File Integrity Monitoring (FIM): Your Friendly Network Detective Control

5 years ago Mitch Parker

Lateral movement is one of the most consequential kinds of network activity that organizations need to watch for.

Once inside the network, an attacker keeps ongoing access by moving through the compromised environment and obtaining higher privileges (privilege escalation) using a variety of tools and techniques.

Attackers then use those privileges to push deeper into the network in search of valuable data and other high-value assets.

Lateral movement is therefore one of the hallmarks that separates today's advanced persistent threats (APTs) from traditional cyberattacks. It signals a threat actor sophisticated enough to work at avoiding detection and at retaining access even if its presence is discovered on the machine it first infected.

With this extended dwell time, the threat actor may not begin exfiltrating data until weeks or even months after the original breach.

Network Knowledge: The Key to Beating Lateral Movement

To defend against lateral movement, you first need to understand what the environment should look like, how it is managed and how it should be configured for normal operation.

A security baseline tied to the critical security controls is of paramount importance here. As hardware, software and other assets drift from their secure baselines, those deviations become clear indicators that something is out of compliance with its "golden image."

But what process will you use to maintain those configurations? And what process will you use to monitor these devices for change on an ongoing basis?

As an example, say that a router deviates from its baseline configuration. You need to be able to identify exactly what changed in order to judge whether the change is part of suspicious activity on the network. Whether it turns out to be benign or malicious, you then need to understand how the change affects the rest of the environment and how, if at all, it ties into operational uptime.

Detective-Based Controls to the Rescue

Putting this together, the need becomes apparent for detective controls that are tied into the day-to-day operation of the environment. Such a control has to be able to tell us what is going on in our specific environment as it happens, not after the attacker has already moved on.

What are detective controls, you ask?

Detective controls serve to detect and report undesirable events that are taking place.

The classic example of a detective control can be found in commercial or home burglar alarms (intrusion detection systems).

Such solutions typically monitor for indicators of unauthorized activity such as doors or windows being opened or glass being broken. They can also watch for suspicious movement, electrical outages, temperature changes and undesirable environmental conditions such as flooding, smoke, fire and excessive carbon dioxide in the air.

The Case for “File Integrity Monitoring”

File integrity monitoring (FIM) is an internal detective control, or process, that validates the integrity of operating system and application files by comparing the current state of each file against a known-good baseline.

The comparison usually works by computing a cryptographic hash (SHA-256, for example) of each file when the baseline is taken and comparing it with the hash of the file's current contents. A plain checksum such as CRC32 is not sufficient, because an attacker can alter a file and still make it produce the same checksum. Other attributes, such as permissions, ownership, size and timestamps, can be monitored as well, since an attacker can change those without touching a file's contents at all. The baseline itself must be stored where an intruder who has already compromised the host cannot quietly rewrite it to match their changes.

File integrity monitoring is generally automated using internal controls. Checks can run at random intervals, at a defined polling interval or in real time. Each option gives the organization an advantage in detecting attacks and identifying risk, with one trade-off to keep in mind: real-time monitoring catches a change the moment it happens, while polling can miss a file that is altered and restored between two polls.

How It Works

True FIM detects change by first establishing a detailed baseline of each monitored file or configuration in a known and trusted state.

Using real-time monitoring, it then detects any change to that file or configuration and records the result as a new version.

Those versions provide the critical "before" and "after" views that show exactly who made the change, what changed, when it changed and more.

Additionally, true FIM applies change intelligence to each change: it checks the change against integrity rules to determine whether it takes a configuration out of policy or whether it is the kind of change typically associated with an attack.

This matters when you are trying to understand what is happening in your environment as it happens. Remember, lateral movement is what attackers do during long dwell times on your network as they escalate privileges and position themselves for all kinds of mischief.
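As an added illustration of the mechanics described in the two sections above (this is example code written for this page, not Tripwire's code and not part of the original post), the Python script below takes a baseline of a directory tree (SHA-256 of the contents plus mode, owner, size and mtime), rescans it, produces before/after change records, applies a handful of illustrative "change intelligence" rules, and seals the baseline with an HMAC whose key is meant to live off the monitored host. The directory tree, the simulated tampering and the rules are all constructed for the demo; the rule names and the file paths they key on are assumptions, not a vendor rule set.

```python
"""Toy FIM: baseline a directory tree, rescan it, report what changed with
before/after views, and apply policy rules to each change.  Example code
written for this page; the tree, the tampering and the rules are constructed."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot_file(path: Path) -> dict:
    """Record a content hash plus the attributes an attacker may alter
    without touching content (permissions, ownership, timestamp)."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": int(st.st_mtime)}


def build_baseline(root: Path) -> dict:
    """Walk root and snapshot every regular file, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): snapshot_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def seal_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over the canonical baseline.  Keep the key off the monitored host so
    a root-level intruder cannot rewrite the baseline to match their changes."""
    canon = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canon, "sha256").hexdigest()


def compare(baseline: dict, current: dict) -> list:
    """One change record per differing path, carrying 'before' and 'after' views."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            changes.append({"path": rel, "kind": "added", "before": None, "after": after, "fields": []})
        elif after is None:
            changes.append({"path": rel, "kind": "removed", "before": before, "after": None, "fields": []})
        elif before != after:
            fields = sorted(k for k in before if before[k] != after[k])
            changes.append({"path": rel, "kind": "modified", "before": before, "after": after, "fields": fields})
    return changes


SUID_BITS = stat.S_ISUID | stat.S_ISGID


def evaluate(change: dict) -> list:
    """Change intelligence: illustrative rules (assumed for this example) that mark a
    change as out of policy or as a pattern commonly seen after a compromise."""
    findings = []
    before, after, fields = change["before"] or {}, change["after"] or {}, change["fields"]
    if "sha256" in fields and "mtime" not in fields:
        findings.append("content changed but mtime preserved (timestomping)")
    if after.get("mode", 0) & SUID_BITS and not before.get("mode", 0) & SUID_BITS:
        findings.append("setuid/setgid bit added")
    if after.get("mode", 0) & stat.S_IWOTH:
        findings.append("world-writable")
    if change["path"].startswith("bin/"):
        findings.append("binary changed outside of patching")
    if change["kind"] == "added" and change["path"].startswith("etc/cron.d/"):
        findings.append("new cron job (common persistence mechanism)")
    return findings


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, rescan.
    Returns {path: {"kind", "fields", "findings"}} for every detected change."""
    t0 = 1_700_000_000                      # fixed mtime so the demo is deterministic
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {"bin/ls": (b"\x7fELF original", 0o755),
                 "etc/ssh/sshd_config": (b"PermitRootLogin no\n", 0o644)}
        for rel, (data, mode) in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            p.chmod(mode)
            os.utime(p, (t0, t0))
        (root / "etc/cron.d").mkdir()
        baseline = build_baseline(root)
        # --- simulated intrusion (constructed for the demo) ---
        ls = root / "bin/ls"
        ls.write_bytes(b"\x7fELF trojaned")   # same size, different content
        ls.chmod(0o4755)                       # add setuid
        os.utime(ls, (t0, t0))                 # timestomp back to the baseline mtime
        cfg = root / "etc/ssh/sshd_config"
        cfg.write_bytes(b"PermitRootLogin yes\n")
        os.utime(cfg, (t0 + 3600, t0 + 3600))
        job = root / "etc/cron.d/backdoor"
        job.write_bytes(b"* * * * * root /tmp/.x\n")
        job.chmod(0o666)
        changes = compare(baseline, build_baseline(root))
    return {c["path"]: {"kind": c["kind"], "fields": c["fields"], "findings": evaluate(c)}
            for c in changes}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports three changes: the trojaned binary (content and mode changed, mtime preserved, so it trips the timestomping, setuid and binary rules), the sshd_config edit (a genuine modification that trips no rule and therefore goes to a human or a policy check on the config contents), and the new world-writable cron job. Note that the mtime-only rule works here because the attacker reset the timestamp exactly; a real deployment would rely on the content hash and treat mtime as supporting evidence.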

Detecting Change with Detective Controls

By applying detective controls to critical servers, firewalls, file systems, network devices, databases, applications, security infrastructure and more, Tripwire helps companies focus on detecting change in these systems in a comprehensive way. That in turn provides an analytical picture that helps keep risk at a level the organization can operate with.

For more information about Tripwire’s approach to FIM, click here.

The post "File Integrity Monitoring (FIM): Your Friendly Network Detective Control" appeared first on Tripwire.

Source: Tripwire – Mitch Parker
