Any system connected to the Internet is vulnerable to malicious attacks and breaches. If it’s online, there’s someone out there trying to break into it and do something bad with it (usually stealing data). Plain and simple. To protect your most valuable assets, you need bulletproof security measures, a skilled SecOps team, robust investigation tools, and reliable prevention/mitigation strategies. Forensic analysis is one of those highly reliable approaches to enforce a strong cybersecurity posture, and can be made even more scientific when coupled with wise log management.
If you need to spot a potentially threatening anomaly somewhere in your infrastructure, and you want to hit the bullseye, you need to start by parsing logs first and foremost. Events and logs represent a precious resource during your forensic analysis efforts. They are the first place you should want to drill into when looking for the cause of your issues or detecting a potential vulnerability. Log analysis gives your investigators the much-needed knowledge of your system status and your network’s landscape, and logs are always the starting point for any root cause investigation.
What is a forensic analysis?
To better understand what forensic analysis is, think about how a crime investigation is conducted in CSI. Starting from crime scene analysts down to detectives and coroners, everyone involved in the forensic process collects and analyzes evidence that is used to reconstruct the events surrounding the crime. In a nutshell, each bit of information represents a data point that helps the analysts with a better overview of the series of events that caused the breach.
The purpose of digital forensic models is to understand what happened before, during, and after the hack. Instead of looking for the bullets around a dead body, cybersecurity experts investigate the cybercrime scene to spot digital evidence. In defining how a cyberattack was carried out, the digital forensic investigator understands where the attack originated, the method used to breach your defenses, and the weak spots in the security perimeter. The purpose is to understand how the malicious actor got access to the network, which vulnerabilities have been exploited, the extent of damage that has been caused, and if there’s still some lingering code left behind.
Why is log data a precious source of information in digital forensics?
To improve your cybersecurity and mitigate threats with log forensic analysis, you need to examine the evidence and search for relevant information about the attack, the damage it caused, and the malicious actor’s access points. Logs constitute this evidence, as well as the basic resource you will use to fuel your security information and event management (SIEM) solutions later on. All the event information that is collected from logs must be parsed and analyzed to be integrated into the SIEM and SOAR solutions, and prevent bad stuff from occurring once again.
Naturally, if logs are not centralized and aggregated, this task is nigh impossible and will require a lot more time (not to mention that you’re going to miss a lot of vital information). If enough logs are ingested and valuable information is extracted, all this data can be used to refine your automated log collection processes. This way, you can use Graylog’s log correlation features to send you an alert whenever an anomaly that resembles that previous cyberattack is found, helping you put a proactive defense strategy in place.
Log forensic analysis: best practices
While analyzing an incident, you must be sure not to destroy or alter your evidence. Just like the police, no one should touch anything in the crime scene. Here are some best practices you want to follow to collect the right logs at the right time:
• Always collect the logs before formatting or even just rebooting the system.
• Do not carry out any system-wide activity such as installing a new tool on the infected machine before the forensic analysis is carried out.
• Windows Operating System logs: Save the application, security, and system logs from the event viewer.
• Linux Operating System logs: save boot.log, auth.log, kern.log, messages, utmp, and wtmp from the /var/log/ directory.
• Save the antivirus logs in case of a malware attack.
• If you’re dealing with unauthorized access, collect all app server logs, application logs, web server logs, database logs, firewall logs, switch or router logs, and any other logs where an authorization decision was recorded.
• In case of a network hack, collect the logs of all the other devices found on the route to the hacked one. ISP router logs are also useful.
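The Linux step above names the files to save, but the "do not alter your evidence" rule also means the copies must be shown to be unchanged later. The following script is an added example (not from the original post or from Graylog): it copies whichever of the listed files exist from a source log directory into a read-only evidence directory, keeping timestamps, records SHA-256 hashes, and re-checks them on demand. The directory paths are assumptions and the log lines in demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: preserve the Linux logs listed above
# into a read-only evidence directory and record SHA-256 hashes so a later analyst
# can show the copies were not altered. Paths are assumptions; demo() data is constructed.

# The files the post lists under /var/log ("messages" is the syslog file name).
LOG_FILES="boot.log auth.log kern.log messages utmp wtmp"

# preserve_logs SRC_DIR DEST_DIR
# Copies each listed log that exists in SRC_DIR into DEST_DIR, keeps the original
# mtime (useful for the timeline), makes the copy read-only, appends its hash to
# DEST_DIR/SHA256SUMS, and prints the number of files preserved.
preserve_logs() {
  src="$1"
  dest="$2"
  mkdir -p "$dest" || return 1
  : > "$dest/SHA256SUMS"
  count=0
  for f in $LOG_FILES; do
    if [ -f "$src/$f" ]; then
      cp -p "$src/$f" "$dest/$f" || return 1
      chmod 0444 "$dest/$f"
      (cd "$dest" && sha256sum "$f") >> "$dest/SHA256SUMS"
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# verify_logs DEST_DIR
# Re-computes the hashes of the preserved copies; returns 0 only if all still match.
verify_logs() {
  (cd "$1" && sha256sum -c SHA256SUMS) >/dev/null 2>&1
}

# demo: builds a constructed source directory with two fake logs, preserves them,
# then shows that a modification to one of the copies is detected.
demo() {
  work=$(mktemp -d)
  mkdir "$work/log"
  printf '%s\n' \
    'Mar  3 10:14:02 host sshd[812]: Failed password for root from 203.0.113.5 port 40212 ssh2' \
    'Mar  3 10:14:05 host sshd[812]: Accepted password for deploy from 203.0.113.5 port 40212 ssh2' \
    > "$work/log/auth.log"
  printf '%s\n' 'Mar  3 10:15:40 host kernel: usb 1-1: new high-speed USB device number 4' \
    > "$work/log/kern.log"
  n=$(preserve_logs "$work/log" "$work/evidence")
  echo "preserved $n log file(s) into $work/evidence"
  verify_logs "$work/evidence" && echo "integrity check: OK"
  chmod u+w "$work/evidence/auth.log"
  echo 'unexpected edit' >> "$work/evidence/auth.log"
  verify_logs "$work/evidence" || echo "integrity check: FAILED (a copy was modified)"
  rm -rf "$work"
}

demo
```

On a real host you would call preserve_logs /var/log /mnt/evidence/hostname-date (paths assumed here) from removable or network storage before any reboot or tool installation, and keep SHA256SUMS with the case notes so the hashes can be re-checked by whoever analyzes the copies later. The -p flag on cp is what keeps the original modification times, which matter when you reconstruct the order of events.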
Mitigating threats requires a multi-layer cybersecurity approach that starts with watertight prevention strategies and ends with robust digital forensic models. As cyberattacks will likely strike your enterprise at some point, drawing information from event logs will be instrumental in your cybersecurity strategy, both to mitigate them and to restore your systems to normal operation.