Log Tampering Incident Response Playbook
The Lumu Log Tampering Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life cycle has four main phases, as described in the following illustration.
This document contains guidelines for Log Tampering incident response using Lumu. Consider this playbook as a guideline to improve the effectiveness of the incident response and adapt it according to your specific requirements.
Check out how Lumu provides a detailed breakdown of the endpoint telemetry collected for this incident in the Log Tampering Detection article.
What are Log Tampering incidents?
Log Tampering incidents are a critical alert indicating that threat actors have intentionally manipulated the system event logs of one of your organization’s endpoints. The system event logs act as the digital footprints of everything that happens on a device. When an attacker breaches a system, their actions (such as logging in, escalating privileges, or downloading data) are recorded in these logs. This functionality makes the system event logs a primary target when carrying out an attack into an organization.
Lumu detects the following methods of log tampering:
- Clear system logs: Wiping the entire event log to remove all recent historical data, leaving investigators with no forensic trail.
- Stop system logs: Disabling or halting the background services responsible for writing logs before executing malicious actions so that no record is ever created.
- Modify system logs: Carefully altering specific entries within a log file to remove only the lines related to the attacker's activities while leaving the rest intact to avoid raising immediate suspicion.
This type of incident work as an indicator of a broader attack happening within your organization since the attackers tamper logs to:
- Prepare for an upcoming attack: Attackers may disable modify or shutdown system logs before launching their primary objective (like deploying ransomware or exfiltrating data) to ensure their malicious actions are never recorded in the first place.
- Deleting the tracks of an executed Attack: Attackers may delete logs after a breach to erase their digital footprints, attempting to hide their presence and activities from security teams.
General Playbook
This is the general playbook for Log Tampering incident operation. It covers the main steps that you can take when investigating and remediating this type of incident.
Example Scenario
Now, let’s delve into a common scenario that an organization can find when operating Log Tampering incidents. This will help exemplify the value this feature can provide. Let’s consider a scenario where Lumu notifies your organization that the system event logs of a specific endpoint have been tampered.
To resolve the incident, the analyst starts by determining the type of method used for this incident (Clear, Stop or Modify logs).
1. Organization A gets notified of a Log Tampering incident in one of their endpoints that have installed the Lumu Windows Agent. By inspecting the incident, the analyst in charge is able to identify the method used to tamper with the system logs.
Lumu’s detection capabilities are trained to recognize the system's normal behavior. However, if the Event log service was shutdown, the analysts should investigate the operational status of the endpoint first. Standard system reboots or power-offs naturally stop logging services, which can trigger this alert as a reflection of normal system behavior rather than malicious tampering.
2. From the Lumu Portal, analysts access the details of the incident to realize the endpoint’s event logs were cleared. They start the investigation by making use of the snapshot of the system event logs at the time of the incident which allows them to access a wider context of the attack.
3. After verifying the Context Data of the incident, the specialist identifies that the log-clearing event was executed using built-in Windows utilities, such as the wevtutil cl Security command, which can allow attackers to reduce their footprint and avoid signature-based detection. This can indicate that the attacker is utilizing Living off the Land (LotL) techniques to reduce their footprint and evade signature-based detection.
4. Then, analysts verify that the actions made in the event logs are not related to a scheduled maintenance operation. Having determined that this is a malicious log tampering event, the analyst immediately disconnects the device from the network to contain the asset to avoid a further compromise.
5. Then, the analysts start a thorough investigation to determine the root cause by correlating the activity with other recent security alerts or indicators of compromise. Recognizing that log tampering typically occurs in the middle of a broader attack chain to conceal evidence of other malicious operations, the analysts leverage the Context Data provided in the Lumu Portal to identify suspicious network activity (such as connections to known IoCs), unauthorized RDP sessions, privilege escalation, or malicious processes that executed on the device moments before the logs were altered.
6. During the investigation, they identify and remove the malicious scripts that were responsible for clearing the logs to erase traces. Because attackers who clear logs often intend to maintain access, the analysts also audit the system for persistence mechanisms, such as unauthorized Scheduled Tasks or modified Registry Run keys.
7. They then perform an account compromise verification to discard lateral movement. By using Lumu Discover, analysts can identify if any account has been compromised before, as it provides invaluable data about the organization’s extended attack surface to validate whether the user in the attack has been exposed previously. If any accounts are compromised, an account reset must be executed.
8. Once analysts have remediated the incident, they verify that the Windows Event Log service is running and properly configured to capture data again. Then, they document their findings and keep the asset under surveillance for signs of suspicious behavior, ensuring that the threat has been completely eradicated.
Preparation
This is the initial phase where organizations take preventive measures to respond effectively to incidents, some recommended steps to prepare your company to deal with a Log Tampering incident are listed below:
How Lumu Helps
Lumu provides the ability to illuminate the blind spots in your network by providing coverage of your entire infrastructure, namely on-premises, public and private clouds, and roaming devices.
Recommended Actions
- To gain full visibility into your network, set up collectors such as Virtual Appliances, Gateways, Agents and integrations to ensure that all your network metadata is ingested in the Lumu platform, especially the firewall and proxy metadata. Learn more in our deployment guide.
- Ensure you cover remote users in your compromise assessment. Learn more about Lumu Agent and VPN and SDP configuration.
- Identify your vital assets (clients, IoT, clouds, remote devices, etc.) and assign labels to your traffic to help quickly identify the compromise distribution across your infrastructure in a way that makes sense for your organization.
- Control your attack surface by ensuring that services and connections exposed to external environments are governed by strict policies and controls. Verify that only essential services are exposed, and access is restricted to specific roles via secure, authenticated channels. Regularly monitor and enforce these measures to minimize vulnerabilities.
- Conduct regular awareness campaigns on security policies and risks employees face, and what actions to take when faced with a cyberattack.
- Keep your endpoint protection and operating systems updated.
- Implement best practices for Identity and Access Management (IAM).
Detection & Analysis
Organizations should prioritize rapid incident detection and validation to enable effective containment and eradication. Early detection limits the spread of infection and simplifies the response process. During this phase, security teams monitor and analyze alerts and data from systems, networks, and logs to identify potential incidents, understand the threat's scope, impact, and potential source, assess its severity, and gather forensic information. Proper documentation and communication are essential for successful incident response.
Some steps are listed below:
- Alert Monitoring: Collect and monitor data from network, host, and application logs, along with external sources like threat intelligence, to identify attack vectors and signs of potential incidents.
- Incident Identification: Determine whether an event qualifies as an incident or precursor by analyzing and correlating monitoring data.
- Incident Analysis: Classifying the incident type, incident response teams should quickly analyze and validate incidents. Once an incident is confirmed, the team conducts an initial analysis to determine its scope, including affected systems, origin, and attack methods. This analysis helps prioritize actions like containment and deeper investigation.
- Enrichment and Investigation: Gathering additional information (e.g., threat intelligence, forensics analysis) to understand the scope and impact. Maltiverse by Lumu is vital in this procedure.
- Documentation: Recording the details of the incident, timelines, and results of the analysis. An IR team that suspects an incident has occurred should immediately begin recording all facts related to the incident.
How Lumu Helps
Lumu unlocks the value of your own network metadata by implementing the concept of Continuous Compromise Assessment that provides comprehensive and detailed visibility into your network infrastructure. Lumu illuminates the various activities associated with indicators of compromise (IoCs) detected on your network and provides all the contextual information needed for in-depth analysis through the Lumu Portal. Lumu Continuous Compromise Assessment technology provides real-time monitoring over network and identity infrastructure. It correlates network and identity metadata to identify anomalies and contact with malicious infrastructure, providing your organization with multiple tools to determine adverse activity.
- Use the IoC information provided by Lumu to check if the log files of your defensive infrastructure (e.g. endpoint protection, firewall, UTM gateway) contain this malicious communication.
- Identify the endpoints contacting the adversarial infrastructure related to Log Tampering incidents. This can be IoCs related to brute force, scanning infrastructure or ransomware gangs.
- Use the Attack Distribution feature of the Lumu Portal to see how the compromise spreads inside your network. Identify how your assets are communicating with the adversarial infrastructure and detect endpoints within the internal network exhibiting anomalous behavior.
- You can use the Lumu’s Compromise Radar feature to find out the frequency and behavior of malicious communication, so you can differentiate occasional contact from persistent and automated compromises that have the power to cause harm to the organization.
- Use the threat intelligence information provided in each IOC in the Lumu Portal to enrich the context of the activity. Additionally, correlate this with other detections, like Unusual Login, to verify whether the attack attempts were successful.
- If an incident is confirmed, use this information in incident documentation and analysis.
- If possible, reverse-engineer the malware in a secure environment (or sandbox) to understand its behavior and the functionality it implements.
Containment, Eradication & Recovery
This phase has two key goals: stopping the spread of the threat and preventing further damage within the network. Organizations should implement strategies and procedures based on the risk level of the detected compromise. Containment strategies will vary depending on the type of incident and must consider potential damage or theft of resources, the need for evidence preservation, service availability, and the time and resources required for effective response.
Below are some steps to follow in this phase:
- Containment: Implement immediate actions or long-term strategies to isolate or limit the spread of the incident.
- Eradication: Identify the root cause of the incident and eliminate it.
- Recovery: Recover affected systems to a known good state and confirm normal operations, perform testing to ensure systems are no longer compromised, and prevent future incidents.
How Lumu Helps
Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.
Recommended Actions
- Lumu Defender integrates with your security stack and gives your organization the ability to orchestrate an effective automated response to contain any cyber threat, in line with your policies.
- Lumu orchestration can assist you in identifying whether the endpoints that reported the Log Tampering were observed displaying anomalous behavior before.
- Use the threat Intelligence information, Mitre ATT&CK TTPs, and IoCs details from Lumu Portal to configure your security infrastructure scheme (firewalls, IDS, IPS, email gateways, etc) to avoid similar malicious activity.
- Lumu Portal provides your organization with information and details about the devices or IP addresses involved in the incident to initiate targeted investigations into the related internal devices.
- Based on your containment strategy, consider isolating the affected devices to prevent lateral movement and limit the spread of the incident within the network.
- Identify related services and users and reset the credentials of all involved systems.
- If you suspect the initial attack vector was via email, check the details in the organization's mail server log files.
- Remove threats, and replace or restore the compromised assets to their previous state. Wipe and baseline affected systems if needed.
- Use Lumu technology to establish monitoring to detect further suspicious activity.
- The incident and its effects need to be remediated across the entire network.
- Complete malware scanning of all systems across the affected network.
Post-Incident Activity
This phase is designed to incorporate the lessons learned from each incident and to evaluate future improvements.
How Lumu Helps
Lumu helps refine your current and future defense and response by continuously monitoring that the compromise has been eradicated.
Recommended Actions
- Use Lumu Continuous Compromise Assessment to monitor continuously any communication between your assets and adversarial infrastructure to make sure that no additional contacts are reported.
- Use the context information in the Lumu Portal for details on how the adversary works.
- Conduct root cause analysis and evaluate the habits of the users.
- Explore the related sources, Mitre ATT&CK Matrix, and articles provided by Lumu in the Context area to understand more about the Tactics, Techniques and Procedures used by adversaries and document the incident.
- Use the incident information to adjust your security policies and Mitre Matrix context to evaluate your security strategy. This may involve changing the configuration of the company's assets and conducting awareness campaigns, focusing on the users that own those devices.
- Coordinate with your endpoint protection technology vendor’s updates if needed.
- Document and share with the stakeholders all the lessons learned from the incident and recommendations of any aspect that could be improved to help prevent a similar cyber incident from reoccurring.