Sadly, perpetrators of malicious changes in IT don't just announce themselves. While on the surface, File Integrity Monitoring (FIM) doesn't appear all that sexy to security practitioners, it is a great way to deal with sneaky bad guys. It's forensic in nature - providing the ability to look at changes after-the-fact to figure out what happened. The security use cases for FIM are compelling. There are many types of attacks and many attack vectors, but they have one thing in common - they change the system in some way..Monitoring for changes is often the best defense available. Consider web defacement - while you try to prevent it, keeping an eye on changes to index.html or index.php is a very good way to quickly figure out you've been hacked, and if you're monitoring for it, you can react quickly to fix the problem.
Almost every internal or external attack on IT involves changes to your systems and configurations. FIM can monitor for such changes, including changes to executables, log and audit files, content files, database files, web files and configuration files.
The whole point of FIM validating integrity by comparing the current state to the known, good baseline at specified defined intervals.. FIM can also provide real time alerting to any file or configuration changes on a system. FIM uses hashing algorithms like MD5 or SHA1 to compare the files. Changes in files can be due to an attack, but they can also be due to misuse or error on the part of employees.
FIM, also known as “change audit” is best known as a compliance requirement for PCI and HIPAA. In fact, FIM had its roots in PCI. For PCI, section 10.5.5 requires FIM and change detection tools to ensure that alerts are generated if log data is changed, which is a great idea, because miscreants often try to "cover their tracks" by destroying log data. Section 11.5 requires FIM for alerting on unauthorized modification of configuration and critical system files, and requires file comparisons at least once a week. However, that is only part of the story with FIM. There are also great reasons to use FIM to improve your IT security posture.
Security Use Cases for FIM
Zero-day exploits - Ugh... zero-day exploits. Signatures won't work, because nobody's reported it yet. Endpoint security controls won't catch them. However, FIM can be used to identify trojans and other malware that gets introduced into healthy IT assets by providing visibility to file changes.
Indicators of Compromise (IoC) - FIM can be used to monitor for Indicators of Compromise (IoC), such as newly-created and randomly named DLL files in the user profile directory of systems. FIM can be your guard dog against IoCs.
Monitoring business-critical servers - You can use FIM to moniitor a hardened system - a critical server that has had unnecessary files and functions removed. FIM can be used to assure settings and files are kept at the "known good state."
Watching for patching mishaps - You can use FIM to monitor systems that may be inadvertently "unhardened" during patch processes.
The venerable and vulnerable /etc/passwd - UNIX uses the /etc/passwd file as a database about users who may log in to the system or identities that own processes. Monitoring /etc/passwd is a great use case for FIM.
Keeping an eye out for damaging web defacement - You can monitor your index.php or index.html files to watch for a defaced website. This use case has gottena lot of attention recently due to Syrian Electronic Army takedowns.
Remediation after a security incident - FIM can allow you to identify compromised hosts after a security incident. FIM can capture changes to files, and once you know what has occurred, you need to fix all affected assets. Best way to do that: find what changed and on what hosts, when the incident occurred.
FIM in OSSEC
OSSEC, which stands for Open Source SECurity, is a widely deployed open source FIM, It is also the FIM component of commercially-available AlienVault(TM) Unified Security Management (USM.) OSSEC uses SHA1 hash comparisons of files to compare files to find changes. OSSEC is powerful because it includes numerous detection techniques including log monitoring, and rootkit detection, in addition to FIM.
Syscheck is the integrity checking daemon within OSSEC. It’s purpose is simple, identify and report on changes within the system files. When you first install OSSEC it runs an initial syscheck scan. It goes through and captures the check sum of the files you specified in your configuration file – /var/ossec/etc/ossec.conf. Once the baseline is set, syscheck detects changes by comparing all the checksums on the scan. Below is a picture of how OSSEC works.
FIM - Powerful, but potentially noisy
FIM, poorly implemented, can generate lots of irritating noise - since changes occur nonstop in IT. It is important to carefully select which files you choose to monitor with FIM, limiting the scope to truly relevant files on critical resources.
In addition, FIM is only part of the unified security story Having FIM integrated with security event management (SIEM) and log management is also critical to success, Correlation of FIM change data with other data, such as intrusion detection alarms and other security events and information is valuable in reducing noise, as well as providing visibility for IT professionals to figure out that security incidents and breaches have occurred.
Since bad guys are not likely to stop being sneaky, FIM remains a useful security technology, in addition to being a compliance requirement..