Tracking System Changes
| Field | Value |
|---|---|
| Description | Tracking system changes is essential to reducing cyber security risk. It is used to ensure that any changes made to critical systems have been correctly authorised and have followed correct procedure. Malicious attackers may make system changes for reasons of concealment, sabotage or to destroy the integrity of a system or the data it contains. |
| Kill Chain Stage | |
| Threat type to monitor | ■ Unauthorised system activity ■ Suspicious behaviour of log source ■ Changes to system configuration |
| Monitoring setup | ■ Active Directory ■ DHCP ■ DNS ■ Firewall ■ VPN Concentrator |
| Event Indicators | ■ Server level configuration changes ■ Event source no longer logging ■ Sudden EPS variations beyond expected threshold |
| Rules | ■ Syslog is disabled ■ No logs traffic from device in given timeframe ■ System auditing configuration change ■ Audit log cleared ■ Config change ■ Firewall service stopped/started/modified ■ SSH is enabled ■ Monitoring changes to specific monitored devices ■ Monitoring changes to SSH or Telnet settings ■ Active Directory policy modified ■ DNS Amplification |
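Two of the rules above, "No logs traffic from device in given timeframe" and "Sudden EPS variations beyond expected threshold", are the ones a SIEM answers from event timestamps alone, so they make a useful worked example. The following Python is an added example written for this page; it is not code from the wiki or from any SIEM product. The syslog-style lines, the host names fw01, dc01 and vpn01, the one-minute bucket size, the 3x deviation factor and the two-minute silence limit are all constructed assumptions chosen so the drop (dc01 stops logging) and the burst (vpn01 around an SSH/audit configuration change) are visible in a handful of lines.

```python
"""Log-source silence and EPS-variation checks (added example, not from the wiki page)."""
from datetime import datetime, timedelta

# Constructed syslog-style lines: "<ISO timestamp> <host> <message>" (assumed format).
# fw01 logs once a minute throughout; dc01 stops logging after 12:02;
# vpn01 bursts at 12:04 around an SSH/audit configuration change.
SAMPLE_LOG = """\
2024-01-01T12:00:00 fw01 policy check ok
2024-01-01T12:01:00 fw01 policy check ok
2024-01-01T12:02:00 fw01 policy check ok
2024-01-01T12:03:00 fw01 policy check ok
2024-01-01T12:04:00 fw01 policy check ok
2024-01-01T12:05:00 fw01 policy check ok
2024-01-01T12:00:05 dc01 logon success
2024-01-01T12:01:05 dc01 logon success
2024-01-01T12:02:05 dc01 logon success
2024-01-01T12:00:10 vpn01 tunnel up
2024-01-01T12:01:10 vpn01 tunnel up
2024-01-01T12:02:10 vpn01 tunnel up
2024-01-01T12:03:10 vpn01 tunnel up
2024-01-01T12:04:10 vpn01 config change: ssh enabled
2024-01-01T12:04:20 vpn01 audit log cleared
2024-01-01T12:04:30 vpn01 tunnel up
2024-01-01T12:04:40 vpn01 tunnel up
"""


def parse_log(text):
    """Parse lines into (timestamp, host, message) tuples; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) < 3:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def _minute(ts):
    return ts.replace(second=0, microsecond=0)


def per_minute_counts(events):
    """Events per host per minute. Minutes with no events are filled with 0 so that
    a source going quiet shows up as a drop rather than as a missing bucket."""
    if not events:
        return {}
    start, end = _minute(min(e[0] for e in events)), _minute(max(e[0] for e in events))
    minutes = []
    t = start
    while t <= end:
        minutes.append(t)
        t += timedelta(minutes=1)
    counts = {host: {m: 0 for m in minutes} for host in {e[1] for e in events}}
    for ts, host, _ in events:
        counts[host][_minute(ts)] += 1
    return counts


def silent_sources(events, max_silence_minutes, now=None):
    """Rule 'no logs traffic from device in given timeframe': hosts whose most recent
    event is older than the limit, measured against `now` (default: the last event seen)."""
    if not events:
        return []
    now = now or max(e[0] for e in events)
    last_seen = {}
    for ts, host, _ in events:
        last_seen[host] = max(last_seen.get(host, ts), ts)
    limit = timedelta(minutes=max_silence_minutes)
    return sorted(h for h, t in last_seen.items() if now - t > limit)


def rate_anomalies(events, factor=3.0, min_history=3):
    """Rule 'sudden EPS variation beyond expected threshold': per host, flag the first
    minute whose count is more than `factor` times, or less than 1/`factor` of, the mean
    of the preceding minutes. Returns (host, minute as ISO string, count) tuples."""
    alerts = []
    for host, buckets in sorted(per_minute_counts(events).items()):
        history = []
        for minute in sorted(buckets):
            count = buckets[minute]
            if len(history) >= min_history:
                baseline = sum(history) / len(history)
                if count > factor * baseline or count < baseline / factor:
                    alerts.append((host, minute.isoformat(), count))
                    break  # one alert per host per run; a SIEM would re-alert per window
            history.append(count)
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("silent sources:", silent_sources(evts, max_silence_minutes=2))
    for host, minute, count in rate_anomalies(evts):
        print(f"EPS anomaly: {host} at {minute} had {count} events in one minute")
```

On the sample data the silence rule reports dc01, and the rate rule reports dc01 (drop to zero at 12:03) and vpn01 (burst of 4 at 12:04 against a baseline of 1 per minute). A host that goes quiet therefore trips both rules, which is the intended overlap: the EPS rule fires first, within one window, while the silence rule confirms that the source has stayed quiet for the configured timeframe rather than merely dipping. In production the baseline should be learned from a much longer history per source, and the thresholds tuned per device class, since a firewall and a domain controller have very different normal rates.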
Category: Use Case