T0146 - Misconfigured audit logs settings

Misconfigured audit log settings is a defense evasion technique in which an attacker modifies or disables audit logs to hide malicious activity. It is commonly seen in cloud, CI/CD, and SCM environments, where weak logging settings can let an attacker modify or delete logs, making it difficult for security teams to detect and investigate the attack. The attacker can also disable audit logging entirely to evade detection.

ID: T0146
Type: Technique
Tactic: Defense Evasion
Summary: Misconfigured audit logs settings
State: draft

Mitigations

M1440 - Mitigation - Review logging settings
It's crucial to regularly verify and validate that logging settings are configured correctly and are functioning as intended. This includes ensuring that logs are being generated, stored securely, and accessible to security teams for analysis. Regular audits of logging settings can help identify misconfigurations or gaps in logging coverage.

M1441 - Mitigation - Implement centralized logging
Implementing centralized logging mechanisms can help ensure that logs are collected from all relevant systems and network devices and stored securely in a central repository. This provides a consolidated view of logs and enables security teams to analyze them effectively for detecting suspicious activity.

M1550 - Mitigation - Implement strict access control for clouds
Limit access to cloud resources to authorized users only and ensure that proper authentication and authorization mechanisms are in place.

Detections

D1510 - Detection - Implement Intrusion Detection System and anti-malware
An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Deploying an IDS together with anti-malware software helps identify and block malicious activity. By providing real-time monitoring and analysis of network traffic, an IDS helps organizations detect and respond to security incidents in a timely manner, stay ahead of potential threats, and reduce the risk of a security breach.

D1520 - Detection - Implement endpoint detection and response system
An endpoint detection and response (EDR) system is a security tool designed to detect and respond to security incidents on endpoints, such as desktops, laptops, servers, and mobile devices. There are several reasons why an EDR system is essential for maintaining the security of endpoints:
  1. Threat Detection: EDR can detect and alert on a wide range of threats, including malware, ransomware, and other attacks that traditional antivirus software may not detect.
  2. Rapid Incident Response: EDR helps security teams rapidly detect, investigate, and respond to security incidents on endpoints. EDR systems provide detailed information about the scope and impact of an attack, enabling security personnel to respond quickly and effectively.
  3. Behavioral Analysis: EDR monitors endpoint behavior to detect and alert on suspicious or anomalous activity, helping security teams identify and respond to threats that signature-based detection may miss.
  4. Endpoint Visibility: EDR provides visibility into endpoint activity, including processes, network connections, and file activity, helping security teams identify potential attack vectors and take proactive measures to prevent future incidents.
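As an added example, not part of this entry or of any project's code, the script below covers both M1440 (review logging settings) and the detection side of this technique: it reviews a set of audit-trail settings for the misconfigurations an attacker relies on (logging stopped, single-region coverage, log file integrity validation off, no customer-managed encryption key) and scans audit events for API calls that stop or weaken logging. Field and event names follow the shape of AWS CloudTrail's DescribeTrails/GetTrailStatus output and event records, which is an assumption about the environment; the trail records and events are constructed inline, and nothing here calls a cloud API.

```python
"""Review audit-trail settings and flag events that change or disable logging.

Added example. Trail records and events are constructed in the shape of AWS
CloudTrail DescribeTrails/GetTrailStatus output and CloudTrail event records
(an assumption about the environment); no cloud API is called.
"""
from __future__ import annotations

# CloudTrail management API calls that stop, delete or reconfigure a trail.
AUDIT_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed trail configuration; field names mirror the CloudTrail API.
TRAILS = [
    {"Name": "org-trail", "IsLogging": True, "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "dev-trail", "IsLogging": False, "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "KmsKeyId": None},
]

# Constructed CloudTrail-style events (account id and user are placeholders).
EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"name": "dev-trail"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"name": "org-trail", "enableLogFileValidation": False}},
]


def check_trail(trail: dict) -> list[str]:
    """Return the list of misconfigurations found on one trail (empty if healthy)."""
    findings = []
    if not trail.get("IsLogging"):
        findings.append("logging is stopped")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail covers a single region only")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation is disabled")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a customer-managed key")
    return findings


def audit_trails(trails: list[dict]) -> dict[str, list[str]]:
    """Map each misconfigured trail name to its findings; healthy trails are omitted."""
    report = {}
    for trail in trails:
        findings = check_trail(trail)
        if findings:
            report[trail["Name"]] = findings
    return report


def has_effective_trail(trails: list[dict]) -> bool:
    """True if at least one trail passes every check, i.e. the account is still audited."""
    return any(not check_trail(t) for t in trails)


def find_tamper_events(events: list[dict]) -> list[dict]:
    """Pick out events that change or disable audit logging, with actor and target trail."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if ev.get("eventName") not in AUDIT_TAMPER_EVENTS:
            continue
        hits.append({
            "time": ev["eventTime"],
            "event": ev["eventName"],
            "actor": ev.get("userIdentity", {}).get("arn"),
            "trail": ev.get("requestParameters", {}).get("name"),
        })
    return hits


if __name__ == "__main__":
    for name, findings in audit_trails(TRAILS).items():
        print(f"{name}: " + "; ".join(findings))
    print("account still has an effective trail:", has_effective_trail(TRAILS))
    for hit in find_tamper_events(EVENTS):
        print(f"{hit['time']} {hit['event']} on {hit['trail']} by {hit['actor']}")
```

Run against live data, the same two checks would be fed from a scheduled export of trail settings and from the audit events themselves; an alert on any hit from the second check is the practical signal that someone is disabling the logging the first check relies on.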
