Backup logs are the canary in the coal mine. They provide an amazing level of passive situational awareness. If they stop coming in from a server, there's something wrong. If a critical operating system file is changed, you can see exactly what was changed, and you can pull a copy of the altered binary from the backup before you ever have to log in to the potentially compromised box.
Backup logs are one of the best tools in your ongoing operational security process, and yet they are more often than not deleted or ignored entirely. One of the best security investments you can make is to build or buy a backup log parser or security event monitor that alerts you to files which have been modified unexpectedly.
One of the biggest mistakes you can ever make is to miss out on the treasure trove of information that analysing backup logs can provide.
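The two checks the paragraphs above describe, a host whose backup logs have gone quiet and a critical file whose contents changed between runs, can be expressed as a small parser over the backup log. The script below is an added example written for this page, not code from the author or from any backup product; the `key=value` log format, the sample log lines, the hostnames and the checksum values are all constructed for illustration, and a real deployment would adapt `parse_line` to the format its backup software actually emits and load `BASELINE` from a trusted build rather than hard-coding it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample backup log lines (assumed key=value format, not the
# output of any real backup product). Two nightly runs for two hosts.
SAMPLE_LOG = """\
2024-05-01T02:00:11Z host=web01 path=/usr/bin/ssh sha256=aaa111 size=900000
2024-05-01T02:00:12Z host=web01 path=/etc/passwd sha256=bbb222 size=2100
2024-05-01T02:05:40Z host=db01 path=/usr/bin/ssh sha256=aaa111 size=900000
2024-05-01T02:05:41Z host=db01 path=/usr/sbin/sshd sha256=ccc333 size=1200000
2024-05-02T02:00:09Z host=web01 path=/usr/bin/ssh sha256=dead99 size=905000
2024-05-02T02:00:10Z host=web01 path=/etc/passwd sha256=bbb222 size=2100
"""

# Known-good checksums for files that should only change during a planned
# patch window (constructed values standing in for real digests).
BASELINE = {
    "/usr/bin/ssh": "aaa111",
    "/usr/sbin/sshd": "ccc333",
    "/etc/passwd": "bbb222",
}

# Hosts that are expected to report every night (constructed).
EXPECTED_HOSTS = {"web01", "db01"}
# A host that has not reported within this window is treated as silent.
MAX_SILENCE = timedelta(hours=30)

LINE_RE = re.compile(r"^(\S+) host=(\S+) path=(\S+) sha256=(\S+) size=(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m.group(2), "path": m.group(3),
            "sha256": m.group(4), "size": int(m.group(5))}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unexpected_modifications(records, baseline):
    """Return (timestamp, host, path, expected, observed) for every backed-up
    file whose checksum disagrees with the trusted baseline."""
    alerts = []
    for r in records:
        expected = baseline.get(r["path"])
        if expected is not None and r["sha256"] != expected:
            alerts.append((r["ts"].isoformat(), r["host"], r["path"], expected, r["sha256"]))
    return alerts


def silent_hosts(records, expected_hosts, now, max_silence):
    """Return the expected hosts with no backup entry within max_silence of now."""
    last_seen = {}
    for r in records:
        last_seen[r["host"]] = max(last_seen.get(r["host"], r["ts"]), r["ts"])
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_silence)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for alert in unexpected_modifications(records, BASELINE):
        print("MODIFIED:", alert)
    now = datetime(2024, 5, 3, 3, 0, tzinfo=timezone.utc)  # constructed "current time"
    for host in silent_hosts(records, EXPECTED_HOSTS, now, MAX_SILENCE):
        print("SILENT:", host)
```

Run against the sample, the script flags `/usr/bin/ssh` on `web01` on the second night (its digest no longer matches the baseline) and reports `db01` as silent because its last entry is more than 30 hours old at the assumed current time. The point of keeping the baseline outside the monitored hosts is that an intruder who alters a binary cannot also quietly adjust the reference it is compared against.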
I am a telco & internet entrepreneur, nerd wrangler and massive lover of bacon. I was involved in the investigation of and successful conviction of David Noel Cecil – “Evil, The NBN Hacker”.
This article is written from the experiences I had before, during and since the successful execution of Operation Damara. My experiences are from a telco perspective however they are just as applicable to corporate and government networks.
I currently work with several Australian Telcos and IT businesses, developing Incident Response Plans and helping them ensure the ongoing continuity of their mission critical infrastructure.
If your organisation doesn’t have a strategy for dealing with internet security incidents, I would love to help you out!
Shoot me an email – firstname.lastname@example.org or grab me on Social Media for more information.