NSA Best Practices for Event Logging & Threat Detection

The NSA (National Security Agency) and the Australian Signals Directorate's Australian Cyber Security Centre have released Best Practices for Event Logging and Threat Detection (PDF) to help organizations protect against malicious actors. 

This guidance is ideal for senior information technology decision-makers, operational technology (OT) operators, network administrators, and network operators.

The information sheet includes guidance on living-off-the-land (LoTL) techniques used by attackers to evade detection within an organization’s environment.

“The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.”

While not all-inclusive, here’s a summary of some of the top event logging recommendations and best practices:

Take into consideration any shared responsibilities between service providers and the organization. Policy should include:

• Details of the events to be logged
• Event logging facilities to be used
• How event logs will be monitored
• Event log retention durations
• When to reassess which logs are worth collecting

Event Log Quality

This refers to the types of events collected, and how useful event logs are to allow organizations to assess security incidents.

"Quality log data helps in building a comprehensive picture of your environment, drives detection and alerting systems to discover issues quickly, and helps incident responders understand what went wrong if you do suffer a cybersecurity incident."  – Scott Gee, AHA deputy national advisor for cybersecurity and risk, IndustryIntel

Capturing a large volume of well-formatted logs can be invaluable for incident response, but organizations should organize logged data into hot and cold data storage.

Consider logging the following to help detect malicious actors using LoTL techniques:

• Linux: Logs capturing the use of curl, systemctl, systemd, python and other common LOLBins
• Microsoft Windows: Logs capturing the use of wmic.exe, ntdsutil.exe, Netsh,cmd.exe, PowerShell, mshta.exe, rundll32.exe, resvr32.exe and other common LOLBins. Capture command execution, script block logging and module logging for PowerShell, and detailed tracking of admin tasks
• Cloud: Log all control plane operations, API calls and end user logins. Capture read and write activities, admin changes and authentication events

Event Log Retention

Retain logs for long enough to support incident investigations; default periods are often insufficient. 

"Ideally, logs should be stored for a period of one year, subject to storage space constraints. In the middle of an incident is not the time to find out that you were not logging useful data, or that you were not retaining that data for long enough to thoroughly investigate the incident.” – Scott Gee, AHA deputy national advisor for cybersecurity and risk, IndustryIntel

• Log retention periods should be informed by risk assessment
• In some cases, it can take up to 18 months to discover an incident, with malware dwelling on a network from 70-200 days
• Review log storage allocations -- insufficient storage is a common obstacle to log retention 
• The longer logs can be kept, the higher the chances of determining the extent of an incident

Enterprise Network Logging

With a wide variety of native tools to exploit, enterprise networks should prioritize logging:

• Critical systems and data holdings likely to be targeted
• Internet-facing services, including remote access, network metadata and their underlying server operating system
• Identity and domain management servers
• Any other critical servers
• Edge devices, such as boundary routers and firewalls
• Administrative workstations
• Highly privileged systems such as configuration management, performance and availability
• Monitoring (in cases where privileged access is used), Continuous Integration/Continuous Delivery
• (CI/CD), vulnerability scanning services, secret and privilege management
• Data repositories
• Security-related and critical software
• User computers
• User application logs
• Web proxies used by organizational users and service accounts
• DNS services used by organizational users

Secure Storage & Event Log Integrity

They recommend organizations implement a secure, centralized event logging facility for log aggregation; forwarding their logs to analytic tools like security information and event management (SIEM) and extended detection and response (XDR) solutions.

The goal is to prevent the loss of logs once a local device's storage is exceeded, as many network infrastructure devices have limited local storage.

"In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities."

Secure Transport & Storage of Logs

To ensure event log integrity in transit and at rest, organizations should implement secure mechanisms like TLS 1.3 and methods of cryptographic verification. Securing and restricting access to logs is also important to prioritize (enacting least privilege to grant access only to those that need it to do their jobs).

Protect Logs From Unauthorized Access, Modification & Deletion

To avoid or delay detection, malicious actors are known to modify or delete local system event logs. Logs should be aggregated in an event logging facility that can protect them from unauthorized modification and deletion.

Best practices include:

• Limit access only to personnel that need to have permission to delete or modify logs, or view logs
• Store logs in a separate or segmented network with additional security controls to prevent tampering
• Back up event logs and implement data redundancy practices

Specifically, securing SIEMs is also considered best practice:

“Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability.”

Detecting Living off the Land Techniques

They recommend implementing analytics capabilities to enable automated detection of behavioral anomalies on networks, devices or accounts.

They also recommend using a SIEM to detect anomalous activity by comparing event logs to a baseline of business-as-usual traffic and activity.

Examples of Anomalous Behavior

These are examples of actions to detect:

• A user logging in during unusual hours
• An account accessing services it doesn't usually access
• A user logging in using an unusual device
• A high volume of access attempts
• Any instances of impossible travel or concurrent logins from multiple geographic locations
• Downloading or exporting large volumes of data
• Network logins without defined computer access or physical access log validation
• A single IP address attempting to authenticate as multiple different users
• The creation of user accounts or disabled accounts being re-enabled (especially admin accounts)
• Netflow data indicating one device talking to other internal devices it normally doesn't connect to
• Unusual script execution, software installation or use of admin tools
• Unexpected clearing of logs
• An execution of a process from an unusual or suspicious path
• Configuration changes to security software, such as Windows Defender and logging management software

For more guidance and detailed information around other best logging and threat detection practices, check out the information sheet (PDF).

Blumira Helps You Follow Best Practices for Event Logging & Threat Detection

Blumira helps you identify threats faster and respond quickly to prevent ransomware and data breaches, all while doing the heavy lifting for your IT team. 

We do this by following these best practices, aligned with NSA’s recommendations:

• Providing log aggregation and centralization with our SIEM + XDR platform
• Blumira retains 100% of the logs sent to its platform, without any filtering 
• Providing data retention for one year to ensure your logs are available for investigation, incident response, and to help meet cyber insurance and compliance requirements
• For access to the application, Blumira enforces MFA (multi-factor authentication) on 100% of users accessing the platform and doesn’t allow any deletion of logs through the user interface
• On the backend, we ensure Blumira’s log database is only accessible to internal Blumira services and parties that require access and enforce strict access controls and employ least privilege to those who do
• Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation
• Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared to help protect them from modification by attackers or insiders that may want to hide their activity
• All logs sent to the Blumira platform are encrypted in transit and then at rest once securely in our systems
• Blumira’s incident detection engineers write detection rules designed to identify indicators of attacker behavior, with a focus on Living-Off-the-Land techniques
• Speed to detection and security are both prioritized; with our platform alerting you within minutes of initial detection and implementation taking, on average, 4 hours to complete

Get started by signing up for a free SIEM + XDR trial.