Nearly all major security incidents originate from the exploitation of insufficient logging, unplanned security strategies, or insufficient monitoring. Businesses that run applications with insufficient or no logging run the risk that an attack takes so long to detect and mitigate that it does considerable damage to the entire tech stack.
Logging & monitoring functions provide administrators and security teams with raw traffic data that help detect potential threats by identifying unusual patterns. These mechanisms are basic security pillars that form the foundation of a robustly administered security framework.
In the absence of diligently planned logging mechanisms, an organization has no audit trail for security analysis, which gives attackers plenty of time to penetrate further components of the ecosystem.
Attacks that exploit insufficient monitoring and logging are usually ranked high in prevalence, medium in opportunity, and low in detectability. Ensuring that all events are logged and monitored is therefore often considered the first step in intrusion detection.
This article explores the vulnerabilities and business impacts arising from insufficient logging & monitoring, and the best practices and tools that prevent attackers from exploiting these weaknesses.
Table of contents
- What Is Insufficient Logging and Monitoring
- Threats Associated with Insufficient Logging & Monitoring
- How Attackers Leverage Insufficient Logging and Monitoring
- Business Impacts of Insufficient Logging and Monitoring Attacks
- Examples of Insufficient Logging and Monitoring Attacks
- Preventing Insufficient Logging and Monitoring Attacks
- Security Logging and Monitoring Best practices
- Final Conclusions and Frequently Asked Questions
What Is Insufficient Logging and Monitoring
Attackers leverage gaps in logging and monitoring, counting on the time it takes security teams to detect and remediate an intrusion to escalate their privileges. This section explores the threats associated with insufficient logging & monitoring and the business impacts of a successful attack.
An inadequately logged system is typically exploited because of the following shortcomings, which arise in the absence of an efficient logging and monitoring framework:
- Unlogged events and transactions
- Missing log backups
- Obscure error logging
- Missing breach escalation plans
- Poor authentication management
- Ineffective training on logging and monitoring
- Lack of exports to analyze log data
- Software misconfigurations
Threats Associated with Insufficient Logging & Monitoring
Attackers often leverage many internet-connected devices to inject malware into a system and coordinate a cyber attack. Such malware often takes the form of automated bots that manipulate the application in different ways, from simple spamming operations to more complex attacks intended to manipulate the application.
These are also commonly supported by botnets that orchestrate various attacks, including Brute Force, Phishing, and Distributed Denial of Service (DDoS) attacks. Botnet attacks rely on a chain of actions running through multiple stages. In the absence of proper logging of event data, these attacks are almost impossible to detect or analyze.
An efficient monitoring system built on tools like Syslog is often considered the first line of defense for reducing the likelihood and severity of botnet attacks.
The Domain Name System (DNS) offers a standard mechanism for mapping machine hostnames to their IP addresses. Since DNS directs network traffic to the correct web servers and target machines, DNS servers are common weak points: attackers often target their availability or stability as part of an overall attack strategy.
Some possible DNS attacks include:
- Cache poisoning
- Distributed Reflection DoS Attacks
- NXDOMAIN attacks
- DNS Tunneling
- Random Subdomain Attacks
- Domain lock-up attack
If DNS-based events are not logged and appropriately monitored, administrators won't know which machines attackers (disguised as users) query and interact with. Additionally, in the absence of adequate query logging and analysis, threat actors can carry out malicious actions such as malware installation, credential theft, command & control communication, network footprinting, and data theft.
Organizations that invest a fortune in securing systems against external attacks often underestimate internal threats. Internal threat actors remain a critical concern because their suspicious activities often go unchecked. Malicious or compromised insiders pose a severe threat to systems since they have access to various control and security measures. Though a situation like this may sound astonishing, the mitigation is relatively straightforward and relies on an efficient logging mechanism.
Insufficient monitoring and log management in such instances results in untraceable user behavior patterns, thereby allowing imposters or malicious insiders to compromise the system at a much deeper level.
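As an added example (not part of the original article), the following Python script runs two simple checks over constructed resolver query-log lines: a per-client NXDOMAIN count, which surfaces random-subdomain and NXDOMAIN floods, and an entropy test on long leftmost labels, a common DNS tunnelling indicator. The log layout, hostnames, client IPs and thresholds are all assumptions made for this example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed "<client_ip> <qname> <qtype> <rcode>" layout
# (modelled loosely on a resolver query log; not taken from the article).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com MX NOERROR
10.0.0.9 a8f3k2j9x7q1m4n6p0.corp-update.net TXT NOERROR
10.0.0.9 z1y2x3w4v5u6t7s8r9.corp-update.net TXT NOERROR
10.0.0.9 q9w8e7r6t5y4u3i2o1.corp-update.net TXT NOERROR
10.0.0.7 kq2j.example.com A NXDOMAIN
10.0.0.7 p0sd.example.com A NXDOMAIN
10.0.0.7 xm1z.example.com A NXDOMAIN
10.0.0.7 b7tt.example.com A NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(log_text, nx_threshold=3, min_label_len=16, entropy_threshold=3.5):
    """Return (clients with >= nx_threshold NXDOMAIN answers,
    {client: qnames whose leftmost label is long and high-entropy}).
    Both are leads for an analyst to review, not verdicts."""
    nxdomain_per_client = Counter()
    odd_labels = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        client, qname, _qtype, rcode = m.groups()
        if rcode == "NXDOMAIN":  # random-subdomain floods show up as NXDOMAIN bursts
            nxdomain_per_client[client] += 1
        leftmost = qname.split(".")[0]
        if len(leftmost) >= min_label_len and label_entropy(leftmost) >= entropy_threshold:
            odd_labels[client].add(qname)  # long random labels: a classic tunnelling tell
    nx_flagged = {c for c, n in nxdomain_per_client.items() if n >= nx_threshold}
    return nx_flagged, dict(odd_labels)
```

Without query logging neither signal exists, which is the point of the paragraph above; with it, both checks run in a few lines of analysis.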
Some commonly known insider threats arising from insufficient logging & monitoring include:
- Malware traffic
- Ransomware attacks
- Advanced Persistent Threats
How Attackers Leverage Insufficient Logging and Monitoring
Without logging of critical security information, security admins are not alerted to unusual events, which turns every vulnerability into a potential breach and risks a further privilege escalation attack. This typically unfolds in the following order:
Once an attacker has gained access to a system, they attempt to hide their presence and identity as much as possible. For systems that lack comprehensive log management, hackers even try to erase event logs that may raise the alarm.
The attackers then try to exploit areas of the web server that were developed without following security best practices. Typical active attacks begin with the attacker probing the system for security vulnerabilities. They then take advantage of ineffective incident response and remediation to deepen their hold on the system or reach more crucial data. As response times for insufficient logging & monitoring incidents are long, typically 150-200 days, these threat actors have considerable time to test discreetly for more privileged access.
Hackers typically utilize well-known advanced attack strategies to cover more ground once they have gained the initial access. Some of these include:
- Password Attacks – Various methods aimed at obtaining unauthorized access to user accounts. Some password attack methods include Brute Force, Dictionary Attacks, and Password Sniffers.
- Advanced Persistent Threats – Intruders access a network and stay undetected, typically monitoring traffic to extract crucial data.
- Man-in-the-middle attack (MITM) – A threat actor intercepts and modifies messages between a server and the client (or two communicating parties). Such attacks include Wi-Fi eavesdropping, Session Hijacking, and Email Hijacking.
- Denial-of-Service Attack – Once attackers gain initial access to the system, they attempt to shut down the network/machine and reduce its ability to respond to user requests by flooding the server with enormous bot-generated traffic.
Business Impacts of Insufficient Logging and Monitoring Attacks
Without proper logging and monitoring mechanisms, it is significantly harder for organizations to detect and mitigate breaches, which costs businesses time and money. Some effects of insufficient logging and monitoring attacks include:
Threat actors looking to carry out a Denial of Service (DoS) attack typically flood a target server with traffic until it crashes or stops responding. This brute-force approach overwhelms the server, and its services become inaccessible to legitimate users. Attackers also make the attack resemble a non-malicious availability issue, which makes it even harder to track.
Event logs typically contain sensitive user and system information. Threat actors with access to system logs have unrestricted access to this data, which they can use for further malicious purposes. Improper logging and monitoring mechanisms give attackers access to private information, which costs businesses money and reputation.
Reduced Data Integrity
It is difficult to set proper controls for the different phases of the IT data life cycle when no adequate logging and monitoring tools are in place. Threat actors who gain illegal access to a system can easily alter log data, change entries, and inject unexpected inputs into the system. Company data then becomes inconsistent, inaccurate, or incomplete, making it unreliable or invalid for business use.
Proper logging and monitoring make it easier to identify the users and processes interacting with a system. Without them, it is difficult to trace the source of a message or request, and therefore the source of a threat, which encourages further attacks on the system.
Lack of Accountability
It is difficult to trust an organization’s security preparedness when there’s no way to track user and network security. Logging and monitoring mechanisms serve as an assurance that all events related to the system can be tracked and verified.
Examples of Insufficient Logging and Monitoring Attacks
Without proper monitoring and logging of network traffic, businesses fail to prevent attackers from installing malware and accessing crucial data. Some well-known examples of security incidents in recent history arising from insufficient logging and monitoring include:
The Stuxnet Worm Attack on Iran’s Nuclear Program
The Stuxnet worm is a masterfully crafted piece of malware that attacks Supervisory Control and Data Acquisition (SCADA) systems. In 2010, the security team at the Iranian nuclear program discovered that the worm had been used to access critical weapons control systems.
On deeper analysis, the worm was found to have been active since 2005 and to have spread via infected USB drives. The attackers took advantage of poor logging and monitoring mechanisms to gain elevated access discreetly.
The 2017 Verizon Communications Data Breach
While no data was stolen, Verizon admitted that at least 14 million customer records were exposed on the internet in a data breach discovered in 2017. These records included data such as phone numbers and account PINs. The data was not password-protected, and attackers could easily have downloaded and exploited it.
However, the records were stored in a cloud-based data repository and were discovered by a cybersecurity researcher before any attackers could take advantage of the loophole.
The 2019 Dominion National Data Breach
In 2019, the insurer Dominion National discovered that members of its health plans could have been exposed to a data breach that lasted more than nine years. The breach, which was determined to have affected over 2 million individuals, exposed sensitive customer data, including:
- Bank account numbers
- Routing numbers
- Taxpayer identification information
- Social security numbers
- Names and dates of birth, among others
After an exhaustive investigation, it was determined that this information was not accessed or used by unauthorized persons. Dominion National was, however, ordered to cover any claims for monetary losses reasonably traceable to the breach.
Preventing Insufficient Logging and Monitoring Attacks
Proper logging and monitoring are the keys to early detection and remediation of most security risks and threats. Logging involves tracing and storing information related to events in the system, while monitoring consists of analyzing and visualizing these metrics to identify patterns and anomalies.
Administering efficient logging and monitoring strategies is therefore considered crucial to maintaining a security posture and performance. The following section explores the tools and best practices that help prevent insufficient logging and monitoring attacks:
Security Logging and Monitoring Best practices
The Open Web Application Security Project (OWASP) recommends various best practices for efficient logging and monitoring. These include:
- Ensure sufficient logging for all authentication failures, including login, access control, and server-side validation
- Create context and understand baseline traffic to enable easy identification of suspicious and malicious activity
- Have an audit trail for critical and high-value transactions to prevent deletion or tampering
- Backup log files on multiple servers to enable fault tolerance
- Authenticate access to logs
- Automate monitoring and alerts for log events
- Create an integrated platform for log management and monitoring, complete with real-time alerts and visualization
- Have an ITIL-based formal incident response plan and resolution strategy that follows set standards
- Always perform penetration tests to identify gaps in incident monitoring and reporting
- Have a recovery plan or strategy ready for rainy days
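To make the authentication-failure, audit-trail and automated-alert items above concrete, here is an added Python example (not OWASP's or the article's own code): a hash-chained security log whose verify() detects edited or deleted entries, a record_auth_failure() helper that captures who, from where and when, and a brute_force_alerts() rule over the logged failures. The class and function names, the field layout and the sample IPs and timestamps are this example's own assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

def _digest(prev, event):  # canonical JSON so an identical event always hashes identically
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True, separators=(",", ":"))).encode()).hexdigest()

class SecurityLog:
    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        self.records.append({"prev": prev, "event": event, "hash": _digest(prev, event)})
        # store the returned head hash off-host: tail truncation is invisible to verify()
        return self.records[-1]["hash"]

    def verify(self):
        """False if any record was edited or removed from inside the chain."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
                return False
            prev = rec["hash"]
        return True

def record_auth_failure(log, user, src_ip, when):
    # the fields OWASP wants for a login failure: who, from where, when (UTC)
    return log.append({"type": "auth_failure", "user": user, "src_ip": src_ip, "ts": when.isoformat()})

def brute_force_alerts(log, threshold=5, window=timedelta(minutes=5)):
    # automated alert rule: >= threshold failures from one source IP within window
    by_ip = {}
    for ev in (r["event"] for r in log.records):
        if ev["type"] == "auth_failure":
            by_ip.setdefault(ev["src_ip"], []).append(datetime.fromisoformat(ev["ts"]))
    def burst(times):
        times.sort()
        return any(times[i + threshold - 1] - times[i] <= window
                   for i in range(len(times) - threshold + 1))
    return {ip for ip, times in by_ip.items() if burst(times)}

def demo():
    # constructed sample: six failures in 75 s from one IP plus one stray failure
    log = SecurityLog()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for i in range(6):
        record_auth_failure(log, "alice", "203.0.113.7", t0 + timedelta(seconds=15 * i))
    record_auth_failure(log, "bob", "198.51.100.2", t0)
    return log
```

Because removing records from the tail leaves a valid chain, the head hash returned by append() has to be copied to a separate host for truncation to be detectable, which is the practical reason behind the "backup log files on multiple servers" item.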
Popular Logging and Monitoring solutions
There are several helpful tools that organizations can use to set up a centralized system for the logging, analysis, and reporting of event data. These include:
This open-source project integrates existing logging mechanisms with security best practices to provide real-time, application-layer intrusion detection for self-healing applications. It also provides a framework for automated responses to security incidents.
NLog is another open-source, flexible logging solution for processing events and alerts, used mainly on .NET platforms. It takes in logging data from .NET code and augments it with contextual information for real-time log analysis.
Final Conclusions and Frequently Asked Questions
What is Security Logging?
Security logging is recording information about what happens within your network. Security logs include everything from firewall logs to event logs to application logs. Each type of log provides different kinds of information.
For example, a firewall log may record the source IP address of each packet sent or received by the device. Event logs record the date, time, and details of each event that occurs within the computer. Application logs record the name of the process that was running when the event occurred.
How do I know whether I’m being attacked? How do I find out what is going on?
You need to be able to tell when an attack is occurring. There are two ways to do this:
1) Monitor your logs.
2) Use a tool such as NLog to analyze the logs.
How Many Logs Should I Monitor?
It depends on how much you want to spend on this. The more logs you collect, the better chance you have at catching malicious activities.
Insufficient log management and monitoring is a major reason why companies are unable to remediate security incidents effectively. Proper logging, by contrast, allows companies to take the right reactive approach and corrective measures to ensure systems are secured in the future. As a result, insufficient logging and monitoring pose a unique level of vulnerability that remains a staple of attackers' exploits.
This is confirmed by the fact that as of 2018, 35% of orchestrated hacks were fileless, since file-based attacks are easier to detect with traditional logging and monitoring mechanisms. The ImmuniWeb report also states that over 93% of security breaches carried out in 2017 could have been prevented with basic logging and monitoring measures (source: www.immuniweb.com).
Crashtest Security offers a comprehensive security assessment to ensure that every transaction on your web application is sufficiently logged with integrity controls. To know more about how Crashtest Security can perform a comprehensive scan and protect your tech stack from malicious attacks, sign up for free here.