Scenario S-010 - Tampering with Logging Infrastructure
| Element | Description |
|---|---|
| Scenario ID | S-010 |
| Target asset | SIEM / Central Logging Platform storing system, network, and application logs |
| Threat source | External attacker or malicious insider with privileged access |
| Attack vector | Deletion or modification of audit logs, manipulation of event records |
| Potential impact | Loss of visibility, undetected or unattributable attacks, loss of forensic evidence, operational errors, and delayed incident response |
| Likelihood | 🟧 Medium - attackers with sufficient privileges can alter logs if protections are weak |
| Impact rating | 🟥 High - compromised logging infrastructure undermines monitoring and incident detection |
| Risk rating | 🟥 High |
Mitigation:
- Implement write-once-read-many (WORM) or immutable log storage, and ensure the retention and immutability settings cannot be changed by the same accounts that administer the logging platform (separation of duties).
- Restrict administrative access to the logging platform via RBAC and MFA; no single role should be able to both write logs and delete or reconfigure them.
- Forward logs in near real time to a separate, hardened SIEM instance or cloud archive, so that deleting or altering the local copy on a compromised host does not remove the record.
- Enable integrity monitoring (hash-chained or authenticated records verified on the receiving side) and alert on log modifications, deletions, gaps in sequence numbers, and audit-log clearing events (for example Windows Security Event ID 1102).
- Back up logs regularly, test restores, and verify that retained volumes and time ranges match the retention policy.
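The following is an added example, not part of the original scenario card, showing how the integrity-monitoring item above can be implemented so that the verifier on the separate SIEM detects modification, deletion, renumbering, and truncation of forwarded records. It uses a forward-secure HMAC chain: the monitored host authenticates each record with a key that is derived from the previous key and then discarded, so an attacker who takes over the host later cannot recompute tags for earlier records. The initial key, the class and function names, and the four sample log lines are all constructed for this example; in practice the initial key would come from a KMS and never be stored on the host.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional

# Forward-secure, tamper-evident log. The appender (on the monitored host) keeps
# only the *current* key; the verifier (on the separate SIEM) holds the initial
# key K0 and replays the derivation. Names and sample data are constructed.


def _next_key(key: bytes) -> bytes:
    """One-way key evolution: knowing key_i+1 does not reveal key_i."""
    return hashlib.sha256(b"evolve|" + key).digest()


def _tag(key: bytes, seq: int, prev_tag: str, message: str) -> str:
    """HMAC over sequence number, previous tag and message (chains the records)."""
    data = json.dumps([seq, prev_tag, message]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Appender running on the monitored host."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev_tag = "0" * 64
        self._seq = 0
        self.records: List[dict] = []  # each record: {"seq", "msg", "tag"}

    def append(self, message: str) -> dict:
        rec = {"seq": self._seq, "msg": message,
               "tag": _tag(self._key, self._seq, self._prev_tag, message)}
        self.records.append(rec)
        self._prev_tag = rec["tag"]
        self._seq += 1
        self._key = _next_key(self._key)  # the old key is now unrecoverable
        return rec


def verify(records: List[dict], initial_key: bytes,
           expected_count: Optional[int] = None) -> List[str]:
    """Verifier on the SIEM side. Returns findings; an empty list means clean.

    expected_count is the record count from the last checkpoint the SIEM
    received; without it, silent truncation of the tail cannot be detected."""
    findings = []
    key = initial_key
    prev_tag = "0" * 64
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            findings.append(f"sequence gap at position {i}: seq={rec['seq']}")
            break  # key schedule cannot be resynchronised across a gap
        expected = _tag(key, i, prev_tag, rec["msg"])
        if not hmac.compare_digest(expected, rec["tag"]):
            findings.append(f"record {i} modified or forged")
        prev_tag = rec["tag"]  # chain over what was stored, to localise damage
        key = _next_key(key)
    if expected_count is not None and len(records) < expected_count:
        findings.append(
            f"log truncated: {len(records)} of {expected_count} records present")
    return findings


def demo() -> dict:
    """Constructed sample: four audit events, then four tampering attempts."""
    k0 = hashlib.sha256(b"constructed demo key; real K0 comes from a KMS").digest()
    log = ForwardSecureLog(k0)
    for line in ["sshd: Accepted publickey for deploy from 10.0.0.5",
                 "sudo: deploy : COMMAND=/bin/bash",
                 "auditd: file /etc/shadow opened by uid=0",
                 "sshd: session closed for user deploy"]:
        log.append(line)
    good = copy.deepcopy(log.records)

    modified = copy.deepcopy(good)  # attacker rewrites one event in place
    modified[2]["msg"] = "auditd: file /etc/motd opened by uid=0"

    deleted = copy.deepcopy(good)  # attacker removes the sudo line, leaving a gap
    del deleted[1]

    renumbered = [dict(r, seq=i) for i, r in enumerate(deleted)]  # and hides the gap

    truncated = good[:3]  # attacker drops the newest record

    return {
        "clean": verify(good, k0, expected_count=4),
        "modified": verify(modified, k0, expected_count=4),
        "deleted": verify(deleted, k0, expected_count=4),
        "renumbered": verify(renumbered, k0, expected_count=4),
        "truncated": verify(truncated, k0, expected_count=4),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:10s} -> {findings or 'OK'}")
```

Note that an in-place edit is localised to the single record whose tag no longer matches, while deleting and renumbering causes every later record to fail because the verifier's key schedule and the attacker's renumbered chain diverge; both outcomes are alert-worthy. Truncation of the tail is only caught because the SIEM compares against the last checkpointed count, which is why periodic heartbeats or sequence checkpoints from the host belong in the forwarding design.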
Owners:
- Sec - monitoring, alerting, incident response.
- Ops - backup, access management, and system hardening.
- Dev - ensure applications securely forward logs and do not bypass logging controls.
References:
- ISO/IEC 27001:2022 - Annex A 8.3 Information access restriction.
- ISO/IEC 27001:2022 - Annex A 8.16 Monitoring activities.
- NIST CSF - DE.CM Continuous Monitoring.
- NIST CSF 1.1 - PR.PT Protective Technology.
- EBIOS RM - Threat scenario modeling for log tampering and loss of visibility.
Response actions:
- Containment - Isolate compromised logging nodes, disable the accounts and credentials used, and preserve the current state of the affected storage for forensics before making changes.
- Investigation - Compare surviving logs against the forwarded or immutable copy to identify modified or missing events, establish the tampering window, and assess what activity the gap was meant to hide.
- Recovery - Restore logs from immutable backups or replicated archives and re-verify their integrity before returning them to service.
- Post-incident - Review and update the logging architecture, reinforce access controls and separation of duties, and improve detection rules for log clearing and forwarding gaps.