The National Security Agency (NSA) has released the Best Practices for Event Logging and Threat Detection across cloud services, enterprise networks, mobile devices, and operational technology (OT) networks to ensure the continuing delivery of vital systems.
This Cybersecurity Information Sheet (CSI) was released in collaboration with international co-authors including the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC).
The guidance is intended to support IT and cyber employees in enterprises as they defend against threat actors who employ living off-the-land (LOTL) techniques.
It also provides recommendations for improving an organization’s resilience in the present cyber threat environment while considering resource restrictions.
Four Best Practices for Event Logging and Threat Detection
An efficient event logging system should be able to recognize cyber security events, such as changes to essential software configurations, provide alerts when these events occur, keep an eye on account compliance, and guarantee that logs and logging platforms are performant and usable.
When pursuing best practices for logging, keep the following four factors in mind:
- Enterprise-approved event logging policy
- Centralized event log access and correlation
- Secure storage and event log integrity
- Detection strategy for relevant threats
Enterprise Logging Policy: A Strategic Move for Cybersecurity
Creating and executing an enterprise-approved logging policy enhances an organization’s ability to identify malicious activity on its systems and ensures that all environments use the same logging technique.
The logging policy should consider any shared duties between the organization and its service providers.
In addition, the policy should specify which events are to be recorded, how event logs will be monitored, how long they will be retained, and when to reevaluate which logs should be kept.
Developing and implementing an enterprise-approved logging policy is crucial for detecting malicious behavior and ensuring consistency across an organization’s environments. Key components of an effective logging policy include:
- Event Log Quality: Focus on capturing high-quality cybersecurity events rather than just well-formatted logs. High-quality logs help network defenders accurately identify and respond to incidents.
- Detailed Captured Event Logs: Logs should include essential details such as timestamps, event types, device identifiers, IP addresses, user IDs, and commands executed. This information is vital for effective threat detection and incident response.
- Operational Technology (OT) Considerations: For OT environments, consider the limited logging capabilities of devices and use sensors or out-of-band communications to supplement logs without overloading devices.
- Content and Timestamp Consistency: Use structured log formats (like JSON) and consistent timestamps (preferably UTC with ISO 8601 formatting) across all systems to improve log correlation and analysis.
- Event Log Retention: Ensure logs are retained long enough to support incident investigations, considering that some threats may dwell for months before detection. Retention periods should align with regulatory requirements and the organization’s risk assessment.
These practices enhance an organization’s ability to detect, investigate, and respond to cybersecurity incidents effectively.
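Putting the field and consistency requirements above (and the log-quality and timestamp items in the implementation list that follows) into practice, as an added example that is not code from the CSI or any NSA tool: two hypothetical sources with different time conventions are normalized into JSON records with UTC ISO 8601 timestamps, and records missing an essential field are refused. The source formats, host names and addresses are constructed assumptions.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample records (not from the CSI) from two hypothetical sources:
# a syslog-style line carrying a local UTC offset, and a Windows-style CSV
# export whose clock is already UTC.
SYSLOG_LINE = ('2024-08-21T17:05:09-07:00 host-42 sshd: '
               'user=alice src=198.51.100.7 cmd="/usr/bin/sudo -l"')
WINEVT_LINE = '08/22/2024 00:05:11,WS-17,4688,bob,10.0.0.5,powershell.exe Get-Process'

# Fields the CSI lists as essential for detection and incident response.
REQUIRED = ("timestamp", "event_type", "device_id", "src_ip", "user_id", "command")

def to_utc_iso(dt: datetime) -> str:
    """Render an aware datetime as ISO 8601 in UTC with a 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_syslog(line: str) -> dict:
    ts, host, prog, rest = line.split(" ", 3)
    kv = dict(p.split("=", 1) for p in shlex.split(rest))   # keeps quoted cmd whole
    return {"timestamp": to_utc_iso(datetime.fromisoformat(ts)),
            "event_type": prog.rstrip(":"), "device_id": host,
            "src_ip": kv.get("src", ""), "user_id": kv.get("user", ""),
            "command": kv.get("cmd", "")}

def parse_winevt(line: str) -> dict:
    ts, host, event_id, user, ip, cmd = line.split(",", 5)  # command may contain commas
    dt = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"timestamp": to_utc_iso(dt), "event_type": f"win-{event_id}",
            "device_id": host, "src_ip": ip, "user_id": user, "command": cmd}

def normalize(line: str) -> str:
    """Pick a parser, refuse records missing essential fields, emit one JSON object."""
    rec = parse_winevt(line) if line[2] == "/" else parse_syslog(line)
    missing = [k for k in REQUIRED if not rec.get(k)]
    if missing:
        raise ValueError(f"record lacks essential fields: {missing}")
    return json.dumps(rec, sort_keys=True)

if __name__ == "__main__":
    for raw in (SYSLOG_LINE, WINEVT_LINE):
        print(normalize(raw))
```

Both records end up two seconds apart in UTC even though their raw timestamps differ by seven hours, which is what makes cross-source correlation possible.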
Centralized Event Log Access and Correlation
For centralized log collection and correlation, the CSI provides prioritized lists of log sources for enterprise networks, OT, cloud computing, and enterprise mobility using mobile computing devices.
The prioritization process involves evaluating the probability of an attacker targeting the logged asset and the potential consequences of asset compromise.
The NSA advised organizations to set up centralized event logging facilities, such as secured data lakes, to enable log aggregation.
To implement an effective enterprise logging policy:
- Define Responsibilities: Clarify logging roles between the organization and service providers.
- Prioritize Logs: Focus on critical systems, network devices, and high-risk areas across enterprise, OT, cloud, and mobile environments.
- Ensure Log Quality: Capture key details like timestamps, IP addresses, and user IDs. Use consistent formats like JSON.
- Centralized Monitoring: Collect logs centrally, with data categorized into ‘hot’ (quick access) and ‘cold’ (long-term storage).
- Retention and Storage: Set retention periods based on risk and compliance needs. Ensure adequate storage to prevent data loss.
- Timestamp Synchronization: Use a consistent, reliable time source across all systems (preferably UTC).
- OT Considerations: Account for OT device limitations with alternative logging methods.
- Regular Review: Periodically reassess log relevance and update the policy as needed.
This approach strengthens threat detection, incident response, and compliance.
From there, selected, processed logs should be forwarded to analytic tools like security information and event management (SIEM) solutions and extended detection and response (XDR) solutions.
Secure Storage and Event Log Integrity
- Centralized Logging: Implement a secured data lake to aggregate logs, preventing loss due to limited local storage. Forward key logs to SIEM/XDR for analysis.
- Secure Transport & Storage: Use TLS 1.3 and cryptographic methods to protect logs in transit and at rest. Restrict access to sensitive logs.
- Unauthorized Access Prevention: Protect logs from modification/deletion by malicious actors. Only authorized personnel should have access, with audit logs in place.
- Harden SIEM: Isolate SIEM from general IT environments, filter logs to prioritize important ones, and minimize costs.
- Baseline & Threat Detection: Use centralized logs to detect deviations from normal behavior, indicating potential cybersecurity events or incidents.
- Timely Log Ingestion: Ensure quick log collection to enable early detection of security incidents.
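One way to make a central log store tamper-evident, so that modification or deletion by an intruder is detectable, as an added example that is not code from the CSI: each record is hashed together with its sequence number and the previous record's hash, and a verifier walks the chain. The event records are constructed; the chain layout and the out-of-band "head" hash are design assumptions, not a format the CSI prescribes.

```python
import hashlib
import json

# Constructed sample events (not from the CSI); in practice these are the
# normalized records arriving at the central log store.
EVENTS = [
    {"ts": "2024-08-22T00:05:09Z", "user": "alice", "event": "logon", "src": "198.51.100.7"},
    {"ts": "2024-08-22T00:05:11Z", "user": "bob", "event": "process", "cmd": "wmic.exe"},
    {"ts": "2024-08-22T00:06:40Z", "user": "bob", "event": "logoff"},
]
GENESIS = "0" * 64  # the hash the first record chains back to

def _digest(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON, so re-serialising a stored record reproduces its hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{body}".encode()).hexdigest()

def append_chain(events):
    """Build an append-only chain: each record carries seq, prev hash and its own hash."""
    chain, prev = [], GENESIS
    for seq, ev in enumerate(events):
        h = _digest(prev, seq, ev)
        chain.append({"seq": seq, "prev": prev, "event": dict(ev), "hash": h})
        prev = h
    return chain

def verify_chain(chain, head=None):
    """Return (ok, seq_of_first_problem). Detects edits, deletions and reordering;
    passing the last hash recorded out of band (head) also detects tail truncation."""
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq          # gap or reordering
        if _digest(prev, rec["seq"], rec["event"]) != rec["hash"]:
            return False, expected_seq          # record content modified
        prev = rec["hash"]
    if head is not None and prev != head:
        return False, len(chain)                # records missing from the end
    return True, None

if __name__ == "__main__":
    chain = append_chain(EVENTS)
    head = chain[-1]["hash"]                    # store this copy off-box
    print("intact:", verify_chain(chain, head))
    chain[1]["event"]["cmd"] = "notepad.exe"    # simulate a rewritten record
    print("edited:", verify_chain(chain, head))
    del chain[1]                                # simulate a deleted record
    print("deleted:", verify_chain(chain, head))
```

The chain alone cannot tell a legitimately short log from one whose newest records were dropped, so the head hash must be kept somewhere the log store's own administrators cannot rewrite.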
Detection Strategy for Relevant Threats
To detect Living Off the Land (LOTL) techniques, organizations should implement user and entity behavioral analytics (UEBA) and leverage SIEM systems to identify anomalies by comparing event logs against established baselines of normal activity. Key recommendations and strategies include:
- Behavioral Analytics: Use UEBA to automatically detect unusual behavior on networks, devices, or accounts, which is essential for identifying LOTL techniques that blend in with normal operations.
- Case Study – Volt Typhoon: This group has used LOTL techniques like PowerShell scripts, the Windows Management Instrumentation Command-line utility (WMIC), and other native tools to infiltrate and move laterally within systems, making traditional detection challenging.
- Anomalous Behavior Indicators:
- Unusual login times or locations.
- Access to services not typically used by the account.
- High volumes of access attempts or data downloads.
- Use of uncommon or suspicious processes and paths.
- Unexpected account activity, like re-enabling disabled accounts.
- Network anomalies, such as new connections between devices.
- Enhanced Detection: Implement endpoint detection and response (EDR) solutions, ensure detailed logging (including process creation and command-line auditing), and establish baselines for legitimate binary usage.
- Proactive Threat Hunting: Regularly conduct threat hunts to identify and investigate potential LOTL activities, refining detection rules based on the evolving threat landscape.
These strategies help detect and mitigate LOTL techniques, which are challenging due to their reliance on legitimate tools and activities within a network.
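The baseline comparison described above, as an added example that is not code from the CSI or any UEBA product: a per-account baseline of logon hours, processes run and hosts connected to is built from historical records, and new events are scored against it for four of the indicators listed (unusual login time, uncommon process, new connection between devices, re-enabled account). The records, account names and the one-hour tolerance are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the CSI): hour of day in UTC, account,
# event type and a detail field (process name, peer host or account action).
BASELINE = [  # condensed history of normal activity
    {"hour": 9, "user": "alice", "type": "logon", "detail": "WS-01"},
    {"hour": 10, "user": "alice", "type": "process", "detail": "excel.exe"},
    {"hour": 14, "user": "alice", "type": "process", "detail": "outlook.exe"},
    {"hour": 8, "user": "bob", "type": "logon", "detail": "WS-02"},
    {"hour": 11, "user": "bob", "type": "process", "detail": "code.exe"},
    {"hour": 11, "user": "bob", "type": "netconn", "detail": "FS-01"},
]
NEW_EVENTS = [  # today's activity to score against the baseline
    {"hour": 3, "user": "alice", "type": "logon", "detail": "WS-01"},
    {"hour": 3, "user": "alice", "type": "process", "detail": "wmic.exe"},
    {"hour": 3, "user": "alice", "type": "netconn", "detail": "DC-01"},
    {"hour": 10, "user": "bob", "type": "process", "detail": "code.exe"},
    {"hour": 10, "user": "svc-backup", "type": "account", "detail": "enabled"},
]

def build_baseline(records):
    """Per account: logon hours seen, processes run and hosts connected to."""
    base = defaultdict(lambda: {"hours": set(), "procs": set(), "peers": set()})
    key = {"logon": "hours", "process": "procs", "netconn": "peers"}
    for r in records:
        if r["type"] in key:
            value = r["hour"] if r["type"] == "logon" else r["detail"]
            base[r["user"]][key[r["type"]]].add(value)
    return dict(base)

def detect(baseline, events, hour_slack=1):
    """Return (record, reason) pairs for events that deviate from the baseline."""
    alerts = []
    for r in events:
        if r["type"] == "account" and r["detail"] == "enabled":
            alerts.append((r, "account re-enabled"))      # baseline-independent
        elif r["user"] not in baseline:
            alerts.append((r, "no baseline for account"))
        elif r["type"] == "logon" and all(abs(r["hour"] - h) > hour_slack
                                          for h in baseline[r["user"]]["hours"]):
            alerts.append((r, "logon outside usual hours"))
        elif r["type"] == "process" and r["detail"] not in baseline[r["user"]]["procs"]:
            alerts.append((r, "process not in account baseline"))
        elif r["type"] == "netconn" and r["detail"] not in baseline[r["user"]]["peers"]:
            alerts.append((r, "new connection between devices"))
    return alerts

if __name__ == "__main__":
    for rec, why in detect(build_baseline(BASELINE), NEW_EVENTS):
        print(f"{why}: {rec}")
```

Note that the first three alerts come from one account within the same hour; in practice it is that clustering, rather than any single native-tool execution, that separates LOTL activity from ordinary administration.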
“Organizations need to strengthen their resilience against living off the land techniques that are pervading today’s cyber threat environment,” said Dave Luber, NSA Cybersecurity Director.
“Implementing and maintaining an effective event logging solution improves the security and resilience of systems by enabling network visibility and quicker incident response.”