If you're a professional hacker looking for the victim of your next big heist, one thing you are going to do is cover your tracks. Eliminating the evidence is a primary concern in many criminal activities. In the physical world, it is finger prints, bullet casings, blood, hair, camera footage, etc. In the virtual world of cyber crime, it largely all comes down to logs. Criminals want to find, delete or alter them and the gate keepers want to save, archive and protect them from the bad guys. After the theft has occurred, if there is going to be any tracking down of the assailant, it will come down to how well the organization has archive and protected the logs and traffic patterns.
For example, when hackers stole at least 45.7 million credit and debit cards from shoppers at off-price retailers including T.J. Maxx and Marshalls. NBC News reported that "TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it."
Removing logs to cover their tracks obviously makes it significantly more difficult but, what if instead of deleting them, the attackers alter their contents. Hackers talk about this strategy on ethical hacking sites.
“Don't delete entire log files, instead, just remove only the incriminating entries from the file. The other question is, is there a backup log file? What if they just look for differences and find the exact things you erased? Always think about your actions. The best thing is to delete random lines of log, including yours.”
Examples of log altering:
- Hackers stole $101 million from Bangladesh’s central bank. Investigators learned that the heist was performed by "a sophisticated group who sought to cover their tracks by deleting computer logs as they went".
- A phishing attack allowed a perpetrator to infect and compromise JP Morgan Chase, Robert Capps a cybersecurity expert at RedSeal commented that "Getting access to bank records is uncommon but not unheard for hackers, who often change computer logs to cover their tracks but can't always get to more sensitive data." When the FBI was brought in to investigate, CNN reported that “hackers used sophisticated, never-before-seen malware to get deep enough into the banks' computer systems to delete and manipulate records”
How to Protect Logs
All logs should be sent to a separate collection system in real time. Hosting log files locally on the same system that has been compromised isn’t a good idea. It makes it all the easier for the attacker to remove or alter the evidence. Instead, send the logs in real time to an appliance such as a SIEM.
Archive the Traffic Patterns
The traffic patterns to and from all systems on the network can also easily be archived for long periods of time. NetFlow and IPFIX are the leading technologies today for keeping a record of all communication patterns between connected devices. All routers and most major firewall can export these technologies to a flow collection system. Should an incident occur, log records can be compared to traffic patterns which allow security teams to confirm the validity of events that took place.
Taking the Protection of Logs a Step Further
Due to the critical nature of saving unaltered logs, companies often deploy a UDP Forwarder. These appliances duplicate all received UDP frames (I.e. messages) and forwards them out to multiple collection servers by changing the destination IP address. The source IP address however, is not modified. As a result, the device performing the UDP forwarding is completely transparent to the destination.
If a hacker were to notice that logs were being off loaded to a 2nd system, they would have to hack UDP Forwarding system, learn where the logs were going and then hack the additional systems. For most hackers, they will omit changing the logs or move on to an easier target.
Keep your Data Safe
Never has there been a time when logs are more important. Attackers are going to get in and you will be required to perform incident response. The first thing the security team will ask for is the logs. When this happens, don’t be the wondering what to do next. Make sure logs are backed up to a 2nd system or 3rd system and make sure a UDP forwarder is relaying the messages. The harder you make it for the attacker, the more likely they are to move onto another victim.
About the author: Michael Patterson, CEO – Plixer: Michael worked in technical support and product training at Cabletron Systems while he finished his Masters in Computer Information Systems from Southern New Hampshire University. He joined Professional Services for a year before he left the ‘Tron’ in 1998 to start Somix which eventually became Plixer.