T0192 - Sensitive information in logs

Operational logs are a valuable source of information for organizations to monitor their systems and applications, identify issues, and improve their overall security posture. However, these logs can also contain sensitive information such as personally identifiable information (PII), tokens, credentials, and internal system details. While this information may be useful to legitimate system administrators and security personnel, it is also highly valuable to attackers who want to exploit vulnerabilities in the system. An adversary may attempt to gain access to the operational logs in order to steal valuable data, or to deepen their attack by using the information contained within the logs to escalate their privileges and move laterally within the organization's network.

ID: T0192
Type: Technique
Tactic: Collection
Summary: Sensitive information in logs
State: draft

Mitigations

id | type | summary | description
M1300 | Mitigation | Implement log sanitization | Implement log sanitization techniques that automatically remove or obfuscate sensitive information from logs, such as passwords, API keys, access tokens, or other types of credentials. This can prevent sensitive information from being inadvertently logged in the first place.
M1301 | Mitigation | Implement log sanitization | Configure log levels and verbosity to minimize the amount of sensitive information that is logged. Set appropriate log levels to ensure that only necessary information is logged, and avoid logging sensitive data unless absolutely necessary.
M1302 | Mitigation | Implement strict access controls for logs | Implement strict access controls for logs to ensure that only authorized personnel have access to log files. Use role-based access controls (RBAC) and least privilege principles to restrict access to logs to only those who need it for their job functions.
M1440 | Mitigation | Review logging settings | It's crucial to regularly verify and validate that logging settings are configured correctly and are functioning as intended. This includes ensuring that logs are being generated, stored securely, and are accessible to security teams for analysis. Regular audits of logging settings can help identify any misconfigurations or gaps in logging coverage.
M1441 | Mitigation | Implement centralized logging | Implementing centralized logging mechanisms can help ensure that logs are collected from all relevant systems and network devices, and stored securely in a central repository. This can provide a consolidated view of logs and enable security teams to analyze them effectively for detecting any suspicious activities.

Detections

id | type | summary | description
D1131 | Detection | Implement SIEM | Implement a SIEM system to centralize and analyze logs and events from various sources, including user account-related activities. Use SIEM rules or correlation rules to detect any abnormal or suspicious user account-related activities, such as multiple failed login attempts, changes to account settings outside of normal patterns, or simultaneous login attempts from different locations.
D1300 | Detection | Implement regular log reviews | Conduct regular manual reviews of logs to identify any sensitive information that may have been inadvertently logged. This can involve reviewing log files for patterns or anomalies that may indicate sensitive information, or using search and filtering techniques to identify potential incidents.
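As an added example (not part of this catalogue entry or of any project it describes), the following Python sanitizer implements the redaction described in M1300 and the review pass described in D1300 over a few constructed log lines. The regexes, class names and sample log are assumptions made here; the Luhn check shows how to keep ordinary numeric IDs from being flagged as card numbers during review.

```python
import re

# Redaction rules for the data classes the page names (passwords, API keys,
# access tokens, PII). Regexes and sample log are constructed for this example.
def luhn_ok(digits):
    """Luhn checksum; keeps plain numeric IDs from being flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _card(m):
    # Only redact a 13-16 digit run if it passes Luhn; otherwise leave it untouched.
    digits = re.sub(r"\D", "", m.group(0))
    return "[REDACTED:card_number]" if luhn_ok(digits) else m.group(0)

RULES = [  # (class, pattern, replacement); key names are kept, only values are masked
    ("password", re.compile(r"(?i)\b(password|passwd|pwd)(\s*[=:]\s*)(\S+)"), r"\1\2[REDACTED:password]"),
    ("bearer_token", re.compile(r"(?i)(Bearer\s+)([A-Za-z0-9\-._~+/]+=*)"), r"\1[REDACTED:bearer_token]"),
    ("api_key", re.compile(r"(?i)\b(api[_-]?key|token)(\s*[=:]\s*)([A-Za-z0-9\-._]{16,})"), r"\1\2[REDACTED:api_key]"),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED:email]"),
    ("card_number", re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b"), _card),
]

def sanitize(line):
    """M1300-style sanitization: return (redacted line, list of classes found)."""
    found = []
    for name, rx, repl in RULES:
        new = rx.sub(repl, line)
        if new != line:
            found.append(name)
            line = new
    return line, found

def review(lines):
    """D1300-style log review: (line number, classes) for each line that leaks sensitive data."""
    hits = ((n, sanitize(line)[1]) for n, line in enumerate(lines, start=1))
    return [(n, classes) for n, classes in hits if classes]

# Constructed sample log lines (not real data); line 5 is a Luhn-invalid order id.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO  login ok user=alice@example.com",
    "2024-05-01T10:00:02Z DEBUG http req Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
    "2024-05-01T10:00:03Z ERROR db connect failed password=Sup3rSecret! host=db01",
    "2024-05-01T10:00:04Z INFO  payment card=4111 1111 1111 1111 amount=10.00",
    "2024-05-01T10:00:05Z INFO  order id=1234567890123 status=shipped",
    "2024-05-01T10:00:06Z WARN  rotate api_key=sk_live_abcdefghijklmnop0123",
]
```

Running `review(SAMPLE_LOG)` reports lines 1, 2, 3, 4 and 6 with their classes and leaves the order id on line 5 alone; `sanitize()` applied at the logging sink is the preventive half, `review()` over stored logs is the detection half.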
