There are network log sources that can provide CSIRT personnel and incident responders with good information. Each network device provides different evidence depending on its manufacturer and model. As a preparation task, CSIRT personnel should become familiar with how to access these devices in order to obtain the necessary evidence, or should have existing communication structures in place to engage IT personnel to assist with the proper response techniques during an incident.
Network devices such as switches, routers, and firewalls also have their own internal logs that maintain data on who accessed the device and made changes. Incident responders should become familiar with the types of network device on their organization's network and should be able to access these logs in the event of an incident:
- Switches: These are spread throughout a network through a combination of core switches that handle traffic from a range of network segments and edge switches that handle traffic for individual segments. As a result, traffic that originates on a host and travels out of the internal network will traverse a number of switches. Switches have two key points of evidence that should be addressed by incident responders. The first is the Content Addressable Memory (CAM) table. This CAM table maps the physical ports on the switch to the MAC address of the Network Interface Card (NIC) on each device connected to the switch. Incident responders tracing connections to specific network jacks can utilize this information. This can aid the identification of possible rogue devices such as wireless access points or systems connected to the internal network by an adversary. The second way in which switches can aid an incident investigation is by facilitating network traffic capture.
- Routers: Routers allow organizations to connect multiple LANs into either a Metropolitan Area Network (MAN) or a Wide Area Network (WAN). As a result, they handle an extensive amount of traffic. The key piece of evidentiary information that routers contain is the routing table. This table holds the information for specific physical ports that map to the networks. Routers can also be configured to deny specific traffic between networks and maintain logs on allowed traffic and data flows. Another significant source of evidence that routers can provide is NetFlow data. NetFlow provides data on IP addresses, ports, and protocols of network traffic. This data can be utilized to determine the flow of traffic from various segments of the network (NetFlow will be covered in greater detail later in this chapter).
- Firewalls: Firewalls have changed significantly since the days when they were just considered to be a different type of router. Next-generation firewalls contain a wide variety of features such as intrusion detection and prevention, web filtering, data loss prevention, and detailed logs about allowed and denied traffic. Often, firewalls serve as a detection mechanism that alerts security personnel to potential incidents. This can include alerts from features such as IDS/IPS systems, blacklists of known bad URLs or IP addresses, or alerts flagging configuration changes to the firewall without the knowledge of IT personnel. Incident responders should have as much visibility as possible of how their organization's firewalls function and what data can be obtained prior to an incident.
- Network intrusion detection and prevention systems: These systems were purposefully designed to provide security personnel and incident responders with information concerning potential malicious activity on the network infrastructure. These systems utilize a combination of network monitoring and rulesets to determine whether there is any malicious activity. Intrusion Detection Systems (IDSes) are often configured to alert you to a specific malicious activity, while an Intrusion Prevention System (IPS) can detect, but also block, potential malicious activity. In either case, the logs of both types of platform are an excellent place for incident responders to locate specific evidence on malicious activity.
- Web proxy servers: Organizations often utilize web proxy servers to control how users interact with websites and other internet-based resources. As a result, these devices can give an enterprise-wide picture of web traffic that both originates with and is destined for internal hosts. Web proxies also have additional features such as alerting security personnel to connections to known malware C2 servers or websites that serve up malware. A review of web proxy logs in conjunction with a possibly compromised host may identify a source of malicious traffic or a C2 server exerting control over the host.
- Domain controllers or authentication servers: Serving the entire network domain, authentication servers are the primary location that incident responders can leverage for details on successful or unsuccessful logins, credential manipulation, or other credential uses.
- DHCP server: Maintaining a list of assigned IP addresses for workstations or laptops within the organization requires an inordinate amount of upkeep. The use of Dynamic Host Configuration Protocol (DHCP) allows for the dynamic assignment of IP addresses to systems on the LAN. DHCP servers often contain logs on the assignment of IP addresses mapped to the MAC address of the host's NIC. This becomes important if an incident responder has to track down a specific workstation or laptop that was connected to the network at a specific date and time.
- Application servers: A wide range of applications from email to web applications is housed on network servers. Each of these can provide logs that are specific to the type of application. Also of interest during an incident investigation are any logs pertaining to remote connections. Adversaries will often pivot from a compromised system to servers in order to gain access to confidential data or for other follow-up activities.
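As an added example (not from the chapter), the following Python script shows the tracing step that the switch and DHCP server bullets above describe: given an IP address and a timestamp, the DHCP log yields the MAC address and hostname that held the lease at that instant, and the edge switch's CAM table then yields the physical port. The log lines, the CAM table layout, and all addresses and hostnames are constructed for the example, and the ISC dhcpd-style and Cisco-style formats are assumptions.

```python
import re
from datetime import datetime

# Constructed DHCP server log (ISC dhcpd-style syslog lines; the format is assumed, not from the chapter).
DHCP_LOG = """\
Mar 14 08:55:10 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (WS-ACCT-07) via eth0
Mar 14 09:40:02 dhcp1 dhcpd: DHCPRELEASE of 10.1.5.23 from 00:11:22:33:44:55 (WS-ACCT-07) via eth0 (found)
Mar 14 09:41:30 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to aa:bb:cc:dd:ee:ff (UNKNOWN-LAPTOP) via eth0
"""
# Constructed CAM table dump (Cisco-style "show mac address-table" layout, also assumed).
CAM_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/12
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/31
"""
TS = "%b %d %H:%M:%S"  # syslog timestamps carry no year; all lines are assumed to fall in one year
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCP(?P<kind>ACK|RELEASE) "
    r"(?:on|of) (?P<ip>\S+) (?:to|from) (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))?"
)

def normalize_mac(mac):
    """Reduce any common MAC spelling (aa:bb:.., aabb.ccdd.eeff, AA-BB-..) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def lease_holder_at(log, ip, when):
    """(mac, hostname) that held `ip` at `when` (e.g. "Mar 14 09:15:00"), or None if no lease was active.
    A lease runs from its DHCPACK until the next DHCPACK or DHCPRELEASE for the same IP."""
    target = datetime.strptime(when, TS)
    holder = None
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["ip"] != ip:
            continue
        if datetime.strptime(m["ts"], TS) > target:
            break  # the log is chronological, so later events cannot affect the queried instant
        holder = (normalize_mac(m["mac"]), m["host"]) if m["kind"] == "ACK" else None
    return holder

def switch_port_for(cam, mac):
    """Physical switch port that learned `mac` in a CAM table dump, or None if it is not present."""
    for fields in (line.split() for line in cam.splitlines()):
        if len(fields) == 4 and normalize_mac(fields[1]) == normalize_mac(mac):
            return fields[3]
    return None

def trace_ip_to_port(log, cam, ip, when):
    """Chain the two lookups: IP + time -> MAC/hostname (DHCP log) -> physical port (CAM table)."""
    holder = lease_holder_at(log, ip, when)
    return None if holder is None else {"mac": holder[0], "hostname": holder[1], "port": switch_port_for(cam, holder[0])}
```

Note that the same IP resolves to a different machine and port before and after the release at 09:40:02, which is exactly why the timestamp must be part of the query.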