Threat Intelligence Lab

Logs for Incident Response

Logs for Incident Response

Written by

Reza Rafati
— in

ThreatIntelligenceLab.com

Logs are at the heart of any good incident response plan. They’re the detailed records that show us the actions of attackers, helping us track their movements and understand their methods.

This information is crucial not only for stopping the current threat but also for making sure we’re better prepared for the next one. Plus, logs are super important for meeting legal requirements, proving that we’ve done our part to protect our systems.

But having logs isn’t enough; it’s what you do with them that really matters.

This means setting up a good system for managing your logs, making sure you’re keeping track of all the right information from all your systems and devices, and using the right tools to go through all that data.

Connecting dots between different logs can reveal attack patterns we might miss otherwise.

Infected system

Starting Points: Understanding the Role of Logs

  • Every attacker leaves behind clues. That’s a fact!
  • The tricky part is figuring out what those clues are and where to find them.
  • Most of the time, we don’t know why they did what they did.
  • The first place to start looking? Logs.

Types of Logs: Getting your logs right

In the realm of cybersecurity, log data is akin to the lifeblood of incident response and monitoring.

Consequently, these detailed records capture a wealth of information about the activities within an IT environment, thereby offering insights that are critical for detecting, understanding, and responding to security incidents.

Audit Logs

These logs record sequences of activities or changes in systems, providing a trail that can be audited for security and compliance purposes. They are crucial for tracking unauthorized access attempts, changes in user privileges, and other significant events that might indicate a security breach.

Transaction Logs

In the context of databases and business applications, transaction logs record all transactions that have been processed. They help in understanding the flow of data and can be vital in investigating incidents related to data integrity or loss.

Intrusion Logs

Generated by intrusion detection systems (IDS) and intrusion prevention systems (IPS), these logs document potential security breaches, including attempted and successful unauthorized access, malware infections, and other malicious activities.

Connection Logs

These logs keep track of network connections, such as incoming and outgoing connections to and from the network. They can be used to identify unusual patterns of activity that might suggest a cyberattack.

System Performance Records

These logs provide information on the health and performance of systems, including CPU usage, memory use, and disk activity. While not directly related to security, they can help identify potential security incidents impacting system performance. For example, bitcoin miners increase system load.

User Activity Logs

User activity logs monitor and record actions taken by users, such as login attempts, file accesses, and system changes. Monitoring these logs is essential for spotting suspicious behavior that could indicate a compromised account.

Log file showing malicious activity

Sources of Log Data

Starting from network perimeter defenses such as firewalls and intrusion prevention systems, and moving to the core of your IT infrastructure, including servers, databases, and business applications, log data captures a detailed record of events.

Here are some systems where you can get log data:

Firewalls/Intrusion Prevention Systems:

These devices generate logs that detail traffic flow, blocked connections, and potential attacks detected at the network perimeter, thus offering a critical line of defense by monitoring and alerting on potential security threats.

Routers/Switches:

Network devices produce logs that offer visibility into the traffic patterns across the network, helping in the detection of anomalies that could signal an attack.

Intrusion Detection Systems:

IDS actively identify potential security breaches through traffic analysis and known attack signatures, generating logs rich with security incident data.

Servers, Desktops, Mainframes:

Operating systems and applications on these devices log various activities, such as system errors, access attempts, and configuration changes. As a result, they provide a comprehensive view of the security state of these systems, allowing for a thorough understanding and monitoring of potential vulnerabilities.

Logs for Servers, Desktops, Mainframes

Business Applications:

Business-specific applications generate logs that reveal unauthorized access attempts, data manipulation, and other actions that could compromise business integrity.

Databases:

Database logs track all queries and transactions, which becomes crucial for investigating unauthorized data access or modifications. This tracking thus plays a key role in safeguarding data integrity and security.

Anti-Virus:

Anti-virus software logs record detected malware, scan results, and cleanup actions, crucial for grasping the malware threat landscape within the organization.

VPNs:

Virtual Private Network logs contain details about user connections, thereby providing insights into remote access activities and potential unauthorized access through VPN services. Consequently, this information becomes essential for monitoring and securing remote connectivity, offering a foundational layer of defense against potential cyber threats exploiting VPN services.

Windows logging

Windows event log files serve as centralized repositories for the OS and applications to record important software, security, and system events.

Application Log

This log records events related to Windows applications. It includes errors, informational events, and warnings generated by software applications. For cybersecurity and IT professionals, the application log is a treasure trove of information about application behavior, failures, and operational issues that could indicate problems or security concerns within the software environment.

Security Log

The security log is critical for monitoring and identifying security-related activities on Windows systems. It tracks events such as successful and failed login attempts, changes to user privileges, and other security actions. This log is invaluable for detecting unauthorized access attempts, understanding user activity patterns, and ensuring compliance with security policies.

System Log

This log records events related to the Windows operating system, including system startup, shutdown, driver failures, hardware malfunctions, and other system-level events. It helps analyze the system’s operational integrity and security issues, aiding in effectively addressing and mitigating risks.

File Replication Service (FRS) Log

Located on Domain Controllers, this log records events specific to the Windows operating system, including system startup and shutdown, driver failures, hardware malfunctions, and other system-level events. Consequently, it plays a crucial role in monitoring and maintaining the health and security of the domain, providing insights necessary for proactive management and response.

DNS Server Logs

Domain controllers often serve as DNS servers, translating domain names into IP addresses. The DNS server logs record activities related to DNS operations, such as query requests and responses.

Summary

In summary, organizations can boost resilience against cyber threats and safeguard their systems and data by managing log files effectively, following structured incident response methods, and using available log data wisely.

Written by

Reza Rafati
Reza Rafati is an experienced cyber security professional. He is the founder of Threat Intelligence Lab. He has extensive experience in the field of cyber threat intelligence, cyber takedowns, and cyber threat landscapes.