As a security architect and the technical leader for the Logging Made Easy project, I am often asked “what logs should I be collecting?” I absolutely hate the standard ‘it depends’ response. So, I’ve been answering with a question of my own: “For what?” This has led to a number of interesting discussions on the topic of who should be logging what, and when. By Adam B.
Before getting down to specifics, take some time to think about the logging practices, sources and tools available to you. Picking the right tool is part of the journey - you wouldn’t expect a chef to use a single knife, nor would you expect a developer to work with a single technology stack. You need to decide what are the ‘right tools for the job at hand’.
The article then discusses:
- Doing away with “one size” solutions
- Alternatives to ATT&CK framework
- MITRE ATT&CK
- Reconnaissance
- Resource development
- Gaining initial access
- Execution of attacker controlled code
- Persistence
- Privilege escalation
- Defence evasion
… and much more. The cloud allows you to use resources as and when they are needed. However, depending on your provider, getting access to raw logs may be difficult or impossible. This is because of the division of “shared responsibility”. But what does shared responsibility mean for logging? Good read!
[Read More]