Audit And Accountability
Review audit information for broad activity in addition to per-machine activity.
Examining audit logs for system-specific indicators provides an important “point-defense” ability for a specific system (see practice AU.4.053). Comparing log information across multiple disparate systems allows for a holistic and time-correlated approach to detect cyber attack actions that would not constitute a threat indicator or generate any action when identified on any single system. Some of these attacks may be subtle or infrequent, while others just comprise a large number of machines. This practice requires that a system perspective be used to look for these subtle and distributed (in both logical space and time) indicators and to act upon detecting them in line with other auditing practices. The definition and scope of the system perspective will vary as the size of the organization or enclave changes. For very small installations, broad activity may only mean more than one system. Example 1 You are working your shift in the security operations center (SOC) when you are alerted to a trend that has appeared in logs from across the company networks. The centralized log collection server has identified minor indicators that show periodic increases in failed login attempts across most of the corporate data servers. While the number of failed attempts did not cross the threshold for account locking, together they passed the 24-hour moving window for failed login attempts, having exceeded the average of such attempts by 1000%. You obtain a list of all account names for which access failed and see that four accounts have had extremely high failure counts. You initiate a log query to identify the IP addresses of the systems that attempted to access these four accounts over the past 10 days and notify the threat hunting team of the analysis results. Example 2 As part of the security operations center (SOC) standard operating procedures (SOP), you execute a run of a log analysis tool on the system-wide audit log looking for pre-defined indicators of broad security-relevant activity. The analysis tool notifies you that afternormal-work-hours, failed login attempts are occurring across a large number of machines resulting in locked accounts across the system. On a machine-by-machine basis a locked account does not warrant any escalation but across multiple systems this indicates a potential denial of service attack to cause a significant impact on workforce productivity at the start of the next workday.
The full scope of adversary activity may not be apparent from analyzing a single machine. A broad perspective is necessary for full cybersecurity situational awareness. Activity might be reviewed across multiple machines, an enclave, or an entire enterprise. This will require audit logs collated with the same scope as the analysis.
NIST SP 800-53 Rev 4 RA-5(6), RA-5(8), RA-5(10)
NIST CSF v1.1 PR.PT-1