The actions taken by a network intruder manifest themselves in many varied ways, and forensic evidence can be littered throughout the environment. Much of that evidence is contained in the log files of various systems.
Consequently, log analysis frequently comes complete with its own set of problems to be solved:
- What sources of log data are available?
- How do you best aggregate the data?
- How do you query the data?
Potentially useful sources of data may be: email systems, DNS servers, DHCP servers, VPN logs, Syslog data, routers, firewalls, servers and Windows Event Logs – all of which come in different formats so may not be easy to correlate. A good log analysis platform can overcome these problems and give intrusion analysts access to the data they need in order to perform their job. Having aggregated this data in a suitable analysis system, it becomes possible to see the timeline of an attack as it develops, assuming you know what to look for.
The best intrusion analysts know the mindset of the attacker and know his methods; this helps them to hunt the attacker down. Knowledge of how the attacker will develop his compromise and target his objectives, and the manner in which that will yield certain evidence in log files, is fundamental to uncovering new threats in your environment.
Categories