Preserving Attack Evidence | Ethical Hacking Training
November 15, 2012

Ethical Hacking: Techniques to Preserve Evidence of an Attack

By

Watch these Ethical Hacking videos, and you’ll understand skills like network sniffing, social engineering, wireless attacks, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.

Transcription

On the network defense side, the best ways I find to preserve evidence of an attack are things like honeypots, firewalls and intrusion detection systems. Why? Because those are all designed, as you heard earlier, to watch for specific patterns in traffic, to watch for attacks, to watch for unauthorized access, and the moment they see it, to begin preserving evidence and alerting administrators. Whether they stop the attack, or even encourage the attack to continue, depends very heavily on the technique, the software and the systems you are using. But, by and large, the best way administrators can defend a network is by detecting the attack and preserving evidence for potential later analysis, and possibly for law enforcement reporting.

Group Policy

In addition, you saw the techniques around event log clearing. There are ways through group policy, and a couple of other ways, to prevent users from clearing event log entries. Those are important for administrators to remember. It is pretty straightforward to do as part of group policy, along with protecting the log collection point.

Log Collection

If an administrator is using log collection as a security evidence collection system, which hopefully is not the case, then you want to consider protecting the log collection point, ensuring that only a small set of very authorized users can clear that log. You want to ensure that they can only do so when the evidence has actually been collected and protected for the long term.
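The two points above, detecting when an event log is cleared and making the collection point hard to clear without the evidence having been preserved first, can be put into working code. The block below is an added example and is not code from the Pluralsight course or from this transcript. It flags the Windows "log cleared" events (Security event 1102 and System event 104, both written by the Microsoft-Windows-Eventlog source), keeps every forwarded record in a SHA-256 hash chain so that an edit or a deleted tail is detectable once the chain head has been stored off-box, and refuses to clear the store unless the requester is in a small authorized set and the current head has already been anchored. The record layout, field names, the sample events and the `CLEAR_ALLOWED` set are assumptions made for the example.

```python
"""Evidence-preserving log collector: an added example, not code from the
Pluralsight course. It models the two controls the transcript describes:
(1) alert when a Windows event log is cleared, (2) make the collection point
tamper-evident so that a clear is only allowed once the evidence is anchored.
Record layout and the sample events below are constructed for this example."""
import hashlib
import json

# Windows event IDs written by Microsoft-Windows-Eventlog when a log is cleared.
# Security 1102: "The audit log was cleared."  System 104: "The <name> log file was cleared."
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
GENESIS = "0" * 64  # prev-hash of the first chain entry

# Hypothetical small set of accounts permitted to clear the collector (assumption).
CLEAR_ALLOWED = {"secadmin"}


def is_log_cleared(record):
    """True for the events that mean someone wiped an event log on the source host."""
    return (record["log"], record["event_id"]) in LOG_CLEARED_EVENTS


class EvidenceStore:
    """Append-only store where each entry commits to the previous one via SHA-256."""

    def __init__(self):
        self.entries = []   # [{"record": ..., "prev": hex, "hash": hex}, ...]
        self.alerts = []    # records that triggered a log-cleared alert

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so that key order cannot change the hash.
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

    def head(self):
        """Current chain head; store it off-box (e.g. nightly, signed) to anchor the chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record):
        record = dict(record)  # keep our own copy so callers cannot mutate stored evidence
        prev = self.head()
        entry = {"record": record, "prev": prev, "hash": self._digest(prev, record)}
        self.entries.append(entry)
        if is_log_cleared(record):
            self.alerts.append(record)  # a real deployment pages the on-call here
        return entry["hash"]

    def verify(self, anchored_head=None):
        """None if intact, else the index of the first entry that fails.
        With an anchored head, a chain that is internally consistent but
        no longer ends at that hash (tail deleted) fails at len(entries)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        if anchored_head is not None and prev != anchored_head:
            return len(self.entries)
        return None

    def clear(self, requester, anchored_head):
        """Clear the collector only for an authorized user, and only once the
        current head has been anchored (i.e. the evidence is already preserved)."""
        if requester not in CLEAR_ALLOWED:
            raise PermissionError(f"{requester} may not clear the evidence store")
        if anchored_head != self.head():
            raise RuntimeError("refusing to clear: current head is not anchored off-box")
        cleared = len(self.entries)
        self.entries = []
        return cleared


# Constructed sample records (not real logs); the field names are an assumption.
SAMPLE_EVENTS = [
    {"host": "ws01", "log": "Security", "event_id": 4624, "user": "alice",
     "msg": "An account was successfully logged on."},
    {"host": "ws01", "log": "Security", "event_id": 4672, "user": "alice",
     "msg": "Special privileges assigned to new logon."},
    {"host": "ws01", "log": "Security", "event_id": 1102, "user": "alice",
     "msg": "The audit log was cleared."},
    {"host": "ws01", "log": "System", "event_id": 104, "user": "alice",
     "msg": "The Application log file was cleared."},
]


def ingest(events):
    """Forward a batch of events into a fresh store and return it."""
    store = EvidenceStore()
    for event in events:
        store.append(event)
    return store


if __name__ == "__main__":
    store = ingest(SAMPLE_EVENTS)
    print("alerts:", [(a["log"], a["event_id"]) for a in store.alerts])
    anchored = store.head()
    store.entries[1]["record"]["user"] = "bob"     # tamper with one stored record
    print("first bad entry after edit:", store.verify(anchored))
```

The hash chain on its own only proves that nothing in the middle was altered; the `anchored_head` argument is what catches a truncated tail, which is why the head has to be copied somewhere the collector's own administrators cannot rewrite before a clear is permitted. On the Windows side, the control the transcript's group policy remark points at is the "Manage auditing and security log" user right (SeSecurityPrivilege) under User Rights Assignment, which is what an account needs in order to clear the Security log; keeping that right to a small group is the host-level counterpart of `CLEAR_ALLOWED`.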

About the Author

has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.

Author's Website: http://www.nextdirectiontech.com/
