Critical Control 6 – Check your audit logs frequently
Modern day attackers rely on the fact that such organizations rarely look at the audit logs, which means they would not know that their systems have been compromised. Most organizations the system log is an overlooked and forgotten function.
Every activity that has transpired on not only any given system but also interactions with neighboring systems are recorded. These are the first places an attacker goes once they gain a foothold and the last place they go before acting on their objectives. Because of this, we have control 6 which requires us to focus on these logs and take meaningful action to secure, monitor and audit the. On average, attackers are in your system for 140 days before getting detected, and are active within an organization on average about 4.6 hours before creating a detectable anomaly in the system logs.
Of all the basic six controls, this one is by far the most frequently neglected. It is a lot of effort to satisfy this control. Where there is an incident, all the effort that went into satisfying control 6 will immediately pay off.
CSC 6 – Maintenance, Monitoring and Analysis of Audit Logs
Control 6 has sub-controls which are often very minimally implemented. In our experience those include the requirement to utilize a minimum of three distinct time servers, activate detailed even logging, and allocating appropriate equipment sufficient to store log data.
Network systems are in constant motion. Every system keeps a record of their very busy lives in a local system log, which uses date and time to keep track of what they did and when. When the perspective of systems log data shifts from the single monolithic device to the collective sum of all devices the amount of log data is overwhelming. The only thread that is common across all of this data is time. Attackers make this information difficult – to – impossible for organizations to find. One way these attackers do this is by “fuzzing” the logs. Which is intentionally messing-up the timestamps that devices place in their local logs so that once that data is combined with log data from other devices the cause-effect relationships of an attackers actions cannot be found easily. Windows use DNS names so the computer systems can get the correct time. Attackers exploit this by creating a host record entry or spoof the DNS name and point to a server of their choosing. This causes the servers and workstations within that victim network to have no external reference of the correct time. This means incorrect logging of their activity. This kind of attack happens hundreds of times each year.
Most often new systems are intended to ease their use rather than emphasize security. Control 6 requires that we configure all devices to log with sufficient granularity to permit meaningful interpretation of events within a given period of interest at a late time. It is recommended to use log level 5 or greater for syslog-equipped devices. However, for windows, its recommended to use the logging requirements of the NIST checklist as a starting point.
Today, storage space is generally inexpensive, at least the kind needed to store log data. Find out how much log data is going to be generated across the entire organization. With this, determine the length of time needed to retain this data. Most organizations outside of the federally regulated space, should consider 6-12 months as a starting place.
Many of the network administrators make an effort to implement log retention by driving up the maximum log file size on each of their servers. While this provides excelled log retention on the local system so-long as nothing goes wrong, it doesn’t provide the same when a server crashes or an attacker gains a foothold and deletes logs. Storing some level of logs locally and in a centralized manner is what control 6 requires.
This control requires organizations to centralize, continuously systematically evaluate, and manage the logs of computer systems. Because of this, this control is one of the easiest to overlook because of the mundane nature of system logs. Doing this ensures that the organizations are able to provide some of the most critical forensic information in both pre and post-breach situations. It is crucial to implement this control because it ensures that organizations are able to answer internal and external stakeholder questions in the instance of a breach. Also, it serves as the best leading indications of attack and indications of compromise available.
For a deeper understanding of CSC Control 6, check out CIT’s CSC Controls 6 blog.