While exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and the exploits attackers use to assault networks and bypass defenses. They run quite the gamut, from weaknesses in programming languages, to code injection in various formats, to hijacking data in transit. It's a wide range of threats, but whenever any of them succeeds, the victims' applications usually share one common shortcoming.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. Where it exists, a determined attacker will almost always succeed eventually, because attacks and attempted attacks go undiscovered for a very long time, if they are discovered at all. It gives attackers exactly the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
At first, attackers don't know whether a system is being properly monitored, or whether its log files are being examined for suspicious activity. But it's easy enough for them to find out. One approach is to launch a deliberately noisy, brute-force style attack, for example trying a list of commonly used passwords against a set of user accounts. Then they wait a few days and try the same thing again. If the second attempt isn't blocked, that's a good indication that nobody is watching the logs for suspicious activity.
Testing an application's defenses to gauge how actively it is monitored is simple, but it isn't even a prerequisite for a successful attack. Attackers can simply operate so as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means they have plenty of time to complete their goals before defenders even realize they are there.
Insufficient logging and monitoring is dangerous because it gives attackers time not only to launch their attacks but to complete their goals long before defenders can mount a response. How long depends on the network being attacked, but the Open Web Application Security Project (OWASP) reports that in 2016 identifying a breach took an average of 191 days.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches you hear about on the news were not smash and grab operations. Often the targeted organization only learns about a breach after the attackers have had more or less full control over its data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can arise when trying to practice good cybersecurity.
Preventing insufficient logging and monitoring requires two main things. First, all applications must be built so that logins, access control failures and server-side input validation failures are logged with enough user context (source address, user agent, request identifier, the account involved) for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Those logs should be written in a structured format that a centralized log management or SIEM tool can consume directly, so that alerts can be generated from them quickly. (STIX, the Structured Threat Information eXpression language, is a format for sharing threat intelligence such as indicators between organizations and tools; it complements application logging but is not a substitute for it.)
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warnings were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or everyone assumed that someone else was looking into the problem.
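As an added example, not code from the original post or from Secure Code Warrior, here are both halves of that first requirement in Python: a structured logger that records each login, access-control or validation failure as one JSON line with source IP, user agent, request ID and the account involved, and a sliding-window detector that reads those lines back and raises a single alert when one source racks up failed logins across many accounts, which is exactly the noisy password-probing attack described earlier. The event names, field names and sample log lines are this example's own constructions, not a standard schema or real traffic.

```python
import io
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ---- 1. Produce security events with enough user context ----
# Each login, access-control or server-side validation failure becomes one
# JSON object per line, so a central log pipeline or SIEM can parse it
# without regexes and correlate on the fields below. (Field and event names
# are this example's own choice, not a standard schema.)

class SecurityEventLogger:
    def __init__(self, sink):
        self._sink = sink            # anything with .write(str): a file, sys.stderr, ...

    def log(self, event, outcome, *, source_ip, user_agent, request_id,
            user=None, detail=None, ts=None):
        record = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "event": event,            # "auth.login", "authz.denied", "input.validation"
            "outcome": outcome,        # "success" or "failure"
            "user": user,              # account targeted, if the request named one
            "source_ip": source_ip,
            "user_agent": user_agent,
            "request_id": request_id,  # lets responders pull the full request trace
            "detail": detail,          # e.g. which field failed; never the password itself
        }
        self._sink.write(json.dumps(record) + "\n")
        return record

# ---- 2. Turn those events into an alert ----
# Sliding-window detector: a source IP that accumulates `threshold` failed
# logins inside `window` is flagged once, together with the accounts it probed.

def detect_login_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    targets = defaultdict(set)      # source_ip -> usernames it tried
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") != "auth.login" or rec.get("outcome") != "failure":
            continue
        ip, ts = rec["source_ip"], datetime.fromisoformat(rec["ts"])
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if rec.get("user"):
            targets[ip].add(rec["user"])
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "rule": "login-bruteforce",
                "source_ip": ip,
                "failures_in_window": len(q),
                "accounts_targeted": sorted(targets[ip]),
                "user_agent": rec["user_agent"],
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts

# ---- 3. Constructed sample traffic (not real data) ----
# One client sprays passwords across six accounts in two minutes; one
# legitimate user mistypes a password twice over an hour, then logs in.

def build_sample_log():
    buf = io.StringIO()
    log = SecurityEventLogger(buf)
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    for i in range(12):
        log.log("auth.login", "failure", ts=t0 + timedelta(seconds=10 * i),
                source_ip="203.0.113.5", user_agent="python-requests/2.31",
                request_id=f"req-{i:03d}", user=f"user{i % 6}",
                detail="bad password")
    for i in range(2):
        log.log("auth.login", "failure", ts=t0 + timedelta(minutes=30 * i),
                source_ip="198.51.100.7", user_agent="Mozilla/5.0",
                request_id=f"req-legit-{i}", user="alice", detail="bad password")
    log.log("auth.login", "success", ts=t0 + timedelta(minutes=31),
            source_ip="198.51.100.7", user_agent="Mozilla/5.0",
            request_id="req-legit-2", user="alice")
    return buf.getvalue()

if __name__ == "__main__":
    for alert in detect_login_bruteforce(build_sample_log().splitlines()):
        print(json.dumps(alert, indent=2))
```

Run against the constructed log, the detector emits one alert for 203.0.113.5 naming all six probed accounts and the scripted user agent, while alice's two slow mistakes never reach the threshold. The alert carries the same context fields the logger captured, which is what lets whoever owns the response act on it instead of filing it as noise.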
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in Special Publication 800-61, the Computer Security Incident Handling Guide. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan that defines who within an organization responds to alerts, and how they do so in a timely fashion, is critical.
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues' gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]