Denmark CFCS Issues Advisory on Incident Logging
Danish Cyber Authority Highlights Inadequate Logging Practices
Denmark's lead cyber agency, the Center for Cyber Security, or CFCS, has issued an advisory on cyber incident logging to build enterprise resiliency against cyberattacks.
The country witnessed two high-profile cyber incidents in a span of five months, the latest being a ransomware attack last month that affected the IT infrastructure at Vestas Wind Systems - the largest wind turbine manufacturer in the world.
Addressing CISOs and IT directors, the CFCS advisory on security incident logs follows the center's observation of Danish organizations' inadequate logging procedures leading to difficulties in identifying the source and impact of recent security incidents.
The CFCS describes logging as "the backbone of a robust cyber defense," as it helps prevent the recurrence of security incidents. The advisory covers various incident logging guidelines that organizations must follow.
Advisory Logging Guidance
As a general logging practice, the CFCS says organizations must log the coordinated universal time, or UTC, to be able to chronologically piece together a security incident. It specifies the elements that organizations must consider while framing an incident logging policy and recommends that incident logs be maintained for a minimum of 13 months.
The advisory contains recommendations for the following logging activities:
- Logging DNS Queries: Internal Domain Name System, or DNS, server logs are important in determining which internal systems - PCs or servers - have attempted to resolve a domain name to an IP address, and the time of the query. Logging of DNS queries can be used to identify malware communication with a command-and-control, or C2, server.
- Logging Dynamic Host Configuration Protocol: Not logging DHCP makes it very difficult for organizations to identify infected devices in the organizational network that were connected to a cybersecurity incident.
- Firewall and Anti-Malware System Logging: Logging of UTC time, source and destination IP address and port, protocol and firewall rules is advised, including information on blocking and approval of connections and the quantity of data sent and received. For anti-malware systems, the CFCS recommends copying and centralizing logs, including copies of the quarantined files, for subsequent analysis.
- Authentication Server Logging: Maintain logs of suspicious events, for instance, when a regular user account is added to a regulated group. Also, keep track of unusually large numbers of failed login attempts preceding a successful login, as this could indicate a brute-force attack.
- Router and VPN Gateway Logging: In addition to logging the UTC time, log source IP addresses and temporary assigned addresses along with failed and successful logins.
- Web Server and Web Proxy Logging: As some threat actors may use web servers to access a network through websites and email services, CISOs should maintain "success" and "failure" audit logs, privileged account and password management logs, and logs on whitelisted solutions and blocked PowerShell executions.
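The authentication-server check described above (many failed logins followed by a success, correlated on UTC timestamps), as an added example that is not part of the advisory or this article; the log line format, the sample lines, the failure threshold and the time window are all constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample from an authentication server that logs in UTC, as the
# advisory recommends. The field layout is an assumption for this example.
SAMPLE_LOG = """\
2021-11-19T08:00:01Z FAILURE user=jdoe src=203.0.113.7
2021-11-19T08:00:03Z FAILURE user=jdoe src=203.0.113.7
2021-11-19T08:00:04Z FAILURE user=jdoe src=203.0.113.7
2021-11-19T08:00:06Z FAILURE user=jdoe src=203.0.113.7
2021-11-19T08:00:07Z FAILURE user=jdoe src=203.0.113.7
2021-11-19T08:00:09Z SUCCESS user=jdoe src=203.0.113.7
2021-11-19T08:15:00Z FAILURE user=asmith src=198.51.100.2
2021-11-19T08:15:20Z SUCCESS user=asmith src=198.51.100.2
"""


def parse_line(line):
    """Split one log line into (utc_datetime, result, user, src)."""
    ts, result, user_field, src_field = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, result, user_field.split("=", 1)[1], src_field.split("=", 1)[1]


def find_brute_force_then_success(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (src, user, failure_count, success_time) for every successful
    login preceded by at least `threshold` failures for the same (src, user)
    within `window`. Failures outside the window are discarded, so a few
    genuine typos spread over a day do not trigger an alert."""
    recent_failures = defaultdict(list)  # (src, user) -> failure times in window
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, result, user, src = parse_line(raw)
        key = (src, user)
        # Slide the window forward: keep only failures close to this event.
        recent_failures[key] = [t for t in recent_failures[key] if when - t <= window]
        if result == "FAILURE":
            recent_failures[key].append(when)
        elif result == "SUCCESS":
            if len(recent_failures[key]) >= threshold:
                hits.append((src, user, len(recent_failures[key]), when))
            recent_failures[key].clear()  # reset so one burst is reported once
    return hits


if __name__ == "__main__":
    for src, user, count, when in find_brute_force_then_success(SAMPLE_LOG):
        print(f"{when.isoformat()} {count} failures then success: {user} from {src}")
```

The single-failure login by asmith stays below the threshold and is not reported, which is the behaviour a SOC wants from this rule.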
Logging Policy and Storage
CISOs are advised to ensure that the logging policy describes the log generation, collection, storage, retention periods, proactive and reactive log analysis and the deletion of logs. These policies and procedures must be made available to the company's security teams, appropriate government agencies and the security vendor investigating the cyber incident.
With respect to log collection and storage, CISOs are told that they must address the risk of manipulation of log data.
CISOs are also advised that log analysis must be supported with appropriate tools, such as a Security Information and Event Management, or SIEM, platform.
Challenges and Workarounds
Greg O'Reilly, application performance and observability consultant at Visibility Platforms, says the CFCS advisory is well-written and insightful. He tells Information Security Media Group that while he agrees logging is the backbone of organizational security, there's more to it than just API and event logs.
"One way to collect everything from everywhere, without spending huge sums on infrastructure, is to introduce a data pipeline solution," he says.
According to O'Reilly, a data pipeline solution can help CISOs rewrite log lines and choose where to direct copies of logs - to SIEM tools or to logging solutions. "Organizations can get meaningful information with reduced infrastructural spending. Performance is also improved as the data pipeline solution handles the heavy lifting," he says.
In addition to this, all of the data is stored in object storage as primary data, which can be indexed and mined in real time. An open data format also eliminates vendor lock-in, O'Reilly says.
The Vestas Cyberattack
On Nov. 19, Vestas Wind Systems announced that it had been the target of a cyberattack that affected the company's internal IT infrastructure, leading to a data breach.
At that time, Kristian Holmelund Jakobsen, press and information officer at Vestas Wind Systems, told ISMG that preliminary investigations were underway and the company was working toward containing the situation and reestablishing the integrity of its IT systems.
In its latest announcement, Vestas says that investigations revealed the cyber incident to be a ransomware attack that affected the company's internal systems resulting in a data breach.
In CFCS' cyberthreat assessment, the center warns that the threat faced by Danish public authorities, private companies and citizens from cybercrime is very high. Its assessment of cyberespionage threats is equally serious. "Time after time, specific incidents and attack attempts have given credence to this assessment," the CFCS says.