File Integrity Monitoring (FIM) Tools ‘in Action’ for Endpoint Intrusion Detection and Response
Your security systems cannot stop an attack they have not detected. That makes file integrity monitoring (FIM), the ability to automatically track changes to the environment, crucial to both detection and prevention.
That detection needs to be not only fast but deep enough to catch an intrusion like the SolarWinds Sunburst attack, which relied heavily on lateral movement and a variety of living-off-the-land tactics: abuse of Windows PowerShell, deletion of the files that make up the digital trail, privilege escalation, and system hijacking.
In the following video, I demonstrate how the Atomic OSSEC file integrity monitoring and intrusion detection system (IDS) solution provides defense in depth against a similar, simulated attack.
File Integrity Monitoring (FIM) in Action
FIM is a security model in which we track the changes made to a system over time and associate each change with the user that made it. It tells us when something on the system changed, what changed, and who changed it. It belongs to the part of the security stack we can call integrity.
In the video, I simulate an attack on a web server, show the change as it happens in real time, and show the automatic response, including some machine-learning logic applied at that moment. Through FIM you get alerts, can create artifacts of the incident, and, of course, can review what is being changed on the system as part of both an automatic and a sustained response.
You can look at the activity first at the command-line level and inspect the attacker's code, or use the more dynamic GUI management console. Then take measures to stop it fast, such as restoring the altered files and adding rules that block a repeat of the behaviour.
Using the command line to show how quickly this is detected: we are looking at a web server running a vulnerable web application, and we can see the artifacts associated with the change. Save the file and it becomes an artifact of the incident (see Figure 1).
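To make the model concrete, here is an added example (my own code, not Atomic OSSEC's implementation) of the core of a file integrity check: take a baseline fingerprint of every file under a directory, take another later, and report what was added, deleted or modified, including permission and ownership changes that leave the content intact. The directory tree and the "attacker" edits are constructed inside a temporary directory so it runs offline. This snapshot-and-compare is what a timer-based scanner does; a real-time FIM hooks filesystem or audit events instead of rescanning, and attributing a change to the user who made it needs such an audit source rather than the file's owner, which is all a snapshot can record.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes compared per file. The hash catches content changes; mode, uid
# and gid catch permission or ownership tampering that leaves content intact.
TRACKED = ("sha256", "size", "mode", "uid", "gid")


def fingerprint(path: Path) -> dict:
    """Hash the file in chunks and capture the metadata an integrity check needs."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root) -> dict:
    """Walk the tree and fingerprint every regular file (symlinks are skipped)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, deleted or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = {
            k: (baseline[rel][k], current[rel][k])
            for k in TRACKED
            if baseline[rel][k] != current[rel][k]
        }
        if changed:
            modified[rel] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Build a throwaway tree, baseline it, simulate the attack, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "var/www/html").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "var/www/html/index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        baseline = build_baseline(root)

        # Simulated attacker activity (constructed for this example):
        # backdoor the PHP page, drop an executable script, delete a file.
        (root / "var/www/html/index.php").write_text("<?php system($_GET['cmd']); ?>\n")
        dropper = root / "var/www/html/.x.sh"
        dropper.write_text("#!/bin/sh\nrm -f /var/log/apache2/*.log\n")
        os.chmod(dropper, 0o755)
        (root / "etc/passwd").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three classes of change: the dropped `.x.sh` as added, `etc/passwd` as deleted, and `index.php` as modified with its old and new hash and size. In a real deployment the baseline would be stored off-host or signed, since an attacker with write access to it can simply re-baseline their changes away.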
Figure 1.
The file records who made the change, what command made it, and whether it ran from bash or another shell, and it reveals that the malware or attacker is deleting files to hide their trail.
In this case, the attacker is exploiting a vulnerable PHP application through remote code injection, a common method of attacking web targets. The malware then tries to reproduce and spread.
Atomic OSSEC immediately reports that the web server has created a file and then executed it, which is suspicious activity on its own: a web server process should be serving content, not writing and running new executables. You can have the active response delete the file.
Now you want to protect the system from this attack in the future and from any lingering effects of the encounter. That means forensic analysis: looking at the steps the attacker took to capture privileges and use them. In essence, you study the code and behaviour used to gain a foothold and make inroads, because there may still be a lateral infection or unpatched vulnerabilities in your systems. From that analysis you can write rules of the form: if the parent user is X, deny the action. All of this runs in a real-time model: deep and fast detection plus security analysis in real time, which enables faster response.
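The two detections described above (a web server process writing a file and then executing it, and the deletion of log files to hide the trail) and the "if the parent user is X, deny" response rule can be expressed as a few lines of stateful logic over an audit stream. The following is an added example written for this page, not Atomic OSSEC's rule engine or its rule syntax; the event fields, the service-account names and the sample audit trail are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Service accounts a web server runs as (assumed names for this example).
WEB_USERS = {"www-data", "apache", "nginx"}
# Parent users to which the "if parent user is X, deny" policy applies.
DENIED_PARENT_USERS = {"www-data"}
# Directories whose deletions by a web user count as trail hiding.
LOG_DIRS = ("/var/log/",)


@dataclass(frozen=True)
class Event:
    ts: int            # sequence number / timestamp
    user: str          # user the acting process runs as
    parent_user: str   # user of the parent process
    parent: str        # parent process name
    action: str        # "create" | "exec" | "delete"
    path: str


# Constructed audit trail for the PHP remote-code-injection scenario (not
# real logs): the web server writes a script, a shell runs it, and the
# script deletes the access log. Two benign root events are mixed in.
SAMPLE_EVENTS = [
    Event(1, "www-data", "root", "apache2", "create", "/tmp/.x.sh"),
    Event(2, "www-data", "www-data", "sh", "exec", "/tmp/.x.sh"),
    Event(3, "www-data", "www-data", ".x.sh", "delete", "/var/log/apache2/access.log"),
    Event(4, "root", "root", "cron", "create", "/var/log/cron.1"),
    Event(5, "root", "root", "bash", "exec", "/usr/bin/ls"),
]

Alert = Tuple[str, str, Event]


def detect(events: List[Event]) -> List[Alert]:
    """Stateful rules: correlate a create by a web user with a later exec of
    the same path, and flag web-user deletions inside log directories."""
    alerts: List[Alert] = []
    created_by_web: Dict[str, Event] = {}
    for ev in events:
        if ev.action == "create" and ev.user in WEB_USERS:
            created_by_web[ev.path] = ev
        elif ev.action == "exec" and ev.path in created_by_web:
            origin = created_by_web[ev.path]
            alerts.append((
                "WEB_WRITE_THEN_EXEC",
                f"{ev.path} written by {origin.user} ({origin.parent}) then executed",
                ev,
            ))
        elif (ev.action == "delete" and ev.user in WEB_USERS
              and ev.path.startswith(LOG_DIRS)):
            alerts.append((
                "WEB_USER_LOG_DELETE",
                f"{ev.user} deleted {ev.path} (trail hiding)",
                ev,
            ))
    return alerts


def should_deny(ev: Event) -> bool:
    """Response rule from the text: if the parent user is X, deny.
    Here: block any exec whose parent process runs as a web service account."""
    return ev.action == "exec" and ev.parent_user in DENIED_PARENT_USERS


if __name__ == "__main__":
    for rule, msg, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] ts={ev.ts} {msg} deny={should_deny(ev)}")
```

The first rule is the important one: neither event is suspicious alone (web servers legitimately write session files and upload directories; shells legitimately run scripts), but a file that the web server user wrote and that is then executed is a very narrow pattern. The deny rule is deliberately coarse, and in practice it needs an allowlist for interpreters the application really does spawn, or it will block legitimate work as well as the attacker.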
Atomicorp brings distributed but deep security against today’s sophisticated attacks. Our defense is in depth, layered from the microprocessor out to the physical layer.
The Atomic OSSEC security solution works across Linux, Windows, macOS and other operating systems, with security at the kernel level, and also supports legacy operating systems such as AIX and Solaris. It is cloud-friendly, with support for all the major cloud platform providers and more.
Watch Atomic OSSEC FIM Detect and Stop a Web Attack
Watch a FIM example at the command-line level to see the real-time speed of Atomic OSSEC compared with systems that only scan on a timer. Visit our FIM page and scroll down to Real-time File Integrity Monitoring and Intrusion Detection.
Request the full FIM solution demo.