CISA & Partners Issue Guidance & Best Practices for Event Logging and Threat Detection
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), and their international partners have issued guidance on event logging and threat detection.
HIPAA-regulated entities are required to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI), and to regularly review those logs to identify unauthorized activity. The logs in scope include application logs of user activity in ePHI systems and applications, which capture information such as files opened, records accessed, and the creation, reading, editing, or deletion of records associated with ePHI, and system-level logs, which record successful and unsuccessful login attempts, the devices used to log on, and the applications that were successfully or unsuccessfully accessed.
The latest guidance from CISA and partners is aimed at medium to large organizations and includes best practices to improve event logging and threat detection for enterprise networks, cloud services, enterprise mobility, and operational technology (OT) networks. The guidance can help network defenders define a baseline for event logging, identify threats, and help incident response teams mitigate cyber threats, including attacks involving fileless malware and living-off-the-land (LOTL) techniques that threat actors use to evade detection.
According to the guidance, the main aims of an effective event logging system are the creation of event logs that are usable and performant for analysts and allow network defenders to make quick, informed decisions based on prioritized alerts and analytics. The system should send alerts to network defenders to warn them of activities that could be associated with malicious actions, such as new software installations and configuration changes, as well as events that could indicate LOTL techniques being used or post-compromise lateral movement. It is also important to reduce alert noise to save query time and avoid costs associated with storage.
The best practices detailed in the guidance include the creation of an enterprise-approved event logging policy, centralized event log access and correlation, secure storage and event log integrity, and implementing a detection strategy for relevant threats. The guidance also includes a case study involving the Volt Typhoon threat actor, which used LOTL techniques to infiltrate Windows-based systems and evade detection. The guidance explains some of the anomalous behaviors associated with the use of LOTL techniques that could allow network defenders to identify the activities and differentiate them from legitimate behaviors.
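The outcomes the guidance describes (centralized correlation of system-level and application-level logs, prioritized alerts for repeated login failures, bulk ePHI record access and new software installations, and deduplication to cut alert noise) can be illustrated with a small detector. This is an added example, not code from CISA, its partners, or HIPAA Journal; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample feed (not real data): pipe-delimited auth, app and system
# events that a centralized log platform would collect from several sources.
SAMPLE_LOGS = """\
2024-08-22T02:01:10|auth|LOGIN_FAIL|user=jdoe|device=WS-17
2024-08-22T02:01:14|auth|LOGIN_FAIL|user=jdoe|device=WS-17
2024-08-22T02:01:19|auth|LOGIN_FAIL|user=jdoe|device=WS-17
2024-08-22T02:01:25|auth|LOGIN_OK|user=jdoe|device=WS-17
2024-08-22T02:02:00|app|RECORD_READ|user=jdoe|record=PT-1001
2024-08-22T02:02:03|app|RECORD_READ|user=jdoe|record=PT-1002
2024-08-22T02:02:05|app|RECORD_READ|user=jdoe|record=PT-1003
2024-08-22T02:02:08|app|RECORD_READ|user=jdoe|record=PT-1004
2024-08-22T02:03:00|system|SOFTWARE_INSTALL|user=jdoe|device=WS-17|package=remote-admin-tool
2024-08-22T09:15:00|app|RECORD_READ|user=nurse1|record=PT-2001
"""

FAIL_THRESHOLD = 3       # assumed: failed logins before a later success is suspicious
BULK_READ_THRESHOLD = 4  # assumed: distinct ePHI records one user may read before alerting

def parse(lines):
    """Turn the raw feed into dicts so events from all sources can be correlated."""
    events = []
    for line in lines.strip().splitlines():
        ts, source, action, *kv = line.split("|")
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": ts, "source": source, "action": action, **fields})
    return events

def detect(events):
    """Return deduplicated alerts, highest priority first: (priority, reason, user, detail)."""
    fails = Counter()            # failed logins per user (system-level log)
    reads = defaultdict(set)     # distinct ePHI records read per user (application log)
    alerts = set()               # a set so repeated hits collapse into one alert (noise reduction)
    for e in events:
        user = e.get("user", "?")
        if e["action"] == "LOGIN_FAIL":
            fails[user] += 1
        elif e["action"] == "LOGIN_OK" and fails[user] >= FAIL_THRESHOLD:
            alerts.add(("HIGH", "success after repeated failures", user, e.get("device", "?")))
        elif e["action"] == "RECORD_READ":
            reads[user].add(e["record"])
            if len(reads[user]) >= BULK_READ_THRESHOLD:
                alerts.add(("MEDIUM", "bulk ePHI record access", user, ""))
        elif e["action"] == "SOFTWARE_INSTALL":
            alerts.add(("MEDIUM", "new software installation", user, e.get("package", "?")))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(alerts, key=lambda a: (order[a[0]], a[2], a[1]))
```

Run `detect(parse(SAMPLE_LOGS))` to see the three prioritized alerts for the constructed feed; the benign nurse1 activity produces none.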