Detecting the Undetectable Through Your Logs
The strange thing about corporate computer security is that many victims don’t know about their own lapses, and only find out after an attack has succeeded or a third party notices it. In the worst cases the lapse is found years after the vulnerability first appeared, after several different intruders have already been through the system silently.
What makes this odder still is that the lapse could often have been caught easily, because the evidence was sitting in the organization’s own event logs. It wasn’t caught because nobody looked. Many of the big, million-dollar cyber crimes succeeded for exactly this reason: not a lack of data, but a lack of attention to it. It’s poor security through negligence.
Why Event Logs Are Frequently Ignored
The truth is it’s understandable why many people ignore event logs: it’s a pain in the behind. Most alerting setups have something like a 99-to-1 noise-to-signal ratio. The logs are an information overload of output from firewalls, IDSes, antimalware consoles, forensic tools, network flow analysis and honeypots, most of which says nothing that helps you catch an attack. Only a tiny, minuscule portion actually helps, and it gets lost in the flood of irrelevant data.
One solution is to alert only on events that are truly indicative of malicious activity, or ones that require an immediate investigative response. A few things to consider first:
1. Not All Bad Logons Are Malicious – failed logons are normal; people mistype their passwords all the time. What you should watch for is an unusually high frequency of failures from one source or against one account, which is what password guessing and spraying look like. Microsoft Windows’ “Special Logon” auditing helps with the other side of the problem: an admin defines which groups (Domain Admins, say) are considered “Special” and pushes that list to each computer to be monitored, and whenever a member of one of those groups logs on to a monitored computer, a distinct event (Event ID 4964) is generated and forwarded to the event log collector. That doesn’t shrink the flood of bad logons by itself, but it gives you the logons that matter most as a separate, low-volume event you can act on every time.
2. Deploy Breach Detection Systems – a breach detection system spots computers making outbound connections to known command-and-control servers. That makes it effective against much modern malware, which tends to call back to a C2 server for instructions and to download additional code designed to bypass antimalware scanners.
3. Use Whitelisting Systems for Auditing – strictly speaking, whitelisting is a prevention control and doesn’t remove the risk: malware that hijacks an already-whitelisted program can still run. For logging purposes, though, whitelisting doubles as an audit of new software installs. Take a snapshot of the environment, then switch the whitelist to audit-only mode (AppLocker on Windows has one, for example) so that it blocks nothing but sends an event whenever software or code that wasn’t in the snapshot is installed and executed.
4. Netflows – as an admin, you should know which computers in your network need to talk to which other computers. Most servers shouldn’t be talking to most other servers, and most workstations shouldn’t be talking to every server. Take a baseline of normal network flow activity, then check the flow logs for connections that fall outside it.
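The four checks above, as an added example that is not part of the original article: a small Python script runs them over constructed sample data and prints only the handful of hits, so a few dozen raw records become four alerts. The event records, flow records, flow baseline, threat-intel list and thresholds are all assumptions made up for the example. The Windows Event IDs used (4625, an account failed to log on; 4964, special groups assigned to a new logon) are real; the process-start records carrying a SHA-256 stand in for whatever your whitelisting product emits in audit mode, whose real format is not modelled.

```python
"""Noise-reducing alert rules for the four checks discussed above.
Added example; the records, baseline, threat-intel list and thresholds
are all constructed for illustration and are not from the article."""
from collections import defaultdict

# Constructed Security-log records, trimmed to the fields the rules need.
# 4625 = an account failed to log on; 4964 = special groups assigned to a new logon.
EVENTS = [
    # alice mistypes her password twice: normal, must not alert
    {"id": 4625, "user": "alice", "src": "10.0.1.15", "minute": 0},
    {"id": 4625, "user": "alice", "src": "10.0.1.15", "minute": 1},
] + [
    # 24 failures against 'administrator' from one host in six minutes: password guessing
    {"id": 4625, "user": "administrator", "src": "10.0.9.200", "minute": m // 4}
    for m in range(24)
] + [
    # a member of a declared Special Group logged on: always worth a look
    {"id": 4964, "user": "svc-backup", "src": "10.0.2.7", "minute": 9},
]

# Constructed process-start records as a whitelisting product might emit them in
# audit-only mode (the real event format is product-specific and not modelled here).
PROCESS_STARTS = [
    {"user": "carol", "host": "10.0.1.30", "path": r"C:\Program Files\Office\winword.exe", "sha256": "a" * 64},
    {"user": "carol", "host": "10.0.1.30", "path": r"C:\Users\carol\AppData\Local\Temp\update.exe", "sha256": "f" * 64},
]
WHITELIST_SNAPSHOT = {"a" * 64}  # hashes present when the snapshot was taken

# Constructed flow records (src, dst, dport) and a baseline learned during a clean period.
FLOW_BASELINE = {
    ("10.0.1.15", "10.0.2.7", 445),   # workstation -> file server
    ("10.0.1.30", "10.0.2.7", 445),
    ("10.0.2.7", "10.0.2.8", 1433),   # file server -> database
}
KNOWN_C2 = {"203.0.113.77"}  # constructed threat-intel entry (documentation address range)
FLOWS = [
    ("10.0.1.15", "10.0.2.7", 445),       # normal
    ("10.0.1.30", "203.0.113.77", 443),   # workstation calling a known C2 server
    ("10.0.2.8", "10.0.1.30", 3389),      # database server opening RDP to a workstation
]


def failed_logon_bursts(events, threshold=10, window_minutes=5):
    """Rule 1: alert on a burst of 4625s from one source, not on every bad password."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4625:
            counts[(e["src"], e["minute"] // window_minutes)] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


def special_logons(events):
    """Rule 1 (Special Logon auditing): 4964 is low-volume by construction, so alert on every one."""
    return [(e["user"], e["src"]) for e in events if e["id"] == 4964]


def new_executables(process_starts, snapshot):
    """Rule 3: whitelist in audit mode, alert on code whose hash was not in the snapshot."""
    return [(p["host"], p["path"]) for p in process_starts if p["sha256"] not in snapshot]


def flow_alerts(flows, baseline, c2):
    """Rules 2 and 4: known C2 destinations first, then anything outside the flow baseline."""
    alerts = []
    for src, dst, dport in flows:
        if dst in c2:
            alerts.append(("known-c2", src, dst, dport))
        elif (src, dst, dport) not in baseline:
            alerts.append(("off-baseline", src, dst, dport))
    return alerts


def run_rules():
    """Run every rule and return the alerts keyed by rule, plus the raw record count."""
    return {
        "raw_records": len(EVENTS) + len(PROCESS_STARTS) + len(FLOWS),
        "logon_bursts": failed_logon_bursts(EVENTS),
        "special_logons": special_logons(EVENTS),
        "new_executables": new_executables(PROCESS_STARTS, WHITELIST_SNAPSHOT),
        "flows": flow_alerts(FLOWS, FLOW_BASELINE, KNOWN_C2),
    }


if __name__ == "__main__":
    results = run_rules()
    print(f"{results.pop('raw_records')} raw records reviewed")
    for rule, hits in results.items():
        for hit in hits:
            print(f"ALERT [{rule}] {hit}")
```

The point of the thresholds and the baseline is that they are tuned per environment: the burst threshold above is deliberately loose enough that two typos never page anyone, and the flow baseline should be rebuilt whenever the network legitimately changes, or the off-baseline rule turns back into the noise the article is trying to remove.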
Conclusion
The basic principle is not to wade through a massive event log looking for potentially malicious events, but to define in advance which events are potentially malicious and to forward and alert on only those. Done right, this leaves the network with an event log that is easier to manage and investigate on a daily basis without compromising security.