INVISIBLE ATTACKER
CONTEXT
Information security has long relied on access-control technologies that are necessary but not
sufficient. Access control partitions the system into known-good and known-bad states. These
partitions are useful for defining and enforcing authorized access, but they do not hold up in every
case where deliberate malice is involved: an attacker who acts through a legitimately authorized
account, or in a state the partition never anticipated, operates inside the "known-good" region and
is invisible to access control alone. Seeing that attacker requires logging and monitoring that
access control cannot subvert.
VULNERABILITIES IDENTIFICATION & TRACKING
Vulnerability: Attackers inject false messages into log files, find events that are not tracked,
and/or tamper with existing log messages, so the record of their activity is missing, misleading or
altered.
Identification & tracking: Ensure a reliable event stream reports log messages to a central, secure
log server, so that a record cannot be silently forged, altered or dropped on the host where the
attacker is active.
COUNTERMEASURE(S)
Network-only logging won't cut it; logging and monitoring must be done at the application level,
where identity, request and business context are known. Application sensors should be deployed at
boundary-crossing layers such as the API gateway. These sensors should record access events (both
allowed and denied), exceptions, suspected malicious activity and related events, and ship them to the
central log server rather than writing only to local files.
ASSURANCE
Red team testing should be done to ensure that the logging systems do in fact detect
malicious use.
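As an added example that is not part of the original page, the following Python sketch ties the three points above together: an application-level sensor at a gateway that classifies each request as access, exception or malicious; a tamper-evident event stream in which every record carries an HMAC over its body and the previous record's tag, so a central log server can detect injected, edited or deleted lines; and a red-team style check that replays constructed traffic (including an attack) and confirms that both the attack and the tampering are detected. The key, the event schema, the `MALICIOUS_MARKERS` list and all sample traffic are illustrative assumptions, not anything the page specifies.

```python
import hashlib
import hmac
import json

# ASSUMPTION: per-deployment HMAC key held by the sensor and the central
# log server, not readable by the application host whose logs it protects.
SENSOR_KEY = b"example-sensor-key-replace-me"
GENESIS = "0" * 64

# ASSUMPTION: a few crude request-level indicators, enough to show the
# "malicious" event class; a real sensor would use the gateway's own rules.
MALICIOUS_MARKERS = ("../", "<script", "' or 1=1", "union select")


class ChainedLog:
    """Append-only event stream. Each record carries an HMAC over its body
    and the previous record's tag, so inserting, editing, deleting or
    reordering a line breaks the chain from that point onward."""

    def __init__(self, key: bytes):
        self.key = key
        self.lines: list[str] = []
        self.prev_tag = GENESIS

    def append(self, event: dict) -> str:
        body = json.dumps(
            {"seq": len(self.lines), "prev": self.prev_tag, **event},
            sort_keys=True,
        )
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        line = f"{body} {tag}"  # the line shipped to the central log server
        self.lines.append(line)
        self.prev_tag = tag
        return line


def verify_chain(lines: list[str], key: bytes) -> tuple[bool, int]:
    """Central-server side check. Returns (True, -1) for an intact chain, or
    (False, index) of the first record whose tag, sequence number or
    back-link does not match."""
    prev = GENESIS
    for i, line in enumerate(lines):
        body, _, tag = line.rpartition(" ")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        rec = json.loads(body)
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        prev = tag
    return True, -1


def classify(path: str, status: int) -> str:
    """Map one request to the event classes the page names."""
    low = path.lower()
    if any(m in low for m in MALICIOUS_MARKERS):
        return "malicious"
    if status >= 500:
        return "exception"
    return "access"


def sensor(log: ChainedLog, user: str, method: str, path: str, status: int) -> dict:
    """Gateway hook: record every boundary crossing, not only the failures."""
    event = {"kind": classify(path, status), "user": user,
             "method": method, "path": path, "status": status}
    log.append(event)
    return event


def red_team_check(key: bytes = SENSOR_KEY) -> dict:
    """Assurance step: replay constructed traffic including an attack, then
    tamper with the shipped lines as an attacker with host access would,
    and report whether the attack and each tampering were detected."""
    log = ChainedLog(key)
    traffic = [  # constructed sample traffic, not captured data
        ("alice", "GET", "/api/orders/42", 200),
        ("bob", "GET", "/api/../../etc/passwd", 403),
        ("alice", "POST", "/api/orders", 500),
    ]
    kinds = [sensor(log, *req)["kind"] for req in traffic]

    # 1. Edit a record in place (rewrite the attacker's path to look benign).
    edited = list(log.lines)
    edited[1] = edited[1].replace("/etc/passwd", "/api/orders/43")
    # 2. Delete the malicious record entirely.
    deleted = log.lines[:1] + log.lines[2:]
    # 3. Inject a forged record without knowing the key.
    forged_body = json.dumps({"seq": 3, "prev": log.prev_tag, "kind": "access",
                              "user": "mallory", "method": "GET",
                              "path": "/api/admin", "status": 200}, sort_keys=True)
    injected = log.lines + [f"{forged_body} {'0' * 64}"]

    return {
        "kinds": kinds,
        "intact": verify_chain(log.lines, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "injected": verify_chain(injected, key),
    }
```

The design choice worth noting is that the chain only proves integrity from the point of the first break onward, and only to a party that holds the key; if the key sits on the same host as the application, an attacker with host access can simply re-sign the records, which is why the page insists on a central secure log server. Running `red_team_check()` is the kind of test the assurance step calls for: it should return `"malicious"` for the traversal request and a `(False, index)` result for each of the three tampering cases.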
07 | The Curious Case of Invisible Attacker