Small Business Attack – Changing Logs
- At February 25, 2009
- By Josh More
- In Business Security
In I.T., we love logs. They’re organic, they float, they burn and you can build houses out of them! Of course, we also like the other kind of logs as well.
The kind of logs I want to talk about are the ones that keep track of what’s going on with your systems. They are intended to make it easier to reconstruct strange behavior and trace issues between systems. System administrators will check the logs to see if there are problems involving CPU, memory or disk usage. Network administrators can use them to trace network congestion and connectivity issues. Developers can use them to find out why certain programs aren’t functioning properly. Also, security professionals can use them to help identify attackers and how far they penetrated a system or network.
At least, in theory we can. There’s one problem: attackers can write logs too.
A common technique that attackers use is to erase or modify the logs after they successfully compromise a system. They can cover up vulnerabilities, erase their tracks and make things appear to be running OK even when they’re not. They can also read the logs and use the information in them to identify other targets.
If you have a system that is backed up on a regular basis, an attacker can find those logs and use them to identify the backup server. Once they know that, they can focus their efforts on getting the data that's stored there. They can use logs to identify which users might have elevated permissions on other systems. They can also use them to determine what "normal" activity looks like, so they can hide their own activity where you won't find it.
Like many things, it’s a double-edged sword.
You need the logs, because they’re useful to you, but they’re also useful to the attackers, so what can you do?