DNS and DHCP Logs Are Critical To Breach Investigations

Breach investigations are by their nature somewhat chaotic. There is a flurry of activity by the HR, IT, Legal, Communications and line of business departments. The ability to quickly determine what happened, who or what was impacted and what the next steps are can be thwarted by a lack of information. Logs are critical in helping understand all aspects of a breach. 

In the past we have talked about the importance of logs from firewalls, routers and layer 3 switches, server or workstation event logs and intrusion detection logs. Two logs which are commonly overlooked are DNS and DHCP logs. 

At 2am in the morning it is much easier to simply pull up a DHCP log and determine that machine HQ5678A was assigned 10.1.25.163 on 03/03/2015 at 9:53am rather than having to query registry entries or sift through event logs hoping to find a trace.  It is also helpful if systems hold their DHCP leases for 30 days or longer. It keeps the logs shorter and helps investigators more easily spot trends of activity, whether that be normal or abnormal activity. 

It is also easier to have firewalls record DNS entries and have the log contain both an IP address along with a DNS entry so you can quickly tell that a user on computer HQ5678A was using ebay on port 443 versus a virus using port 443 to communicate with hackme dot com that same port. Much time is spent tracking an IP address to a hostname simply to discover that the communication is to or from a known and approved host. 

Time is something you have precious little of during a cyber-security or breach investigation. Taking action before the security investigation begins can save you a lot of time and keep you from running down rabbit trails during your investigation.