On August 21, 2024, the United States Cybersecurity and Infrastructure Security Agency (CISA), alongside government agencies from key allies including Australia, the UK, Canada, and Japan, released guidance on event logging and threat detection best practices.
The guidance was published in response to the increased prevalence of threat actors employing Living off the Land (LOTL) techniques, which use legitimate tools already present in the environment, to evade detection. Because LOTL activity is difficult to distinguish from routine administration, the guidance discusses four broad categories of best practices for medium to large organizations:
- Enterprise-approved event logging policies
- Centralized log collection and correlation
- Secure storage and event log integrity
- Detection strategies for relevant threats
Enterprise-approved event logging policies. The guidance outlines the importance of developing and implementing an enterprise-approved event logging policy, which ensures that malicious activity can be detected consistently across an organization's environments. High-quality event logs, which capture detailed and relevant cybersecurity events, are crucial for network defenders to identify and respond to threats swiftly. The guidance provides a baseline list of what effective event logging should capture, including, but not limited to: event type, device identifier, source and destination IP addresses, and a properly formatted and accurate timestamp (a consistent format and time zone is what allows events from different sources to be correlated). The policy should also address the shared responsibilities between service providers and organizations, with each party having clearly defined roles and responsibilities for event logging.
The guidance emphasizes that default log retention periods are often insufficient, noting that it can take up to 18 months to identify a cyber incident. Organizations should consider extending their retention periods beyond the defaults and ensure that those periods comply with any applicable regulatory requirements.
Centralized log collection and correlation. The guidance highlights the importance of centralized log collection and correlation, which allows for more efficient monitoring and analysis and enhances an organization's ability to detect and mitigate potential incidents. Implementing a centralized log collection tool, however, can be easier said than done, particularly for large organizations with many applications and systems, some of which may not be compatible with the chosen tool.
In addition, the guidance addresses the specific needs of different environments, including cloud computing, operational technology (OT) networks, and enterprise mobility. For instance, in cloud environments, logging should focus on control plane operations, administrative changes, and API activity. In OT environments, the focus should be on detecting unusual behavior in critical devices that could signal a cyber threat. This tailored guidance is intended to help organizations prioritize their logging activities based on the unique risks of each environment.
Secure storage and event log integrity. The document also underscores the importance of secure storage and transport of event logs. Protecting logs with encryption and access controls is vital to prevent unauthorized access to, or tampering with, the logs, since an intruder who can edit or delete logs can erase the evidence of the intrusion. The guidance also encourages organizations to implement advanced detection strategies, such as user and entity behavioral analytics (UEBA), to identify subtle signs of compromise.
Detection strategies for relevant threats. Included in the guidance is a case study of Volt Typhoon, a PRC state-sponsored cyber group that relies almost exclusively on LOTL techniques. Earlier this year, CISA released an advisory warning critical infrastructure organizations that Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations. The newly released guidance details some of the LOTL techniques that Volt Typhoon has used to disguise its intrusions as “business-as-usual” activity.
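As an added illustration (example code, not part of the guidance or of this post), the following Python script shows the kind of detection that the logging baseline described above makes possible. Records carrying the recommended fields (timestamp, event type, device identifier, source and destination IP, user and command) are parsed; records without a well-formed, time-zone-aware timestamp are rejected rather than correlated; and native administration tools are flagged only when a given host/user pair has never run them before, since the same binary can be routine for a backup account and a signal on a workstation. The host names, accounts, IP addresses, log lines and the watchlist of native tools are constructed assumptions of the example.

```python
"""Baseline-deviation detection for living-off-the-land (LOTL) activity over
structured process-creation logs. Added example: the log records, host names,
users, IP addresses and the tool watchlist are constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Native administration tools commonly abused in LOTL activity. The watchlist
# is an assumption of this example, not a list taken from the guidance.
LOTL_WATCHLIST = {"powershell.exe", "wmic.exe", "netsh.exe", "certutil.exe",
                  "ntdsutil.exe", "psexec.exe"}

# Fields every record must carry before it is usable for correlation.
REQUIRED_FIELDS = ("timestamp", "event_type", "device_id", "user",
                   "src_ip", "dst_ip", "image", "command")


def parse_event(line):
    """Parse one JSON log line; return the record, or None if a required
    field is missing or the timestamp is not time-zone-aware ISO 8601."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if any(k not in rec for k in REQUIRED_FIELDS):
        return None
    try:
        ts = datetime.fromisoformat(str(rec["timestamp"]).replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:  # naive timestamps cannot be correlated across sources
        return None
    rec["timestamp"] = ts.astimezone(timezone.utc)
    rec["exe"] = rec["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return rec


def load_events(text):
    """Parse a blob of JSON lines; return (valid records, number dropped)."""
    events, dropped = [], 0
    for line in text.strip().splitlines():
        rec = parse_event(line)
        if rec is None:
            dropped += 1
        else:
            events.append(rec)
    return events, dropped


def build_baseline(events):
    """Map (device_id, user) -> executables observed during the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        if e["event_type"] == "process_create":
            baseline[(e["device_id"], e["user"])].add(e["exe"])
    return baseline


def detect(events, baseline):
    """Alert on watchlisted native tools that this host/user pair has never
    run before; the binary itself is legitimate, the deviation is the signal."""
    alerts = []
    for e in sorted(events, key=lambda r: r["timestamp"]):
        if e["event_type"] != "process_create" or e["exe"] not in LOTL_WATCHLIST:
            continue
        if e["exe"] not in baseline.get((e["device_id"], e["user"]), set()):
            alerts.append({"time": e["timestamp"].isoformat(), "device_id": e["device_id"],
                           "user": e["user"], "exe": e["exe"], "command": e["command"],
                           "reason": "native tool not in host/user baseline"})
    return alerts


# Constructed baseline window: one workstation user, one service account.
BASELINE_LOG = r"""
{"timestamp": "2024-08-19T08:02:11Z", "event_type": "process_create", "device_id": "WS-0142", "user": "jdoe", "src_ip": "10.1.4.23", "dst_ip": "", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "command": "OUTLOOK.EXE"}
{"timestamp": "2024-08-19T23:00:03Z", "event_type": "process_create", "device_id": "SRV-DC01", "user": "svc_backup", "src_ip": "10.1.0.5", "dst_ip": "", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command": "powershell.exe -File C:\\ops\\nightly_backup.ps1"}
"""

# Constructed detection window: the routine backup job, plus a workstation
# that starts running native tools it never ran before, and one record whose
# timestamp is not ISO 8601 and therefore cannot be placed on the timeline.
NEW_LOG = r"""
{"timestamp": "2024-08-20T02:14:09Z", "event_type": "process_create", "device_id": "WS-0142", "user": "jdoe", "src_ip": "10.1.4.23", "dst_ip": "", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"timestamp": "20/08/2024 02:15", "event_type": "process_create", "device_id": "WS-0142", "user": "jdoe", "src_ip": "10.1.4.23", "dst_ip": "", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "command": "wmic process call create"}
{"timestamp": "2024-08-20T02:16:52Z", "event_type": "process_create", "device_id": "WS-0142", "user": "jdoe", "src_ip": "10.1.4.23", "dst_ip": "", "image": "C:\\Windows\\System32\\netsh.exe", "command": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.1.0.5 connectport=3389"}
{"timestamp": "2024-08-20T23:00:01Z", "event_type": "process_create", "device_id": "SRV-DC01", "user": "svc_backup", "src_ip": "10.1.0.5", "dst_ip": "", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command": "powershell.exe -File C:\\ops\\nightly_backup.ps1"}
"""


def run_example():
    """Build the baseline, run detection on the new window; return (alerts, dropped)."""
    base_events, _ = load_events(BASELINE_LOG)
    new_events, dropped = load_events(NEW_LOG)
    return detect(new_events, build_baseline(base_events)), dropped


if __name__ == "__main__":
    alerts, dropped = run_example()
    print(f"{dropped} record(s) dropped for malformed timestamps or missing fields")
    for a in alerts:
        print(a)
```

Run as written, the script drops the record with the non-ISO timestamp, raises no alert for the service account's nightly PowerShell job (it is in that host's baseline), and raises two alerts for the workstation: the hidden, encoded PowerShell invocation and the netsh port-proxy command. The point is the one the guidance makes: none of these binaries is malicious on its own, so the detection has to come from complete, consistently timestamped logs compared against what is normal for each host.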
Companies should consider these recommended practices to help protect their systems from sophisticated cyber threats. By implementing robust logging and detection mechanisms, companies can better safeguard their operations, data, and reputation in an increasingly hostile digital environment.