312-50v11 Exam Questions

312-50v11 Exam - Question 17


An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events does not match up.

What is the most likely cause?

Correct Answer: A

If the network devices are not all synchronized, the timestamps in the event logs from different devices will not match up correctly. This lack of synchronization can cause discrepancies in the sequence of events when the logs are correlated, even if all events are properly logged and unaltered. Synchronizing the clocks of all network devices using a protocol like NTP (Network Time Protocol) ensures that all logged events have consistent timestamps, allowing for accurate correlation and analysis.
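The explanation above describes the symptom (events from different devices that cannot be placed in order) but not how an investigator notices it or works around it. The following Python script is an added example and is not part of the exam page: it runs over a constructed set of firewall, proxy and IDS log lines (the log format, the shared `sid=` correlation field and the device names are assumptions made for the example), shows that sorting by logged timestamp puts an IDS alert before the firewall's own ALLOW for the same session, estimates each device's clock offset from events all devices saw, flags devices outside a tolerance, and realigns the logs so the per-session events fall within a few seconds of each other.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample logs (not from any real device). Each line: device, ISO
# timestamp, a session id shared by all devices, then a free-text message.
# The proxy clock runs about 5 minutes fast and the IDS clock about 2 minutes
# slow; the firewall is treated as the reference clock.
RAW_LOGS = [
    "firewall 2022-10-09T10:00:00 sid=1 ALLOW tcp 10.0.0.5 -> 203.0.113.7:80",
    "proxy    2022-10-09T10:05:01 sid=1 GET http://203.0.113.7/index.html",
    "ids      2022-10-09T09:58:03 sid=1 ALERT suspicious user-agent",
    "firewall 2022-10-09T10:00:30 sid=2 ALLOW tcp 10.0.0.9 -> 203.0.113.7:80",
    "proxy    2022-10-09T10:05:33 sid=2 GET http://203.0.113.7/login",
    "ids      2022-10-09T09:58:34 sid=2 ALERT credential stuffing pattern",
    "firewall 2022-10-09T10:01:00 sid=3 ALLOW tcp 10.0.0.5 -> 203.0.113.7:443",
    "proxy    2022-10-09T10:06:02 sid=3 CONNECT 203.0.113.7:443",
    "ids      2022-10-09T09:59:03 sid=3 ALERT TLS to known-bad host",
]

# Hypothetical line layout: "<device> <timestamp> sid=<n> <message>".
LINE_RE = re.compile(r"^(?P<device>\S+)\s+(?P<ts>\S+)\s+sid=(?P<sid>\d+)\s+(?P<msg>.*)$")


def parse_logs(lines):
    """Parse the constructed log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "device": m["device"],
            "ts": datetime.fromisoformat(m["ts"]),
            "sid": int(m["sid"]),
            "msg": m["msg"],
        })
    return events


def estimate_offsets(events, reference="firewall"):
    """Per device, the median of (device timestamp - reference timestamp) over
    sessions both devices logged. The median is robust to a few outliers and
    absorbs the small, genuine processing delay between devices."""
    ref_ts = {e["sid"]: e["ts"] for e in events if e["device"] == reference}
    diffs = defaultdict(list)
    for e in events:
        if e["sid"] in ref_ts:
            diffs[e["device"]].append((e["ts"] - ref_ts[e["sid"]]).total_seconds())
    return {dev: median(vals) for dev, vals in diffs.items()}


def unsynchronized_devices(offsets, tolerance_s=30.0):
    """Devices whose estimated clock offset exceeds the tolerance (seconds)."""
    return sorted(dev for dev, off in offsets.items() if abs(off) > tolerance_s)


def ordered(events, offsets=None):
    """Events sorted by timestamp, after subtracting each device's offset if given."""
    offsets = offsets or {}
    adjusted = [
        dict(e, ts=e["ts"] - timedelta(seconds=offsets.get(e["device"], 0.0)))
        for e in events
    ]
    return sorted(adjusted, key=lambda e: e["ts"])


def session_spread(events):
    """Seconds between the earliest and latest timestamp seen for each session id."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e["ts"])
    return {sid: (max(ts) - min(ts)).total_seconds() for sid, ts in by_sid.items()}


if __name__ == "__main__":
    events = parse_logs(RAW_LOGS)
    print("Naive order (by logged timestamp):")
    for e in ordered(events):
        print(f"  {e['ts']} {e['device']:8} sid={e['sid']} {e['msg']}")
    offsets = estimate_offsets(events)
    print("Estimated clock offsets (s):", offsets)
    print("Devices outside tolerance:", unsynchronized_devices(offsets))
    print("Per-session spread before/after realignment:",
          session_spread(events), session_spread(ordered(events, offsets)))
```

The realigned order is only accurate to within the residual delay between devices (a second or two here), so it answers "which events belong together" rather than sub-second "which came first"; the durable fix is NTP on every logging device, with the estimated offsets recorded in the investigation notes for any logs collected before that was done.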

Discussion

18 comments
Cytrail
Oct 9, 2022

The answer is A, no attack by an attacker was mentioned in the question. The question bordered on event logs only. Let's not be faster than the examiners...

MAAR1
Aug 27, 2024

It says this is an incident investigation, so there should be an attack. I guess the answer is C.

awesomenessforso
Nov 24, 2024

The question states that the logs are in the wrong sequence, key word sequence. If the answer was C the logs would have been "missing"

callmetodd
Mar 20, 2023

The big keyword here is "many" of the logged events do not match up. If it was NTP, then all of the logs wouldn't match up. I'd suggest C as the correct answer. However, there is such a thing as the 'eccouncil box' and a "theme" that goes throughout the exam and course, which may suggest that A is the best "eccouncil" answer ;-)

Mr_Gray
Mar 25, 2023

This is a great callout. Excellent point.

americaman80
Oct 7, 2022

Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular.

smurphuk
Feb 23, 2023

The CEH course taught me that "an attacker may erase logs to avoid being caught". I'll be damned if the answer is not C?!? Time isn't even mentioned in the question.

Mr_Gray
Mar 19, 2023

The mention of synchronization can indicate the NTP is not set correctly. You do have validity to your point, as if an attacker erased logs then they wouldn't match up later. This one merits additional research.

Re_My
May 25, 2023

I agree, C is the right answer according to the Infosec course. An attacker may delete logs to erase traces.

GTofic
May 28, 2023

If the attacker erased the log there would be no correlation of the information. Answer is A, it's about NTP (time) not being synchronized.

cerzocuspi
Oct 15, 2022

A is correct. Time sync

EngnSu
Dec 6, 2023

p.2874 Unsynchronized System Clocks can affect the working of automated tasks; the network administrator cannot accurately analyze the log files for any malicious activity if the timestamps are mismatched.

sam422
Sep 26, 2022

I go with C, an attacker can change time stamps to cover tracks

OleMadhatter
Oct 13, 2022

(A) time synchronization is off.

Daniel8660 (Option: A)
Apr 14, 2024

Unsynchronized System Clocks: Timestamp inaccuracy leaves the network administrator unable to analyze the log files for any malicious activity accurately. (P.2880/2864)

fishPSU21
Sep 5, 2022

If the company experienced a breach, the correct answer should be C since the attacker most likely covered up their tracks.

AndreasH
Sep 11, 2022

Wouldn't the attacker rather delete events completely from the logs instead of just changing the timeline? As I read the question the events are there, but the timeline is messed up (between devices), indicating a time sync problem.

fishPSU21
Sep 15, 2022

I can see that standpoint and get behind it.

sam422
Sep 27, 2022

If the assumption is Time Sync, then Answer A makes sense, however, it appears devices sync type, which makes answer C

dolumo
Nov 21, 2022

"the sequence of many of the logged events do not match up" C would have been correct if some events were not on some logs

selamkelamlar
Feb 4, 2023

I go with A.

Snipa_x
Feb 25, 2023

Answer will be A. If NTP is not utilized on all the logging servers then the events will not correlate.

lawbut2
May 11, 2023

A is best answer. p2864 Unsynchronized System Clocks

K3nz0420
Jul 25, 2023

A is the answer.

StormCloak4Ever (Option: A)
Jan 5, 2024

The best answer is A.

vitusisya (Option: A)
Dec 7, 2024

The time is not properly synchronized

asgasg (Option: A)
Dec 16, 2024

An attacker is expected to clear the logs. But this time it is a mismatch, not a lack of logs.