Day 9 - Identification: Log and Audit Analysis

Published: 2008-10-09
Last Updated: 2008-10-11 01:10:59 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

For the ninth day of Cyber Security Awareness Month we will consider how you can use log and audit analysis to identify an intrusion or incident.  Remember that in step one, Preparation, you should be putting in place automatic logging facilities so that you'll have the ability to look backwards in time to reconstruct an incident.  But what about using those logging facilities to detect an event or series of events that can rise to the level of an incident? 

The classic example of using log analysis to identify a problem is the story behind The Cuckoo's Egg, one of the most popular books on computer security investigations.  By the way, that story is twenty years old now, but if you read the book today it's almost like it could have been written in the past few years because so many of the problems and techniques are still common today.  For a more contemporary essay, see Roger Meyer's GIAC paper in the SANS Reading Room where he explains how he used web application logs to identify an intrusion.

If you have uncovered an incident using log or audit analysis, please send us a note using our contact form and tell us about it.  We'll share your stories with other readers throughout the day by adding them to this diary.

UPDATE 1

An anonymous reader sent us this:

After doing some research on common/popular trojans which steal confidential information in order to:
  1. confirm the IDS systems are doing what they're supposed to
  2. collect communication patterns for behavioral analysis and heuristics

It was decided to test how well these heuristics work.  With couple of simple scripts pattern matches were applied to logs from organization's web proxy infrastructure and uncovered several infected devices which constantly stole any form based data.

Lessons Learned: any kind of additional information about a threat from public or other sources should be, to the extent possible, checked against previously logged data to identify if anything was missed by current security infrastructure.

Marcus H. Sachs
Director, SANS Internet Storm Center

 

Keywords: Awareness2008
0 comment(s)

Comments


Diary Archives