Aggressively Monitoring for Changes Is a Key Aspect of Cybersecurity

COMMENTARY

There are many layers to a proper cybersecurity defense. Each layer is important, and risks are increased any time a layer is compromised or missing. Additionally, there can never be enough layers. While you can reduce risks by adding layers, you can never eliminate all the risk. Two of the most vital layers of defense are file integrity monitoring and change detection. Both are controlled and monitored by an organization's change management program.

In the early days of computer networking, I remember making major changes on the fly, without any documentation, approvals, back-out plans, or oversight. Step ahead a few years and this would be a fast and easy way to find yourself unemployed and unemployable.

Changes, change detection, and change management are a big deal and require coordination, planning, testing, documentation, developing back-out plans, and gaining approvals from key aspects of the organization. Often, receiving approvals can take weeks or even months. In many organizations these days, change approvals are done by committees that track changes very closely to prevent issues, outages, or disruptions to the business.

Threat Actors Attacks

When threat actors attack your network, they must make changes to carry out their objectives. Their objective is almost always financial gain. The threat actor must find a means to enter the network, such as unpatched vulnerabilities or phishing, and typically escalate credentials to further their objectives. Many times, the threat actor must insert payloads, executables, create accounts, edit access control lists, use unapproved software, disable software or agents, and alter logs and security configurations before doing any real damage. All these actions require changes. 

When changes are detected, the threat actor has not yet completed their objectives. Change detection and file integrity monitoring solutions can be triggered, alerting information security before the threat actor has established command and control, pivoted to active directory, exfiltrated confidential data, or kicked off encryption processes. These next-generation systems can operate and alert in real time.

The Biggest Threats

There are only a few reasons that files, software, operating systems, databases, applications, or configurations change:

Having spent more than 30 years in cybersecurity, the two items I worry most about are the last items: malware and threat actors .

All of these changes, regardless of the reason, would look about the same in logs and telemetry. Therein lies the problem. It's crucial when changes occur for change management, information technology, and information security to understand what caused the changes.

To do this, you must have a robust file-integrity monitoring and change monitoring system. When these systems find a change has occurred, someone, or some process, needs to reconcile that change. Is there a change record that explains the change? Was this planned? If the answer is no, a second ticket should be opened and an investigation started immediately by opening an incident ticket. If the change in logs is related to a crown jewel, the investigation should be escalated as urgent, and the cybersecurity incident response team should be notified.

It could be there's no change ticket or obvious explanation, but no malware or threat actor activities are responsible. This must be ruled out as soon as possible. Threat actors move rapidly these days. Dwell time was months just a few years ago; today, dwell time can be just a few hours.

The more critical the server, application, database, etc., the more important the file integrity monitoring and change detection systems. Business criticality should be the defining aspect as to what level of inspection needs to occur. In fact, if there's little business criticality, maybe file integrity monitoring is not needed. Maybe the level of change inspection can be low.

File integrity monitoring (FIM) watches and analyzes the integrity of endpoints, file systems, databases, file shares, network devices, various operating systems, and applications for evidence of corruption or tampering, which may be indicative of threat actor activities. FIM tools compare the current baseline with a past baseline and alerts when any differences are found.

These days, threat actors can be very sophisticated with their techniques to alter endpoints. Very often, file systems, registries, configuration files, system files, access control lists, etc., will be changed during an attack and/or while a threat actor is moving laterally during an attack. Threat actors may change access control groups, disable key aspects of logging, or in some cases, disable or uninstall security monitoring, agents, or applications. These type actions expedite the need for rapid threat detection and analysis, along with remediation.

When a cybersecurity professional can detect a threat early, the likelihood of thwarting the threat actor increases and damage to data and endpoints are minimized. There are numerous layers to early detection. Change detection and file integrity monitoring are but two of the layers. The addition of these two layers of security lowers risk and allows for better audit and compliance measures.

Conclusion

As always, employee education is an integral part of any program. Employees and management must fully support and adhere to both layers of security. Once these layers are in place, a proactive approach with definitive security controls can be implemented against malware and threat actors. This will ensure your organization is minimizing risk against threat actors and cyberattacks.