topic Re: Identifying a network breach in Network Security

Identifying a network breach

sprocket10 — Thu, 02 Apr 2020 08:09:03 GMT

In the event of a network breach, for example someones device is hacked while on the network, I have been asked to identify what logging we have in place to trace whats happened.

What is required is logging that shows all traffic that passes through the ASA to and from a device on the network so anything malicious can be traced.

Currently we log level4 to syslog.

Can this be done with Syslogs or as I suspect we would need something like netflow.

Re: Identifying a network breach

omz — Thu, 02 Apr 2020 08:57:30 GMT

I guess it depends on how the ASA is configured for threat detection -

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

Re: Identifying a network breach

Leo Laohoo — Thu, 02 Apr 2020 22:00:12 GMT

@sprocket10 wrote:

Currently we log level4 to syslog.

A lot of the "big hitters" APT (and their scripts) look for syslog server(s) and delete the files found inside.