For the ninth day of Cyber Security Awareness Month we will consider how you can use log and audit analysis to identify an intrusion or incident. Remember that in step one, Preparation, you should be putting in place automatic logging facilities so that you'll have the ability to look backwards in time to reconstruct an incident. But what about using those logging facilities to detect an event or series of events that can rise to the level of an incident?
The classic example of using log analysis to identify a problem is the story behind The Cuckoo's Egg, one of the most popular books on computer security investigations. By the way, that story is twenty years old now, but if you read the book today it's almost like it could have been written in the past few years because so many of the problems and techniques are still common today. For a more contemporary essay, see Roger Meyer's GIAC paper in the SANS Reading Room where he explains how he used web application logs to identify an intrusion.
If you have uncovered an incident using log or audit analysis, please send us a note using our contact form and tell us about it. We'll share your stories with other readers throughout the day by adding them to this diary.
An anonymous reader sent us this:
After doing some research on common/popular trojans which steal confidential information in order to:
Marcus H. Sachs
Oct 9th 2008
Oct 9th 2008
1 decade ago