Cyber Intrusion Mitigation Strategies Part Four: Increasing Logging Capabilities
ICS-CERT developed this guidance to provide basic recommendations for owners and operators of critical infrastructure to enhance their network security posture.
It is not intended to be a detailed examination of all actions involved in incident response but is an attempt to provide high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.
This guidance applies to both enterprise and control system networks, particularly where interconnectivity could allow movement between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to ensure there is no impact to normal operations.
The guidance is organized into topical areas within the major phases of incident response—detection, mitigation, and eradication/recovery—and closes with recommendations for long term security posture improvements.
The implementation of concepts discussed in this document is the responsibility of each organization and is dependent on the organization’s needs, network topology, and operational requirements.
INCREASE LOGGING CAPABILITIES:
System and network device logs provide valuable records of system activity. Logs may yield indicators of compromise, C2 communications, exfiltrated data, remote access logons, and other valuable data. Organizations should consider enabling the following types of logging and retaining those logs for 6 months to a year or more if possible:
• firewall logs,
• proxy logs,
• DNS logs,
• IDS logs,
• packet captures,
• flow data from routers and switches (unsampled), and
• host and application logs.
DNS LOGGING WITH HOST LEVEL GRANULARITY:
As most malware uses domain name-based command and control (C2) servers (versus hard-coded IP-based C2), it is essential for network defenders to have full awareness of DNS requests throughout the enterprise.
ICS-CERT recommends that organizations deploy host level granularity in DNS logging to give network administrators the ability to identify the internal host name or IP address of the machine making a specific DNS request. This allows network defenders to identify hosts that have connected to malicious domains.
In order to capture and log all DNS requests, network administrators should ensure that all requests go through company DNS servers. In addition, company servers should only service DNS requests from authorized company hosts.
In most configurations, host-level DNS logging is disabled by default and must be specifically enabled on authorized DNS resolvers. ICS-CERT recommends that organizations evaluate their DNS solution and enable this logging feature after fully evaluating the potential impact to the network.
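The following is an added example, not part of the ICS-CERT guidance, showing what host-level DNS logging enables once it is turned on: the resolver's query log records the client address alongside each queried name, so a defender can answer "which internal hosts resolved a known-bad domain?" The log lines and the watchlist domain are constructed for this example, and the line format assumed is the BIND-style "client IP#port: query: NAME IN TYPE" layout; adjust the regular expression for other resolvers.

```python
import re
from collections import defaultdict

# Constructed sample resolver query-log lines (BIND-style format assumed; not from the advisory).
# Each line carries the requesting client's address, which is the "host-level granularity" at issue.
SAMPLE_LOG = """\
12-Mar-2013 10:15:02.117 client 10.1.4.22#51234: query: www.example.com IN A + (10.1.0.5)
12-Mar-2013 10:15:03.402 client 10.1.4.22#51240: query: update.bad-example.test IN A + (10.1.0.5)
12-Mar-2013 10:15:07.880 client 10.2.9.14#40011: query: mail.example.com IN MX + (10.1.0.5)
12-Mar-2013 10:16:11.005 client 10.2.9.14#40019: query: cdn.bad-example.test IN A + (10.1.0.5)
12-Mar-2013 10:16:12.221 client 10.3.1.7#33001: query: ntp.example.com IN A + (10.1.0.5)
"""

# Hypothetical indicator list of known C2 domains (constructed placeholder, not a real indicator).
WATCHLIST = {"bad-example.test"}

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text):
    """Yield (client_ip, query_name, query_type) for each query line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            # Normalise the name: strip a trailing dot and lower-case it before matching.
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def domain_in_watchlist(qname, watchlist):
    """True if qname, or any parent domain of it, is on the watchlist (so C2 subdomains match too)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def hosts_querying_watchlist(text, watchlist):
    """Map each internal client address to the sorted list of watchlisted names it resolved."""
    hits = defaultdict(set)
    for client, qname, _qtype in parse_query_log(text):
        if domain_in_watchlist(qname, watchlist):
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(hosts_querying_watchlist(SAMPLE_LOG, WATCHLIST).items()):
        print(f"{client} resolved watchlisted names: {', '.join(names)}")
```

Without the client address in the log (the default in many resolvers), the same query log would only show that someone on the network resolved the domain, which is why the advisory treats host-level logging as the prerequisite for the host identification step.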
Retention of all logs for as long as possible—a month at the minimum; ideally, one or two years—provides the ability to go back and possibly find the initial time and indicators for the compromise.
AUDIT NETWORK HOSTS FOR SUSPICIOUS FILES:
MD5 hashes are digital fingerprints used to identify files. Changing just one byte in a file will result in a different hash. If an MD5 hash is known to belong to a malicious file, any file with a matching hash should be considered malicious, regardless of the filename.
The ability to perform an enterprise-wide host-level search for MD5 hashes is a powerful organizational tool for incident response. MD5 hashes are among the key indicators that can be used to identify the presence of malicious adversaries. Multiple host-based IDS and forensic tools, as well as plug-ins to enterprise configuration management software, offer this functionality.
WHAT TO DO WITH AN INFECTED HOST:
As explained above, when a compromised system is identified, it is important to preserve the forensic data while mitigating the infection. Forensic data from compromised hosts offers valuable insight into the characteristics of the malicious software and can yield additional indicators of compromise for enhanced detection and mitigation on the network.
When all available data from the infected host have been retained, the organization should follow established internal policies for recovering the host.
Many organizations do not have the internal staff necessary to handle the full range of incident response processes. Those organizations should consult trained forensic investigators for advice and assistance prior to implementing any forensic or recovery efforts. However, almost any organization can benefit from the advice and assistance of trained incident response personnel when developing their internal response plans.