records for compliance purposes, but attackers rely on the fact that such organizations rarely look at the audit logs, so the organizations never learn that their systems have been compromised. Because of poor or non-existent log analysis, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though evidence of the attack has been recorded in unexamined log files.
How can this control be implemented, automated, and its effectiveness measured?
QW: Validate audit log settings for each hardware device and the software installed on it, ensuring that the records actually emitted include the date and time, source address, destination address, and the other useful elements of each packet or transaction (checking the emitted records, not just the configuration, since a logging option can be enabled while the records still omit a field). Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression (CEE). If systems cannot generate logs in a standardized format, deploy log normalization tools to convert logs into a standardized format.
QW: Ensure that all systems which store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals.
QW: System administrators and security personnel should devise profiles of the common events produced by each system, so that they can tune attack detection to avoid false positives, identify anomalies more rapidly, and avoid overwhelming analysts with alerts.
QW: All remote access to an internal network, whether through VPN, dial-up, or other mechanism, should be logged verbosely.
QW: Operating systems should be configured to log access control events in which a user attempts to access a resource (e.g., a file or directory) for which the user lacks the appropriate permissions.
QW: Verify that security administrators run anomaly reports every two weeks and actively review the anomalies.
Vis/Attrib: Each agency network should include synchronized time sources, from which all servers retrieve time information on a regular basis, so that timestamps in logs are consistent.
Vis/Attrib: Network boundary devices, including firewalls, network-based IPSs, and both inbound and outbound proxies should be configured to log verbosely all traffic (both allowed and blocked) arriving at the device.
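The following script is an added example, not part of the original control text and not a CIS or SANS tool. It shows, on a handful of constructed log lines, several of the checks the items above call for: normalizing two log formats into one schema, rejecting records that lack a required field (time, host, source, destination), building a profile of common (host, event, outcome) combinations from known-good traffic so that only unseen event types and repeated denials are reported, and flagging records whose timestamps disagree with the collector's clock, which is what an unsynchronized time source looks like in practice. The log formats, host names, addresses, thresholds and the field names src/dst/action/dport are assumptions chosen for the example.

```python
"""Normalize mixed-format log lines, check required fields, profile a baseline
of common events and report anomalies.  Added example; all sample lines below
are constructed for illustration, not real logs."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed "known-good" lines.  Each is "<ISO-8601 UTC> <host> <message>";
# the message is either an sshd/audit text line or a key=value firewall line.
BASELINE = [
    "2024-05-01T08:00:01Z web01 sshd[2201]: Accepted publickey for deploy from 10.1.1.5 port 51022",
    "2024-05-01T08:00:07Z web01 sshd[2202]: Accepted publickey for deploy from 10.1.1.5 port 51023",
    "2024-05-01T08:00:30Z web01 audit: user=www-data denied open /etc/shadow from 10.1.1.5",
    "2024-05-01T08:01:00Z fw01 action=allow src=10.1.1.5 dst=10.2.0.10 dport=443",
    "2024-05-01T08:01:05Z fw01 action=deny src=203.0.113.7 dst=10.2.0.10 dport=22",
]
# Constructed batch received later; includes normal traffic, repeated denials,
# an event type never seen in the baseline, a host with a wrong clock and a
# firewall record missing its destination.
NEW = [
    "2024-05-01T08:02:10Z web01 sshd[2310]: Accepted publickey for deploy from 10.1.1.5 port 51100",
    "2024-05-01T08:02:15Z fw01 action=deny src=203.0.113.9 dst=10.2.0.10 dport=22",
    "2024-05-01T08:02:16Z fw01 action=deny src=203.0.113.9 dst=10.2.0.10 dport=22",
    "2024-05-01T08:02:17Z fw01 action=deny src=203.0.113.9 dst=10.2.0.10 dport=22",
    "2024-05-01T08:02:40Z db01 sshd[411]: Failed password for invalid user admin from 203.0.113.9 port 40022",
    "2024-05-01T07:20:00Z web02 audit: user=backup denied read /root/.ssh/id_rsa from 10.1.1.9",
    "2024-05-01T08:02:50Z fw01 action=allow src=10.1.1.5 dport=443",
]

SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACL_RE = re.compile(r"audit: user=(?P<user>\S+) (?P<result>denied|granted) \w+ (?P<obj>\S+) from (?P<src>\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed collector receive time for the NEW batch (used for the skew check).
RECEIVED_AT = parse_ts("2024-05-01T08:03:00Z")


def normalize(line):
    """Map one raw line onto a common schema.  Returns None when the record
    lacks a required element (time, host, source, destination, event)."""
    try:
        ts_s, host, msg = line.split(" ", 2)
        ts = parse_ts(ts_s)
    except ValueError:
        return None
    rec = {"ts": ts, "host": host, "src": None, "dst": host, "user": None,
           "event": None, "outcome": None}
    if m := SSH_RE.search(msg):
        rec.update(src=m["src"], user=m["user"], event="ssh_login",
                   outcome="allow" if m["result"] == "Accepted" else "deny")
    elif m := ACL_RE.search(msg):  # OS access-control event (QW item above)
        rec.update(src=m["src"], user=m["user"], event="file_access",
                   outcome="allow" if m["result"] == "granted" else "deny")
    else:
        kv = dict(KV_RE.findall(msg))
        if "action" in kv:  # boundary device: destination must be present
            rec.update(src=kv.get("src"), dst=kv.get("dst"),
                       event="fw_" + str(kv.get("dport")), outcome=kv["action"])
    if not all(rec[k] for k in ("src", "dst", "event", "outcome")):
        return None
    return rec


def event_key(rec):
    return (rec["host"], rec["event"], rec["outcome"])


def build_profile(lines):
    """Profile of common events: how often each (host, event, outcome) occurs
    in known-good traffic.  Anything outside this profile is worth a look."""
    return Counter(event_key(r) for r in map(normalize, lines) if r)


def find_anomalies(lines, profile, received_at, max_skew=timedelta(minutes=5),
                   deny_threshold=3):
    """Return (kind, detail) findings in the order they are detected."""
    findings, denies = [], Counter()
    for line in lines:
        rec = normalize(line)
        if rec is None:
            findings.append(("unparseable_or_incomplete", line))
            continue
        if abs(rec["ts"] - received_at) > max_skew:  # unsynchronized clock
            findings.append(("clock_skew", line))
        if event_key(rec) not in profile:  # event type never seen before
            findings.append(("unseen_event", line))
        if rec["outcome"] == "deny":
            denies[(rec["src"], rec["event"])] += 1
            if denies[(rec["src"], rec["event"])] == deny_threshold:
                findings.append(("repeated_denials",
                                 f"{rec['src']} {rec['event']} x{deny_threshold}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_anomalies(NEW, build_profile(BASELINE), RECEIVED_AT):
        print(f"{kind:26} {detail}")
```

Run on the constructed batch, the single normal SSH login produces nothing, the three denials from one source collapse into one finding, the failed login on db01 and the denied read on web02 surface as event types outside the profile, web02's timestamp is 43 minutes behind the collector, and the firewall record without a destination is rejected rather than silently counted. A real deployment would key the clock-skew check on each record's own receive time and persist the profile, but the shape of the checks is the same.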