Invitation to Cybersecurity

8. The Means of Cybersecurity: Access Control 213

and when it was last modified. The Windows OS saves deleted files in a trash folder for a period of time. These records can also be valuable sources of accounting information.

On a local area network, network appliances such as routers and firewalls log information about packets sent and received. These logs might contain information about websites visited, computers logged into, and data accessed. This data can be associated with users through the IP addresses of the devices the user signed into.

Packet sniffers like Wireshark are also a type of logging. They record packets sent and received in a packet capture (PCAP) file. Packet sniffers record entire packets, so PCAP files can grow large quickly. They can be used with filters to record only packets meeting specific criteria, which narrows their scope. For logging purposes, packet sniffers are likely used only for a set period of time and for a particular purpose.

Network logging is important for network maintenance and support because it provides information about the resources being used. For example, logs can record user connections to a wireless network access point (AP). If an AP can only support 100 connections at once and it is commonly handling 90 or more, this is an indication that the wireless network infrastructure might need to be upgraded. Similarly, printers, copiers, and voice-over-IP (VOIP) phones can keep logs of all their activity. These logs are important for IT support purposes, but they can also be useful for accounting.

Logs are not only kept and controlled by users and by system and network administrators on local devices and networks. Logs are also kept in cyberspace by third parties. These logs are invisible to users and are outside of their control. More on this in Section 9.2.5.4.

8.3.1 Analyzing Logs

Logging is a key part of accounting, but accounting also includes the processing and analysis of logs.
Logs can be analyzed to create detailed pictures of cyberspace activity. This is vital for cybersecurity because bad actors leave behind breadcrumbs in the form of explicit and implicit logs. Logs can be analyzed actively for indicators of compromise (IOCs) to determine that a cyber incident has occurred, and they can also be analyzed after a known incident by cyber forensic experts to determine how it happened and what the hacker did with his unauthorized access. After an incident, logs can reveal the dates on which hackers were active and what data they accessed, modified, deleted, and exfiltrated. Logs can also be used to uncover the real-life identity of hackers so that they can be arrested, and logs can serve as evidence in a court of law to help convict bad actors. Using logs to identify whether an incident has occurred or whether hackers are probing an organization is an active and ongoing process. Experienced hackers use tradecraft to remain as quiet as possible and to make it difficult for their activity to be noticed and flagged, while inexperienced hackers may “make a lot of noise” as they bump around within the cyberspace of an organization. Logs need to be analyzed to discover all kinds of suspicious activity, but the massive volume of data generated by logs is mostly filled with normal events. How does one find the proverbial needles in the haystack that might need to be investigated?
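As an added illustration (not part of the textbook), the following script shows the two uses of log analysis described above on a small set of constructed file-server log lines: an active check that flags a sign-in source whose repeated failures are followed by a success, and an after-the-fact timeline of the dates that account was active and the files it touched. The log format, host names, user names, addresses and paths are all assumed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real system): "<date> <time> <host> <event> user=<u> src=<ip> [file=<path>]"
SAMPLE_LOG = """\
2024-03-01 09:12:05 fileserver LOGIN_OK user=alice src=10.0.0.12
2024-03-01 09:13:40 fileserver FILE_READ user=alice src=10.0.0.12 file=/shared/report.docx
2024-03-01 23:41:02 fileserver LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01 23:41:05 fileserver LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01 23:41:09 fileserver LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01 23:41:12 fileserver LOGIN_OK user=bob src=203.0.113.7
2024-03-02 00:02:33 fileserver FILE_READ user=bob src=203.0.113.7 file=/finance/payroll.xlsx
2024-03-02 00:05:10 fileserver FILE_DELETE user=bob src=203.0.113.7 file=/finance/audit.log
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: file=(?P<file>\S+))?$"
)

def parse_log(text):
    """Parse each line into a dict of fields; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]

def find_brute_force(entries, threshold=3):
    """Active analysis: flag (user, src) pairs with >= threshold consecutive failures followed by a success."""
    fails = defaultdict(int)
    flagged = set()
    for e in entries:
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_FAIL":
            fails[key] += 1
        elif e["event"] == "LOGIN_OK":
            if fails[key] >= threshold:
                flagged.add(key)
            fails[key] = 0  # a success resets the failure streak
    return flagged

def activity_timeline(entries, user, src):
    """Forensic analysis: the dates a (user, src) pair was active and the files it touched, in order."""
    dates = sorted({e["date"] for e in entries if (e["user"], e["src"]) == (user, src)})
    files = [(e["event"], e["file"]) for e in entries
             if (e["user"], e["src"]) == (user, src) and e["file"]]
    return dates, files

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for user, src in sorted(find_brute_force(entries)):
        print(user, src, activity_timeline(entries, user, src))
```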