Deleting logs helps attackers cover their tracks and makes it more difficult for forensics researchers to identify where and what attackers have accessed. It's like committing a crime and stealing the tape from the surveillance camera. Using encryption on data being sent out of your organization, for example a SSL connection over port 443 allows attackers to hide their activities from network-based detections. Outbound traffic is cloaked to look innocuous to detection systems, making data theft detection less likely. Installing rootkits similarly helps hackers further avoid detection when examining a local system. Rootkits are designed to go undetected, enabling an attacker to leisurely inspect a system and exploit it at will.
Security pros can combat these network intrusion techniques using log review, centralized logging, network-based anomaly detection and file-integrity monitoring software. These are standard techniques for detection that are not always effectively used. Developing an effective and strategic review of the many types and locations of logs can help detect when an attacker has compromised a system. Centralized logging or a mechanism that prevents tampering with the logs will defend against attackers that delete logs to cover their tracks.
Network-based anomaly detection (NBAD) identifies when a compromised system communicates with unknown systems. The technology identifies intrusions and can be used even if the attacker is, for example, using SSL over port 443 to detect the endpoint he or she is connecting to on the Internet. File-integrity monitoring software can also be used to detect when attackers modify system files with a rootkit as part of their compromise. For example, the file- integrity monitoring software can detect when a critical system file is replaced or modified to include a file from the rootkit.
This was first published in December 2009