The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), in collaboration with the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and several international partners released a new guide titled “Best Practices for Event Logging and Threat Detection,” which aims to help organizations establish a robust baseline for event logging to counteract the rise of malicious cyber threats.
According to CISA, the prevalence of sophisticated attacks such as Living Off the Land (LOTL) techniques and fileless malware highlights the critical need for effective event logging. LOTL techniques involve using existing tools and processes within the system to carry out malicious activities, making them particularly challenging to detect. To address these threats, the newly released guide focuses on enhancing event logging strategies and threat detection capabilities.
Importance of Event Logging and Threat Detection
Event logging is essential for maintaining operational continuity and enhancing the security and resilience of critical systems. By improving network visibility through comprehensive event logging, organizations can better identify and respond to potential security incidents, including those involving LOTL techniques. The “Best Practices for Event Logging and Threat Detection” guide, crafted through a collaborative effort of prominent global cybersecurity agencies, outlines essential strategies for enhancing event logging practices.
This guide was developed by key organizations, including CISA, FBI, and NSA from the United States; the National Cyber Security Centre (NCSC-UK) from the United Kingdom; the Canadian Centre for Cyber Security (CCCS); New Zealand’s National Cyber Security Centre (NCSC-NZ) and CERT NZ; Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and JPCERT/CC; South Korea’s National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea); Singapore’s Cyber Security Agency (CSA); and the Netherlands’ General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).
The guide highlights several key objectives for effective event-logging solutions. It advocates for generating alerts for significant cybersecurity events, such as critical software changes or new deployments, to aid network defenders. It also stresses the importance of detecting potential incidents, including those involving Living Off the Land (LOTL) techniques and lateral movements within networks.
Additionally, the guide highlights the need for effective incident response by providing detailed insights into compromises, ensuring policy compliance, managing alerts to reduce noise and associated costs, and optimizing logs and logging platforms for enhanced usability and analytical performance.
Best Practices for Event Logging and Threat Detection
Effective event logging and threat detection are crucial for safeguarding organizational systems against cyber threats. Implementing best practices in these areas can significantly enhance an organization’s ability to detect and respond to malicious activities.
Several key practices are essential for effective event logging and threat detection. First, developing a comprehensive enterprise-approved event logging policy is crucial for maintaining consistent and effective monitoring. This policy should clearly define the types of events to be logged, the facilities and methods for logging, and the procedures for monitoring these logs. It should also specify how long logs will be retained and establish regular intervals for reassessing and updating logging practices. A well-structured policy ensures that logging is thorough and uniform across the organization, which is vital for detecting and responding to security threats.
Additionally, focusing on the quality of event logs is essential for accurate threat detection. High-quality logs capture relevant and actionable data, helping to distinguish true positives from false positives. For example, on Linux-based systems, logs should include common Living Off the Land (LOTL) binaries such as curl and systemctl, while on Windows systems, logs should cover tools like wmic.exe and PowerShell. High-quality logging improves the ability to detect subtle indicators of LOTL techniques and other sophisticated attacks.
Event logs should also capture comprehensive details to support effective threat detection and incident response. According to the US Office of Management and Budget’s M-21-31 guidelines, logs should include accurate timestamps, event types, device identifiers, source and destination IP addresses, status codes, response times, user IDs, and executed commands. Detailed logs provide a thorough view of system activities, which is crucial for identifying and analyzing potential security incidents.
For Operational Technology (OT) environments, which often involve devices with limited logging capabilities, it is important to supplement logging with additional sensors or methods. Organizations should balance the volume of logged data with the performance constraints of OT devices, ensuring that critical events are captured without negatively impacting device functionality.
Centralizing event logs from various systems facilitates better analysis and correlation. Employing structured log formats and maintaining consistent timestamping streamline log management, enabling more efficient data analysis and improving overall threat detection and response.
Securing the storage and integrity of event logs is critical to prevent unauthorized access and tampering. Organizations should implement secure storage solutions and use robust transport mechanisms like Transport Layer Security (TLS) 1.3 to protect logs both in transit and at rest. Access to logs should be restricted to authorized personnel only, with measures in place to prevent unauthorized modifications or deletions.
Timely ingestion of event logs is essential for early detection and response to cybersecurity events. Delays in log generation, collection, or ingestion can hinder the ability to identify and address security incidents promptly. Ensuring logs are ingested and analyzed promptly helps detect potential threats before they escalate.
Lastly, developing a detection strategy for relevant threats by implementing user and entity behavior analytics can enhance threat detection. Comparing event logs against a baseline of normal behavior helps identify deviations that may indicate malicious activity. This approach is particularly useful for detecting anomalies and LOTL techniques, which often involve sophisticated methods to evade traditional security measures.
Additional Resources and Recommendations
Organizations seeking further guidance can refer to several valuable resources. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) Information Security Manual (ISM) provides detailed recommendations on event log recording. CISA’s Guidance for Implementing M-21-31 offers insights on prioritizing log collection, while NIST’s Guide to OT Security outlines specific considerations for OT event logging.
For detection strategies, the MITRE ATT&CK framework offers useful use cases. Regularly reviewing and optimizing log storage capacities and retention periods is also recommended to support ongoing cybersecurity investigations and improve overall security posture.
The “Best Practices for Event Logging and Threat Detection” guide represents a crucial step towards enhancing organizational cybersecurity. By following the recommended practices, organizations can improve their ability to detect and respond to cyber threats, including sophisticated LOTL techniques. Implementing these practices will not only help in mitigating current threats but also in building a more resilient cybersecurity posture for the future.
