This is a key pain point for those of you trying to meet compliance requirements. Just about every regulation out there requires you to review failed logons but offers no guidance on what to look for.
But there’s more to logon auditing than compliance. Attackers cannot successfully move laterally along the horizontal kill chain without making noise. If you know what to listen for, you can detect the bad guys as they feel their way around your network and within a given system as well.
Distinguishing malicious logon failures from innocent logon failures is challenging for a variety of reasons:
- Each Windows computer role (workstation, server and domain controller) contributes failed logon events to your overall audit trail, so a single failed attempt can show up on more than one system. I’ll help you understand which systems log which events and why
- The logon failure codes in the security log are the same whether the user mistyped his password or an attacker is trying to guess the password
- Some Windows clients and applications make more than one logon attempt per user attempt, thus inflating the number of innocent logon failures
- Confusion over the meaning of logon failure codes
- Distinguishing “low and slow” attacks, which space out guesses to stay under lockout thresholds, from the normal background of innocent failures
But beyond logon failure events, more recent versions of Windows include new events that can alert you to behavior that likely indicates an attacker gathering information about target accounts.
In this real training for free™ webinar, I will first acquaint you with the two different audit categories used for tracking logon failures - Logon/Logoff and Account Logon - and show you the difference between the two. I’ll be using Windows Server 2016 for demonstrations and point out any minor differences between its events and those logged by earlier versions of Windows.
Next, I’ll share my tips for building your alert rules and reports to try to recognize malicious logon events that indicate an attack. I’ll use a variety of techniques - some simple and others that require some sophisticated analysis. You also need to take into account your particular environment in terms of authentication types used, exposure to hostile networks, password quality among your users and their logon habits. Baselines are important and we’ll discuss how to establish them.
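As an added illustration of the kind of rules discussed above (this is not code from the webinar or its author), the script below runs three checks over a handful of constructed logon-failure records: it drops the Logon/Logoff duplicate of an attempt the DC already recorded under Account Logon, it flags a source address that sprays a few guesses across many accounts, and it flags an account whose failures far exceed its baseline while staying below the lockout threshold. The event IDs and failure codes are the real Windows values; the hosts, addresses, timestamps, baseline figures and thresholds are all made up for the example, and the field names assume the events were already exported (for instance with Get-WinEvent or a SIEM) into dicts.

```python
"""Added example: detection checks over constructed Windows logon-failure
events. Assumes events already exported from the security log into dicts
carrying the fields named below; every record here is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit categories. Logon/Logoff events are logged by the machine the user
# tried to reach; Account Logon events by the DC that validated the
# credential (4771 = Kerberos pre-auth failure, 4776 = NTLM validation).
LOGON_LOGOFF = {4625}
ACCOUNT_LOGON = {4771, 4776}

# The same mistake is coded differently per protocol: 4625 SubStatus and
# 4776 Status carry NTSTATUS values, 4771 carries Kerberos error codes.
REASONS = {"0xC000006A": "bad_password", "0x18": "bad_password",
           "0xC0000064": "no_such_user", "0x6": "no_such_user"}

BASE = datetime(2018, 3, 1, 9, 0, 0)
EVENTS = []  # constructed sample records, not real log data

def add(event_id, host, user, ip, minutes, code):
    EVENTS.append({"EventID": event_id, "Computer": host, "TargetUserName": user,
                   "IpAddress": ip, "Time": BASE + timedelta(minutes=minutes),
                   "Code": code})

# 1. One innocent typo against file server FS1: FS1 logs 4625 and the DC
#    logs 4771 for the same attempt, so naive counting sees two failures.
add(4625, "FS1", "alice", "10.1.1.20", 0, "0xC000006A")
add(4771, "DC1", "alice", "10.1.1.20", 0, "0x18")
# 2. Password spray from 10.1.1.99: eight accounts, one guess each, mixing
#    Kerberos and NTLM, each guess carrying the same codes as a typo.
for i, user in enumerate(["bob", "carol", "dave", "erin",
                          "frank", "grace", "heidi", "ivan"]):
    if i % 2:
        add(4776, "DC1", user, "10.1.1.99", 10 + i, "0xC000006A")
    else:
        add(4771, "DC1", user, "10.1.1.99", 10 + i, "0x18")
# 3. Low and slow against a service account: one guess every 40 minutes.
for i in range(30):
    add(4771, "DC1", "svc-backup", "10.1.1.77", 60 + 40 * i, "0x18")

def reason(event):
    """Map protocol-specific failure codes onto one vocabulary."""
    return REASONS.get(event["Code"], "other")

def account_logon_only(events):
    """Keep the DC's Account Logon events so each attempt counts once."""
    return [e for e in events if e["EventID"] in ACCOUNT_LOGON]

def spray_sources(events, min_accounts=5, max_per_account=2,
                  window=timedelta(hours=1)):
    """Sources failing against many accounts, a few times each, within one
    window: a spray that never trips lockout on any single account."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IpAddress"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            counts = defaultdict(int)
            for e in evs[i:]:
                if e["Time"] - first["Time"] > window:
                    break
                counts[e["TargetUserName"]] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged.add(ip)
                break
    return flagged

def low_and_slow(events, baseline, default_per_day=0.5, factor=5,
                 lockout_threshold=5, lockout_window=timedelta(minutes=30)):
    """Accounts whose failures far exceed their per-day baseline while never
    reaching the lockout threshold inside any lockout window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["TargetUserName"]].append(e["Time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        span_days = max((times[-1] - times[0]) / timedelta(days=1), 1.0)
        expected = baseline.get(user, default_per_day) * span_days
        peak = max(sum(1 for t in times if t0 <= t < t0 + lockout_window)
                   for t0 in times)
        if len(times) > factor * expected and peak < lockout_threshold:
            flagged[user] = len(times)
    return flagged

# Constructed baseline: average failures per day per account, the kind of
# figure you would derive from your own history before writing rules.
BASELINE = {"alice": 1.0, "svc-backup": 0.1}

if __name__ == "__main__":
    deduped = account_logon_only(EVENTS)
    print(len(EVENTS), "raw events,", len(deduped), "after dropping 4625 duplicates")
    print("spray sources:", spray_sources(deduped))
    print("low and slow:", low_and_slow(deduped, BASELINE))
```

The thresholds (five accounts per hour, five failures per 30 minutes, five times baseline) are placeholders; set them from your own lockout policy and the baselines you measure, since a single mistyped password and a single guess from an attacker look identical in any one event.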
Manage Engine is our sponsor and Nitin Devanand will briefly show you how Log360 is an integrated solution that combines EventLog Analyzer, ADAudit Plus, and Cloud Security Plus into a single console to help you manage your network security, Active Directory auditing, and public cloud management easily.
This will be real training on a very important area of the Windows security log. Don’t miss it. Please register now!