Why Log Tampering is So Crucial to Cybercrime

Cybersecurity Stephen
5 min read · Jun 8, 2024


Logs, logs, logs! -NightCafe (by author)

Logs are everywhere on your computer, but few people keep them in the forefront of their mind, since logs simply collect records in the background while everyone goes about their business. The information in logs is more valuable than most realize: it can include who accessed the system, when it was accessed, what files were opened, and what changes were made. Logs also help troubleshoot computer systems and keep track of users’ activity.¹

Log files hold plenty of attractions for malicious actors, including aiding in reconnaissance, harvesting Personally Identifiable Information (PII), covering their tracks in a system, and disrupting or extorting a victim.

Logs have plenty of value — NightCafe (by author)

In terms of reconnaissance, logs can reveal behaviors, defenses, and the use of applications with known vulnerabilities. They can also expose detailed information on the infrastructure, software configurations, the presence of default passwords, and user credentials, as well as ideas for privilege escalation toward the best targets in the company or network.²

Not everyone expects PII to be stored in computer logs, but it often is nowadays. A lot of executive data and sensitive information about business meetings can be found in computer logs, so they are a very lucrative target for anyone who gets into your system.²

Living off the land and covering your tracks on a system are the keys to persistence. If logs are not read-only, an attacker can go in and change them. Changing logs hides the attacker from automated alarms and disguises the way they are attacking, which hinders defensive capabilities.²

Extortion and disruption attacks are often fueled by financially motivated criminals or politically motivated nation-state actors. With so many compliance regulations in place nowadays, criminals are finding clever new ways to attack their targets. If they spray the network with false logs that could put the company out of compliance, it could cost the company a lot of money and even cripple it financially. If the malicious actors succeed a few times, their next targets will take them more seriously, and their extortion attempts become easier.²

“Sir, we have the right logs, right? “— NightCafe (by author)

Logs can be tampered with in three ways: injection, deletion, and alteration. Log injection means inserting false or malicious entries into log files, which obfuscates the attacker’s activities, misdirects investigators, or creates false narratives. Log deletion is the erasure of entries from log files, used to conceal malicious activity or hide evidence of unauthorized access. Log alteration involves modifying existing entries to misrepresent the data within them, which can change the narrative, conceal the attacker’s activities, or create false records.³

Log Injection

Techniques: Exploiting vulnerabilities in the logging infrastructure

Impact: False alarms, diversion of attention, manipulation of security analysis/monitoring

Point of Attack: Source system before logs are transmitted, during transit, and at central log storage³

Log Deletion

Techniques: Exploiting vulnerabilities in log management software, manipulating file permissions to gain unauthorized access, or directly modifying log files using admin privileges

Impact: Hinder forensic investigators, auditors, and compliance officers

Point of Attack: Source system before logs are transmitted, during transit, and at central log storage³

Log Alteration

Techniques: Modifying timestamps, changing content of log messages, manipulating metadata, or falsifying log events

Impact: Distorts the accuracy and reliability of log data, hindering incident response, forensic analysis, and compliance audits, and compromising the integrity of the investigative process

Point of Attack: Source system before logs are transmitted, during transit, and at central log storage³

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Log exfiltration, meaning taking the logs outside of the network, is not as common these days. If the attacker is already inside the network, they are more likely to tamper with the logs than to steal them outright. Current log data is also more valuable to an attacker than old log data, and stolen logs age quickly: an alarm could trigger and credentials would get rotated, rendering much of the information useless to the attacker.²

Accept our log overlords… — NightCafe (by author)

What Can We Do to Prevent Log Tampering?

There are a few crucial things we can do to stop attackers from tampering with our logs.

  1. Use Secure Logging Protocols (TLS) (so the logs are encrypted)
  2. Implement Log Rotation Policies (makes it harder for attackers to access, modify, or erase large amounts of data)
  3. Monitor and Alert on Log Anomalies (gives real-time updates)
  4. Separate and Secure Your Log Servers (keeps them isolated, with restricted access and behind strict firewalls)
  5. Audit and Review Your Logs (ensures completeness, accuracy, and consistency)
  6. Education (train staff on the importance, procedures, and best practices of log security)⁴
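The three tampering modes above (injection, deletion, alteration) and prevention items 3 and 5 (alerting on anomalies, auditing for completeness and consistency) can be tied together with a tamper-evident log: each record carries the hash of the one before it, and the latest hash is shipped to the separate log server so truncation of the tail is also caught. This is an added example written for this article, not code from any source it cites; the event fields and the `SAMPLE_EVENTS` values are constructed.

```python
import hashlib
import json

# Constructed sample events (not real data) in chronological order.
SAMPLE_EVENTS = [
    {"ts": "2024-06-08T09:00:01Z", "user": "alice", "action": "login", "src": "10.0.0.5"},
    {"ts": "2024-06-08T09:02:17Z", "user": "alice", "action": "open", "file": "/srv/reports/q2.xlsx"},
    {"ts": "2024-06-08T09:03:44Z", "user": "svc-backup", "action": "sudo", "cmd": "tar"},
    {"ts": "2024-06-08T09:05:00Z", "user": "alice", "action": "logout"},
]

GENESIS = "0" * 64  # stands in for the hash "before" the first record


def _digest(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON so an identical event always hashes identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()


def build_chain(events):
    """Return records where each one commits to its predecessor's hash."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        h = _digest(prev, seq, event)
        records.append({"seq": seq, "prev": prev, "hash": h, "event": event})
        prev = h
    return records


def verify_chain(records, anchor_hash=None):
    """Return (ok, reason). Editing a field such as a timestamp, deleting or
    injecting a record mid-chain, or reordering records breaks the chain.
    Deleting the *last* records is only visible when the expected tail hash
    (anchor_hash, held off-host on the log server) is supplied."""
    prev, expected_seq = GENESIS, 1
    for rec in records:
        if rec["seq"] != expected_seq:
            return False, f"sequence gap: expected seq {expected_seq}, got {rec['seq']}"
        if rec["prev"] != prev:
            return False, f"prev-hash mismatch at seq {rec['seq']}"
        if _digest(prev, rec["seq"], rec["event"]) != rec["hash"]:
            return False, f"content hash mismatch at seq {rec['seq']}"
        prev, expected_seq = rec["hash"], expected_seq + 1
    if anchor_hash is not None and prev != anchor_hash:
        return False, "tail does not match off-host anchor (truncated?)"
    return True, "chain intact"
```

An attacker with full control of the host can recompute the chain from the point of tampering onward, which is exactly why the anchor hash must live on the separate, restricted log server from item 4.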

I would like to highlight #6, because education is how everyone arrives at the same understanding of how valuable protecting our systems has become in this day and age. One of the weakest links in our cybersecurity defenses is the humans who deal with the system, so educating them and keeping them up to speed on the latest security protocols is a must. Thanks for reading, have a great day, and keep on learning!

He did say he wanted the logs… -NightCafe (by author)


References

(1) Lenovo. (2024). What is a Log in Computing? https://www.lenovo.com/us/en/glossary/log/#:~:text=A%20log%20is%20a%20file,keeping%20track%20of%20user%20activity.

(2) Townsend, Kevin. (2024, June 6). Why Hackers Love Logs. SecurityWeek. https://www.securityweek.com/why-hackers-love-logs/

(3) Kapsamer, Raphael. (2023, May 23). The Hidden Threat to Your SecOps: Why Log Data Integrity Matters. Tributech. https://www.tributech.io/blog/log-data-integrity

(4) LinkedIn Community. (n.d.). What are the best practices for detecting and preventing log tampering? Retrieved June 8, 2024, from https://www.linkedin.com/advice/3/what-best-practices-detecting-preventing-hhwbe
