Security Monitoring and Attack Detection Planning Guide

Chapter 3 - Issues and Requirements

Updated: June 30, 2005

Introduction

An important part of an effective security strategy is to make an accurate assessment of the threats to your network. Just as organizations have different views on what constitutes a risk to their physical security, so companies have differing views on the risks to network data. These views depend on numerous factors, such as the industry sector in which the organization operates, the value of their data, and whether they have experienced previous attacks to their network. For more information about security risk management, see The Security Risk Management Guide at http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx.

Data from Microsoft partners and customers, coupled with information derived from the Microsoft corporate network, identifies three main concerns that security monitoring and attack detection can address. These areas of concern are to:

Detect policy violations

Identify external attacks

Implement forensic analysis

This chapter describes each scenario, and Chapter 4, "Design the Solution," shows how to configure security monitoring and archiving to address these threats.

To identify unusual activity in a network, you need to know what you consider typical for your environment. This guide attempts to distinguish between what is typical behavior and what is unusual.

Identifying anomalies also requires you to implement a secure baseline on all your computers. Without this secure baseline, you cannot identify computers that do not meet baseline requirements.

Detect Policy Violations

Policy violations form the largest category of security issues with which organizations must cope. Policy violations include the following actions:

Creation of user accounts outside the proper process

Use of administrator privileges without proper authorization

Use of service accounts for interactive logons

Attempts to access files to which a user does not have permission

Deletion of files that users have permission to access

Execution of unapproved programs

The most common type of policy violation is unintentional user access attempts, such as trying to open unauthorized directories. However, access restrictions and limited rights usually prevent users from attempts at significant damage. Policy violations by administrators, whether deliberate or accidental, are of far greater concern.

Unreliable network administrators pose a significant threat to an organization. Administrators need high levels of system access rights and privileges to carry out their jobs. Administrators have the ability to create user accounts, reset passwords, and change ownership of files and folders. However, just because administrators can carry out a procedure does not mean they have authorization to do so. Administrator rights also enable administrators to view network resources they should not see, such as financial records.

Business Issues

Most organizations should make the detection of policy violations a priority because of the probability that a violation can occur and the potential for damage. Business issues with the detection and prevention of policy violations include how to:

Enforce strict background checks before hiring and at regular intervals during employment.

Maintain independent security checks on administrator actions.

Perform regular checks of the security monitoring system.

Identify security breaches quickly.

Confirm the extent of the security breach.

Limit the damage that security breaches cause.

Enterprise organizations usually perform adequate security checks before a new employee joins the company. However, many organizations do not continue to monitor internal users for risky behavior.

It is essential that your internal users sign explicit terms and conditions that alert them to your network security monitoring requirements. They must understand that if they try to open a file or access a share to which they do not have permission, the security logs will record that failed attempt. Internal users who work with high value files should know that the security logs will track each time they access those files.

Note:  It is becoming increasingly difficult to prosecute or fire employees without proof that they were fully aware of internal security monitoring and the consequences of deliberate attempts to access or destroy confidential data. Data protection requirements and human rights legislation may also require explicit consent.

Separate Duties

Organizations should implement strict separation of duties, so that different individuals or groups, such as the security or audit department, are responsible for the inspection of the actions of administrators. The inspection group should not have permission to perform administrator actions themselves, to safeguard against inspectors who turn into perpetrators.

Test Monitoring Functions

Organizations should carry out regular tests of the monitoring functions. One approach is to use penetration tests or a test administrator account to ensure that the alerts function correctly. These tests should occur on an irregular schedule each week to prevent an attacker from using the penetration test as a strike opportunity.

Define Security Processes and Responses

To identify security breaches quickly, an organization must have comprehensive processes that define how to perform particular network operations. For example, organizations might use an identity management system such as Microsoft Identity Integration Server (MIIS) 2003 to create (provision) user accounts. Although administrators can create user accounts directly, organizational policy would specify that they should not do so. Hence, if the security monitoring system detects event 624 (creation of a user account), the event should link to the MIIS 2003 provisioning account and not to an individual administrator's account.
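The provisioning check described above, expressed as rules run over constructed sample events (an added example, not code from the guide). It assumes the Windows Server 2003-era event IDs 624 (user account created) and 528 (successful logon, with logon type 2 meaning interactive), and the account names, field names and service-account list are assumptions, not a real log schema.

```python
"""Flag account creations made outside the identity-management (MIIS) process
and interactive logons by service accounts, over constructed sample events."""
from typing import Iterable

# Assumption: the service account under which MIIS provisions user accounts.
PROVISIONING_ACCOUNT = "CORP\\svc-miis"
# Assumption: accounts that policy designates as service accounts (never interactive).
SERVICE_ACCOUNTS = {"CORP\\svc-sql", "CORP\\svc-backup", PROVISIONING_ACCOUNT}

# Constructed sample events; field names are simplified, not the real event layout.
SAMPLE_EVENTS = [
    {"id": 624, "caller": "CORP\\svc-miis", "target": "jdoe", "host": "DC01"},
    {"id": 624, "caller": "CORP\\admin-bob", "target": "tmp-admin", "host": "DC01"},
    {"id": 528, "caller": "CORP\\alice", "logon_type": 2, "host": "WS042"},
    {"id": 528, "caller": "CORP\\svc-sql", "logon_type": 2, "host": "SQL01"},
    {"id": 528, "caller": "CORP\\svc-sql", "logon_type": 5, "host": "SQL01"},  # type 5 = service
]


def check_account_creation(event):
    """Event 624 must be raised by the provisioning account, never by a person."""
    if event["id"] == 624 and event["caller"] != PROVISIONING_ACCOUNT:
        return (f"account {event['target']!r} created on {event['host']} by "
                f"{event['caller']} outside the provisioning process")
    return None


def check_service_logon(event):
    """Interactive (logon type 2) logons by service accounts violate policy."""
    if (event["id"] == 528 and event.get("logon_type") == 2
            and event["caller"] in SERVICE_ACCOUNTS):
        return f"service account {event['caller']} logged on interactively at {event['host']}"
    return None


RULES = (check_account_creation, check_service_logon)


def find_violations(events: Iterable[dict]) -> list:
    """Run every rule over every event; return (event, message) for each hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev, msg))
    return hits


if __name__ == "__main__":
    for ev, msg in find_violations(SAMPLE_EVENTS):
        print(f"[event {ev['id']}] {msg}")
```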

To limit the damage that security breaches cause, an organization must define suitable responses to anticipated incidents, such as rapid mobilization of onsite security staff. The speed and effectiveness of incident responses can provide significant enhancement of an organization's security profile — if users or administrators know that a vigorous investigation follows any security incident, they are less likely to attempt to breach a security policy.

Abundant media coverage reports on the threats to networks from external sources. However, experience shows that the probability of data loss or compromise from external attackers is significantly lower than the probability of data loss from incorrect configuration by network administrators. Although you should not become complacent about external threats, keep in mind that many organizations want to sell solutions to keep external intruders out of your network (because that is relatively easy to do). On the other hand, no one can sell you a package that prevents your administrators from making mistakes or from acting dishonestly.

Technical Issues

To implement a functional security monitoring and attack detection system based on Windows security event logging, you must address how to:

Manage high volumes of security events. To cope with high levels of security events, you must carefully consider which security audit settings to enable. This is particularly applicable to the audit of file and object access, which can generate vast quantities of data.

Store and manage large numbers of events in a central repository. Storage of events can involve the management of terabytes of data. Because this technical requirement is of greater concern to forensic analysis, it is covered in more detail in the "Implement Forensic Analysis" section later in this chapter.

Identify attack patterns. To identify attack signatures, you must know the patterns of events that indicate an attack. You should always respond in a timely and appropriate manner when an attack signature identifies an intrusion.

Restrict administrators so that they cannot circumvent security audit controls. To prevent administrators from circumvention of audit controls, you should compartmentalize administrator responsibilities and create or allocate a group of security specialists to oversee the administrator audits.

Security Issues

Identification of security issues is the central focus of a security monitoring and attack detection system. Effective security monitoring should identify the following occurrences:

Attempts to access resources through changes to file permissions

Attempts to access resources through password resets

Creation of new users

Placement of users into groups

Use of unauthorized administrative accounts

Logons at the console that use service account credentials

Execution of unauthorized programs

Deliberate damage to files (does not include corruption caused by disk errors)

Introduction of unauthorized operating systems

Creation or deletion of trust relationships

Logons with an incorrect account, such as a general administrative account

Unauthorized changes to security policy

To identify these actions properly, you must be aware of the characteristic event sequences and be able to extract these sequences from other security events.

Solution Requirements

To detect organizational and security policy violations, your solution must contain:

Well-defined security procedures that cover all network operations.

Comprehensive security audit logs.

Reliable centralized collection of security logs with suitable filters for analysis.

Adjustable levels of security audits.

Investigation of any discrepancies such as omissions, missing records, and so on.

To identify configuration errors, your solution should include:

Well-defined change management procedures (that include validation) to cover all network operations.

Effective security audit logs.

A reliable centralized collection of security logs.

Automated analysis of the security logs to identify configuration changes.

For more information about how to implement such a solution, see Chapter 4, "Design the Solution."

Identify External Attacks

External attacks come in two main forms — attacks perpetrated by people and attacks carried out by malicious applications. The two types of attack have different characteristics and threat profiles. Human attackers can learn about the target network and modify their attack accordingly, whereas malicious applications can affect multiple computers and leave back doors for attackers to exploit.

Malicious applications include a variety of possible threats, such as viruses, worms, and Trojans. Although these applications can be troublesome and cause significant disruption, these attacks are easier to prevent than those perpetrated by people.

Note:  This guide does not include any information about attacks that involve hardware devices such as inline keystroke loggers, because security monitoring cannot detect these devices.

Business Issues

This guide addresses the business issues that arise from external attacks that attempt to penetrate the network and are detectable at either the application or the presentation layer. Security monitoring is not especially useful to identify a distributed denial of service (DDoS) attack, but other mechanisms such as Microsoft Internet Information Services (IIS) logs can identify the duration, packet type, apparent IP address (possibly spoofed), and other DDoS attack details.

Identification of malicious applications is of considerable importance to organizations in all sectors, but particularly for those organizations that operate in the financial sector or are constrained by regulations. For example, such organizations have greater concerns about the presence of spyware applications. Spyware applications can reside on a server or workstation and communicate confidential information to external third parties.

A major business issue with malicious applications is the uncertainty about whether they exist on a network. A particularly worrisome scenario is a malicious software component that is a rootkit or similar program, which takes complete control of a computer and then masks the fact that an attacker now controls the computer. It is difficult to be sure that your computers do not have such malicious applications running, because the rootkit might be better at concealment than you are at detecting it.

Technical Issues

The increase in the number of attacks on organizations results largely from inexperienced attackers who use preconfigured scripts to exploit vulnerabilities. Far more dangerous are the members of the small, dedicated set of highly skilled and experienced attackers, who can cooperate with each other and use a range of different attacks to attempt to penetrate a network.

Note:  This guide defines an attacker as a person who deliberately mounts an attack; a virus, worm, or Trojan that acts on its own is not an attacker.

The main way to identify malicious applications is to track processes. If you track processes, you can identify each program that starts or stops on a workstation or server. The downside of this approach is that it generates a large number of events, the majority of which are not of interest.

Two particular areas where analyzing tracked processes can be difficult are:

Web servers that use Common Gateway Interface (CGI). Each page hit creates a new process.

Development workstations. Application builds create numerous processes within a short period.

These factors can cause very high numbers of events in a short time or create numerous events continually. In either case, effective filters are necessary to extract the attack events from legitimate events.
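A role-based filter for the process-tracking problem just described, as an added example that is not the guide's own code: routine parent/child process pairs on CGI web servers and development workstations are suppressed, and everything else surfaces. It assumes the Windows Server 2003-era event 592 (new process created); the host-role inventory, path patterns and sample events are constructed assumptions.

```python
"""Suppress expected process-creation churn per host role; keep the rest."""
import fnmatch

# Assumption: role inventory maintained by the monitoring team.
HOST_ROLES = {"WEB01": "cgi-web", "DEV07": "dev-workstation", "FS01": "file-server"}

# Per role, (parent image, child image) glob pairs that are routine for that workload.
EXPECTED = {
    "cgi-web": [("*\\inetinfo.exe", "*\\inetpub\\cgi-bin\\*")],  # each page hit forks a CGI program
    "dev-workstation": [("*\\msbuild.exe", "*\\cl.exe"),            # builds run the compiler ...
                        ("*\\msbuild.exe", "*\\link.exe"),          # ... and the linker repeatedly
                        ("*\\devenv.exe", "*\\msbuild.exe")],
}

# Constructed sample events (simplified fields, not the real event layout).
SAMPLE_EVENTS = [
    {"id": 592, "host": "WEB01", "parent": "C:\\WINDOWS\\system32\\inetinfo.exe",
     "image": "C:\\inetpub\\cgi-bin\\search.exe"},            # routine CGI hit: suppress
    {"id": 592, "host": "WEB01", "parent": "C:\\inetpub\\cgi-bin\\search.exe",
     "image": "C:\\WINDOWS\\system32\\cmd.exe"},               # CGI program starting a shell: keep
    {"id": 592, "host": "DEV07", "parent": "C:\\Program Files\\MSBuild\\msbuild.exe",
     "image": "C:\\Program Files\\VC\\bin\\cl.exe"},           # build step: suppress
    {"id": 592, "host": "DEV07", "parent": "C:\\WINDOWS\\explorer.exe",
     "image": "C:\\Temp\\setup.exe"},                          # not part of a build: keep
    {"id": 592, "host": "FS01", "parent": "C:\\WINDOWS\\explorer.exe",
     "image": "C:\\WINDOWS\\system32\\notepad.exe"},           # no role filter applies: keep
]


def is_expected(event):
    """True when the parent/child pair is routine for the host's role."""
    role = HOST_ROLES.get(event["host"])
    for parent_pat, image_pat in EXPECTED.get(role, []):
        if (fnmatch.fnmatch(event["parent"].lower(), parent_pat.lower())
                and fnmatch.fnmatch(event["image"].lower(), image_pat.lower())):
            return True
    return False


def events_of_interest(events):
    """Process-creation events that survive role-based suppression."""
    return [ev for ev in events if ev["id"] == 592 and not is_expected(ev)]


def suppression_stats(events):
    """Per host: (events received, events kept), to check the filter's effect."""
    stats = {}
    for ev in events:
        total, kept = stats.get(ev["host"], (0, 0))
        stats[ev["host"]] = (total + 1, kept + (0 if is_expected(ev) else 1))
    return stats


if __name__ == "__main__":
    for ev in events_of_interest(SAMPLE_EVENTS):
        print(f"{ev['host']}: {ev['parent']} -> {ev['image']}")
    print(suppression_stats(SAMPLE_EVENTS))
```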

Security Issues

The security issues that external attacks raise are considerable, because attackers have great flexibility in choosing their network intrusion method. External attackers can penetrate networks through the following mechanisms:

Attempt to crack passwords.

Change or reset passwords.

Exploit vulnerabilities.

Trick a user to run a malicious application.

Use privilege escalation to compromise additional computers (called island hopping).

Install a rootkit or Trojan.

Use an unauthorized workstation.

Use a phishing attack, in which a fraudulent e-mail points to a malicious Web site.

The primary method for the detection of attackers and malicious applications is to track processes. You need to apply this method carefully and integrate it with software restriction policies in Group Policy. Be aware that you should define very strict policies that dictate what programs can run on computers within perimeter networks.

Note:  Software restriction policies can have unintended effects on portable computers or within enterprise environments. Always create new Group Policy Objects (GPOs) to manage software restriction policies and do not apply software restrictions through the default domain policy.

For more information about the use of software restriction policies, see Using Software Restriction Policies to Protect Against Unauthorized Software at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

Solution Requirements

The solution requirements to identify external attackers overlap with those required to identify internal threats. These requirements include:

A defense-in-depth approach to security implementation.

Effective security audit logs.

Reliable centralized collection of security logs.

Automated analysis of the security logs to identify attack signatures.

The solution requirements to detect malicious applications share some of the requirements to identify internal threats. These solution requirements include:

Effective procedures to audit any unauthorized software on the network.

Properly configured security audit logs.

Reliable centralized collection and filters of security logs.

Automated analysis of the security logs to identify suspicious behavior, with use of third-party programs where necessary.

For more information about protection against virus attacks, see The Antivirus Defense-in-Depth Guide at http://www.microsoft.com/technet/security/guidance/serversecurity/avdind_0.mspx.

Implement Forensic Analysis

You can use forensic analysis to track the timing, severity, and consequences of a security breach and to identify the systems that attackers have compromised. Forensic analysis must record:

Time of the attack

Duration of the attack

Affected computers

Changes that the attacker made to the network

Because forensic analysis is a large subject on its own, this guide cannot cover this topic in full. In particular, this guide does not cover the evidence handling requirements of forensic analysis or forensic data sources other than the security event log.

Business Issues

Forensic analysis differs from other solution scenarios because it investigates incidents after they have occurred instead of in real time. Forensic analysis must provide a detailed list of all events of interest from one or more computers. The analysis system must be able to handle and archive large amounts of data in a suitable database.

A key business decision is how long to preserve forensic data. Organizations must identify the maximum age for forensic data, after which the information becomes obsolete. The following table shows typical retention times for forensic data.

Table 3.1: Storage Limits for Forensic Analysis

Storage Factors             Storage Limit   Comments
Online storage (database)   21 days         Provides rapid access to recent events
Offline storage (backup)    180 days        Reasonable limit for most organizations
Regulatory environment      7 years
Intelligence agencies       Permanent

Note:  Some organizations (such as hospitals and government agencies) specify limits in terms of "do not keep longer than" rather than a set retention time.

One option is to use online databases to retain the last three weeks of events, then archive older events into a highly compressible format, such as comma separated variable (CSV) text files for offline storage. If necessary, you can then import these CSV files back into the database for analysis.
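The three-week online store with CSV archiving and re-import described above, as an added example that is not the guide's own code. It uses an in-memory SQLite table and an in-memory CSV buffer so it runs offline; the table schema, the fixed reference date and the sample events are constructed assumptions.

```python
"""Keep 21 days of events online, archive older rows to CSV, restore on demand."""
import csv
import io
import sqlite3
from datetime import datetime, timedelta

ONLINE_DAYS = 21
FIELDS = ("event_time", "host", "event_id", "account")


def open_store():
    """Assumed minimal schema; event_time is an ISO-8601 string so it sorts lexically."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (event_time TEXT, host TEXT, event_id INTEGER, account TEXT)")
    return db


def add_events(db, rows):
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    db.commit()


def archive_older_than(db, now, days=ONLINE_DAYS):
    """Move events older than the online window into CSV text; return (csv_text, count)."""
    cutoff = (now - timedelta(days=days)).isoformat()
    rows = db.execute(
        "SELECT event_time, host, event_id, account FROM events "
        "WHERE event_time < ? ORDER BY event_time", (cutoff,)).fetchall()
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(FIELDS)
    writer.writerows(rows)
    db.execute("DELETE FROM events WHERE event_time < ?", (cutoff,))
    db.commit()
    return buf.getvalue(), len(rows)


def restore_from_csv(db, csv_text):
    """Import an archived CSV back into the online table for investigation."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = [(r["event_time"], r["host"], int(r["event_id"]), r["account"]) for r in reader]
    add_events(db, rows)
    return len(rows)


def count_online(db):
    return db.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def demo():
    """Constructed run: six events aged 1..180 days against a fixed reference time."""
    now = datetime(2005, 6, 30, 12, 0)
    db = open_store()
    sample = [((now - timedelta(days=d)).isoformat(), "DC01", 624, "svc-miis")
              for d in (1, 10, 20, 22, 45, 180)]
    add_events(db, sample)
    archive, moved = archive_older_than(db, now)   # 22-, 45- and 180-day-old rows leave the database
    online = count_online(db)
    restored = restore_from_csv(db, archive)       # pull them back for an investigation
    return moved, online, restored, count_online(db)


if __name__ == "__main__":
    print(demo())
```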

Whatever system you use, ensure that it matches your requirements for rapid investigation of recent events with the ability to recover older events if necessary. Your experience of security events within your own environment should guide you as to the best combination of data retention times for online and offline storage.

Technical Issues

Implementation of security monitoring for forensic analysis requires reliable collection and storage of very large numbers of events. The security monitoring requirements on the client are similar to those for the other solution scenarios but require far greater database storage and highly efficient data management.

The technical challenges include the following factors:

Reliable and secure storage for online data

Provision of large amounts of high performance disk space for online storage

Reliable backup of old events to archive media

Management of movement of older backups to a suitable archive store, if required

Restoration of information from old backups

These challenges are not specific to security monitoring, because database administrators have similar concerns for applications such as online transaction processing (OLTP) databases. However, unlike OLTP and other traditional database applications, forensic analysis databases must cope with far more writes than reads.

Security Issues

Typically, the data gathered for forensic analysis grows continuously. Very rarely, someone such as the enterprise security administrator might need to access this information. Nobody else should be able to access the information, interrupt its collection, or modify it. Security on the database must be comprehensive, so that only one or two highly trusted individuals can access the security data.

Solution Requirements

The solution requirements for implementation of forensic analysis are:

Properly configured security logging.

Secure checking of security log entries.

A secure and centralized collection of security logs.

Reliable storage of security monitoring information.

Effective archive mechanisms.

Summary

This chapter described the solution requirements for the three scenarios contained within this guide. Chapter 4, "Design the Solution," explains how to incorporate these elements to create your security monitoring and attack detection plan.

