What to monitor to stop hacker and malware attacks

Most organizations under attack have no clue they're being targeted. Here are security events to look for in case of a breach

The 2012 Verizon Data Breach Investigations Report released last week continues to reverberate. The stats that jumped out at me: 96 percent of data breaches were relatively easy for attackers to pull off, and 97 percent of those attacks were easily avoidable.

Want to protect yourself against malicious hackers and malware? Do the basics better and more consistently. Patch better, isolate better -- and for god's sake, enable your monitoring.

According to the report, 85 percent of victims were unaware of their compromised state for weeks- to months-long stretches. When they did become aware, 92 percent of the time it was because an outside third party told them. That's embarrassing.

In which group would you rather be? The 85 percent hanging their heads in shame or the 15 percent who had a clue?

I know InfoWorld readers care more than the average IT working stiff. It's why you read our publication and this blog in particular. I also realize that our readers are tasked with dozens of different projects every year, each one a high priority that overrides previous priorities.

But the bottom line is this: If you don't have a good security event logging program, become the champion in your organization and create one.

What to monitor

You should enable event log monitoring on all managed workstations and servers. Don't make the mistake of monitoring only servers: 99 percent of malicious activity begins on a regular end user's workstation and only later spreads to the servers holding the data. Often, by the time attackers reach the servers, they are operating with a legitimate end user's elevated credentials, and at that point event log monitoring becomes much tougher because the activity looks like authorized use.

In the interest of giving specific advice, I've assembled the Windows security event log IDs [Excel format] that you should be monitoring on Microsoft operating systems, although the events and behaviors they cover should be monitored on any OS your organization uses. Microsoft probably has the best security event log ID descriptions, so it's a good place to start. (Note: I am a full-time employee of Microsoft.)

High-criticality events. Here are the events I consider most relevant; they require immediate investigation unless the event occurred under approved change/configuration control.

High-criticality events
(A dash means the event has no equivalent ID in that OS family.)

Vista/W2K8/Win7   W2K3/XP legacy   Event description
4618              -                A monitored security event pattern has occurred.
-                 550              Possible denial-of-service (DoS) attack.
4649              -                A replay attack was detected. (Note: This may be nonmalicious and frequently reoccurring in some environments.)
4692              -                Backup of data protection master key was attempted.
4693              -                Recovery of data protection master key was attempted.
4694              -                Protection of auditable protected data was attempted.
4695              -                Unprotection of auditable protected data was attempted.
4719              612              System audit policy was changed.
4765              -                SID History was added to an account.
4766              -                An attempt to add SID History to an account failed.
4794              -                An attempt was made to set the Directory Services Restore Mode administrator password.
4816              -                RPC detected an integrity violation while decrypting an incoming message.
4964              -                Special groups have been assigned to a new logon.
5124              -                A security setting was updated on the OCSP Responder Service.
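To turn the table above into something that actually fires, here is an added PowerShell example (not from the article, Microsoft, or the linked spreadsheet) that keeps the high-criticality IDs as a watchlist, screens a batch of security events against it, and collapses the one noisy entry (4649) into a single alert per host per hour. The hostnames, the sample events and the five-per-hour replay threshold are constructed assumptions; the event descriptions are the ones Microsoft publishes for each ID.

```powershell
# Added example: watchlist of the high-criticality event IDs above plus a
# function that screens security events against it. Hostnames, sample events
# and the replay threshold are constructed, not taken from the article.

# Event IDs from the table, keyed by ID. The W2K3/XP legacy IDs are included
# so the same watchlist works against exports from older hosts.
$HighCriticalityEvents = @{
    4618 = 'A monitored security event pattern has occurred'
    550  = 'Possible denial-of-service (DoS) attack (legacy ID)'
    4649 = 'A replay attack was detected'
    4692 = 'Backup of data protection master key was attempted'
    4693 = 'Recovery of data protection master key was attempted'
    4694 = 'Protection of auditable protected data was attempted'
    4695 = 'Unprotection of auditable protected data was attempted'
    4719 = 'System audit policy was changed'
    612  = 'System audit policy was changed (legacy ID)'
    4765 = 'SID History was added to an account'
    4766 = 'An attempt to add SID History to an account failed'
    4794 = 'An attempt was made to set the Directory Services Restore Mode administrator password'
    4816 = 'RPC detected an integrity violation while decrypting an incoming message'
    4964 = 'Special groups have been assigned to a new logon'
    5124 = 'A security setting was updated on the OCSP Responder Service'
}

# 4649 is the one entry the article warns can recur harmlessly in some
# environments, so it is escalated only once a host logs this many in an
# hour. The value is an assumed tuning knob, not from the article.
$ReplayAlertThreshold = 5

function Select-HighCriticalityEvent {
    <#
      Takes objects shaped like Get-WinEvent output (Id, TimeCreated,
      MachineName, Message) and returns one alert object per event on the
      watchlist, collapsing 4649 bursts to a single alert per host-hour.
    #>
    param([object[]] $Events = @())

    $alerts      = @()
    $replayCount = @{}   # "host|yyyyMMddHH" -> number of 4649 events seen

    foreach ($e in $Events) {
        if ($null -eq $e) { continue }
        $id = [int]$e.Id
        if (-not $HighCriticalityEvents.ContainsKey($id)) { continue }

        if ($id -eq 4649) {
            $bucket = '{0}|{1}' -f $e.MachineName, $e.TimeCreated.ToString('yyyyMMddHH')
            $replayCount[$bucket] = 1 + [int]$replayCount[$bucket]
            # Emit exactly one alert, at the moment the bucket crosses the threshold
            if ($replayCount[$bucket] -ne $ReplayAlertThreshold) { continue }
        }

        $alerts += [pscustomobject]@{
            Time        = $e.TimeCreated
            Host        = $e.MachineName
            Id          = $id
            Description = $HighCriticalityEvents[$id]
            # First line of the event message; the rest is the structured body
            Message     = ("$($e.Message)" -split "`r?`n")[0]
        }
    }
    return $alerts
}

# Constructed sample (not real log data) so the function runs on any platform
# with PowerShell. WS02 shows a burst of 4649s; the 4624 logon on WS01 is an
# ordinary event that must be ignored.
$now = Get-Date
$sampleEvents = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = $now; MachineName = 'WS01'; Message = 'An account was successfully logged on.' }
    [pscustomobject]@{ Id = 4719; TimeCreated = $now; MachineName = 'WS01'; Message = "System audit policy was changed.`r`nSubcategory: Logon" }
    [pscustomobject]@{ Id = 4765; TimeCreated = $now; MachineName = 'DC01'; Message = 'SID History was added to an account.' }
)
foreach ($i in 1..6) {
    $sampleEvents += [pscustomobject]@{ Id = 4649; TimeCreated = $now; MachineName = 'WS02'; Message = 'A replay attack was detected.' }
}

$alerts = Select-HighCriticalityEvent -Events $sampleEvents
$alerts | Format-Table Time, Host, Id, Description -AutoSize

# Live use on a Windows host (needs rights to read the Security log).
# Get-WinEvent errors when nothing matches, hence -ErrorAction SilentlyContinue.
# $live = Get-WinEvent -FilterHashtable @{
#             LogName   = 'Security'
#             Id        = [int[]]$HighCriticalityEvents.Keys
#             StartTime = (Get-Date).AddHours(-24)
#         } -ErrorAction SilentlyContinue
# Select-HighCriticalityEvent -Events @($live) | Format-Table -AutoSize
```

Run against the constructed sample, the ordinary 4624 logon is dropped, the 4719 and 4765 events each produce an alert, and the six 4649 replay events on WS02 collapse into one alert instead of six. The live query at the end is the same screen applied to the last 24 hours of the local Security log; the IDs only appear there if the audit subcategories that generate them are enabled in the host's audit policy, which is exactly why 4719 (audit policy changed) belongs on the list.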