Log story short, you only look for the log when it is needed, and by then it may have already rotted away (deleted).
Log files are collections of data produced by most, if not all, programs, services, and processes that run within an environment. The information they hold can range from purely informational to red-light-swirling, siren-blaring important. Although their importance is often underestimated by businesses and organisations, log files provide a large part of the story when investigating an Incident Response engagement, and you don’t want to be caught short without them.
There are four key log types, with some examples of each[1]:
· Networking
  o Email
  o VPN
  o Firewall
· System
  o PowerShell
  o Active Directory
  o Authentication
  o Endpoint
· Technical
  o DNS
  o Proxy
  o FTP
  o SQL
· Security & Monitoring Tools
  o Anti-Virus tools
  o System Security Logs
Our Digital Forensics and Incident Response (DFIR) and Security Operations Centre (SOC) team at InPhySec provides security services both to established clients and to new clients who reach out when they require assistance with an incident. One of the key pieces of evidence on which we can provide expert analysis is log files.
That being said, we regularly assist businesses that either:
1. Do not realise the importance of logs, or
2. Do not have log aggregation policies/procedures in place, or
3. Do not realise the importance of logs and do not have log aggregation policies/procedures in place.
Logs provide comprehensive and valuable information which, if not captured and used, can affect a business’s bottom line.
They allow us to accurately identify:
1. What has happened?
2. What is the impact?
3. What can we do about it?
One example of a question clients bring to us, and one with huge potential for problems, is “has data exfiltration occurred?” What could be a quick turnaround from preserving, collecting, and identifying evidence through to reporting findings can turn into an epic process when logs have not been collected.
According to the CERTNZ 2020 report summary, there was a 65% increase from 2019 in cyber-related incidents[2]. If the past is anything to go by, we believe we will see a similar upward trend in the future if companies do not better prepare themselves to deal with such incidents.
So, to log or not to log… for us, the answer is fairly obvious. If you need any assistance with checking that you have the correct settings in place for logging, please reach out to us at InPhySec.
Written by Rory Wagner, InPhySec Digital Forensics & Incident Response (DFIR) Analyst
[1] https://www.rsa.com/en-us/blog/2016-09/the-realm-of-threat-intelligence-the-logs-are-dead-long-live-the-logs
[2] https://www.cert.govt.nz/about/quarterly-report/2020-report-summary/