This morning, I read this story on ZDNet about a report from Carbon Black. The report indicates that 72% of Carbon Black’s incident response group reported working on cases where the adversary destroyed logs. Generally, such stats aren’t particularly insightful for a variety of reasons[1], however it should be intuitive that an adversary has a vested interest in obscuring his or her illicit activities on a compromised system.
The CIS Top 20 Critical Cyber Security Controls control number 6 touches on this point by recommending systems send logs to a central log collector, but the intention is more on log collection for the purpose of aggregation and monitoring, such as with a SIEM, rather than for tamper resistance, though that is a likely side effect. Sending logs to a remote system is a good way to ensure proper logs exist to analyze in the wake of a breach. Also note that, in addition to deleting locally stored logs, many adversaries will disable a system’s logging service to prevent new logs from being stored locally or sent to a log collector.
Here are a few recommendations on logging:
- Send system logs to a log collector that is not part of the same authentication domain as the systems generating the logs. For example, the SIEM system(s) collecting/monitoring logs should not be members of the same active directory domain as those that generate the logs.
- Configure the SIEM to alert on events that indicate logging services were killed (if possible).
- Configure the SIEM to generate an alert after a period of inactivity from any given log source.
[1] I need to write a blog post on the problems with reports that are based on surveys of a population. For now, I’d encourage you to read up on these problems yourself. It’ll make you a better consumer and a better person.