
   Logs are the place to look, first

3. Outline
   Log and logging overview
   A brief on incident response and forensics
   Logs in incident investigations
   Just what is log forensics?
   Conclusions and call to action!

4. Log Data Overview
   From where?
   - Firewalls/intrusion prevention
   - Routers/switches
   - Intrusion detection
   - Servers, desktops, mainframes
   - Business applications
   - Databases
   - Anti-virus
   - VPNs
   What logs?
   - Audit logs
   - Transaction logs
   - Intrusion logs
   - Connection logs
   - System performance records
   - User activity logs
   - Various alerts and other messages

5. Login? Logon? Log in?
   <18> Dec 17 15:45:57 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from (2002-12-17 15:50:53)
   <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:yellowdog] [Source:] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
   <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff: port 2895 ssh2
   <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Success Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  POWERUSER    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574
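The four records above say the same thing (someone logged in) in four vendor dialects. An added example, not part of the original slides, of normalizing them to one schema before investigation; the regexes, user names and addresses are constructed stand-ins modelled on the slide's formats (the original lines have their addresses stripped).

```python
import re
from typing import Optional

# Constructed sample lines modelled on the four formats shown on slide 5
# (placeholder users/addresses, not the slides' values).
SAMPLES = [
    "<18> Dec 17 15:45:57 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User netscreen has logged on via Telnet from 10.0.0.5:40120 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: yellowdog] "
    "[Source: 10.0.0.9] [localport: 23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle "
    "from ::ffff:10.0.0.7 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE "
    "Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: POWERUSER Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574",
]

# Vendor-specific outcome words mapped to one vocabulary.
OUTCOME = {"logged on": "success", "SUCCESS": "success", "FAILED": "failure",
           "Accepted": "success", "Failed": "failure",
           "Success": "success", "Failure": "failure"}

# One regex per dialect; each yields the same named groups: user, src, outcome.
PATTERNS = {
    "netscreen": re.compile(r"Admin User (?P<user>\S+) has (?P<outcome>logged on) via \S+ from (?P<src>[\d.]+)"),
    "cisco-ios": re.compile(r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>SUCCESS|FAILED).*\[user: ?(?P<user>[^\]]+)\] \[Source: ?(?P<src>[^\]]+)\]"),
    "sshd": re.compile(r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?:::ffff:)?(?P<src>\S+) port"),
    "windows-680": re.compile(r"(?P<outcome>Success|Failure) Audit .*Logon account: +(?P<user>\S+) +Source Workstation: +(?P<src>\S+)"),
}

def normalize_login(line: str) -> Optional[dict]:
    """Map a raw login record from any dialect above onto one schema."""
    for source, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return {"source": source, "user": m["user"], "src": m["src"],
                    "outcome": OUTCOME[m["outcome"]]}
    return None  # unknown dialect: keep the raw line for manual review, do not guess

def normalize_all(lines):
    return [ev for ev in (normalize_login(l) for l in lines) if ev]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLES):
        print(ev)
```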
6. Logs at Various Stages of Incident Response
   Preparation: verify controls, collect normal usage data, baseline, etc.
   Identification: detect an incident, confirm incident, etc. <- really?
   Containment: scope the damage, learn what else is “lost”, what else the attacker visited/tried, etc.
   Eradication: preserving logs for the future, etc.
   Recovery: confirming the restoration, etc.
   Follow-up: logs for “peaceful” purposes (training, etc.) as well as preventing the recurrence

7. Various Logs for Incident Response

8. Firewall Logs in Incident Response
   Proof of Connectivity
   Proof of NO Connectivity
   Scans
   Malware: Worms, Spyware
   Compromised Systems
   Misconfigured Systems
   Unauthorized Access and Access Attempts

9. Example: Firewall Logs in Place of Netflow
   Why look at firewall logs during incident investigation?
   1990-2001: to see what external threats got blocked (in, failure)
   2002-2011+: to see what internal system got connected (out, success)
   Thus, firewall logs are “poor man’s” netflow…

10. Recommendations
   Log denied connections
   Log allowed connections
   If you cannot log all allowed connections, then log outbound allowed connections
   Watch for firewall rule changes
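The “poor man’s netflow” point of the two slides above, as an added example that is not from the slides: accepted-connection lines from an iptables-style firewall log are reduced to per-host outbound flow records, which is what the investigator needs to answer “what did this box talk to”. The log lines, the 10.0.0.0/8 internal range and all addresses are constructed.

```python
import ipaddress
import re

# Constructed iptables-style lines (LOG target with --log-prefix ACCEPT/DROP);
# RFC1918 and documentation addresses, not values from the slides.
FW_LOG = """\
Jun  3 10:01:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Jun  3 10:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=443
Jun  3 10:02:17 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=51300 DPT=6667
Jun  3 10:02:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=10.1.2.3 PROTO=TCP SPT=4444 DPT=22
Jun  3 10:03:01 fw kernel: ACCEPT IN=eth1 OUT=eth1 SRC=10.1.2.3 DST=10.1.5.20 PROTO=TCP SPT=51400 DPT=445
Jun  3 10:03:30 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=53
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
                  r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)")

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def outbound_flows(log_text: str) -> dict:
    """Summarise accepted internal->external connections like flow records:
    key = (src, dst, proto, dport); value = {'count', 'first', 'last'}."""
    flows = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue  # denies matter too, but this view is "what got OUT"
        if not (is_internal(m["src"]) and not is_internal(m["dst"])):
            continue  # inbound or lateral traffic is not an outbound flow
        key = (m["src"], m["dst"], m["proto"], int(m["dport"]))
        rec = flows.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["last"] = m["ts"]
    return flows

def destinations_of(flows: dict, host: str) -> list:
    """Investigation question: which external hosts/ports did this host reach?"""
    return sorted((dst, proto, dport) for (src, dst, proto, dport) in flows if src == host)

if __name__ == "__main__":
    flows = outbound_flows(FW_LOG)
    for key, rec in flows.items():
        print(key, rec)
    print("10.1.2.3 reached:", destinations_of(flows, "10.1.2.3"))
```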
11. NIDS Logs in Incident Response
   Attack, Intrusion and Compromise Detection
   Malware Detection: Worms, Viruses, Spyware, etc.
   Network Abuses and Policy Violations
   Unauthorized Access and Access Attempts
   Recon Activity

12. Just a Thought…
   Q: How many serious incidents were discovered by an IDS/IPS?
   A: Answers I’ve heard…
   0, 0, 0, 0 with an average of 0

13. Server Logs in Incident Response
   Confirmed Access by an Intruder
   Service Crashes and Restarts
   Reboots
   Password, Trust and Other Account Changes
   System Configuration Changes
   A World of Other Things

14. Example: “Irrelevant, You Say”
   Using disk failures for IDS
   What is really there?
   Is this OUR server? Well…
   “Detection by catastrophe”
   Is CNN your IDS?

15. Recommendations
   On a typical Unix system log:
   - Syslog = usually defaults are sensible
   - Select file access = via kernel logging
   - Select process execution = via kernel logging
   On a typical Windows server:
   - Authentication = failure/success
   - Account changes = failure/success
   - Privilege use = failure/success
   - Others as needed (see MS Recommended Audit Policy)

16. Database Logs in Incident Response
   Database and Schema Modifications
   Data and Object Modifications
   User and Privileged User Access
   Database Backups (!)
   Failures, Crashes and Restarts
   LOOK AT LOGS!

17. Proxy Logs in Incident Response
   Internet access patterns
   Policy violations
   Accidental/malicious information disclosure
   Malware: spyware, trojans, etc.
   Outbound web-hacking

18. Example: Proxy Logs vs Uploads
   How?
   Search for POST requests AND specific document content-types (e.g. msword, powerpoint, etc.)
   What?
   Look for uploads to unusual sites (especially with unresolved IPs), web mail, or for sensitive document names
   Especially, look for uploads to unusual ports
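The POST-plus-document-type search of the slide above run over a constructed proxy log, as an added example that is not from the slides. The log format (epoch, client, method, URL, status, bytes, request content type), the webmail list, the internal domain suffix and the sensitive-name pattern are assumptions; a real deployment would take them from the proxy's log format and the organisation's own lists.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log in an assumed custom format, one request per line:
# epoch client method url status bytes request_content_type
PROXY_LOG = """\
1300000001 10.1.2.3 GET http://intranet.example.com/news 200 5120 -
1300000002 10.1.2.3 POST http://203.0.113.40:8090/up 200 204800 application/msword
1300000003 10.1.2.7 POST https://mail.webmail-example.net/attach 200 98304 application/vnd.ms-powerpoint
1300000004 10.1.2.7 POST https://crm.example.com/api 200 1024 application/json
1300000005 10.1.2.9 POST https://files.partner-example.org/Salary_Q3.xlsx 200 65536 application/vnd.ms-excel
"""

# Document types worth looking at in a POST body (extend to the org's own formats).
DOC_TYPES = {"application/msword", "application/vnd.ms-powerpoint", "application/vnd.ms-excel",
             "application/pdf", "application/zip"}
WEBMAIL = {"mail.webmail-example.net"}              # constructed reference list
SENSITIVE = re.compile(r"salary|payroll|confidential|customer", re.I)  # assumed naming
NORMAL_PORTS = {80, 443}

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_uploads(log_text: str, internal_suffix: str = ".example.com") -> list:
    """Return (client, url, reasons) for document POSTs that match the slide's checks."""
    findings = []
    for line in log_text.splitlines():
        ts, client, method, url, status, size, ctype = line.split()
        if method != "POST" or ctype not in DOC_TYPES:
            continue
        u = urlsplit(url)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal destination")   # "unresolved IP" on the slide
        if port not in NORMAL_PORTS:
            reasons.append("unusual port")
        if host in WEBMAIL:
            reasons.append("webmail")
        if SENSITIVE.search(u.path):
            reasons.append("sensitive filename")
        if not host.endswith(internal_suffix):
            reasons.append("external site")
        findings.append((client, url, reasons))
    return findings
```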
19. Antivirus Logs in Incident Response
   Virus Detection and Clean-up (or lack thereof!)
   Failed and Successful Antivirus Signature Updates
   Other Protection Failures and Issues
   Antivirus Software Crashes and Terminations

20. Log Forensics

21. So, What is “Log Forensics”?
   Log analysis is trying to make sense of system and network logs
   “Computer forensics is application of the scientific method to digital media in order to establish factual information for judicial review.”
   So…
   Log Forensics = trying to make sense of system and network logs + in order to establish factual information for judicial review

22. How Logs Help… Sometimes
   Logs help to figure out who, where, when, how, what, etc.
   but…
   Who as a person or a system?
   Is where spoofed?
   When? In what time zone?
   How? More like ‘how’d you think’…
   What happened or what got recorded?

23. Who?
   Just who is Do you know him?
   Is a who?
   Is JSMITH at JSMITHXAMPLE?
   Is JSMITH authenticated by an RSA token at JSMITHXAMPLE and also logged to another system as “jsmith” a who?
   Is JSMITH authenticated by a fingerprint reader at JSMITHXAMPLE a who?

24. Solving “Who?”
   Q: How do you know who did something in a forensically sound manner?
   A: Offline evidence: we (or camera) see that he did it

25. When?
   Got timestamp? Challenges to log timing!
   Completely false timestamp in logs
   It’s always 5PM somewhere: time zone
   Are you in drift? NTP might be
   Syslog forwarder delays
   Systems with two timestamps!
   It got logged at 5:17AM. When did it happen?
   Yes, even 24 vs. 12 time
   Lying NTP? Is it possible?

26. Solving “When?”
   Q: How do you know when something occurred in a forensically sound manner?
   A: NTP sync religiously, make note of time zones, know the logging systems and keep logs secure to prevent timestamp modification
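The time-zone, 12-vs-24-hour and two-timestamp problems of the two slides above, as an added example that is not from the slides: every stamp is parsed in the zone its source is known to use and put on a UTC axis, and the device-versus-relay skew is measured on a dual-timestamp line modelled on the NetScreen record on slide 5 (relay syslog header first, device clock in parentheses). The line, the year and the fixed EST/PST offsets are constructed; the fallback policy in event_time is this example's, not the speaker's.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed offsets keep the example free of a tz database; in practice use the
# source's IANA zone so DST is handled. Constructed values, not the slides'.
EST = timezone(timedelta(hours=-5))
PST = timezone(timedelta(hours=-8))

# Constructed dual-timestamp record modelled on the NetScreen line on slide 5.
RELAY_LINE = ("<18> Dec 17 15:45:57 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
              "Admin User netscreen has logged on via Telnet from 10.0.0.5:40120 (2002-12-17 15:50:53)")

SYSLOG_HDR = re.compile(r"^<\d+> (\w{3} +\d+ \d\d:\d\d:\d\d)")
DEVICE_TS = re.compile(r"\((\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\)")

def to_utc(stamp: str, fmt: str, tz: timezone, year: int = None) -> datetime:
    """Parse a naive local timestamp in the zone its source is known to use
    and return it in UTC; `year` fills in BSD syslog headers, which omit it."""
    local = datetime.strptime(stamp, fmt)
    if year is not None:
        local = local.replace(year=year)
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def clock_skew(line: str, relay_tz: timezone, device_tz: timezone, year: int) -> timedelta:
    """Device clock minus relay clock once both are on the UTC axis; a large
    value means the device's own stamps need correcting before correlation."""
    t_relay = to_utc(SYSLOG_HDR.search(line).group(1), "%b %d %H:%M:%S", relay_tz, year)
    t_device = to_utc(DEVICE_TS.search(line).group(1), "%Y-%m-%d %H:%M:%S", device_tz)
    return t_device - t_relay

def event_time(line: str, relay_tz: timezone, device_tz: timezone, year: int,
               tolerance: timedelta = timedelta(seconds=30)) -> datetime:
    """Best estimate of when the event happened: keep the device clock if it
    agrees with the relay within tolerance, else fall back to the relay's
    receive time (the relay is the clock you actually NTP-sync and protect)."""
    skew = clock_skew(line, relay_tz, device_tz, year)
    t_relay = to_utc(SYSLOG_HDR.search(line).group(1), "%b %d %H:%M:%S", relay_tz, year)
    return t_relay if abs(skew) > tolerance else t_relay + skew

if __name__ == "__main__":
    print("12h stamp on the UTC axis:", to_utc("Mar 17 05:17:00 PM", "%b %d %I:%M:%S %p", EST, 2006))
    print("device minus relay:", clock_skew(RELAY_LINE, EST, EST, 2002))
    print("event time (UTC):", event_time(RELAY_LINE, EST, EST, 2002))
```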
27. Where?
   The attack came from X.1.1.2, which belongs to Guanjou Internet Alliance, Beijing, China
   The stolen data then went to X.2.2.1, which belongs to PakNet ISP in Karachi, Pakistan
   Result: Romanian hackers attack!
   or
   Result: it was a guy from the office on the 3rd floor?
   or…

28. Solving “Where?”
   Q: How do you know where something happened in a forensically sound manner?
   A: Only offline evidence can help: we (or camera) see that he did it! For remote access: unlikely to be available

29. Conclusions
   Turn ON Logging!!!
   Make sure logs are there when you need them
   When going into the incident-induced panic, think ‘it’s all logged somewhere – we just need to dig it out’
   Review logs to know your environment!
   Logs for Forensics
   Logs can tell you things, but are they “good evidence”?
   Logs become evidence only if precautions are taken

30. Questions?
   Dr. Anton Chuvakin
   SecurityWarrior LLC
   Site:
   Blog:
   Twitter: @anton_chuvakin
   Consulting:

31. More Resources
   Blog:
   SANS SEC434 Log Management Class
   Podcast: look for “LogChat” on iTunes
   Slides:
   Papers: and
   Consulting:

32. More on Anton
   Consultant:
   Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
   Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
   Standard developer: CEE, CVSS, OVAL, etc.
   Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
   Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager