Sunday Musings: It's OK To Be Thought
Happy Sunday Friend!
Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!
Quote I’m Musing
“If you want to improve, be content to be thought foolish and stupid with regard to external things.”
-Epictetus
The first time I was legitimately put in charge of a team for a project I was awkward and uncomfortable. My specialists knew more about the mission set than I did. But here I was, the new guy, in charge but ignorant. I had to get reps and sets in on everything from names of the people to intricacies of our problem set, tools, and acronyms (oh, the acronyms).
One of the biggest obstacles was to not let the assumption that I knew what someone was talking about continue. There’s an insecurity in saying we don’t know or understand something that we’re in charge of.
Flash forward to today. I’ve taken on a position of leadership where I’m pushing my boundaries. Truly organizational leadership where I need to exert both positional and indirect influence. Leading leaders of teams instead of just leading a team. While history isn’t going to give me the perfect answer, it does help give me a light in the dark.
I know I’m going to be in the same position across multiple vehicles. Those leaders and teams are experts in their respective areas. I’m going to have to learn more than I lead to be effective. That means asking questions and being content to possibly be thought of as stupid or foolish.
Ultimately, we are charged as leaders to rapidly gain understanding and knowledge of what and where we lead; to make the difference for our people and mission. We ask the questions we need to understand. We have to unapologetically admit what we don’t understand and then learn what we need to learn in the most expedient way possible. That’s how we serve our people, and our mission.
Reflection on Control 7
Control 7 reinforces my idea that while we are the few working to manage and secure our enterprise infrastructure, there are thousands of actors actively scanning for vulnerabilities in our very same infrastructure. They aren’t necessarily looking to directly attack us, but they’re malign in their intentions to either sell or distribute that information to those who do intend to attack.
Constant vigilance is the key to maximal risk-reduction to our enterprise and operations.
CIS Critical Security Control #8
Audit Log Management
The equity for understanding what’s going on in the enterprise.
What is it?
These twelve safeguards help us collect, protect, retain, and review audit logs that answer the basic questions of any investigation: what happened, on which system, when, and which account caused it. With that in place we set alerts for suspicious activity or major events, such as a user attempting to access resources without the appropriate privileges, or the execution of binaries that shouldn't exist on the host.
Implementation Group 1 (Essential Cyber Hygiene)
Safeguards 1-3
8.1 Establish and Maintain an Audit Log Management Process
Implementation Note: Protect our assets by establishing and maintaining a documented process for collecting, reviewing, and retaining complete and accurate audit logs. At a minimum it should say which sources are logged, who reviews them and how often, and how long they are kept. Run event simulations (a failed logon, a privilege change, a blocked connection) to verify the logs actually capture the information we expect. We will almost certainly need to normalize logs from different sources into a common format to speed up analysis.
8.2 Collect Audit Logs
Implementation Note: Enable the logs and actually collect and review them. This one is a "if we don't say it, then someone might not do it" safeguard. Tools often ship with logging off or set to a minimum, and I know sometimes we get tools that we don't remember to turn on. Turn on the logging in the tools we buy, otherwise they won't help!
8.3 Ensure Adequate Audit Log Storage
Implementation Note: Make sure the systems that collect our logs have enough storage to hold them for the full retention period, with headroom for growth, and that we know what happens when that storage fills up (drop, rotate, or page someone). Retaining audit logs is essential for forensic analysis and remediation, and a legal requirement in many cases. In fact, I know NIST SP 800-92 Sections 5.1 and 5.4 specifically teach us how to build policy and long-term storage management.
Implementation Group 2 (Foundation Building)
IG 1 + Safeguards 4-11
8.4 Standardize Time Synchronization
Implementation Note: Every endpoint (hosts, servers, network gear, etc.) that generates logs stamps events with its own internal clock. Making sure they all reference the same time source, and ideally record time in UTC, lets our investigations and log analysis correlate events across endpoints and establish an accurate audit trail. A clock that is a few minutes off can make an attacker's lateral movement appear to happen before the initial access it came from.
Side Note: There are three common ways to do it: Network Time Protocol (NTP), Precision Time Protocol (PTP), and a GPS-disciplined reference clock feeding one of the first two. NTP is by far the most common.
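Here is an added example of what 8.1's normalization and 8.4's synchronization buy us in practice. It is my illustration, not code from the CIS documents or from any product. It parses constructed log lines in three timestamp styles (RFC 3164 syslog with no year or zone, ISO 8601 with an offset or "Z", and epoch seconds), normalizes each to UTC, then pairs records from different hosts that describe the same connection and flags pairs whose timestamps disagree by more than a few seconds. The host names, the assumed local offset for fw01, the 2024 year applied to syslog stamps, and the src= field used as the correlation key are all assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions for this example: hosts whose syslog lines carry no zone, with
# their local UTC offset in hours, and the year to apply to RFC 3164 stamps.
HOST_UTC_OFFSET_HOURS = {"fw01": -5}
SYSLOG_YEAR = 2024

SYSLOG_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ISO_RE = re.compile(r"^(?P<stamp>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) (?P<host>\S+) (?P<msg>.*)$")
EPOCH_RE = re.compile(r"^(?P<stamp>\d{10}(?:\.\d+)?) (?P<host>\S+) (?P<msg>.*)$")
KEY_RE = re.compile(r"\bsrc=(\S+)")  # client socket: the field both hosts record (assumed)

# Constructed sample lines; not captured from a real environment.
SAMPLE_LINES = [
    # fw01: RFC 3164 syslog, local time (UTC-5), no year and no zone
    "Mar 10 09:05:07 fw01 kernel: ALLOW src=10.0.0.5:51522 dst=10.0.1.20:443",
    "Mar 10 09:06:00 fw01 kernel: ALLOW src=10.0.0.6:40001 dst=10.0.1.21:443",
    # app01: epoch seconds, which are UTC by definition
    "1710079507.300 app01 nginx: accepted src=10.0.0.5:51522 user=alice",
    # app02: ISO 8601 with an explicit offset, but its clock is eight minutes fast
    "2024-03-10T09:14:00.000-05:00 app02 nginx: accepted src=10.0.0.6:40001 user=bob",
    # dc01: ISO 8601 in UTC ("Z"), two seconds after the firewall saw the connection
    "2024-03-10T14:05:09Z dc01 auth: logon user=alice src=10.0.0.5:51522",
]


def normalize(line):
    """Parse one log line into (aware UTC datetime, host, message), or None."""
    if m := ISO_RE.match(line):
        ts = datetime.fromisoformat(m["stamp"].replace("Z", "+00:00"))  # keeps its own offset
    elif m := EPOCH_RE.match(line):
        ts = datetime.fromtimestamp(float(m["stamp"]), tz=timezone.utc)
    elif m := SYSLOG_RE.match(line):
        # RFC 3164 omits the year and the zone: both must come from knowledge of the sender.
        naive = datetime.strptime(f"{SYSLOG_YEAR} {m['stamp']}", "%Y %b %d %H:%M:%S")
        offset = HOST_UTC_OFFSET_HOURS.get(m["host"], 0)
        ts = naive.replace(tzinfo=timezone(timedelta(hours=offset)))
    else:
        return None
    return ts.astimezone(timezone.utc), m["host"], m["msg"]


def normalize_iso(line):
    """normalize() with the UTC timestamp rendered as an ISO 8601 string."""
    parsed = normalize(line)
    return parsed[0].isoformat() if parsed else None


def check_skew(lines, tolerance_seconds=5.0):
    """Group records by the connection they describe and report any host whose
    record lands more than tolerance_seconds after the earliest observation."""
    seen = {}
    for line in lines:
        parsed = normalize(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for key in KEY_RE.findall(msg):
            seen.setdefault(key, []).append((ts, host))
    findings = []
    for key, observations in seen.items():
        observations.sort()
        first_ts, first_host = observations[0]
        for ts, host in observations[1:]:
            if host == first_host:
                continue
            delta = (ts - first_ts).total_seconds()
            if delta > tolerance_seconds:
                findings.append({"key": key, "hosts": (first_host, host), "skew_seconds": delta})
    return findings


if __name__ == "__main__":
    for f in check_skew(SAMPLE_LINES):
        print(f"clock skew of {f['skew_seconds']:.0f}s between {f['hosts'][0]} and {f['hosts'][1]} on {f['key']}")
```

The first connection lines up across three hosts within two seconds; the second shows app02 recording the accept eight minutes after the firewall allowed it, which is the clock, not the network. Note that the syslog branch can only be made right by knowing the sender's zone and year, which is exactly why logging in UTC with a full timestamp is part of the safeguard.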
8.5 Collect Detailed Audit Logs
Implementation Note: Weak logs make analysis and forensics difficult or impossible. The safeguard's minimum is event source, date, username, timestamp, and source and destination addresses. I would go beyond that and capture, for each event:
Timestamp (in UTC, with the zone stated)
Event type, status, and any error codes
Service, command, or application name
User or system account associated with the event
Device used, plus source and destination IPs
Terminal or session ID
Web browser (User-Agent string), for web events
8.6 Collect DNS Query Audit Logs
Implementation Note: Almost every intrusion touches DNS: malware resolves its command-and-control domain, tunnels data out inside query names, or churns through generated domains that come back NXDOMAIN. Collecting the queries (which client asked for which name, and what the response code was) lets us spot that activity early and reduce the impact of DNS-based attacks. The same data tracks down misconfigured hosts, which show up as one client repeatedly asking for a name that no longer exists.
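An added example of the kind of review 8.6 makes possible; this is my illustration, not the CIS text or any resolver's code. It runs over constructed query-log lines in a simplified "timestamp client qname qtype rcode" layout (not the native format of any particular resolver) and applies three checks: labels that are very long or random-looking, which is what tunnelled data and beacons look like; the same client repeatedly getting NXDOMAIN for the same name, the classic misconfigured host; and one client racking up many distinct NXDOMAIN names, the signature of a domain generation algorithm. The thresholds and client addresses are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample in a simplified "<ts> <client> <qname> <qtype> <rcode>" layout.
SAMPLE_DNS_LOG = """\
2024-03-10T14:05:01Z 10.0.0.5 www.example.com A NOERROR
2024-03-10T14:05:02Z 10.0.0.5 cdn.example.net A NOERROR
2024-03-10T14:05:03Z 10.0.0.7 old-fileserver.corp.internal A NXDOMAIN
2024-03-10T14:05:08Z 10.0.0.7 old-fileserver.corp.internal A NXDOMAIN
2024-03-10T14:05:13Z 10.0.0.7 old-fileserver.corp.internal A NXDOMAIN
2024-03-10T14:05:18Z 10.0.0.7 old-fileserver.corp.internal A NXDOMAIN
2024-03-10T14:05:20Z 10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.evil-example.org TXT NOERROR
2024-03-10T14:05:21Z 10.0.0.9 pbyxe43uov3ho6dzpjvwkzlomrsxe3dfnzuxizltor.t.evil-example.org TXT NOERROR
2024-03-10T14:05:22Z 10.0.0.9 ozsxe3djnzswy2lomfwge3dfpbuxkzlomrsxe3dfnz.t.evil-example.org TXT NOERROR
2024-03-10T14:05:30Z 10.0.0.11 qzkxhvbpwm.com A NXDOMAIN
2024-03-10T14:05:31Z 10.0.0.11 ytrvbnmkop.net A NXDOMAIN
2024-03-10T14:05:32Z 10.0.0.11 lpoiuytrew.org A NXDOMAIN
2024-03-10T14:05:33Z 10.0.0.11 mnbvcxzasd.info A NXDOMAIN
2024-03-10T14:05:34Z 10.0.0.11 asdfghjklq.biz A NXDOMAIN
2024-03-10T14:05:35Z 10.0.0.11 zxcvbnmasd.com A NXDOMAIN
"""

# Assumed thresholds; tune against your own baseline (CDN hostnames, for one,
# often carry long hashed labels and belong on an allowlist).
LONG_LABEL = 30         # a single label this long is rare outside encoded data
HIGH_ENTROPY = 3.6      # bits per character; random-looking labels score above this
REPEAT_NXDOMAIN = 3     # same client, same name, NXDOMAIN at least this often
DISTINCT_NXDOMAIN = 5   # distinct NXDOMAIN names from one client


def shannon_entropy(text):
    """Bits of entropy per character of text."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def tunnel_indicator(qname):
    """Return the first label that looks like encoded data, or None."""
    for label in qname.rstrip(".").split("."):
        if len(label) >= LONG_LABEL or (len(label) >= 16 and shannon_entropy(label) >= HIGH_ENTROPY):
            return label
    return None


def parse(lines):
    """Yield one dict per well-formed line of the constructed format."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than abort the review
        ts, client, qname, qtype, rcode = parts
        yield {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype, "rcode": rcode}


def analyze(lines):
    """Run the three checks and return the findings as sorted lists."""
    tunnel = set()               # (client, parent domain receiving the encoded labels)
    nx_by_pair = Counter()       # (client, qname) -> NXDOMAIN count
    nx_names = defaultdict(set)  # client -> distinct names that returned NXDOMAIN
    for q in parse(lines):
        if tunnel_indicator(q["qname"]):
            labels = q["qname"].split(".")
            tunnel.add((q["client"], ".".join(labels[-2:])))
        if q["rcode"] == "NXDOMAIN":
            nx_by_pair[(q["client"], q["qname"])] += 1
            nx_names[q["client"]].add(q["qname"])
    return {
        "tunnel_suspects": sorted(tunnel),
        "repeated_nxdomain": sorted((c, n, k) for (c, n), k in nx_by_pair.items() if k >= REPEAT_NXDOMAIN),
        "dga_like": sorted(c for c, names in nx_names.items() if len(names) >= DISTINCT_NXDOMAIN),
    }


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_DNS_LOG.splitlines()).items():
        print(kind, items)
```

On the sample, 10.0.0.9 is pushing encoded labels under evil-example.org, 10.0.0.7 is a host still pointed at a decommissioned file server (a ticket, not an incident), and 10.0.0.11 is cycling through generated domains. None of the three is visible without the per-client query log.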
8.7 Collect URL Request Audit Logs
Implementation Note: Web request logs tell us which URLs users and services fetched and are a primary source for forensics, but the URL itself needs care. Query strings routinely carry session tokens, API keys, and sometimes credentials, and they end up in proxy, server, and browser logs, where a malign actor who reaches the logs can grab them. Simply using HTTPS doesn't fix that; it protects the URL in transit, not once it is written to a log. So capture request logs, redact the sensitive parameters before writing them, and use the logs to pinpoint which applications need to stop passing secrets in the URL in the first place.
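Pulling the two notes together (the field list under 8.5 and the URL caveat under 8.7), here is an added example of a small audit-record builder. It is my illustration, not code from the CIS documents or from any logging library. Each record carries the fields listed above with a UTC timestamp, is emitted as one JSON object per line, and scrubs the URL before it is stored: userinfo and fragment are dropped and the values of sensitive query parameters are redacted while their keys are kept, so an analyst can still see that a token was passed. The field names, the sensitive-parameter list, and the sample request are assumptions.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed: query-string keys whose values must never reach a log.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token", "id_token",
                    "refresh_token", "api_key", "apikey", "secret", "sessionid", "sig", "signature"}
REDACTED = "REDACTED"
REQUIRED_FIELDS = ("ts", "event", "status", "service", "user", "src_ip", "dst_ip", "session_id", "user_agent")


def scrub_url(url):
    """Drop user:pass@ and #fragment, redact sensitive query values, keep keys."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: hostname strips the brackets, restore them
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, host, parts.path, urlencode(query), ""))


def build_audit_record(event, status, service, user, src_ip, dst_ip, session_id,
                       user_agent, url=None, error_code=None, when=None):
    """Assemble one record with the fields listed under 8.5. `when` must be an
    aware datetime; it is rendered in UTC so records from different hosts sort
    and correlate without guessing zones."""
    ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    record = {
        "ts": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "event": event,
        "status": status,
        "error_code": error_code,
        "service": service,
        "user": user,
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "session_id": session_id,
        "user_agent": user_agent,
    }
    if url is not None:
        record["url"] = scrub_url(url)
    return record


def validate_record(record):
    """Return the names of required fields that are missing or empty."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def to_log_line(record):
    """One compact JSON object per line: easy to ship, normalize, and grep."""
    missing = validate_record(record)
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


# Constructed sample event: a failed portal login whose URL carried the password.
EXAMPLE_RECORD = build_audit_record(
    event="login", status="failure", error_code="AUTH_BAD_PASSWORD",
    service="portal-api", user="alice", src_ip="203.0.113.7", dst_ip="10.0.1.20",
    session_id="sess-0a1b2c", user_agent="Mozilla/5.0",
    url="https://alice:s3cret@app.example.com/login?user=alice&password=hunter2&next=%2Fhome#top",
    when=datetime(2024, 3, 10, 14, 5, 7, 123000, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(to_log_line(EXAMPLE_RECORD))
```

The validation step is the 8.1 point in miniature: a record that is missing the account or the source address is not evidence, so refuse to write it rather than discover the gap during an incident. Redacting values rather than deleting the parameter is deliberate: the presence of password= in a GET request is itself a finding worth routing back to the application team.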
8.8 Collect Command-Line Audit Logs
Implementation Note: Command injection through a cookie or form field that reaches the web server's system shell is still not a difficult attack to pull off. Once there, a malign actor's first moves are commands: spawning a shell from the web server account, downloading a second stage, dropping a binary in /tmp. Command-line audit logs (auditd execve records on Linux, process creation and PowerShell script block logging on Windows) capture exactly those actions, so detecting unusual or threatening behavior at the command line shows us what the actor is doing and where they came in.
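An added example of a review over command-line audit logs; this is my illustration, not the CIS text or code from the audit subsystem. It parses constructed records written in the style of Linux auditd (SYSCALL and EXECVE lines that share an event serial), decodes the hex-encoded arguments auditd uses for strings containing spaces, joins the two record types, and flags the post-injection pattern from the note above: the web server account spawning a shell, a download piped into a shell, and execution of a binary from /tmp. The uid 33 for the web server (www-data on Debian-family systems), the shell and directory lists, and the sample records are assumptions.

```python
import re

# Assumptions for this example: the web server runs as uid 33 (www-data on
# Debian/Ubuntu), it should never spawn one of these shells, and binaries run
# from these directories are suspect.
WEB_SERVER_UIDS = {33}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da)?sh\b")

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')     # key=value, quoted or bare

# Constructed records in auditd style. Event 4567: PHP's shell spawns curl|sh.
# Event 4568: the dropped binary runs from /tmp. Event 4570: a normal user's ls.
SAMPLE_AUDITD = """\
type=SYSCALL msg=audit(1710079507.101:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1300 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1710079507.101:4567): argc=3 a0="/bin/sh" a1="-c" a2=6375726C2068747470733A2F2F3137322E31362E32302E352F78207C207368
type=SYSCALL msg=audit(1710079507.902:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1310 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) ses=4294967295 comm="x" exe="/tmp/x" key="exec"
type=EXECVE msg=audit(1710079507.902:4568): argc=1 a0="/tmp/x"
type=SYSCALL msg=audit(1710079520.004:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1710079520.004:4570): argc=2 a0="ls" a1="-la"
"""


def decode_value(raw):
    """auditd quotes plain strings and hex-encodes ones containing spaces or quotes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def group_events(lines):
    """Join SYSCALL and EXECVE records that share an audit event serial."""
    events = {}
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = dict(KV_RE.findall(line))
        ev = events.setdefault(serial, {"serial": serial, "ts": float(m.group(1)), "syscall": {}, "argv": []})
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", "0"))
            # Caveat: auditd splits very long arguments into a1[0], a1[1], ... chunks; not handled here.
            ev["argv"] = [decode_value(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    return events


def evaluate(event):
    """Apply the three rules to one joined event and return the rule names that fired."""
    sc = event["syscall"]
    uid = int(sc.get("uid", "-1"))
    exe = decode_value(sc.get("exe", '""'))
    cmdline = " ".join(event["argv"])
    rules = set()
    if uid in WEB_SERVER_UIDS and exe in SHELLS:
        rules.add("web_account_shell")
    if exe.startswith(UNTRUSTED_DIRS):
        rules.add("untrusted_dir_exec")
    if DOWNLOAD_EXEC_RE.search(cmdline):
        rules.add("download_and_execute")
    return rules


def detect(lines):
    """Return one alert per event that fired at least one rule, in serial order."""
    alerts = []
    for serial, ev in sorted(group_events(lines).items()):
        if not ev["syscall"]:
            continue  # an EXECVE without its SYSCALL record cannot be attributed to a uid
        rules = evaluate(ev)
        if rules:
            alerts.append({"serial": serial, "uid": int(ev["syscall"]["uid"]),
                           "exe": decode_value(ev["syscall"]["exe"]),
                           "cmdline": " ".join(ev["argv"]), "rules": rules})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDITD.splitlines()):
        print(a["serial"], a["uid"], a["exe"], sorted(a["rules"]), repr(a["cmdline"]))
```

The hex decoding matters more than it looks: the injected command in event 4567 contains spaces, so auditd stores it as hex, and a grep for "curl" over the raw file finds nothing. Decode first, then match.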
8.9 Centralize Audit Logs
Implementation Note: Forwarding logs as they are written to a centralized, access-controlled log store goes a long way toward defeating the log deletion step when malign actors cover their tracks: the copy on the compromised host can be wiped, but the copy already shipped cannot. Additionally, centralizing the audit logs makes collection, retention, and analysis much simpler (*cough* automation).
8.10 Retain Audit Logs
Implementation Note: Another “It has to be said, otherwise we can’t say we said it” safeguard.
Retain audit logs. The safeguard sets a floor of 90 days across enterprise assets, and many obligations require far longer. First, it's mandatory for compliance in many regulations, standards, and laws for data privacy and security. Second, it's common sense. Retaining our logs lets us reconstruct an attack when we discover it long after the compromise. Retention also lets us look at record changes over time, identifying errors in internal systems and processes.
8.11 Conduct Audit Log Reviews
Implementation Note: Sometimes I can feel the long sigh from the writers of these safeguards. Like enabling the logs, we have to actually review them: weekly at a minimum per the safeguard, and continuously where we can automate it. Otherwise, we never see the abnormal events, correlate them to the endpoints involved, and act on what we find, whether that is eliminating a device, reconfiguring it, or standing up new ones correctly.
Implementation Group 3 (Complex and Tailored Expertise)
IG 1,2 + Safeguard 12
8.12 Collect Service Provider Logs
Implementation Note: The "as a Service" model continues to expand, and this safeguard grows in importance in direct proportion. Collect the provider's logs where it offers them (authentication and authorization events, data creation and disposal, user management) so we can verify what happened inside the provider's environment, check log integrity, and demonstrate regulatory compliance. Remember, we are held accountable for what our vendors do with our customers' data too.
Why Should We Care About Control #8?
Often, our audit records are the only evidence of an attack. Poor log processes let malign actors work inside an unwary enterprise for extended periods without anyone realizing it.
A robust policy and process with complete logs across the enterprise affords analysts an expedited understanding of when and how the attack occurred, what information was accessed, and if data was exfiltrated. Retention is essential for follow-up investigations and for those times where an attack was undetected for an extended period (think SolarWinds).
I would love your feedback!
Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.


