Tuesday, August 11, 2015

Log Jam

Today's post was born from a question posed to me during a recent interview. Given my druthers, what log sources would I deem most "important" when performing an assessment for a client?

To say I've worked with a few logs would be like saying Ted Bundy only killed a few people. I need to find a cuddlier metaphor... Problem being, I was never in a position to be the architect of that log ingestion. I got what I got and I was the analyst, so shut up and deal with it, monkey. However, if I had my way and could get whatever I wanted from the client, which logs are most valuable when either performing an assessment of a company's security posture or with a mind to future investigations?

I came up with the following list. This was my official answer to the question and while I had some help from my peers when dealing with perspective, the actual list is my own opinion and by no means exhaustive. YMMV as to what constitutes important and I'm always open to different perspectives. I divided these up over Network and Host, using the Kill Chain as a guide.


Network

What: Firewall logs
Why: Track the state of connections, get metrics on denied connections (recon attempts?), auditing for changes.
Kill Chain: Recon

What: DNS Logs
Why: Who's calling out to what and how often. Is DNS traffic being used to mask evil?
Kill Chain: C2

What: Internal Authentication logs (2FA, Auth Proxy, etc.)
Why: APT-type actors try to disappear in normal traffic. Bob always auths to 3 specific servers, why is he suddenly reaching out to 3 new ones?
Kill Chain: AOB

What: Proxy
Why: Traffic Info, GET/POST, bytes in/out. 
Kill Chain: C2, Delivery

What: Email
Why: Phishing
Kill Chain: Delivery, Recon

What: Netflow
Why: Session data. 
Kill Chain: Recon, Delivery, C2
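
The "Bob always auths to 3 specific servers" check from the Internal Authentication entry above, as an added example that is not part of the original post. The log layout, host names and the `parse` / `new_destinations` helpers are assumptions made up for illustration, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records; the field layout is an assumption for this
# example, not a real product's log format.
SAMPLE_LOG = """\
2015-08-03T09:01:12 user=bob dest=fs01 result=success
2015-08-03T09:05:40 user=bob dest=mail01 result=success
2015-08-04T08:58:03 user=bob dest=wiki01 result=success
2015-08-04T10:15:27 user=alice dest=fs01 result=success
2015-08-05T09:02:51 user=bob dest=fs01 result=success
2015-08-05T11:30:09 user=alice dest=hr01 result=success
2015-08-10T23:41:02 user=bob dest=fs01 result=success
2015-08-10T23:44:18 user=bob dest=dc01 result=success
2015-08-10T23:47:55 user=bob dest=sql02 result=failure
2015-08-10T23:52:30 user=bob dest=backup01 result=success
2015-08-10T14:03:11 user=alice dest=fs01 result=success
2015-08-10T14:20:45 user=alice dest=wiki01 result=success
2015-08-10T16:00:00 user=carol dest=fs01 result=success
"""

def parse(line):
    """Return (timestamp, fields) for one record, or None if malformed."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
    except (IndexError, ValueError):
        return None
    return (ts, fields) if {"user", "dest"} <= fields.keys() else None

def new_destinations(log_text, cutoff, threshold=3):
    """Map user -> hosts first seen on/after cutoff, when >= threshold."""
    baseline, recent = defaultdict(set), defaultdict(set)
    for ts, f in filter(None, map(parse, log_text.splitlines())):
        # Failed attempts count too: a denied logon to a new host is still new.
        (recent if ts >= cutoff else baseline)[f["user"]].add(f["dest"])
    alerts = {}
    for user, hosts in recent.items():
        if user not in baseline:  # no history to compare against; skip
            continue
        fresh = hosts - baseline[user]
        if len(fresh) >= threshold:
            alerts[user] = sorted(fresh)
    return alerts

if __name__ == "__main__":
    print(new_destinations(SAMPLE_LOG, datetime(2015, 8, 10)))
```

Accounts with no baseline (carol here) are skipped rather than flagged, so brand-new users need their own review path.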


Host

What: Windows Application/Security/System Logs (anything that logs system changes)
Why: This is where your attacker is going to do his damage. Reg keys/processes/files dropped. I'd think you'd have to create some kind of filter to only log certain things that you know would be indicative of a compromise.
Kill Chain: Exploitation / Installation

What: Endpoint Protection/Monitoring Logs 
Why: I'd want to see what they're downloading, if the download was successful, file names/hashes, commodity malware. 
Kill Chain: Exploitation / Installation / AOB

What: Sysmon (not installed by default, great if you can get it)
Why: Process creation, network connections, boot process events with an eye on kernel-mode malware.
Kill Chain: AOB

Naturally I pinged some people who have been at this far longer than I, asking if I was on the right track. Some general pointers I received add much needed context to the issue. 

  • A log's importance would be relative to the goals of the client. For example, if the client doesn't have reason to be as concerned with APT, your scope changes.
  • Some logs are more valuable for initial detection (proxy) while others are more valuable for an investigation after you already have an alert (Windows logs).
  • Are they just checking relative health? Maybe start towards the end of the Kill Chain. C2, lateral movement, exfil with Auth and Proxy logs being a priority. 

Thank you as always to my go-to experts.

@tigercat6795 (I wish you'd tweet/blog more. You're so friggin' smart)
Ryan Reed (where's your Twitter, fool!?)

1 comment:

  1. Excellent post. Thanks!

    Next in the maturity path: Application logs (SharePoint, proprietary apps, etc).