When implementing a SIEM infrastructure, we’re very careful to inventory all of the possible vectors of attack for our critical systems, but how carefully do we consider the SIEM itself and its logging mechanisms in that list?
For routine intrusions, this isn’t really a consideration. The average individual doesn’t consider the possibility of being watched unless there is physical evidence (security cameras, etc.) to remind them, so few steps, if any, are taken to hide their activities.
For more serious efforts, someone wearing a black hat is going to do their homework and attempt to defeat any mechanism that will provide evidence of their activities. This can range from simple things like…
- adding a static route on the monitored system to direct log aggregator traffic to a null destination
- adding an outbound filter on the monitored system or access switch that blocks syslog and SNMP traffic
… to more advanced mechanisms like …
- installing a filtering tap to block or filter syslog, SNMP and related traffic
- filtering syslog messages to hide specific activity
Admittedly, these things require administrator-level or physical access to the systems in question, which is likely to trigger an event in the first place, but we also can’t dismiss the idea that some of the most significant security threats originate internally. I also look back to my first post about logging sources and wonder if devices like L2 access switches are being considered as potential vectors. They're not in the routing path, but they can certainly have ACLs applied to them.
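Every mechanism listed above has the same visible side effect from the SIEM’s side: a source that used to send messages goes quiet. As an added example (not code from the original post), here is a small Python silence detector that parses BSD-style syslog headers, records the newest timestamp per host, and flags every expected source that has exceeded its normal gap or has never reported at all. The host names, intervals, sample lines and evaluation time are all constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Expected log sources and the longest normal gap between their messages.
# Hosts and intervals are assumptions for this example; baseline real ones.
EXPECTED_SOURCES = {
    "core-sw01": timedelta(minutes=10),
    "access-sw07": timedelta(minutes=10),
    "fw-edge01": timedelta(minutes=5),
    "ids-sensor02": timedelta(minutes=15),
}

# Constructed sample syslog lines (BSD-style header, no year), not from the post.
SAMPLE_LINES = """\
Mar 10 09:00:05 core-sw01 config change by admin via console
Mar 10 09:00:12 access-sw07 interface Gi1/0/7 changed state to up
Mar 10 09:02:30 fw-edge01 policy reload completed
Mar 10 09:05:01 core-sw01 interface Gi1/0/3 changed state to up
Mar 10 09:06:40 access-sw07 outbound ACL applied to uplink Gi1/0/48
Mar 10 09:09:15 core-sw01 ntp synchronised
""".splitlines()

# Evaluation time for the sample (assumption); use datetime.now() in production.
NOW = datetime(2024, 3, 10, 9, 18, 0)
HEADER = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")

def last_seen(lines, year):
    """Map each host to the newest timestamp it logged; unparseable lines are skipped."""
    seen = {}
    for line in lines:
        m = HEADER.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_sources(lines, now=NOW):
    """Expected hosts that are overdue: host -> seconds silent (None = never seen)."""
    seen = last_seen(lines, now.year)
    overdue = {}
    for host, max_gap in EXPECTED_SOURCES.items():
        last = seen.get(host)
        if last is None:
            overdue[host] = None  # silent since collection began
        elif now - last > max_gap:
            overdue[host] = int((now - last).total_seconds())
    return overdue
```

In the sample, the access switch stops reporting right after an outbound ACL lands on its uplink, which is exactly the case a “log volume dropped to zero” alert on the aggregator is meant to catch; a source that is silent because it was never onboarded shows up separately as never seen.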
I don’t wear a black hat, and I’m certain that the things I can think of are only scratching the surface of possible internal attacks on the SIEM infrastructure.
So, before I keep following this train of thought and start wearing a tin foil hat, let me ask these questions:
Are we adequately securing and monitoring the security system and supporting infrastructure?
If so, what steps are we taking to do so?
How far do we take this?