Every IT system that stores and processes information of any kind uses a file-based architecture: the operating system and application binaries, the configuration of the system and its applications, organisational data, and all logs are stored in files somewhere.
What do these files actually do?
These files ultimately determine how the operating system, its subsystems and hosted applications should operate.
These files track (in log files) the actions and activities that take place across the operating system and applications.
These files, of course, store our business data too.
Once inside your environment, attackers commonly do one or more of the following:
✪ Modify critical system and application binaries and configuration files.
✪ Access data files (to capture information) or modify them.
✪ Modify or delete log data to hide their tracks.
Even authorized changes can introduce misconfigurations that expose the organization to increased risk and compromise, as in the case where customer information from one bank was exposed after an authorized vendor uploaded a file to a server without enabling the proper security protocols.
This is where File Integrity Monitoring (FIM) helps: it notifies you when such suspicious activity takes place on critical files.
FIM technologies typically work with one of the following approaches:
1. Baseline comparison, wherein one or more file attributes are captured or calculated and stored as a baseline that later snapshots are compared against. This can be as simple as the file's modification time, but since a timestamp is trivially reset (touch -r on Unix, SetFileTime on Windows), a more trustworthy attribute is normally used: a cryptographic digest of the file's contents (SHA-256 or another SHA-2 function; MD5 is still seen in older tools but is collision-broken and should be retired) that is periodically recomputed and compared with the stored value, usually alongside size, permissions and ownership.
2. Real-time change notification, typically implemented within or as an extension to the operating system kernel, which flags a file as soon as it is accessed or modified. On Linux this is built on facilities such as inotify, fanotify or the audit subsystem; on Windows on the USN change journal or a file system minifilter driver.
Regardless of approach, the end result is the same: to identify and alert you to any change (creation, modification or deletion) to a monitored file or directory. The two approaches are complementary rather than competing: real-time notification tells you the instant something changes, while a periodic hash comparison catches what the notification path missed, such as a change made while the agent was stopped or the system was offline.
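The baseline-comparison approach in practice, as an added example written for this article (it is not code from the original page or from any particular FIM product): a Python snapshot-and-diff that streams every file under a directory through SHA-256 and records size, mode and mtime, then diffs a later snapshot to report created, modified and deleted files. The demo() scenario uses a constructed temporary directory standing in for /etc, /var/log and /usr/bin with invented file contents; it edits a config file and then resets its timestamp with os.utime (the equivalent of touch -r), so a timestamp-only comparison reports nothing while the digest comparison flags the change.

```python
"""Baseline-comparison file integrity check.

Added example, not from the original article or any FIM product. Builds a
baseline of SHA-256 digests plus size/mode/mtime for every regular file under
a directory, then diffs a later snapshot against it. demo() shows why the
modification timestamp alone is not trustworthy.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, dict]:
    """Snapshot every regular file under root, keyed by path relative to root.

    File symlinks are recorded by their link target rather than followed, so a
    link re-pointed at another file shows up as a change and the walk cannot be
    redirected outside the monitored tree.
    """
    baseline = {}
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            if p.is_symlink():
                baseline[rel] = {"type": "symlink", "target": os.readlink(p)}
                continue
            st = p.stat()
            baseline[rel] = {
                "type": "file",
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare_baselines(old: dict, new: dict, fields=("sha256", "target", "mode")) -> dict[str, list[str]]:
    """Diff two snapshots. Only the listed fields decide 'modified'; mtime is
    deliberately excluded by default because it is trivially spoofable."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(
        rel for rel in set(old) & set(new)
        if any(old[rel].get(f) != new[rel].get(f) for f in fields)
    )
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario in a temp dir (paths and contents are invented):
    an attacker weakens a config file and resets its mtime, deletes an
    archived log, and drops a new binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "usr" / "bin").mkdir(parents=True)
        cfg = root / "etc" / "app.conf"
        cfg.write_text("listen = 127.0.0.1\nauth = required\n")
        (root / "var" / "log" / "app.log.1").write_text("2024-01-01 login ok\n")
        (root / "usr" / "bin" / "app").write_bytes(b"\x7fELF-placeholder")

        before = build_baseline(tmp)
        original_mtime_ns = cfg.stat().st_mtime_ns

        # Tamper: weaken the config, then put the old timestamp back (touch -r).
        cfg.write_text("listen = 0.0.0.0\nauth = none\n")
        os.utime(cfg, ns=(original_mtime_ns, original_mtime_ns))
        (root / "var" / "log" / "app.log.1").unlink()
        (root / "usr" / "bin" / "evil").write_bytes(b"\x7fELF-dropper")

        after = build_baseline(tmp)
        mtime_only = compare_baselines(before, after, fields=("mtime_ns",))
        hash_based = compare_baselines(before, after)
        return {"mtime_only": mtime_only, "hash_based": hash_based}


if __name__ == "__main__":
    for approach, changes in demo().items():
        print(approach, changes)
```

Both comparisons see the created and deleted files, because presence is a property of the directory listing rather than of any attribute; only the digest comparison reports etc/app.conf as modified. In a real deployment the baseline itself must live somewhere the monitored host cannot write to, or an attacker who can edit app.conf can just as easily edit the stored hash.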
Do You Need File Integrity Monitoring? Yes!
While it is not a silver bullet against malware and other attack vectors, a well-configured File Integrity Monitoring (FIM) deployment goes a long way toward identifying anomalous changes across your IT environment, such as changes to legitimate binaries, configuration files, and the like.
What Files Should I Monitor?
1. Operating system directories and files.
It’s important to assure that your base operating system is functioning as expected, so monitoring the system binaries and libraries should be your first step.
On Windows, the core OS binaries and key configuration files are typically located under:
On Linux, the critical directories to monitor include:
2. Applications directories and files.
The system is the foundation on which the applications sit, but it is the applications that your employees, partners and customers interact with, and that store and manage your data. Monitor application binaries accordingly.
On Windows systems, most applications (by default) store their binaries and configuration files under:
C:\Program Files (x86)
Linux systems typically install applications into:
Depending on the type of server and the applications it runs, additional files and/or directories may need to be monitored. For example, on a web server the directory holding the site content should be monitored as well; where that lives varies by organization, web server software and its configuration.
3. Configuration files.
Modifying system and application binaries can be challenging for an attacker: on Windows a running executable is locked, and on Linux a running binary cannot be written in place (though it can still be replaced by renaming a new file over it). Configuration files are the softer target: they define how the system and its applications behave, are plain data with no lock, and are typically read only when the service or application starts, so a change can sit unnoticed until the next restart.
Configuration settings are stored in several ways. On Windows the registry is the usual place; text-based configuration files are found on Windows, Unix/Linux and OS X alike.
Attackers may target any of these configuration locations as part of a planned attack, and an administrator may just as easily misconfigure a system by accident; either way the system is exposed, putting its data and the rest of your infrastructure at risk.
4. Log files.
Log files record the transaction and activity history of the core operating system, its subsystems and the applications on the system. They are often the first place an attacker goes to cover their tracks.
Active log files change continuously, but only the system or application should be writing to them. To protect them from tampering, set up an active collection method that pulls (or pushes) the logs off the system to a separate log management solution for centralized monitoring and tamper-resistant storage; a copy the attacker cannot reach is worth more than an alert on the copy they can.
Archived (rotated) log files are static, so you can also monitor them for any modification or deletion.
5. Digital keys and credentials.
Even with directory services and hardware security modules available, many systems and applications still keep the keys and credentials they use for authentication and encryption on the local system. Monitoring those credential and key stores is just as important as monitoring binaries.
For example, Unix systems keep their account and password-hash files under /etc (/etc/passwd and /etc/shadow), and Windows keeps the SAM and SYSTEM registry hives, which hold local account password hashes, under C:\Windows\System32\config. Other authentication software adds its own key material: an SSH deployment has host private keys under /etc/ssh and per-user authorized_keys files, where a quietly added public key is a persistent backdoor.
6. Content files.
Your corporate and customer data are the lifeblood of your organization, and data leakage remains one of the top security concerns of most organizations.
Even content as simple as your website is mission-critical: a defacement of your public presence does real damage to your brand and reputation. Monitoring content files on the web server for unauthorized changes is critical to the integrity and confidentiality of that data.
Monitor as broadly as your ability to act on the alerts allows; the exact file type matters less than the fact that a change happened where none was expected. The list above covers the file types attackers most often modify or delete when they set out to steal data or disrupt your operations. Security is hard, but a well-implemented file integrity monitoring solution goes a long way toward meeting your security goals.