SANS offered an excellent webinar last week, “Catching Hackers through Network Log Forensics”. It was presented by Jonathan Ham, who co-leads the Lake Missoula Group and is a Certified SANS instructor.
In the Webinar, Jonathan showed that the best way to catch malicious activity on your network is through network log analysis and correlation. Hackers will most likely attempt to clear the server event log when they penetrate a system. But there are other ways to follow their tracks. Most network devices come with the ability to log traffic and the best practice is to save these logs along with the server event logs to a remote system for analysis.
Wireless Access Points, DHCP servers, IDS/IPS Systems, Firewalls, Operating System logs and most importantly Web Proxy logs can be saved, correlated and analyzed to catch malicious attackers. Jonathan stressed the importance of using Web Proxies on your network (like Squid) so you can have an enterprise wide browser history and cache log. These systems will not only capture normal port 80/443 traffic, such as user web browsing, e-mail and instant messenger traffic, but it will also capture command and control communication from advanced bots if your system is infected.
The webinar is available in the SANS webcast archive. Check it out, it is very good.