The Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), together with their international partners, have published guidance on event logging and threat detection.
HIPAA-covered entities must implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use electronic protected health information (ePHI), and must routinely review these records for unauthorized activity. This includes application logs that track user activity in ePHI systems, such as files opened, records viewed, and the creation, reading, modification, or deletion of ePHI-related records. In addition, system-level logs need to capture details such as successful and unsuccessful sign-in attempts, the devices used for access, and the programs that were run or that users attempted to run.
The new guidance from CISA and its partners is aimed at medium to large organizations and provides recommendations for improving event logging and threat detection in enterprise networks, web services, enterprise mobility, and operational technology (OT) systems. It helps network defenders establish a baseline for event logging, detect threats, and support incident response teams in mitigating cyber threats, including attacks that use fileless malware and living-off-the-land (LOTL) techniques, which threat actors rely on to evade detection.
The guidance sets out the objectives of a good event logging system, emphasizing logs that are both useful and actionable for analysts, so that network defenders can quickly make informed decisions based on alerts and analytics. The system must alert network defenders to activity that may be associated with malicious behavior, such as the installation of new software, configuration changes, or events indicating LOTL techniques or post-compromise lateral movement. Reducing alert noise is also important, both to save analysts' time and to reduce storage costs.
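As an added illustration (not code from the guidance or from any HIPAA tooling), the following Python reviews a constructed JSON-lines audit log for signals the text names: a sign-in that succeeds after repeated failures or comes from a device the user has not used before, and any creation, modification or deletion of an ePHI record. Reads are recorded but not alerted on, to keep alert noise down. The log format, field names, the device baseline and the failure threshold are all assumptions.

```python
import json
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 3  # assumed policy value; tune to the organization's baseline

# Assumed baseline of devices each user is known to sign in from (constructed).
KNOWN_DEVICES = {"jdoe": {"WS-0412"}, "asmith": {"WS-0207"}}

# Constructed JSON-lines audit log in an assumed format; timestamps are ascending.
SAMPLE_LOG = """
{"ts":"2024-08-21T09:00:01Z","user":"jdoe","device":"WS-0412","action":"login","outcome":"success"}
{"ts":"2024-08-21T09:05:10Z","user":"jdoe","device":"WS-0412","action":"read","outcome":"success","record":"PT-1001"}
{"ts":"2024-08-21T22:10:00Z","user":"asmith","device":"LAPTOP-9F","action":"login","outcome":"failure"}
{"ts":"2024-08-21T22:10:07Z","user":"asmith","device":"LAPTOP-9F","action":"login","outcome":"failure"}
{"ts":"2024-08-21T22:10:15Z","user":"asmith","device":"LAPTOP-9F","action":"login","outcome":"failure"}
{"ts":"2024-08-21T22:10:30Z","user":"asmith","device":"LAPTOP-9F","action":"login","outcome":"success"}
{"ts":"2024-08-21T22:12:00Z","user":"asmith","device":"LAPTOP-9F","action":"delete","outcome":"success","record":"PT-2087"}
"""

def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review(events, known_devices=KNOWN_DEVICES):
    """Return (user, finding) tuples that merit analyst review.

    Reads of ePHI are logged but not flagged here, to keep alert noise down;
    creates, updates and deletes always produce a finding.
    """
    findings = []
    failed = defaultdict(int)                              # consecutive failed sign-ins per user
    seen = {u: set(d) for u, d in known_devices.items()}   # copy so the baseline is not mutated
    for ev in events:
        user, dev, action = ev["user"], ev["device"], ev["action"]
        if action == "login":
            if ev["outcome"] == "failure":
                failed[user] += 1
                continue
            if failed[user] >= FAILED_LOGIN_THRESHOLD:
                findings.append((user, f"successful sign-in after {failed[user]} failures"))
            if dev not in seen.setdefault(user, set()):
                findings.append((user, f"sign-in from previously unseen device {dev}"))
            failed[user] = 0
            seen[user].add(dev)
        elif action in ("create", "update", "delete"):
            findings.append((user, f"{action} of ePHI record {ev['record']} from device {dev}"))
    return findings
```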
Recommendations in the guidance consist of the following:
- establishing an enterprise-approved event logging policy
- prioritizing event log access and correlation
- ensuring event logs and their storage are secure
- developing a detection strategy for relevant threats.
The guidance includes a case study of the Volt Typhoon threat actor, which used LOTL techniques to attack Windows-based systems and evade detection. It highlights anomalous behaviors associated with LOTL techniques that can help network defenders distinguish this activity from legitimate activity. The guidance would be a useful addition to the training that HIPAA requires of covered entities.