1 00:00:00,240 --> 00:00:02,210 Investigative data. 2 00:00:02,210 --> 00:00:03,770 In this lesson, we're going to talk about 3 00:00:03,770 --> 00:00:06,390 some of the different pieces of information you may use 4 00:00:06,390 --> 00:00:08,910 when you're conducting an incident response. 5 00:00:08,910 --> 00:00:10,150 Now for the exam, 6 00:00:10,150 --> 00:00:12,080 you don't need to be an expert in all of these 7 00:00:12,080 --> 00:00:14,690 different tools or areas that we're going to talk about, 8 00:00:14,690 --> 00:00:16,900 but instead you need to be able to understand 9 00:00:16,900 --> 00:00:19,000 what sources are available to you 10 00:00:19,000 --> 00:00:22,000 and pick the right one based on a given scenario. 11 00:00:22,000 --> 00:00:23,150 So, as we look at this, 12 00:00:23,150 --> 00:00:24,940 you have to remember that when we look at a network, 13 00:00:24,940 --> 00:00:27,750 there are tons and tons of pieces of data. 14 00:00:27,750 --> 00:00:29,100 And as a security analyst, 15 00:00:29,100 --> 00:00:31,410 it's our job to take that information in 16 00:00:31,410 --> 00:00:33,730 and create a consolidated picture. 17 00:00:33,730 --> 00:00:34,930 Based on that picture, 18 00:00:34,930 --> 00:00:36,470 we're going to be able to understand better 19 00:00:36,470 --> 00:00:38,260 what is happening inside our network 20 00:00:38,260 --> 00:00:41,150 and in response to the event we're working on. 21 00:00:41,150 --> 00:00:43,430 Now, the first thing we're going to talk about is a SIEM. 22 00:00:43,430 --> 00:00:45,150 Now we've talked about SIEMs before, 23 00:00:45,150 --> 00:00:47,110 but a SIEM is a Security Information 24 00:00:47,110 --> 00:00:48,740 and Event Monitoring System. 25 00:00:48,740 --> 00:00:51,240 Now, this is important because it's going to be a combination 26 00:00:51,240 --> 00:00:54,950 of a lot of different data sources into this one SIEM tool. 
27 00:00:54,950 --> 00:00:57,000 And this provides us with real-time analysis 28 00:00:57,000 --> 00:00:59,620 of security alerts that are generated by applications 29 00:00:59,620 --> 00:01:01,350 and network hardware. 30 00:01:01,350 --> 00:01:02,260 As we go through, 31 00:01:02,260 --> 00:01:04,600 we're going to be able to see a SIEM dashboard. 32 00:01:04,600 --> 00:01:06,130 Now from that dashboard, we can see 33 00:01:06,130 --> 00:01:07,250 the number of hosts we have, 34 00:01:07,250 --> 00:01:09,050 the number of authentications that have happened, 35 00:01:09,050 --> 00:01:10,680 the number of unique IPs we're seeing, 36 00:01:10,680 --> 00:01:12,230 all the different hosts in our network, 37 00:01:12,230 --> 00:01:13,930 and we can cut through that data 38 00:01:13,930 --> 00:01:15,450 using different search parameters 39 00:01:15,450 --> 00:01:17,320 to find the information we need. 40 00:01:17,320 --> 00:01:18,690 When you're doing an incident response, 41 00:01:18,690 --> 00:01:21,480 a SIEM is a really helpful thing for you. 42 00:01:21,480 --> 00:01:22,810 Now, when you think about a SIEM, 43 00:01:22,810 --> 00:01:24,990 there are lots of different pieces of information 44 00:01:24,990 --> 00:01:27,560 and a lot of ways for this information to get there. 45 00:01:27,560 --> 00:01:29,850 The first thing we have to think about is our sensor. 46 00:01:29,850 --> 00:01:32,530 This is the actual endpoint that's being monitored. 47 00:01:32,530 --> 00:01:35,760 That sensor can then feed that data up into the SIEM. 48 00:01:35,760 --> 00:01:37,200 Another thing we have to think about with our SIEMs 49 00:01:37,200 --> 00:01:38,610 is their sensitivity. 50 00:01:38,610 --> 00:01:41,330 Now the sensitivity is focused on how much 51 00:01:41,330 --> 00:01:43,370 or how little you're going to be logging.
52 00:01:43,370 --> 00:01:45,420 Based on how you configure that sensor, 53 00:01:45,420 --> 00:01:46,860 that's going to determine how much data 54 00:01:46,860 --> 00:01:48,280 is being sent to the SIEM. 55 00:01:48,280 --> 00:01:50,470 Now you may think it's great to send everything to the SIEM, 56 00:01:50,470 --> 00:01:52,220 and in a lot of cases, it is, 57 00:01:52,220 --> 00:01:54,710 but you have to remember that a SIEM can become overloaded 58 00:01:54,710 --> 00:01:56,370 with too much information. 59 00:01:56,370 --> 00:01:58,590 All that information takes processing power. 60 00:01:58,590 --> 00:02:01,210 It takes network bandwidth, and it takes storage to hold it. 61 00:02:01,210 --> 00:02:02,380 So you have to think about these things 62 00:02:02,380 --> 00:02:03,860 as you're configuring your system 63 00:02:03,860 --> 00:02:05,820 and creating the right sensitivity levels. 64 00:02:05,820 --> 00:02:07,780 Another thing we have to think about is trends. 65 00:02:07,780 --> 00:02:09,900 By using a SIEM and its graphical ability 66 00:02:09,900 --> 00:02:11,280 to look across these logs, 67 00:02:11,280 --> 00:02:13,500 we can start seeing trends in our network. 68 00:02:13,500 --> 00:02:14,610 For instance, we may see 69 00:02:14,610 --> 00:02:17,220 the number of failed authentication attempts going up. 70 00:02:17,220 --> 00:02:18,330 That might be the indication 71 00:02:18,330 --> 00:02:20,320 that someone's trying to brute-force our network. 72 00:02:20,320 --> 00:02:22,680 These trends are very useful to us. 73 00:02:22,680 --> 00:02:24,740 Another thing we think about is the alerts. 74 00:02:24,740 --> 00:02:26,370 Inside the SIEM, we can set it up 75 00:02:26,370 --> 00:02:28,000 so that there are certain alerts that happen 76 00:02:28,000 --> 00:02:29,610 based on certain parameters. 77 00:02:29,610 --> 00:02:32,060 For example, using the failed login attempts. 78 00:02:32,060 --> 00:02:33,630 We can use that as a good example.
79 00:02:33,630 --> 00:02:34,870 We might say that every time 80 00:02:34,870 --> 00:02:36,620 there are five failed login attempts, 81 00:02:36,620 --> 00:02:38,800 I want to have an alert sent to a system administrator 82 00:02:38,800 --> 00:02:40,190 to look into that account. 83 00:02:40,190 --> 00:02:41,570 That would be an example of an alert 84 00:02:41,570 --> 00:02:44,060 based on different inputs across the SIEM. 85 00:02:44,060 --> 00:02:45,750 And then finally, correlation. 86 00:02:45,750 --> 00:02:47,540 This is one of the big things within a SIEM 87 00:02:47,540 --> 00:02:49,310 because we're getting data from all sorts 88 00:02:49,310 --> 00:02:52,020 of different sources, across all different types of hosts 89 00:02:52,020 --> 00:02:53,210 and network devices. 90 00:02:53,210 --> 00:02:54,970 All these things need to be correlated 91 00:02:54,970 --> 00:02:57,910 so that we have a good picture of what is really happening. 92 00:02:57,910 --> 00:02:59,920 This includes making sure that the IPs 93 00:02:59,920 --> 00:03:02,520 and hostnames are all using the same format. 94 00:03:02,520 --> 00:03:04,420 This also may be things like time. 95 00:03:04,420 --> 00:03:06,640 If one system is using universal time, 96 00:03:06,640 --> 00:03:08,490 another one is using Greenwich Mean Time, 97 00:03:08,490 --> 00:03:10,020 another one's using European time, 98 00:03:10,020 --> 00:03:11,700 and another one's using New York time, 99 00:03:11,700 --> 00:03:13,480 that can actually be a big issue for us. 100 00:03:13,480 --> 00:03:15,920 So we want to correlate those all to a common standard. 101 00:03:15,920 --> 00:03:19,920 And normally we do that using UTC, Universal Time. 102 00:03:19,920 --> 00:03:22,510 Now, the next thing we want to talk about is log files.
103 00:03:22,510 --> 00:03:23,900 When we talk about log files, 104 00:03:23,900 --> 00:03:26,100 this is any file that records either events 105 00:03:26,100 --> 00:03:27,620 that occur in an operating system 106 00:03:27,620 --> 00:03:29,280 or other software that's running, 107 00:03:29,280 --> 00:03:31,480 or messages between different users 108 00:03:31,480 --> 00:03:33,310 of communication software. 109 00:03:33,310 --> 00:03:35,570 Essentially, we're going to write something down. 110 00:03:35,570 --> 00:03:36,910 Now we're going to digitally write it down. 111 00:03:36,910 --> 00:03:38,660 And that's what a log file is. 112 00:03:38,660 --> 00:03:41,030 Now there's lots of different types of log files out there. 113 00:03:41,030 --> 00:03:43,070 For example, we have network log files 114 00:03:43,070 --> 00:03:44,740 that are going to keep track of all of the things 115 00:03:44,740 --> 00:03:46,880 that are going through our routers and our switches. 116 00:03:46,880 --> 00:03:49,260 We have system log files that tell us what's happening 117 00:03:49,260 --> 00:03:51,230 on an individual host or server. 118 00:03:51,230 --> 00:03:53,710 We have application log files that tell us exactly 119 00:03:53,710 --> 00:03:56,240 what each application is doing on a given system. 120 00:03:56,240 --> 00:03:57,760 We have security log files. 121 00:03:57,760 --> 00:03:59,980 They're going to monitor things like failed logins 122 00:03:59,980 --> 00:04:02,930 and successful login attempts and other things like that. 123 00:04:02,930 --> 00:04:04,340 We have web log files, 124 00:04:04,340 --> 00:04:06,530 and this might be like your proxy server logs, 125 00:04:06,530 --> 00:04:08,360 where we could see what websites have been accessed 126 00:04:08,360 --> 00:04:10,930 by your users, or if you're running a web server, 127 00:04:10,930 --> 00:04:13,510 what files are being touched by an outsider 128 00:04:13,510 --> 00:04:14,980 as they're accessing that server.
129 00:04:14,980 --> 00:04:17,800 We also have DNS logs, and these are going to be used to tell us 130 00:04:17,800 --> 00:04:20,340 what requests have been made of that DNS server. 131 00:04:20,340 --> 00:04:22,700 So we can see who's trying to get what IP addresses 132 00:04:22,700 --> 00:04:24,130 from what domain names. 133 00:04:24,130 --> 00:04:26,080 We're also going to have authentication logs. 134 00:04:26,080 --> 00:04:28,380 This is going to tell us who has successfully logged in, 135 00:04:28,380 --> 00:04:30,010 who has successfully logged out, 136 00:04:30,010 --> 00:04:32,180 or who has failed to log in or log out. 137 00:04:32,180 --> 00:04:33,720 It'll tell us any kind of authentication 138 00:04:33,720 --> 00:04:36,780 across all of our files, our systems and our servers. 139 00:04:36,780 --> 00:04:38,210 We also have dump files. 140 00:04:38,210 --> 00:04:40,910 Now dump files are for when things happen to crash. 141 00:04:40,910 --> 00:04:43,440 For instance, if I have a host and it crashes, 142 00:04:43,440 --> 00:04:45,570 it can actually dump the memory contents 143 00:04:45,570 --> 00:04:47,350 to disk while it's crashing. 144 00:04:47,350 --> 00:04:50,610 That can actually be uploaded as a log file into our system 145 00:04:50,610 --> 00:04:52,910 for us to use for analysis as well. 146 00:04:52,910 --> 00:04:54,640 We also have things like VoIP. 147 00:04:54,640 --> 00:04:57,740 Now, a lot of our systems nowadays are using VoIP as well. 148 00:04:57,740 --> 00:05:00,120 And this can be captured as part of our network log files, 149 00:05:00,120 --> 00:05:03,820 or specifically as Voice over IP devices. 150 00:05:03,820 --> 00:05:06,330 This way we can get metadata about the calls being made. 151 00:05:06,330 --> 00:05:08,030 And if we go into the call manager, 152 00:05:08,030 --> 00:05:10,320 we can actually record calls as well.
153 00:05:10,320 --> 00:05:12,760 This is one of those abilities that VoIP gives us: 154 00:05:12,760 --> 00:05:14,600 we can see exactly who's been calling, 155 00:05:14,600 --> 00:05:15,890 how long they were calling, 156 00:05:15,890 --> 00:05:18,380 and even what the contents of that conversation were, 157 00:05:18,380 --> 00:05:21,340 if we have that allowed by our policies and procedures. 158 00:05:21,340 --> 00:05:24,460 Now, the next thing we want to talk about is syslog, 159 00:05:24,460 --> 00:05:27,040 rsyslog and syslog-ng. 160 00:05:27,040 --> 00:05:29,490 Now all three of these are basically three variations 161 00:05:29,490 --> 00:05:30,930 that do the same thing. 162 00:05:30,930 --> 00:05:32,790 They all are going to permit logging of data 163 00:05:32,790 --> 00:05:36,180 from different types of systems into a central repository. 164 00:05:36,180 --> 00:05:38,970 One of the things our SIEM relies heavily on is using 165 00:05:38,970 --> 00:05:42,660 syslog or rsyslog or syslog-ng to grab that information 166 00:05:42,660 --> 00:05:46,380 from all the various endpoints and dump it into our SIEM. 167 00:05:46,380 --> 00:05:48,760 Now, again, there are three different variations of this, 168 00:05:48,760 --> 00:05:50,700 and you really don't need to know the difference between them, 169 00:05:50,700 --> 00:05:53,490 except for the fact that syslog was the oldest one. 170 00:05:53,490 --> 00:05:55,180 Rsyslog was the second version 171 00:05:55,180 --> 00:05:58,650 and syslog-ng is the third version that has more capability. 172 00:05:58,650 --> 00:06:01,330 The next tool we want to talk about is journalctl.
173 00:06:01,330 --> 00:06:03,780 And this is actually a Linux command line utility 174 00:06:03,780 --> 00:06:05,920 that's used for querying and displaying logs 175 00:06:05,920 --> 00:06:07,443 from journald, which is the journal daemon, 176 00:06:08,455 --> 00:06:11,610 which is basically the logging service for systemd 177 00:06:11,610 --> 00:06:13,060 on a Linux machine. 178 00:06:13,060 --> 00:06:14,750 And so if you want to be able to look at the logs 179 00:06:14,750 --> 00:06:18,390 on a Linux machine, you can use journalctl to do it. 180 00:06:18,390 --> 00:06:20,640 The next one we're going to talk about is nxlog. 181 00:06:20,640 --> 00:06:23,530 Now this is a multi-platform log management tool 182 00:06:23,530 --> 00:06:26,130 that helps us to easily identify security risks 183 00:06:26,130 --> 00:06:28,780 and policy breaches, or analyze operational problems 184 00:06:28,780 --> 00:06:31,360 in server logs, operating system logs, 185 00:06:31,360 --> 00:06:33,010 and application logs. 186 00:06:33,010 --> 00:06:34,410 Now, when you think about nxlog, 187 00:06:34,410 --> 00:06:36,510 I want you to remember that it is a multi-platform 188 00:06:36,510 --> 00:06:39,760 or cross-platform tool, and it's also open source. 189 00:06:39,760 --> 00:06:41,980 This also means that it has a lot of similarities 190 00:06:41,980 --> 00:06:44,370 with our syslog or syslog-ng. 191 00:06:44,370 --> 00:06:45,650 So what's the difference? 192 00:06:45,650 --> 00:06:48,780 Well, rsyslog and syslog-ng only work on Linux 193 00:06:48,780 --> 00:06:51,840 and Unix systems, but nxlog is cross-platform. 194 00:06:51,840 --> 00:06:54,720 So you can use it on Unix, Linux, and Windows too. 195 00:06:54,720 --> 00:06:57,230 The next thing we're going to talk about is NetFlow. 196 00:06:57,230 --> 00:06:59,230 Now NetFlow is used in networking, 197 00:06:59,230 --> 00:07:00,870 and it's a network protocol system 198 00:07:00,870 --> 00:07:01,990 that was created by Cisco.
199 00:07:01,990 --> 00:07:04,470 And it's going to collect active IP network traffic 200 00:07:04,470 --> 00:07:07,060 as it's flowing into or out of an interface. 201 00:07:07,060 --> 00:07:08,740 So as you start thinking about things going into 202 00:07:08,740 --> 00:07:10,580 or out of your network, through the firewall 203 00:07:10,580 --> 00:07:11,700 or through a router, 204 00:07:11,700 --> 00:07:13,780 NetFlow can actually capture that information. 205 00:07:13,780 --> 00:07:15,310 Now, some of the information that it captures 206 00:07:15,310 --> 00:07:17,860 is things like the point of origin, the destination, 207 00:07:17,860 --> 00:07:20,110 the volume, and the path on the network. 208 00:07:20,110 --> 00:07:21,710 This is not a packet capture. 209 00:07:21,710 --> 00:07:23,430 We're not capturing everything, 210 00:07:23,430 --> 00:07:26,100 every single one and zero that is going in or out of our network. 211 00:07:26,100 --> 00:07:29,620 Instead, NetFlow is more of a summarization of that data 212 00:07:29,620 --> 00:07:31,270 that's going in and out of our network. 213 00:07:31,270 --> 00:07:32,910 It can help us with things like understanding 214 00:07:32,910 --> 00:07:34,370 who's using the most bandwidth 215 00:07:34,370 --> 00:07:35,810 or where there are traffic spikes, 216 00:07:35,810 --> 00:07:38,270 but it can't tell us exactly the file that went into 217 00:07:38,270 --> 00:07:39,530 or out of our network. 218 00:07:39,530 --> 00:07:42,220 For that we would need to have a full packet capture. 219 00:07:42,220 --> 00:07:43,980 Now, the next one we have is sFlow. 220 00:07:43,980 --> 00:07:46,130 And this stands for Sampled Flow. 221 00:07:46,130 --> 00:07:49,410 Essentially, this was an open source version of NetFlow, 222 00:07:49,410 --> 00:07:52,110 where NetFlow is made by Cisco and it's proprietary, 223 00:07:52,110 --> 00:07:54,350 sFlow was more of the generic version.
224 00:07:54,350 --> 00:07:57,060 It's to provide a means for exporting truncated packets, 225 00:07:57,060 --> 00:07:58,950 as well as having an interface counter 226 00:07:58,950 --> 00:08:00,930 that is going to be used for network monitoring. 227 00:08:00,930 --> 00:08:04,010 So again, we're not going to have full packet capture here. 228 00:08:04,010 --> 00:08:06,150 We're just going to get some of the sampled flow. 229 00:08:06,150 --> 00:08:07,410 So when we talk about sFlow, 230 00:08:07,410 --> 00:08:09,780 a lot of times what it'll do is it'll do packet captures 231 00:08:09,780 --> 00:08:11,440 where it captures one out of a hundred 232 00:08:11,440 --> 00:08:13,450 or one out of a thousand packets. 233 00:08:13,450 --> 00:08:14,990 That will help us reduce the size, 234 00:08:14,990 --> 00:08:15,960 while still giving you an idea 235 00:08:15,960 --> 00:08:18,080 of what's going through our networks. 236 00:08:18,080 --> 00:08:20,090 The next thing we have is IPFIX, 237 00:08:20,090 --> 00:08:23,350 which is the Internet Protocol Flow Information Export. 238 00:08:23,350 --> 00:08:25,650 Now, this is a universal standard for the export 239 00:08:25,650 --> 00:08:28,410 of internet protocol flow information from your routers, 240 00:08:28,410 --> 00:08:30,230 your probes and other devices. 241 00:08:30,230 --> 00:08:32,270 That's going to be used by mediation systems, 242 00:08:32,270 --> 00:08:33,720 accounting and billing systems 243 00:08:33,720 --> 00:08:35,230 and network management systems 244 00:08:35,230 --> 00:08:37,420 to facilitate services such as measurement, 245 00:08:37,420 --> 00:08:40,740 accounting and billing by defining how IP flow information 246 00:08:40,740 --> 00:08:43,580 is to be formatted and transferred from an exporter 247 00:08:43,580 --> 00:08:44,780 to a collector. 248 00:08:44,780 --> 00:08:46,370 Wow, that is a mouthful. 249 00:08:46,370 --> 00:08:48,780 And you may be wondering, what did I just say?
250 00:08:48,780 --> 00:08:51,390 Well, really what IPFIX is used for 251 00:08:51,390 --> 00:08:53,560 is on the back end of service management. 252 00:08:53,560 --> 00:08:54,450 Let's say for instance, 253 00:08:54,450 --> 00:08:56,100 that I was running a cell phone company 254 00:08:56,100 --> 00:08:58,910 and I was going to charge you $10 for every gigabyte of data 255 00:08:58,910 --> 00:09:00,410 that you transfer per month. 256 00:09:00,410 --> 00:09:02,840 Well, if I'm using IPFIX, I can count up 257 00:09:02,840 --> 00:09:04,430 until I get to one gigabyte, 258 00:09:04,430 --> 00:09:06,800 pass that to the billing system in the standard format, 259 00:09:06,800 --> 00:09:09,750 and then my system can charge you that $10. 260 00:09:09,750 --> 00:09:11,740 That's what IPFIX is used for. 261 00:09:11,740 --> 00:09:13,340 Now, all three of these tools, 262 00:09:13,340 --> 00:09:17,150 NetFlow, sFlow and IPFIX, can give you a good idea 263 00:09:17,150 --> 00:09:19,710 of how much bandwidth is being used in your environment. 264 00:09:19,710 --> 00:09:20,920 You can use a lot of different tools 265 00:09:20,920 --> 00:09:22,580 that actually put this into a graphical format 266 00:09:22,580 --> 00:09:24,010 like you see here. 267 00:09:24,010 --> 00:09:26,540 Now here, you can notice that there's one big spike. 268 00:09:26,540 --> 00:09:28,380 This tells me, as I'm monitoring my bandwidth, 269 00:09:28,380 --> 00:09:30,910 that that point had the largest amount of usage. 270 00:09:30,910 --> 00:09:32,700 And this was traffic outbound. 271 00:09:32,700 --> 00:09:34,690 Now it's significantly higher than the other ones. 272 00:09:34,690 --> 00:09:36,180 So as an analyst, I might go, 273 00:09:36,180 --> 00:09:38,420 hey, something doesn't seem right there. 274 00:09:38,420 --> 00:09:40,900 Why did we just double or triple the amount of traffic 275 00:09:40,900 --> 00:09:41,930 leaving our network?
276 00:09:41,930 --> 00:09:43,840 And I can go back and pull that time, 277 00:09:43,840 --> 00:09:46,350 which in this case, it says 20.11. 278 00:09:46,350 --> 00:09:48,140 And as I pull that information, 279 00:09:48,140 --> 00:09:50,470 we can then look through our SIEM to figure out, 280 00:09:50,470 --> 00:09:52,530 was there one host that was sending a lot of data? 281 00:09:52,530 --> 00:09:54,420 If so, maybe it's been infected 282 00:09:54,420 --> 00:09:56,250 and it's doing a data exfiltration, 283 00:09:56,250 --> 00:09:57,850 or was it a lot of hosts? 284 00:09:57,850 --> 00:09:58,990 Maybe it was just the fact 285 00:09:58,990 --> 00:10:00,760 that there was some kind of a big sale on Amazon 286 00:10:00,760 --> 00:10:03,070 and everybody logged on to start buying things. 287 00:10:03,070 --> 00:10:05,400 So data was leaving the network with their credit card 288 00:10:05,400 --> 00:10:07,810 and their queries to try to get information. 289 00:10:07,810 --> 00:10:09,080 These are the things you have to think about 290 00:10:09,080 --> 00:10:11,090 as a cybersecurity analyst. 291 00:10:11,090 --> 00:10:13,920 Now, the next thing we're going to talk about is metadata. 292 00:10:13,920 --> 00:10:17,300 Metadata is going to be data that describes other data, 293 00:10:17,300 --> 00:10:19,500 basically by providing an underlying definition 294 00:10:19,500 --> 00:10:22,270 or description, by summarizing basic information 295 00:10:22,270 --> 00:10:24,100 about the data, that makes finding 296 00:10:24,100 --> 00:10:27,420 and working with particular instances of data much easier. 297 00:10:27,420 --> 00:10:29,370 Essentially, when you think about metadata, 298 00:10:29,370 --> 00:10:31,680 this is data about the data. 299 00:10:31,680 --> 00:10:34,190 So the easiest way to think about this is something like 300 00:10:34,190 --> 00:10:35,320 your cell phone.
301 00:10:35,320 --> 00:10:36:930 If you think about your end-of-the-month bill 302 00:10:36,930 --> 00:10:38,190 you can get from your cell phone, 303 00:10:38,190 --> 00:10:40,950 it will show you the day and time of each of your calls, 304 00:10:40,950 --> 00:10:43,830 the number you called and the length of that call. 305 00:10:43,830 --> 00:10:46,930 That is metadata; it's data about the call. 306 00:10:46,930 --> 00:10:49,010 It doesn't tell you what you said on that call, 307 00:10:49,010 --> 00:10:51,600 but it could remind you that on August 8th, 308 00:10:51,600 --> 00:10:53,770 I talked to my mother for five minutes, 309 00:10:53,770 --> 00:10:55,070 and that would tell me that 310 00:10:55,070 --> 00:10:57,050 because I could see the time I used it, 311 00:10:57,050 --> 00:10:59,780 what number I called and how long that call lasted, 312 00:10:59,780 --> 00:11:01,680 but I won't know exactly what was said. 313 00:11:01,680 --> 00:11:03,270 That's the idea with metadata. 314 00:11:03,270 --> 00:11:05,320 Now, does that mean metadata isn't useful? 315 00:11:05,320 --> 00:11:06,330 Of course not. 316 00:11:06,330 --> 00:11:07,600 As a cybersecurity analyst, 317 00:11:07,600 --> 00:11:09,737 metadata is extremely useful to us, 318 00:11:09,737 --> 00:11:11,210 and there's lots of different places 319 00:11:11,210 --> 00:11:13,560 you can look at this metadata to get information 320 00:11:13,560 --> 00:11:14,600 about things. 321 00:11:14,600 --> 00:11:16,860 For instance, you may be looking at email.
322 00:11:16,860 --> 00:11:18,440 If you had somebody who sent an email 323 00:11:18,440 --> 00:11:20,060 that was part of a phishing campaign, 324 00:11:20,060 --> 00:11:21,970 you can look at the metadata about that, 325 00:11:21,970 --> 00:11:23,600 such as the time it was sent, who sent it, 326 00:11:23,600 --> 00:11:25,860 which servers it came from, 327 00:11:25,860 --> 00:11:27,560 which servers it transited through, 328 00:11:27,560 --> 00:11:28,920 and all that information, 329 00:11:28,920 --> 00:11:30,920 to be able to figure out exactly what happened 330 00:11:30,920 --> 00:11:31,753 with that email, 331 00:11:31,753 --> 00:11:34,380 even if you didn't look at the content of the email itself. 332 00:11:34,380 --> 00:11:36,460 You might also look at mobile metadata. 333 00:11:36,460 --> 00:11:38,360 Again, using the example of a cell phone, 334 00:11:38,360 --> 00:11:39,940 you can know how much data was transferred, 335 00:11:39,940 --> 00:11:43,120 or how long the calls were and who those people are calling 336 00:11:43,120 --> 00:11:44,880 and who they're talking to. 337 00:11:44,880 --> 00:11:47,440 In the case of web, we might look at things like 338 00:11:47,440 --> 00:11:48,850 which websites are you visiting, 339 00:11:48,850 --> 00:11:50,760 and how long are you staying on them? 340 00:11:50,760 --> 00:11:52,420 This is something marketers are learning about you 341 00:11:52,420 --> 00:11:53,460 all the time. 342 00:11:53,460 --> 00:11:55,660 They don't know exactly what you clicked on necessarily, 343 00:11:55,660 --> 00:11:57,700 or where your eyes were looking on the screen, 344 00:11:57,700 --> 00:11:59,980 but they do know how long you were on a particular page 345 00:11:59,980 --> 00:12:01,430 before you clicked away. 346 00:12:01,430 --> 00:12:04,020 And this is metadata they use to re-target you 347 00:12:04,020 --> 00:12:06,820 and work their systems to try to sell you more stuff.
348 00:12:06,820 --> 00:12:09,130 Another thing we have is file metadata. 349 00:12:09,130 --> 00:12:11,480 When I look at a particular file, like a video, 350 00:12:11,480 --> 00:12:14,190 that has a lot of metadata associated with it too: 351 00:12:14,190 --> 00:12:15,120 who created it? 352 00:12:15,120 --> 00:12:16,250 When did they create it? 353 00:12:16,250 --> 00:12:17,920 When was the last time it was watched? 354 00:12:17,920 --> 00:12:20,020 How long do people watch that file for? 355 00:12:20,020 --> 00:12:23,500 All this stuff is data about the data; this is all metadata, 356 00:12:23,500 --> 00:12:24,600 and it can be very helpful 357 00:12:24,600 --> 00:12:26,060 as you're going through an investigation 358 00:12:26,060 --> 00:12:27,610 and doing an incident response.