In the world of cyber defense, log analysis has become absolutely critical in discovering and researching threats. No longer are we in the era of plain-text reverse shells and directory traversal attacks. Network intrusion detection systems (NIDS) are increasingly ineffective. So what changed over the last decade to make this the current reality?
In the year 2015, almost every popular website supports encryption, and many enable it by default. Google, Facebook, Twitter, and many other sites enforce SSL on their default traffic. This is great for user privacy and end-to-end security. What it's not so great for is your everyday NIDS analyst. To make things worse, most types of malware now use encryption as well! The days of Snort content and pattern matching are effectively dead and gone.
There are certainly other ways to detect intrusions through NIDS. DNS queries, IP blacklists, anomalous SSL certificates, and SSL stripping can all be used to identify malicious traffic. However, there is an even better way. Not only does it sidestep the encryption issue entirely, but it can additionally discover new and previously unknown threats. Yes, I'm talking about log analysis.
Log analysis has become increasingly important as malware and hostile traffic grow in complexity to evade typical NIDS setups. It’s just not good enough anymore to install Snort on a system, download the latest rule-sets, and call it a day. You will miss threats, you will get infections, and sophisticated attacks will plague your network.
There are many types of logging capabilities, but we're going to focus on system logs. The excellent cheat-sheet provided below by MalwareArchaeology.com can give you the information you need to get started with Windows logging. We won't pretend that log analysis is simple, or something you're going to pick up in a day. This type of analysis can be extremely complex, convoluted, and difficult to perform. However, when you are dealing with system logs, the ground truth is far more evident than with a NIDS implementation.
To provide a real-life example, imagine you are at a cyber exercise or competitive event. An opposing team gains access to your primary domain controller, through the Microsoft Remote Desktop Protocol (RDP). They have used a default username and password which you neglected to secure. What exactly are you going to see on a NIDS display? RDP traffic, which by itself is indicative of nothing more than a remote connection. It could be legitimate or hostile, it’s definitely going to be encrypted, and you’ll have no idea what changes are being made even if you can prove it’s a hostile attack!
Properly configured log analysis, on the other hand, will give you everything you need to know. Account logon audit policies will show you the user account which accessed your system, when the connection took place, and from where it originated. Policy change logs will show any modifications to your domain configuration and user accounts. File audits will help you identify malware injects and unwanted file modifications. Registry audits will help you track system changes. And we have only gone over a few types of logs!
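To make the domain controller scenario concrete, here is an added example (not code from the original post or from MalwareArchaeology.com) that triages Windows Security events the way a logon audit policy would surface them. It assumes the events have already been exported to simple records; the field names (`time`, `id`, `target_user`, `src_ip`, `logon_type`, `subject_user`) are assumptions standing in for whatever your SIEM or EVTX export produces. The event IDs themselves are real Windows Security IDs: 4624 is a successful logon (logon type 10 is RemoteInteractive, i.e. RDP), 4625 is a failed logon, and 4720/4722/4724/4728/4732 are account and group changes. The sample events are constructed to mirror the attack described above: failed guesses, an RDP logon from an unknown host, then a new account created by that session.

```python
"""Triage Windows Security events for an RDP logon to a domain controller."""
from datetime import datetime, timedelta

# Constructed sample records modelled on exported Security event fields.
# Field names are assumptions; event IDs are the real Windows ones.
EVENTS = [
    {"time": "2015-06-01T02:10:00", "id": 4625, "target_user": "Administrator",
     "src_ip": "10.9.8.7", "logon_type": 10},
    {"time": "2015-06-01T02:10:30", "id": 4625, "target_user": "Administrator",
     "src_ip": "10.9.8.7", "logon_type": 10},
    {"time": "2015-06-01T02:11:00", "id": 4624, "target_user": "Administrator",
     "src_ip": "10.9.8.7", "logon_type": 10},
    {"time": "2015-06-01T02:12:00", "id": 4720, "subject_user": "Administrator",
     "target_user": "svc_backup2"},
    {"time": "2015-06-01T09:00:00", "id": 4624, "target_user": "jsmith",
     "src_ip": "10.0.0.5", "logon_type": 10},
]

# Hosts from which interactive admin RDP sessions are expected (constructed).
KNOWN_ADMIN_HOSTS = {"10.0.0.5"}

# 4720 user created, 4722 user enabled, 4724 password reset,
# 4728 member added to global group, 4732 member added to local group.
ACCOUNT_CHANGE_IDS = {4720, 4722, 4724, 4728, 4732}
RDP_LOGON_TYPE = 10


def parse_time(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def rdp_logons(events):
    """Successful RemoteInteractive (RDP) logons: event 4624, logon type 10."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE]


def find_suspicious_rdp(events, known_hosts, window=timedelta(minutes=10)):
    """Flag RDP logons that came from an unknown host, followed failed
    attempts for the same account, or were followed by account changes
    made by the logged-on user within `window`."""
    by_time = sorted(events, key=lambda e: parse_time(e["time"]))
    minutes = int(window.total_seconds() // 60)
    findings = []
    for logon in rdp_logons(by_time):
        t = parse_time(logon["time"])
        reasons = []
        if logon["src_ip"] not in known_hosts:
            reasons.append("source host not in admin allow-list")
        failures = [e for e in by_time
                    if e["id"] == 4625
                    and e["target_user"] == logon["target_user"]
                    and e["src_ip"] == logon["src_ip"]
                    and t - window <= parse_time(e["time"]) < t]
        if failures:
            reasons.append(f"{len(failures)} failed logon(s) within "
                           f"{minutes} min before success")
        changes = [e for e in by_time
                   if e["id"] in ACCOUNT_CHANGE_IDS
                   and e.get("subject_user") == logon["target_user"]
                   and t <= parse_time(e["time"]) <= t + window]
        if changes:
            ids = sorted({e["id"] for e in changes})
            reasons.append(f"account changes after logon: {ids}")
        if reasons:
            findings.append({"user": logon["target_user"],
                             "src_ip": logon["src_ip"],
                             "time": logon["time"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp(EVENTS, KNOWN_ADMIN_HOSTS):
        print(f["time"], f["user"], f["src_ip"])
        for r in f["reasons"]:
            print("   -", r)
```

Note that the 09:00 logon by `jsmith` from an allow-listed host produces nothing, while the 02:11 Administrator logon is flagged three times over. None of this is visible to a NIDS watching the RDP stream; all of it comes from the logon and account-management audit categories the paragraph above describes.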
As you make your way in the ever-changing and dangerous world of cyber security, remember that logging and auditing are your friends. NIDS cannot and will not detect everything. This isn't 2005, and we face increasingly difficult challenges in information security. Logging and auditing correctly isn't an easy task, but it's something you should learn sooner rather than later. Whether you are performing malware analysis in a sandbox environment or securing an enterprise-level network, don't just count on Snort with a standard ruleset; properly configure and monitor system and network logs in order to stay ahead of the curve!