Gather threat data

Submitted by shevorne.desil… on Thu, 12/28/2023 - 15:49

This topic will introduce organisational and industry requirements for threat data logging and strategies for processing. You will also gain hands-on skills to collect logs from network devices in a simulated networking environment.

In this topic, you will learn about:

  • data log requirements
  • strategies for processing data
  • collecting information from network devices
  • using NetFlow in Cisco Packet Tracer.

Let us begin.

Establishing data log requirements

Establishing data log requirements is the first step in effective threat data analysis. A requirement should state which sources are logged, which events and fields each source must record (at a minimum a synchronised timestamp, the originating system, the actor, the action and its outcome) and for how long records are retained. Logs that meet such requirements give a detailed chronological record of system activity, which is what forensic investigation and threat detection depend on: analysts use them to recognise abnormal patterns, detect unauthorised access and respond before damage spreads. Without well-defined requirements, key events go unrecorded or arrive in inconsistent formats, and the organisation cannot identify, assess and address security threats in a timely manner.

The following two data breach examples demonstrate what data needs to be collected to conduct effective threat data analysis and emphasise the importance of having the proper logging and monitoring controls in organisational systems.

Data breach example 1

Data breach example 2

Knowledge Check

Complete the following activity to check your knowledge and understanding of the key concepts of this topic. You may repeat this activity as often as you like. Use the arrows to move between the different activities.

Security monitoring and logging failures

It is important to remember that without sufficient logging and monitoring, breaches cannot be detected, and those that are detected by other means cannot be properly investigated.

The following video emphasises some of the common failures concerning security monitoring and logging that cyber security analysts should be aware of.

What is sufficient logging?

Sufficient security logging means capturing records of system and network activity that are complete enough to reconstruct what happened: user actions, authentication and access attempts (successful and failed), privilege changes, configuration changes and potential security incidents, each with a synchronised timestamp and the source that generated it. Logging at this level supports timely detection, analysis and response to security threats, forensic investigation and proactive risk management.

Discuss and confirm log requirements

Once all logging requirements have been documented, they need to be discussed and confirmed with the relevant personnel in the organisation.

Discussing and confirming threat data log requirements with relevant personnel and stakeholders is essential for aligning security strategies with organisational needs. Collaborating ensures that the collected data meets both security and operational objectives. Involving key stakeholders, such as IT administrators and compliance officers, helps tailor log requirements to regulatory standards and specific organisational risks. This proactive communication fosters a shared understanding of security goals, promoting a unified threat detection and response approach. Ultimately, engaging with personnel ensures that the data logs generated align with organisational priorities, enhancing the effectiveness of threat analysis and bolstering overall cybersecurity resilience.


Active monitoring and alerting

Active monitoring and alerting in cybersecurity involve real-time scrutiny of network activities for abnormal behaviour or potential threats. Automated systems generate alerts when suspicious patterns are detected, enabling rapid response to mitigate risks. This proactive approach enhances the ability to identify and thwart cyber threats before they cause significant damage.

Requirements for detecting incidents

Detecting cyber threat incidents requires robust monitoring tools, intrusion detection systems, and log analysis capabilities. Real-time analysis of network traffic, system logs, and user activities helps identify anomalies. Additionally, threat intelligence integration and continuous updates to security protocols enhance the ability to detect and respond to evolving cyber threats promptly.
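The alerting described in the two sections above is, in practice, a rule that runs continuously over incoming events and fires when a pattern crosses a threshold. The following Python is an added example (not code from the course page or its video resources) of one such rule: a sliding time window that raises an alert when a single source produces five failed logins inside sixty seconds. The log lines are constructed for the example and only loosely imitate Linux sshd syslog output; the field names and thresholds are assumptions.

```python
"""Sliding-window alerting over authentication events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: syslog-style, one event per line).
SAMPLE_LOG = """\
2024-03-04T09:00:01 host1 sshd[811]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-03-04T09:00:03 host1 sshd[811]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-04T09:00:04 host1 sshd[811]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
2024-03-04T09:00:06 host1 sshd[811]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-04T09:00:08 host1 sshd[811]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-04T09:00:09 host1 sshd[811]: Failed password for bob from 198.51.100.5 port 33000 ssh2
2024-03-04T09:00:10 host1 sshd[811]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-04T09:02:30 host1 sshd[811]: Failed password for bob from 198.51.100.5 port 33001 ssh2
2024-03-04T09:05:00 host1 sshd[811]: Failed password for bob from 198.51.100.5 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Yield (timestamp, outcome, user, source) for every line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source whose failed logins reach `threshold` within `window`.

    A deque per source keeps only the failures that fall inside the window, so the
    rule costs O(1) amortised per event and can run on a live feed rather than a
    batch. The alert is raised at the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, outcome, user, src in sorted(events, key=lambda e: e[0]):
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q), "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['src']}: {a['count']} failed logins between {a['first']} and {a['last']}")
```

With the sample data only 203.0.113.7 trips the rule; 198.51.100.5 spreads three failures over five minutes and stays below it. That second source is the caveat a practitioner should keep in mind: a fixed short window catches noisy brute force but not a slow, distributed attempt, which is why this rule is normally paired with a longer-window or per-account rule rather than used alone.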

The following video outlines what is involved when detecting incidents.

Monitoring and managing log files

The following video discusses the types of log files that can be collected from various sources in an organisation's network. It also discusses the compliance requirements when collecting and storing log files.

Knowledge Check

Complete the following activity to check your knowledge and understanding of the key concepts of this topic. You may repeat this activity as often as you like. Use the arrows to move between the different activities.


Logging from single security devices

Single security devices are devices such as firewalls, intrusion detection systems (IDS) and antivirus software that each focus on a specific threat vector.

Logging from a single security device means recording the events specific to that device, which supports localised analysis of what that device saw and did.

Router logs

Logging from routers involves recording events and activities occurring on the network, such as connection attempts, routing changes, or security incidents. These logs are crucial for monitoring network health, troubleshooting issues, and identifying potential security threats. Analysing router logs enhances overall network management and security.

Firewall logs

Firewall logging captures and records network traffic passing through a firewall. These logs include the action taken (allowed or denied), the rule or access list that matched, source and destination IP addresses, the protocol and port numbers. Analysing firewall logs helps detect and respond to unauthorised access, potential threats and security incidents, contributing to robust network security.

Explore

Refer to information from the device manufacturers (e.g. Cisco) on how to interpret log messages from devices such as routers and firewalls:

Cisco System Messages Overview
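Both the router and firewall logs discussed above arrive as Cisco system messages, whose header has the documented form %FACILITY-SEVERITY-MNEMONIC: text. The following Python is an added example, not from the course page or from Cisco, of how an analyst would parse that header, map the severity digit to its name, and pull the fields out of the ACL logging message (SEC-6-IPACCESSLOGP) so that denied connections can be summarised per source. The log lines are constructed for the example; the timestamp prefix handling is an assumption about the common IOS output format.

```python
"""Parsing Cisco IOS system messages from routers and firewalls (added example)."""
import re
from collections import defaultdict

# Severity levels defined for Cisco system messages (0 is the most severe).
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Optional sequence number and timestamp prefix, then the %FAC-SEV-MNEMONIC header.
HEADER_RE = re.compile(
    r"^(?:\d+: )?(?:[*.]?\w{3}\s+\d+ [\d:.]+(?: \w+)?: )?"
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Body of an IOS ACL log message that carries ports (IPACCESSLOGP).
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Constructed sample output (the form of each message follows IOS, the values are invented).
SAMPLE = """\
000045: *Mar  4 09:00:01.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
000046: *Mar  4 09:00:05.003: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51000) -> 10.1.1.10(22), 1 packet
000047: *Mar  4 09:00:05.410: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51001) -> 10.1.1.10(23), 1 packet
000048: *Mar  4 09:00:06.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(40022) -> 10.1.1.10(443), 3 packets
000049: *Mar  4 09:00:07.880: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51002) -> 10.1.1.10(3389), 4 packets
000050: *Mar  4 09:00:09.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
this line is not a system message and must be ignored
"""


def parse_message(line):
    """Return a dict for a Cisco system message, or None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY[msg["severity"]]
    if msg["facility"] == "SEC" and msg["mnemonic"] == "IPACCESSLOGP":
        a = ACL_RE.match(msg["text"])
        if a:
            acl = a.groupdict()
            for k in ("sport", "dport", "packets"):
                acl[k] = int(acl[k])
            msg["acl"] = acl
    return msg


def summarise_denies(text):
    """Per source address: packets denied and the set of destination ports it tried."""
    summary = defaultdict(lambda: {"packets": 0, "dst_ports": set()})
    for line in text.splitlines():
        msg = parse_message(line)
        if msg and "acl" in msg and msg["acl"]["action"] == "denied":
            entry = summary[msg["acl"]["src"]]
            entry["packets"] += msg["acl"]["packets"]
            entry["dst_ports"].add(msg["acl"]["dport"])
    return dict(summary)


def at_least(text, severity):
    """Messages at the given severity or more severe (lower number), in log order."""
    return [m for m in map(parse_message, text.splitlines()) if m and m["severity"] <= severity]


if __name__ == "__main__":
    for src, info in summarise_denies(SAMPLE).items():
        print(f"{src}: {info['packets']} packets denied to ports {sorted(info['dst_ports'])}")
    for m in at_least(SAMPLE, 5):
        print(f"{m['severity_name']:>13} {m['facility']}-{m['mnemonic']}: {m['text']}")
```

Two points the code makes that the prose does not: the severity digit, not the facility, is what decides whether a message is routine or needs attention (CONFIG_I and UPDOWN are level 5 and worth a look; the ACL hits are level 6 and only matter in aggregate), and the packet count at the end of an ACL message is a total accumulated over the logging interval, so summaries must add packet counts rather than count lines.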

Log servers

Log servers centralise and store logs from various network devices, applications, and security tools. They facilitate efficient analysis, correlation, and storage of threat data, aiding in detecting patterns and anomalies. Log servers play a vital role in incident response, compliance, and overall cybersecurity by providing a consolidated view of diverse log sources.

Logging network flows

Logging network flows involves recording metadata about each communication session between devices: source and destination IP addresses, protocol, ports, packet and byte counts, and start and end times. A flow record does not contain packet payloads, which keeps flow data compact enough to retain for long periods but means it cannot show what was said, only who talked to whom, when and how much. Analysing flow logs aids in detecting abnormal patterns such as scanning or unusually large transfers, identifying potential threats and enhancing network security. This data is valuable for incident response, forensic analysis and proactive threat mitigation.

The following video explains how network packet data can be captured and analysed to identify network protocol header information.

Collecting reported events

User access logs

The following video outlines how authentication, authorisation and accounting systems work and what information will be captured in logs collected from these systems.

Access Control Systems

The following video introduces the basic industry terms and definitions used in access control systems.

Practice
Read through the Guidelines for System Monitoring | Cyber.gov.au to find out the types of event logs that should be retained to facilitate system monitoring, hunting and cyber security incident response activities.

Using NetFlow in Cisco Packet Tracer

NetFlow is a Cisco IOS feature that collects and exports summaries of IP traffic (flow records) from a router or switch to a collector. Cisco Packet Tracer simulates this: a router in the simulated network can be configured to export flows to a NetFlow Collector server, giving insight into traffic patterns that helps troubleshoot issues, optimise performance and enhance security by identifying and mitigating anomalies in the flow of data within the simulated network environment.

Challenge activity

The following video outlines a challenge activity. Complete the activity using the Cisco Packet Tracer file provided with the video resources.

Download the exercise files from the LinkedIn Learning video "Challenge: Using NetFlow in Packet Tracer".

Solution

How did you go?

Congratulations on completing the topic Gather threat data. You should now understand what is involved in establishing data log requirements and collecting security device logs, and have hands-on skills in using the network simulation software Cisco Packet Tracer.

In this topic, you learnt about:

  • data log requirements
  • strategies for processing data
  • collecting information from network devices
  • using NetFlow in Cisco Packet Tracer.

Assessments

Now that you have learnt the basic knowledge and skills for this module, you are ready to complete the following assessment event.

Assessment 3 (Portfolio)
