According to the CISSP CBK Official Study Guide, the advantage of network-based logging over host-based logging when reviewing malicious activity involving a victim machine is that properly handled network-based logs may be more reliable and valid. Logging is the process of recording the events or activities that occur in a system or network, such as access to, communication with, or operation of that system or network. Logging can be classified into two types:
Network-based logging: Logging performed by network devices or components, such as firewalls, routers, or switches, which capture the traffic that passes through the network and record attributes such as its source, destination, protocol, or port.
Host-based logging: Logging performed by host devices or components, such as servers, workstations, or applications, which capture the events that occur on the host, such as logins, logouts, program execution, or file modification.
The advantage of network-based logging over host-based logging when reviewing malicious activity involving a victim machine is that properly handled network-based logs may be more reliable and valid: they may give a more accurate, complete, and consistent record of the malicious activity, and more independent, objective, and verifiable evidence of it. Properly handled network-based logs may be more reliable and valid because they may:
Provide a more accurate, complete, and consistent record of the malicious activity, because they capture the traffic that passes through the network, including the source, destination, protocol, and port of the malicious activity and possibly its content, payload, or signature. This helps to identify and analyze the malicious activity and to determine and measure its impact.
Provide more independent, objective, and verifiable evidence of the malicious activity, because they may be stored in a separate or remote location or device that is protected from access, manipulation, tampering, or alteration by the attackers. This helps to verify and validate the malicious activity and to support an investigation or prosecution.
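As an added example (not part of the study guide or of this explanation), the following Python script shows the practical side of the two points above. It correlates constructed firewall connection records with a constructed auth log from a victim host at 192.0.2.10, so that inbound connections the network saw but the host log no longer records stand out, and it hash-chains a log copy kept off the host so that later deletion or editing of a record is detectable. The log formats, addresses, timestamps, the five-second matching window, and the `correlate`, `chain_digests` and `first_tampered` helpers are all assumptions made for this illustration.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample data (not from the page): a firewall connection log
# (network-based) and the victim's own auth log (host-based). The victim
# host is 192.0.2.10; all addresses come from documentation ranges.
VICTIM = "192.0.2.10"

NETWORK_LOG = """\
2024-03-01T10:00:05Z fw01 CONNECT src=203.0.113.45 dst=192.0.2.10 proto=tcp dport=22
2024-03-01T10:00:09Z fw01 CONNECT src=203.0.113.45 dst=192.0.2.10 proto=tcp dport=22
2024-03-01T10:01:30Z fw01 CONNECT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2024-03-01T10:05:00Z fw01 CONNECT src=203.0.113.45 dst=192.0.2.10 proto=tcp dport=22
2024-03-01T10:07:12Z fw01 CONNECT src=192.0.2.10 dst=203.0.113.45 proto=tcp dport=4444
"""

# The host log has no entry for the 10:05:00 SSH session: in this constructed
# scenario, whoever controlled the host afterwards removed it.
HOST_LOG = """\
2024-03-01T10:00:06Z victim sshd: Failed password for root from 203.0.113.45 port 51922
2024-03-01T10:00:10Z victim sshd: Failed password for root from 203.0.113.45 port 51923
2024-03-01T10:01:31Z victim nginx: GET /index.html from 198.51.100.7
"""

NET_RE = re.compile(
    r"^(?P<ts>\S+) \S+ CONNECT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)
HOST_RE = re.compile(r"^(?P<ts>\S+) .*?from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_network(text):
    """Network-based records: who talked to whom, over which protocol and port."""
    events = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def parse_host(text):
    """Host-based records reduced to (timestamp, remote ip) pairs."""
    return [(m["ts"], m["ip"]) for m in map(HOST_RE.match, text.splitlines()) if m]


def correlate(net_events, host_events, victim=VICTIM, window_s=5):
    """Split the network view of the victim into inbound connections the host log
    also recorded, inbound connections the host log is silent about, and outbound
    connections from the victim (which a host auth log does not record at all)."""
    result = {"confirmed": [], "unrecorded_inbound": [], "outbound_from_victim": []}
    for e in net_events:
        if e["src"] == victim:
            result["outbound_from_victim"].append(e)
            continue
        if e["dst"] != victim:
            continue
        t0 = _t(e["ts"])
        seen = any(
            ip == e["src"] and abs((_t(ts) - t0).total_seconds()) <= window_s
            for ts, ip in host_events
        )
        result["confirmed" if seen else "unrecorded_inbound"].append(e)
    return result


def chain_digests(lines, seed="constructed-seed"):
    """Hash-chain a log copy: each digest covers the previous digest plus the
    record, so removing or editing a record changes every digest after it."""
    digests, prev = [], seed
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered(lines, expected_digests, seed="constructed-seed"):
    """Index of the first record whose digest no longer matches, or None."""
    for i, (got, want) in enumerate(zip(chain_digests(lines, seed), expected_digests)):
        if got != want:
            return i
    if len(lines) != len(expected_digests):
        return min(len(lines), len(expected_digests))
    return None


if __name__ == "__main__":
    summary = correlate(parse_network(NETWORK_LOG), parse_host(HOST_LOG))
    for kind, events in summary.items():
        for e in events:
            print(f"{kind:20} {e['ts']} {e['src']} -> {e['dst']}:{e['dport']}/{e['proto']}")
```

Run as-is, the script reports the 10:05:00 SSH connection as unrecorded on the host and the later outbound connection to port 4444 as visible only on the network; the hash chain is what lets an investigator show that the off-host copy has not been changed since it was sealed.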
"Addresses and protocols of network-based logs are analyzed" is not the advantage of network-based logging over host-based logging when reviewing malicious activity involving a victim machine, although it may be a benefit or consequence of network-based logging. Analyzing the addresses and protocols in network-based logs means examining the traffic that passes through the network, including its source, destination, protocol, or port, with appropriate tools and techniques such as packet capture, packet analysis, or packet filtering. This analysis may help to identify and analyze the malicious activity and to determine and measure its impact, and it is possible because network-based logging provides the traffic data that reveals those addresses and protocols. However, it is not the advantage of network-based logging over host-based logging in this scenario, because it is not the reason that makes network-based logging superior or preferable to host-based logging when reviewing malicious activity involving a victim machine. Host-based system logging has files stored in multiple locations is not the advantage of network