Log files may be available that reveal every phase of an attack, from the initial delivery of a phishing email through to the exfiltration of sensitive data.
Log analysis, however, brings its own set of problems to be solved:
- What sources of log data are available?
- How do you best aggregate the data?
- How do you query the data?
Potentially useful sources of data include email systems, DNS servers, DHCP servers, VPN logs, Syslog data, routers, firewalls, servers and Windows Event Logs, all of which arrive in different formats and so may not be easy to correlate. A good log analysis platform overcomes these problems and gives intrusion analysts access to the data they need in order to do their job. Once this data has been aggregated in a suitable analysis system, it becomes possible to see the timeline of an attack as it develops, assuming you know what to look for.
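As an added illustration (not code from the original article), the Python below takes constructed sample lines in four different formats (mail gateway syslog, a BIND-style DNS query log, a firewall CSV export and a Windows Security event rendered as text; the formats, hosts and addresses are all assumed for the example) and maps them onto one common schema so they can be ordered into a single timeline and pivoted on a host. It also shows the correlation gap the paragraph alludes to: the workstation name in the Windows event and the IP address in the DNS and firewall lines only join once DHCP lease data is brought in.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real logs) in four source formats: mail gateway syslog,
# BIND-style DNS query log, firewall CSV export, Windows Security event rendered as text.
SAMPLE_LOGS = [
    "Mar 14 09:02:11 mailgw postfix/smtpd[1203]: delivered to user@example.org from bulk@phish.example",
    "14-Mar-2024 09:05:43.120 queries: info: client 10.0.0.17#51234: query: login.phish.example IN A",
    "2024-03-14T09:06:01Z,ALLOW,10.0.0.17,203.0.113.9,443",
    "2024-03-14 09:07:30,4688,WORKSTATION7,New process created: powershell.exe",
]

# One (source, regex, timestamp format) entry per format. Every regex exposes the same named
# groups ts/host/msg, which is what lets very different formats share one schema.
FORMATS = [
    ("mail", r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)", "%b %d %H:%M:%S"),
    ("dns", r"(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ queries: info: client (?P<host>[\d.]+)#\d+: (?P<msg>query: .*)", "%d-%b-%Y %H:%M:%S"),
    ("firewall", r"(?P<ts>\S+Z),(?P<msg>\w+),(?P<host>[\d.]+),(?P<dst>[\d.]+),(?P<dport>\d+)$", "%Y-%m-%dT%H:%M:%SZ"),
    ("windows", r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<eid>\d+),(?P<host>[^,]+),(?P<msg>.*)", "%Y-%m-%d %H:%M:%S"),
]

def normalize(line, default_year=2024):
    """Map one raw line onto the common schema, or return None if no known format matches."""
    for source, pattern, fmt in FORMATS:
        m = re.match(pattern, line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), fmt).replace(tzinfo=timezone.utc)
        if ts.year == 1900:  # syslog timestamps carry no year; strptime defaults to 1900
            ts = ts.replace(year=default_year)
        extras = {k: v for k, v in m.groupdict().items() if k not in ("ts", "host", "msg")}
        return {"ts": ts, "source": source, "host": m.group("host"), "message": m.group("msg"), **extras}
    return None

def build_timeline(lines):
    """Normalize every line and order the records chronologically across all sources."""
    return sorted((r for r in map(normalize, lines) if r), key=lambda r: r["ts"])

def events_for_host(timeline, host):
    """Pivot on one host or IP. WORKSTATION7 and 10.0.0.17 only join once DHCP leases are added."""
    return [r for r in timeline if r["host"] == host]

if __name__ == "__main__":
    for r in build_timeline(SAMPLE_LOGS):
        print(r["ts"].isoformat(), r["source"], r["host"], r["message"])
```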
The best intrusion analysts understand the mindset of the attacker and know his methods; this helps them hunt the attacker down. Knowing how the attacker will develop his compromise and pursue his objectives, and what evidence that activity leaves behind in log files, is fundamental to uncovering new threats in your environment.