The news is rife with stories of successful attacks against servers, point-of-sale (POS) systems, IoT devices and more where an attacker has gained access to an organization’s IT assets and changed or inserted new files and data to do something malicious. Just a search on malware highlights a seemingly-endless list of variants including the recent exposure of NSA-backed malware that exploits Windows systems, the re-emergence of Dridex (designed to capture banking credentials), new malware targeting Mac users, new ransomware, and more!
The fact is that bad actors–whether black hat hackers, or malicious insiders–look to exploit vulnerabilities and trust models across your IT assets to either disrupt your operations, to provide some competitive advantage, and/or for their financial gain. Once inside your environment, many attacks will do one or more of: modifying critical system and application binaries and configuration files; accessing (to capture information) or modifying data files; and then modifying or deleting any log data to hide their tracks.
That in mind, it’s critical to know when a change or unauthorized access to a critical file is attempted, regardless of whether the attempt was successful or not. This is the realm of File Integrity Monitoring (FIM), a critical tool in the security defense of any organization wishing to protect its assets.
Yes, you’ll have noticed that this is the first blog in a series, because frankly there’s a fair amount to cover, and I want to break it into consumable chunks! In this first blog, I’ll cover the basics of what file integrity monitoring is, and why you should use it. In the coming weeks I’ll discuss how you can best apply FIM to your organization, and what to look for when selecting a FIM solution.
What is File Integrity Monitoring?
Even if you’re already familiar with the technology, it doesn’t hurt to spend a minute or two ensuring we’re all talking at the same level on what FIM is.
Today, most IT systems that store and process information use file-based architectures. The core operating system and applications binaries, system and application configuration data, organizational data, and logs are stored in files. These files ultimately:
- Determine how the operating system, its subsystems and hosted applications should operate;
- Track (in log files) the actions and activities that take place across the operating system and applications;
- Store business data.
When an attacker compromises these critical files, havoc ensues. Attackers may attempt to overtake the operating system or application, steal or modify business-critical information, or manipulate log files to hide any malicious activities. This is where File Integrity Monitoring helps, by ensuring that you’re notified when such suspicious activities take place on critical files.
Even authorized changes may result in misconfigurations or situations that can expose the organization to increased risk and compromise, such as where customer information from one bank was exposed when an authorized vendor uploaded a file to a server without enabling the proper security protocols (read HERE for more).
FIM technologies typically work with one of the following approaches:
1. Baseline comparison, wherein one or more file attributes will be captured or calculated and stored as a baseline that can be compared against at some future time. This can be as simple as the time and date of the file, however, since this data can be easily spoofed, a more trustworthy approach is typically used. This may include periodically assessing the cryptographic checksum for a monitored file, (e.g. using the MD5 or SHA-2 hashing algorithm) and then comparing the result to the previously calculated checksum.
2. Real-time change notification, which is typically implemented within or as an extension to the kernel of the operating system that will flag when a file is accessed or modified.
Regardless of approach, the end result is the same—to identify and alert you to any changes (creation, modification or deletion) to a monitored file or directory.
Do I Need File Integrity Monitoring?
To put it simply, yes.
The reality is that no matter the size of your organization, or the number of security countermeasures you have in place, with the increasing sophistication and diversity of modern threats means that it’s only a matter of time until your organization has been compromised.
That said, you may find yourself in one of the following scenarios that may help underscore your need to deploy file integrity monitoring:
- Your business is subject to regulatory compliance. Several regulations (e.g. PCI DSS, NERC CIP 007), or approaches commonly used to assure compliance with those regulations (e.g. ISO 17799), call out file integrity monitoring as an internal control that must be deployed to assure protection of your organization’s assets and data.
- Your business processes and stores highly sensitive data. Data is often the lifeblood of the business, and whether it is your data or your customers’, a breach that impacts its confidentiality, integrity, or availability can spell disaster for your business. There’s no room for error in securing sensitive data.
- Your business has a substantial server infrastructure. This doesn’t necessarily mean your business has a large headcount, but the more servers you have deployed means a greater attack surface. Certainly, any organization that owns and operates a data center would fall under this heading. Typically, the more servers you have, the more applications, databases, configuration files, log files, and data files you have that need to be monitored.
Whether one or multiple of the above scenarios maps to your business, or whether you just want to ensure you know that your environment is operating as you intended, implementing a File Integrity Monitoring solution can go a long way to helping assure the trust of your customers and the overall security and viability of your business.
Now that we’ve covered the ‘what’ and ‘why’ of file integrity monitoring, in my next blog I’ll be discussing best practices in terms of what files to monitor and how to get the best value fromyour file integrity monitoring solution.