The NSA (National Security Agency) and the Australian Signals Directorate's Australian Cyber Security Centre have released Best Practices for Event Logging and Threat Detection (PDF) to help organizations protect against malicious actors.
This guidance is intended for senior information technology decision-makers, operational technology (OT) operators, network administrators, and network operators.
The information sheet includes guidance on living-off-the-land (LoTL) techniques used by attackers to evade detection within an organization’s environment.
“The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.”
While not all-inclusive, here’s a summary of some of the top event logging recommendations and best practices:
Take into consideration any shared responsibilities between service providers and the organization. Policy should include:
Event Log Quality
This refers to the types of events collected, and how useful event logs are to allow organizations to assess security incidents.
"Quality log data helps in building a comprehensive picture of your environment, drives detection and alerting systems to discover issues quickly, and helps incident responders understand what went wrong if you do suffer a cybersecurity incident." – Scott Gee, AHA deputy national advisor for cybersecurity and risk, IndustryIntel
Capturing a large volume of well-formatted logs can be invaluable for incident response, but organizations should organize logged data into hot and cold data storage.
Consider logging the following to help detect malicious actors using LoTL techniques:
Event Log Retention
Retain logs for long enough to support incident investigations; default periods are often insufficient.
"Ideally, logs should be stored for a period of one year, subject to storage space constraints. In the middle of an incident is not the time to find out that you were not logging useful data, or that you were not retaining that data for long enough to thoroughly investigate the incident." – Scott Gee, AHA deputy national advisor for cybersecurity and risk, IndustryIntel
Enterprise Network Logging
Because attackers can abuse a wide variety of native tools, enterprise networks should prioritize logging:
Secure Storage & Event Log Integrity
The agencies recommend that organizations implement a secure, centralized event logging facility for log aggregation, and forward their logs to analytic tools such as security information and event management (SIEM) and extended detection and response (XDR) solutions.
The goal is to prevent the loss of logs once a local device's storage is exceeded, as many network infrastructure devices have limited local storage.
"In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities."
Secure Transport & Storage of Logs
To ensure event log integrity in transit and at rest, organizations should implement secure mechanisms such as TLS 1.3 and methods of cryptographic verification. Securing and restricting access to logs should also be prioritized, applying least privilege so that only those who need access to do their jobs have it.
Protect Logs From Unauthorized Access, Modification & Deletion
To avoid or delay detection, malicious actors are known to modify or delete local system event logs. Logs should be aggregated in an event logging facility that can protect them from unauthorized modification and deletion.
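As an added example (not code from the guidance or from Blumira), the following Python sketch shows one form the "cryptographic verification" mentioned above can take: a forwarding agent wraps each record with an HMAC over the previous record's tag and its own contents, and the central facility, which keeps the last tag it received, can then tell whether a batch of forwarded records was modified, had records deleted, or was truncated. The key, host names and event records are constructed for the demo.

```python
import hmac
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # tag that precedes the first record in a chain

def chain_tag(key: bytes, prev_tag: str, event: dict) -> str:
    """HMAC-SHA256 over the previous tag and the canonical JSON of this event."""
    msg = prev_tag.encode() + b"\n" + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_chain(key: bytes, events: list, prev_tag: str = GENESIS) -> list:
    """Forwarder side: wrap each event with its predecessor's tag and its own tag."""
    entries = []
    for event in events:
        tag = chain_tag(key, prev_tag, event)
        entries.append({"prev": prev_tag, "event": event, "tag": tag})
        prev_tag = tag
    return entries

def verify_chain(key: bytes, entries: list, expected_last: Optional[str] = None) -> tuple:
    """Central side: return (ok, reason); detects modified, deleted/reordered and truncated records."""
    prev_tag = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev_tag:
            return False, f"chain break before entry {i}: record deleted or reordered"
        if not hmac.compare_digest(entry["tag"], chain_tag(key, prev_tag, entry["event"])):
            return False, f"entry {i} modified"
        prev_tag = entry["tag"]
    if expected_last is not None and prev_tag != expected_last:
        return False, "chain truncated: last tag does not match the one on record"
    return True, "ok"

# Constructed sample events (hypothetical hosts and users, not from the guidance)
SAMPLE_EVENTS = [
    {"ts": "2024-08-21T10:00:00Z", "host": "ws01", "event_id": 4624, "user": "alice"},
    {"ts": "2024-08-21T10:00:05Z", "host": "ws01", "event_id": 4688, "user": "alice", "process": "notepad.exe"},
    {"ts": "2024-08-21T10:00:09Z", "host": "ws01", "event_id": 1102, "user": "alice"},
]
KEY = b"constructed-demo-key-do-not-use"  # in practice a per-forwarder key from a secret store

def demo() -> dict:
    """Exercise the verifier against an intact chain and three tampering scenarios."""
    chain = build_chain(KEY, SAMPLE_EVENTS)
    last = chain[-1]["tag"]                      # the central facility records this on receipt
    modified = [dict(e) for e in chain]
    modified[1] = dict(modified[1], event=dict(modified[1]["event"], process="cmd.exe"))
    deleted = [chain[0], chain[2]]               # middle record removed from the local log
    truncated = chain[:2]                        # trailing records removed from the local log
    return {"intact": verify_chain(KEY, chain, last)[0], "modified": verify_chain(KEY, modified)[1],
            "deleted": verify_chain(KEY, deleted)[1], "truncated": verify_chain(KEY, truncated, last)[1]}

if __name__ == "__main__":
    print(demo())
```

Truncation is only detectable because the central facility retains the last tag independently of the host, which is the same reason the guidance wants logs aggregated off the device rather than verified locally.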
Best practices include:
Specifically, securing SIEMs is also considered best practice:
“Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability.”
Detecting Living off the Land Techniques
The agencies recommend implementing analytics capabilities that enable automated detection of behavioral anomalies on networks, devices, or accounts.
They also recommend using a SIEM to detect anomalous activity by comparing event logs against a baseline of business-as-usual traffic and activity.
Examples of Anomalous Behavior
These are examples of actions to detect:
For more guidance and detailed information around other best logging and threat detection practices, check out the information sheet (PDF).
Blumira helps you identify threats faster and respond quickly to prevent ransomware and data breaches, all while doing the heavy lifting for your IT team.
We do this by following these best practices, aligned with NSA’s recommendations:
Get started by signing up for a free SIEM + XDR trial.