Digital Evidence Sources: Security Solutions PDF
Document Details
Uploaded by barrejamesteacher
null
Tags
Related
- IoT Security: Security Solutions for the Internet of Things PDF
- Changes in Earnings Models Through Digital Product-Service Systems: The Example of dormakaba PDF
- Revision Document - Digital Solutions External PDF
- European Commission White Paper on Digital Infrastructure PDF
- Broadcom 250-586 Exam Guide PDF
- IT Governance Summary PDF
Summary
This document discusses digital evidence sources and security solutions, specifically focusing on SIEM dashboards, sensors, and automated alerts. It describes how these tools can help security specialists and investigators analyze current cybersecurity data and identify potential threats or unusual patterns.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics SIEM Dashboards...
Certified Cybersecurity Technician Exam 212-82 Computer Forensics SIEM Dashboards '\\%{/ )+ » SIEM dashboards visualize actionable data from various log events that \f_/' assist investigators in analyzing current log data and identifying abnormal behavior patterns Sensors »* Sensors aggregate logs from various neighboring sources and correlate them with device data, which are then used by investigators to identify patterns that deviate from the normal activities of a user or the usual traffic flow in a network Sensitivity *» Security specialists apply correction rules to assign sensitivity levels to aggregated data; it can also be achieved by implementing Al and ML capabilities in security solutions * This type of segregation based on the sensitivity level facilitates log analysis during investigations ARutomated Alerts Correlation v’ Alerts are generated by the sensors implemented in v’ Security solutions apply correlation rules to integrate security solutions and network hardware appliances multiple log sources and transform the data into useful when they encounter attack signatures information vv’ They are classified based on the threat severity level v v’ Correlated logs help investigators to track the timeline of (low, medium, and high), which includes warning the events that led to a security incident alert, critical level alert, compliance alert, action object alert, alert overview, and alert rules I Y Y = Copyrigh © byt EC-Coumcil Copyright EC-omcL ANAX Rights Reserved. Reproductionis Reproduction i Strictly Stricty Prohibited. Digital Evidence Sources: Security Solutions == SIEM Dashboards S|IEM Dashboards SIEM dashboards visualize actionable data from various log events and represent the information in a chart or graphical format. These dashboards contain the auto-update or auto alert feature that assists security specialists or investigators in analyzing current log data and identifying abnormal behavior patterns. Module 20 Page 2232 Certified Cybersecurity Technician Copyright © by EG-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Sensors Sensors are important components of security solutions such as Intrusion Prevention System (IPS) and Intrusion Detection System (IDP), which can actively identify unusual behavior patterns. These sensors aggregate logs from various neighboring sources and correlate them with device data; this information can be used by investigators to identify patterns that deviate from the normal activities of a user and the usual traffic flow in a network. The potentiality of sensors may depend on the internal architecture of the network and their deployment. Sensitivity One of the major challenges in security solutions involves assigning sensitivity levels to minimize false incidents from being reported as risky events. When the SOC of an organization implements security solutions such as SIEM on premise, it generates everything as an event when the sensitivity is not tuned, which can make it difficult to analyze high-risk incidents. Security specialists apply correction rules to assign sensitivity to aggregated data; this can also be achieved by implementing Al and ML capabilities in security solutions. This type of segregation based on sensitivity level will facilitate log analysis for investigating an incident. Automated Alerts Alerting is a process that automates the evaluation of correlated events and triggers security alerts to notify security specialists via a dashboard or email. Alerts are generated by the sensors implemented in security solutions and network hardware appliances when they encounter an attack signature. They are classified based on the threat severity level (low, medium, and high), which includes warning alert, critical level alert, compliance alert, action object alert, alert overview, and alert rules. Depending on the severity level of an alert, security professionals or investigators analyze the events and take necessary actions to defend and remediate the cyberattacks. Correlation Correlation is a method that determines generic attributes and merges events into a meaningful package. Security solutions apply correlation rules to integrate multiple log sources and transform data into useful information. These correlation rules allow security specialists to take appropriate actions (such as turning off the system and limiting system availability) to mitigate cyberattacks when an adversary event is triggered. Correlated logs help investigators to track the timeline of events that led to a security incident. Module 20 Page 2233 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Digital Evidence Sources: Bandwidth Monitors and Metadata Bandwidth Monitors Metadata | » Network traffic analysis using | bandwidth monitors provides insights into incidents and evidence, discovers the footprints of attackers, and identifies the degree of damage » Using tools such as SolarWinds Network Bandwidth Analyzer Pack, investigators can perceive the events in a network by comparing the network behavior with the standard baseline Copyright Copyright ©© by by All All Rights Rights Reserved. Reserved, Reproduction Reproduction sIs strictly Prohibited. Strictly Prohibited. | Digital Evidence Sources: Bandwidth Monitors Bandwidth monitors are tools used to evaluate the available bandwidth from the allocated bandwidth on a local system. Bandwidth monitoring is a familiar method to obtain a better perspective of the actual range of the network traffic. Using these tools, investigators can perceive the events of a network by comparing the network behavior with the standard baseline. Network traffic analysis using bandwidth monitors provides clear insights into an incident; moreover, it provides evidence, discovers the footprints of attackers, and identifies the degree of damage. Unintended bandwidth utilization can be an indicator of data exfiltration. Flow collectors generally create this bandwidth utilization report for analysis. Network traffic analysis using bandwidth monitors assists an organization in recreating an outline of an attack and understand how the attacker progressed across the network. This type of analysis discloses timestamps, port numbers, and malicious packets. Using this information, security professionals can understand the scope of breach, mechanics of the initial exploitation, and the possible damage caused by the breach. Investigators can use tools such as SolarWinds Network Bandwidth Analyzer Pack, NetFlow Traffic Analyzer, and PRTG Network Monitor to analyze the bandwidth usage. Digital Evidence Sources: Metadata Most computing systems, applications, and storage media create some type of long-lasting metadata that might be investigated during incident analysis. The metadata present in file system snapshots can help in easily understanding incidents during the investigation process, which might include unapproved deletion and modification of files. With the combination of digital forensic software and scanning tools, file systems provide information about the Module 20 Page 2234 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics potential malware, auditing data, and access management systems. They also assist in retracing previous activities with a subset of information. Investigators can use tools such as Metadata Assistant, Paraben P2 Commander, and Metashield to analyze metadata. Metadata can be acquired from various data sources such as: Email: Email is one of the most familiar communication formats that is becoming an increasingly significant source of investigative data for intelligence analysts. The analysis of emails is often considered to be a task that requires forensic expertise owing to the challenges encountered in converting and modeling this type of data. An email sent or received contains an internet header that provides detailed information regarding the message, recipient, sender address, and hosts it has transmitted through. Because an email is routed through multiple Message Transfer Agents (MTAs), every MTA appends significant information in each received header such as spam results and other metadata, which can be analyzed during the investigation process. Mobile: Mobile devices contain information including incoming and outgoing call history, contacts, SMS, pictures, videos, app data, system files, usage logs, and other metadata. Incident responders perform mobile forensics to discover digital evidence from mobile devices. The device location history (a sort of metadata) can be identified by the used cell tower, which can help in analyzing malicious insider attacks. Mobile call details can be accessed by specific law enforcement agencies based on a set of policies and with the consent of device owner. Following the right procedures and guidelines is an important prerequisite for the inspection of mobile devices. Web: The internet provides a significant challenge to the collection and preservation of metadata. A webpage is a file that comprises content and links, which are structured with HTML. The accessible webpages are situated on a webserver and can be with a website address. For an investigator, webpage artifacts that are stored on a device may act as evidence in an investigation. These artifacts include internet browser history, downloaded files, and cookie files. Based on the investigation, an investigator might inspect servers for evidence. Server- side information might constitute files, which include log files, software codes, and databases. This information might connect to webpages or files on a device. An investigator can inspect server-side headers, their properties, and other files by examining the relationship between the webpage and browser on the user device. The header contents can also be investigated by the standard tools implemented on the browser. The investigator might also examine server logs for information such as IP address and user account activities. File System: File system tracing has the widest capability of providing investigators with information related to the events in a system. File systems leave a forensic footprint that might contain data that include a modification in a file, creation or deletion of a file, increase or decrease in space utilization, and log of process events. Module 20 Page 2235 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics The collection of file system data depends on the OS used and the state of the system. In all cases, a file system must be preserved as close to the condition where it was first impacted as possible. Changes are indefinite; when a system boots, it can significantly change the file system access times, file size, and other essential information during reconstruction. File system activities on files will not delete a file entirely; they are forensically available for a certain period. Module 20 Page 2236 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Digital Evidence Sources: NetFlow O NetFlow is a network protocol used to ;) itor, and flow as it passes through load balancers, switches, and other routing devices QQO It inspects the traffic flow and Itinspects istics i that help investigators in bandwidth monitoring, threat detection, aggregation, and forensic analysis NetFlow-enabled Device Traffic flow Device Traffic flow o4 B § =g AFFy Traffic Traffic flow ----'5_. B N * Source/Destination 1P NetFlow cache addresses dd = = RS Flow information Packet Packet/Bytes * IPversion == Source/Destination Source/Destination Addresses, ports.. (11003 1435 port numbers Next entry.. Next entry.. = Source Interface Source Interface Creating a flow record * Packets Packets or bytes Copyright © by E Digital Evidence Sources: NetFlow NetFlow is a network protocol used to gather, monitor, and analyze the network traffic flow as it passes through load balancers, switches, and other routing devices. Instead of analyzing each packet, NetFlow helps security investigators to analyze the entire traffic flow. These flows include a group of unidirectional sequence of packets or datagrams that have some common traits such as source/destination address, port number, or other fields. Consequently, instead of maintaining the record of every single packet, a single record for the entire flow or conversation is recorded. NetFlow-enabled network devices (such as routers) process all IP datagrams entering and exiting their interface. Then, NetFlow inspects the traffic flow and generates flow statistics that help investigators in bandwidth monitoring, threat detection, aggregation, and forensic analysis. NetFlow utilizes matching criteria to detect new flows in the network. For each flow, it collects and records packets into flows depending on the following criteria: = Source/destination IP address = |P protocol version »= Source/destination port number (such as TCP/UDP) = Source Interface = Packets or bytes Each data packet that is ready to be processed is analyzed for the aforementioned criteria. The initial packet generates a flow record in the NetFlow cache. The packet is then transmitted from the NetFlow-enabled device. The remaining packets matching the same criteria are Module 20 Page 2237 Certified Cybersecurity Technician Copyright © by EG-Council EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics accumulated to this flow record and the byte/packet counter is incremented for each additional entry until the communication between the hosts involved in a flow is terminated. NetFlow-enabled Device Traffic flow Traffic flow Traffic flow Traffic flow ----E_.- [00 [0OO [0 T * Source/Destination IP NetFlow cache addresses T; ” Flow information Packet Packet/Bytes * |Pversion |P version s Source/Destination Addresses, ports.. (11003 1435 port numbers Next entry.. * Source Interface Creating a flow record * Packets or bytes Figure 20.4: Working of NetFlow Module 20 Page 2238 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.