Tracking System Changes

Description
Tracking system changes is essential to reducing cyber security risk. It ensures that any change made to a critical system has been correctly authorised and has followed the agreed procedure. Attackers make system changes to conceal their activity, to sabotage the system, or to destroy the integrity of the system or the data it holds.

Kill Chain Stage
7, 5

Threat type to monitor
■    Unauthorised system activity

■    Suspicious behaviour of log source

■    Changes to system configuration

Monitoring setup
■    Active Directory

■    DHCP

■    DNS

■    Firewall

■    VPN Concentrator

Events Indicators
■    Server level configuration changes

■    Event source no longer logging

■    Sudden EPS variations beyond expected threshold

Rules
■    Syslog is disabled

■    No log traffic from device in given timeframe

■    System auditing configuration change

■    Audit log cleared

■    Config change

■    Firewall service stopped/started/modified

■    SSH is enabled

■    Monitoring changes to specific monitored devices

■    Monitoring changes to SSH or Telnet settings

■    Active Directory policy modified

■    DNS Amplification
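As an added example (not part of the original wiki page), a small Python check that implements two of the rules above, "No log traffic from device in given timeframe" and "Sudden EPS variations beyond expected threshold", over a per-source event feed; the source names, thresholds and event timestamps are constructed assumptions.

```python
"""Added example: detect silent log sources and sudden EPS changes."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample feed of (log source, event time); not real telemetry.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    # fw-01: steady 4 events/min for minutes 0-9, then goes quiet
    [("fw-01", T0 + timedelta(minutes=m, seconds=15 * s))
     for m in range(10) for s in range(4)]
    # dns-01: 4 events/min for minutes 0-13, then a burst of 40 in minute 14
    + [("dns-01", T0 + timedelta(minutes=m, seconds=15 * s))
       for m in range(14) for s in range(4)]
    + [("dns-01", T0 + timedelta(minutes=14, seconds=s)) for s in range(40)]
)
SAMPLE_NOW = T0 + timedelta(minutes=14, seconds=59)  # evaluation time

def per_minute_counts(events):
    """Return {source: Counter(minute_bucket -> event count)}."""
    counts = defaultdict(Counter)
    for source, ts in events:
        counts[source][ts.replace(second=0, microsecond=0)] += 1
    return counts

def silent_sources(events, now, max_gap=timedelta(minutes=3)):
    """Rule 'No log traffic from device in given timeframe': sources whose
    newest event is older than max_gap (e.g. syslog disabled or blocked)."""
    last_seen = {}
    for source, ts in events:
        last_seen[source] = max(ts, last_seen.get(source, ts))
    return sorted(s for s, ts in last_seen.items() if now - ts > max_gap)

def eps_anomalies(events, now, ratio=3.0, baseline_minutes=10):
    """Rule 'Sudden EPS variations beyond expected threshold': flag a source
    whose current-minute count exceeds `ratio` times the mean of the
    preceding baseline minutes (minutes with no events count as 0)."""
    current = now.replace(second=0, microsecond=0)
    flagged = {}
    for source, buckets in per_minute_counts(events).items():
        baseline = [buckets.get(current - timedelta(minutes=i), 0)
                    for i in range(1, baseline_minutes + 1)]
        mean = sum(baseline) / baseline_minutes
        if mean > 0 and buckets[current] > ratio * mean:
            flagged[source] = (buckets[current], round(mean, 1))
    return flagged

if __name__ == "__main__":
    print("silent sources:", silent_sources(SAMPLE_EVENTS, SAMPLE_NOW))
    print("EPS spikes:", eps_anomalies(SAMPLE_EVENTS, SAMPLE_NOW))
```

A silent source is worth correlating with the "Syslog is disabled" and "Audit log cleared" rules above, since a change that stops a device logging looks the same as a network fault until the device's own configuration is checked.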
