Event-type audit logs record specific events on a system. Tracking the events recorded in these audit logs ensures that the events leading up to a security breach, the events that comprise the breach, and any after effects of the breach are understood. No security breach happens in a vacuum. There are discernable events that create favorable conditions for an attack. Careful monitoring of event logs can give hints that an attack is about to take place and allow you to stop it before it happens. Tracking the events before, during, and after an attack can give systems administrators valuable information to reduce the risk of similar attacks in the future.

There are three levels of events:

• System-level events: These focus on user logon attempts, system resource usage, and other low-level events that affect the integrity of the entire system.
• Application-level events: These are specific to a given application, including error messages, file modifications, and security alerts within the application.
• User-level events: These are initiated by individual users and include authentication attempts, commands and applications used, and security violations. This type of event log is discussed in the next section.

Each of these event types holds valuable information about potential and actual security breaches. An example of Event Viewer log information from a Windows Server system appears in FIGURE 13-4.

User audit logs store information on authentication attempts, resources used, commands and applications run, and security violations committed by users. Most importantly, this type of log provides accountability because it ties specific actions to individual users. When suspicious activity is detected in the event audit log, it can be cross-referenced with the user log to determine who was logged onto the system at the time of the breach, and what he or she was doing.

Unauthorized access attempts are a key signal that an attack may be in progress. A single failed access attempt is likely just a typing error on the part of a legitimate user, but 10 failed access attempts signal an attempt at password cracking. The information stored in this audit log can be combined with the user and event logs to give a complete picture of the system before, during, and after an attack.

Consider the case of Acme Communications, a mobile phone manufacturer. The company stores proprietary and experimental product designs, project plans, and long-term strategy documents on a file server. The file server is located behind a firewall and protected by an intrusion detection system and is relatively secure against an attack from outside the organization.

In a press release, the company’s major competitor announces that it has a working prototype and will release a consumer model with many of the same features and cutting-edge technology that Acme has spent the past 3 years developing. It is clear to Acme management that its competitor must have obtained the designs stored on the file server.

While analyzing the audit logs, systems administrators locate several instances of access to product design documents on the file server over several months originating from a workstation in the customer service department. Normally, there would be no reason for anyone outside of engineering to access those documents.

Digging further, the systems administrator cross-references with the user audit log and discovers that the same customer service representative accessed the design documents in each instance. Before accusing the employee of leaking the designs, the systems administrators checked the unauthorized access audit log. They discovered that in the weeks before the first incident, there were hundreds of unsuccessful attempts to log on to that user’s network account.

By analyzing information from all three audit logs, systems administrators were able to get a clear idea of what happened. The customer service representative’s network account was breached, and the attacker used that access to find sensitive information, which was then leaked to Acme’s competitor.