The National Security Agency (NSA) has published a best practice guide for event logging aimed at countering living off the land (LOTL) techniques. The document notes that advanced persistent threat (APT) actors rely on LOTL techniques, which use legitimate built-in tools and services, to avoid detection.
According to the NSA, developing and implementing an enterprise-approved logging policy improves an organization’s chances of detecting malicious behavior on its systems. NSA recommends that such a policy include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection. A logging policy should also consider shared responsibilities between service providers and organizations.
Organizations should also have centralized log access and correlation. According to NSA, the guide's prioritized lists of log sources reflect the likelihood of assets being targeted by malicious actors and the potential impact of their compromise, covering enterprise networks, OT, cloud computing, and enterprise mobility using mobile computing devices.
According to NSA, organizations should also implement a centralized event logging facility, such as a secured data lake, to enable log aggregation and then forward select processed logs to analytic tools, such as security information and event management (SIEM) solutions and extended detection and response (XDR) solutions. Forwarding event logs to a centralized and secure storage capability prevents the loss of logs once the local device’s storage is exhausted.
NSA also recommends that organizations implement user and entity behavioral analytics capabilities to enable automated detection of behavioral anomalies on networks, devices, or accounts. NSA noted that such behavioral analytics are vital in detecting malicious actors employing LOTL techniques.
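As an added illustration, not code from the NSA guide or this article, the following Python sketches the kind of per-account baseline such behavioral analytics rely on: it learns which hosts and processes each account used during a baseline window from constructed process-creation events, then flags later events from unknown accounts or with a host or process the account has never used before. Event format, field names and the sample data are all assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed process-creation events (not from the NSA guide): "timestamp user host process".
SAMPLE_EVENTS = [
    "2024-05-01T08:01:00 alice ws-01 outlook.exe",
    "2024-05-01T08:05:00 alice ws-01 excel.exe",
    "2024-05-01T08:10:00 bob ws-02 teams.exe",
    "2024-05-01T09:00:00 bob ws-02 outlook.exe",
    "2024-05-02T08:02:00 alice ws-01 outlook.exe",  # normal for alice
    "2024-05-02T08:30:00 alice ws-07 wmic.exe",     # new host and new process for alice
    "2024-05-02T08:40:00 bob ws-02 teams.exe",      # normal for bob
    "2024-05-02T08:45:00 carol ws-03 cmd.exe",      # account never seen in the baseline
]

def parse_event(line):
    """Split one whitespace-delimited event line into a dict; process names are case-folded."""
    ts, user, host, proc = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "process": proc.lower()}

def build_baseline(events, cutoff):
    """Learn, per account, the set of hosts and processes observed before the cutoff."""
    baseline = defaultdict(lambda: {"hosts": set(), "processes": set()})
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["user"]]["hosts"].add(e["host"])
            baseline[e["user"]]["processes"].add(e["process"])
    return dict(baseline)

def find_anomalies(events, baseline, cutoff):
    """Return (user, host, process, reasons) for post-cutoff events that deviate from the baseline."""
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        known = baseline.get(e["user"])
        reasons = []
        if known is None:
            reasons.append("unknown account")
        else:
            if e["host"] not in known["hosts"]:
                reasons.append("new host")
            if e["process"] not in known["processes"]:
                reasons.append("new process")
        if reasons:
            findings.append((e["user"], e["host"], e["process"], reasons))
    return findings

def run(lines=SAMPLE_EVENTS, cutoff=datetime(2024, 5, 2)):
    # Baseline on everything before the cutoff, then score the remaining events.
    events = [parse_event(line) for line in lines]
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)
```

A real deployment would learn the baseline over a longer window and combine more signals, but the structure is the same: per-entity history, then deviation scoring on new events.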