The OWASP Top 10 community survey ranked security logging and monitoring failures third (#3), and the category moved up from tenth in the OWASP Top 10 2017 to A09 in the 2021 list. It is hard to test for: assessing it usually comes down to interviewing staff or asking whether the attacks carried out during a penetration test were detected. There is little CVE/CVSS data for this category, yet detecting and responding to breaches is crucial, and failures here directly impact accountability, visibility, incident alerting, and forensics. The category includes CWE-117 Improper Output Neutralization for Logs, CWE-223 Omission of Security-relevant Information, CWE-532 Insertion of Sensitive Information into Log File, and CWE-778 Insufficient Logging.
What Are Security Logging and Monitoring Failures?
Attackers exploit gaps in logging and monitoring because they know that a security team which cannot see an intrusion will take a long time to detect and remediate it, and that time is used to escalate privileges and move further into the environment. This section explores the threats related to insufficient logging and monitoring and the business impact of a successful attack.
An inadequately logged system typically gets exploited because, without an effective logging and monitoring framework, the following gaps appear:
- Unlogged events and transactions
- Missing log backups
- Obscure or uninformative error logging
- Missing breach escalation plans
- Poor authentication management
- Ineffective training on logging and monitoring
- No export of log data to a system where it can be analyzed
Threats Associated with Security Logging & Monitoring Failures
Attackers typically leverage large numbers of internet-connected devices to inject malware into a system and coordinate an attack. Such malware often takes the form of automated bots that manipulate the application in several ways, from simple spamming operations to advanced attacks against the application's logic.
These are commonly supported by botnets that orchestrate numerous attacks, including brute force, phishing, and Distributed Denial of Service (DDoS) attacks. A botnet attack runs through a sequence of actions across multiple stages, and without proper event logging those stages are almost impossible to observe or analyze.
An effective monitoring setup built on centralized log collection (for example, forwarding host and application logs over syslog to a log management system or SIEM) is the first line of defense for reducing the likelihood and severity of botnet attacks.
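The kind of detection that centralized auth logging makes possible, as an added example that is not part of the original page: it parses constructed sshd lines in the format OpenSSH writes to syslog (hostnames and addresses are hypothetical, taken from documentation ranges), finds a burst of failed logins from one source address, and escalates the alert when that same address then logs in successfully, which is the signature of a brute-force attempt that worked. The window, threshold and assumed year are parameters chosen for the sample, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, in the format OpenSSH writes to syslog/auth.log.
# Hostnames and addresses are hypothetical (documentation ranges).
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 10:00:02 web1 sshd[4023]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 12 10:00:02 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 12 10:00:03 web1 sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Mar 12 10:00:04 web1 sshd[4029]: Failed password for invalid user guest from 203.0.113.7 port 51060 ssh2
Mar 12 10:00:05 web1 sshd[4031]: Accepted password for root from 203.0.113.7 port 51077 ssh2
Mar 12 10:03:10 web1 sshd[4100]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Mar 12 10:03:40 web1 sshd[4102]: Accepted publickey for alice from 198.51.100.20 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines we don't model.
    Syslog timestamps carry no year, so one is assumed for the sample."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(text, window=timedelta(seconds=60), threshold=5):
    """Alert on >= threshold failed logins from one source IP inside `window`,
    and note whether that IP then logged in successfully (a likely compromise)."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    by_ip = {}
    for e in events:                     # log order is chronological
        by_ip.setdefault(e["ip"], []).append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(failures)):   # sliding window anchored at failure i
            burst = [f for f in failures[i:] if f["ts"] - failures[i]["ts"] <= window]
            if len(burst) < threshold:
                continue
            success = next((e for e in evs if e["result"] == "Accepted"
                            and e["ts"] >= burst[-1]["ts"]), None)
            alerts.append({
                "ip": ip, "host": evs[0]["host"],
                "failures": len(burst),
                "distinct_users": len({f["user"] for f in burst}),
                "first": burst[0]["ts"].isoformat(), "last": burst[-1]["ts"].isoformat(),
                "success_user": success["user"] if success else None,
                "severity": "critical" if success else "high",
            })
            break                        # one alert per IP is enough
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

The same logic is what a SIEM correlation rule expresses; the point of the example is that it only works if every host forwards its auth log to one place, since a bot that spreads five attempts over five servers never crosses the threshold on any single one of them.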
The Domain Name System (DNS) provides the standard mechanism for resolving machine hostnames to IP addresses. Because DNS directs network traffic to the legitimate web servers and target machines, DNS servers are a common target: attackers go after their availability or stability as part of a broader attack strategy.
Some possible DNS attacks include:
- Cache poisoning
- Distributed Reflection DoS Attacks
- NXDOMAIN attacks
- DNS Tunneling
- Random Subdomain Attacks
- Domain lock-up attack
If DNS events are not logged and monitored, administrators cannot see which names attackers (posing as ordinary users) query or which machines they interact with. Without query logging and analysis, threat actors can carry on with malware installation, credential theft, command-and-control communication, network footprinting, and data theft unnoticed.
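What resolver query logging lets an analyst see, as an added example that is not part of the original page: it runs over a constructed query log (a simplified `timestamp client qname qtype rcode` format standing in for a resolver's query/response log, with hypothetical clients and example domains) and flags two of the attack patterns listed above, a random-subdomain attack showing up as a burst of NXDOMAIN answers under one zone from one client, and DNS tunneling showing up as long, high-entropy leftmost labels repeated from one client. Thresholds are chosen for the sample and would be tuned per environment.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample query log: "<utc-timestamp> <client> <qname> <qtype> <rcode>".
# The format is a simplified stand-in for a resolver's query/response log;
# clients and zones are hypothetical (documentation ranges and example domains).
SAMPLE_DNS_LOG = """\
2024-03-12T10:00:01Z 203.0.113.7 kx9q2.example.com A NXDOMAIN
2024-03-12T10:00:01Z 203.0.113.7 p0zlm.example.com A NXDOMAIN
2024-03-12T10:00:02Z 203.0.113.7 a8r3t.example.com A NXDOMAIN
2024-03-12T10:00:02Z 203.0.113.7 zz1ee.example.com A NXDOMAIN
2024-03-12T10:00:03Z 203.0.113.7 m4ndq.example.com A NXDOMAIN
2024-03-12T10:00:03Z 203.0.113.7 wb72c.example.com A NXDOMAIN
2024-03-12T10:00:10Z 198.51.100.20 www.example.com A NOERROR
2024-03-12T10:00:11Z 198.51.100.20 mail.example.com MX NOERROR
2024-03-12T10:00:20Z 192.0.2.44 aGVsbG8gd29ybGQgdGhpcyBpcyBh.t.example.net TXT NOERROR
2024-03-12T10:00:21Z 192.0.2.44 c2VjcmV0IGRhdGEgZXhmaWwgaGVyZQ.t.example.net TXT NOERROR
"""

def shannon_entropy(s):
    """Bits per character; random-looking (encoded) data scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_dns_line(line):
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rcode = parts
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "qname": qname.rstrip("."), "qtype": qtype, "rcode": rcode}

def zone_of(qname):
    """Registered-domain approximation: the last two labels (enough for the sample)."""
    return ".".join(qname.split(".")[-2:])

def analyze_dns_log(text, window=timedelta(seconds=60), nx_threshold=5,
                    min_label_len=20, entropy_threshold=3.5, tunnel_threshold=2):
    records = [r for r in map(parse_dns_line, text.splitlines()) if r]
    findings = []

    # 1. Random-subdomain attack: many distinct NXDOMAIN names under one zone
    #    from one client inside the window (also the NXDOMAIN-flood signature).
    nx = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            nx[(r["client"], zone_of(r["qname"]))].append(r)
    for (client, zone), recs in nx.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            names = {r["qname"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(names) >= nx_threshold:
                findings.append({"type": "nxdomain_burst", "client": client,
                                 "zone": zone, "count": len(names)})
                break

    # 2. Tunneling heuristic: long, high-entropy leftmost labels carry encoded
    #    payload; repeated from one client they are worth an analyst's time.
    tun = defaultdict(list)
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            tun[r["client"]].append(r["qname"])
    for client, names in tun.items():
        if len(names) >= tunnel_threshold:
            findings.append({"type": "possible_tunneling", "client": client,
                             "zone": zone_of(names[0]), "queries": len(names)})
    return findings

if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f)
```

Both heuristics produce false positives on legitimate traffic (CDN hostnames and some anti-spam lookups also use long encoded labels), so the findings are a queue for an analyst rather than an automatic block; the thing to notice is that neither pattern is visible at all on a resolver that does not log queries.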
Organizations that invest heavily in securing systems against external attacks often underestimate internal threats. Insiders remain a concern because their suspicious activity typically goes unchecked: malicious or compromised insiders already have legitimate access to management and security controls, which makes them a severe threat. Though this may sound alarming, the mitigation is comparatively simple and depends on an effective logging mechanism.
Insufficient monitoring and log management leave user behavior untraceable, which lets imposters or malicious insiders compromise the system at a much deeper level.
Insider-driven threats that go undetected when logging and monitoring are insufficient include the following:
- Malware traffic
- Ransomware attacks
- Advanced Persistent Threats
How Attackers Leverage Security Logging and Monitoring Failures
When important security information is not logged, security administrators are not alerted to unusual events; every vulnerability then becomes a potential breach, with the risk of a follow-on privilege escalation attack. An intrusion usually unfolds in the following order:
Typical active attacks begin with the attacker probing the system for security vulnerabilities. Next, they exploit areas of the web server that were built without following security best practices, and then take advantage of ineffective incident response and remediation to deepen their hold on the system or reach more critical data. Because the time to detect a breach is long, commonly cited as 150-200 days, threat actors have ample time to quietly look for additional privileged access.
Once inside, attackers conceal their presence and identity as far as possible. They may even try to erase event logs; on a system with comprehensive, centralized log management that itself raises an alarm, while on a system that lacks it the erasure goes unnoticed.
Once they have gained access, attackers typically use well-known attack strategies to cover more ground. Here are a few examples:
Password Attacks
Various methods aim to gain unauthorized access to user accounts; password attacks include brute force, dictionary attacks, and password sniffers.
Advanced Persistent Threats
Intruders gain access to a network and stay undetected, generally monitoring traffic to extract critical information.
Man-in-the-Middle Attacks
A threat actor intercepts and modifies messages between a server and a client; such attacks include Wi-Fi eavesdropping, session hijacking, and email hijacking.
Denial of Service
Once attackers gain initial access to the system, they may attempt to shut down the network or machine and reduce its ability to respond to user requests by flooding the server with bot-generated traffic.
Business Impacts of Security Logging and Monitoring Attacks
Without proper logging and monitoring mechanisms, it is significantly harder for organizations to detect and mitigate breaches, which costs businesses time and money. The following are some of the consequences of inadequate logging and monitoring:
Denial of Service
Threat actors carrying out a Denial of Service (DoS) attack generally flood a target server with traffic until it crashes or stops responding. The volume overwhelms the server, and its services become inaccessible to legitimate users. Attackers also shape the attack to resemble a non-malicious availability issue, which makes it harder to recognize and trace without good monitoring.
Reduced Data Integrity
It is difficult to set proper controls for the phases of the IT information life cycle when there are no adequate logging and monitoring tools. Threat actors who gain unauthorized access to a system can alter log data, change entries, and inject unexpected input into the system. Company data then becomes inconsistent, inaccurate, or incomplete, and unreliable for business needs.
Information Disclosure
Improper logging and monitoring let attackers reach private information, which costs businesses money and reputation. Event logs often contain sensitive user and system information, and a threat actor who can read them can reuse that information for further attacks, which is why secrets and personal data should not be written to logs in the first place (CWE-532).
Untraceable Attacks
Proper logging and monitoring make it easier to identify the users and processes interacting with a system. Without them it is difficult to trace the source of a message or request, and therefore the source of a threat, which encourages further attacks.
Lack of Accountability
Without a way to track user activity and network security, an organization's security readiness cannot be trusted. Logging and monitoring mechanisms let every event related to the system be tracked and verified.
How to Prevent Security Logging and Monitoring Failures
- Ensure all login, access control, and server-side input validation failures are logged with sufficient user context to identify suspicious or malicious accounts, and retain the logs long enough to permit delayed forensic analysis.
- Ensure that logs are generated in a format that can be easily consumed by log management software.
- Ensure log data is encoded properly to prevent injection or attacks on the logging or monitoring systems (CWE-117).
- Ensure high-value transactions have an audit trail with integrity controls that prevent tampering and deletion, such as append-only database tables.
- DevSecOps teams should establish effective monitoring and alerting so that suspicious activity is detected and handled quickly.
- Establish or adopt an incident response and recovery plan, such as NIST SP 800-61r2 or later.
- To ensure fault tolerance, back up log files to multiple servers.
- Conduct penetration tests on a regular basis to identify gaps in incident monitoring and reporting.
- Automate log event monitoring and alerting so that detection does not depend on someone reading logs by hand.
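The first four items of the list above (context-rich failure logging, a machine-consumable format, output neutralization, and a tamper-evident audit trail) put into one piece of code, as an added example that is not part of the original page. An in-memory list stands in for the log shipper or SIEM; the field names, the set of secret keys, and the SHA-256 hash chain used for the append-only audit trail are choices made for the example, not something the page prescribes. The hostile username shows the CWE-117 case: a newline in user input that, written raw, would forge a second "success" record.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example: an in-memory list stands in for the log shipper / SIEM sink.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "cookie"}

def neutralize(value):
    """CWE-117: encode control characters (CR, LF, ESC, ...) so user input cannot
    forge extra log records or terminal escapes. Non-strings are JSON-encoded."""
    text = value if isinstance(value, str) else json.dumps(value)
    return "".join(ch if ch.isprintable() else f"\\u{ord(ch):04x}" for ch in text)

def redact(fields):
    """CWE-532: never write secrets to the log, even on failure paths."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in fields.items()}

class SecurityLogger:
    """Emits one JSON object per line (machine-consumable) with the context an
    analyst needs: who, from where, which request, and why it failed."""
    def __init__(self, sink=None):
        self.sink = [] if sink is None else sink

    def event(self, name, outcome, **fields):
        record = {"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                  "event": name, "outcome": outcome}
        record.update({k: neutralize(v) for k, v in redact(fields).items()})
        self.sink.append(json.dumps(record, separators=(",", ":")))
        return record

class AuditTrail:
    """Append-only audit log for high-value transactions: each entry's hash
    commits to the previous hash, so deleting, reordering or editing an entry
    breaks verification from that point on."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(seq, prev, body):
        return hashlib.sha256(f"{seq}|{prev}|{body}".encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = json.dumps({k: neutralize(v) for k, v in redact(fields).items()},
                          sort_keys=True)
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "body": body,
                 "hash": self._digest(seq, prev, body)}
        self.entries.append(entry)
        return entry["hash"]

    @classmethod
    def verify(cls, entries):
        """Return None if the chain is intact, else the index of the first bad link."""
        prev = cls.GENESIS
        for i, e in enumerate(entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != cls._digest(i, prev, e["body"]):
                return i
            prev = e["hash"]
        return None

def demo():
    log = SecurityLogger()
    # Hostile username that tries to inject a fake "success" record on a new line.
    hostile_user = 'alice\n{"event":"login","outcome":"success","user":"admin"}'
    rec = log.event("login", "failure", user=hostile_user, src_ip="203.0.113.7",
                    request_id="req-8f1c", reason="bad_password", password="hunter2")

    trail = AuditTrail()
    trail.append(actor="alice", action="transfer", amount=2500, to_account="ACC-42")
    trail.append(actor="alice", action="transfer", amount=99000, to_account="ACC-77")
    trail.append(actor="admin", action="limit_change", new_limit=100000)

    deleted = [dict(e) for e in trail.entries]
    del deleted[1]                                   # an attacker removes the big transfer
    edited = [dict(e) for e in trail.entries]
    edited[2]["body"] = edited[2]["body"].replace("100000", "900000")

    return {"record": rec, "lines": list(log.sink),
            "intact": AuditTrail.verify(trail.entries),
            "deleted_at": AuditTrail.verify(deleted),
            "edited_at": AuditTrail.verify(edited)}

if __name__ == "__main__":
    out = demo()
    print(out["lines"][0])
    print("chain ok:", out["intact"] is None, "| deleted entry detected at:",
          out["deleted_at"], "| edited entry detected at:", out["edited_at"])
```

Two caveats a practitioner would add: the hash chain detects edits and deletions in the middle but not truncation of the tail, so the latest hash has to be anchored somewhere the application cannot rewrite (a write-once store, a signed checkpoint, or the log shipper's own copy); and redaction by key name is only as good as the key list, so request bodies and exception messages should be treated as untrusted and logged selectively rather than dumped whole.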