By: Nihad Hassan
April 16, 2021
File Integrity Monitoring Tools
By: Nihad Hassan
April 16, 2021
The number of cyberattacks is increasing rapidly, especially after the start of the COVID-19 pandemic, which leads to a spike in cyberattacks worldwide. According to the FBI, there were about 4,000 cyberattacks a day since the beginning of the COVID-19 pandemic. This represents a 400% increase from the previous year before the coronavirus crisis.
The most notable cyberattack type was ransomware. Cybercriminals exploited the COVID-19 crisis and intensified their efforts to target healthcare institutions such as hospitals and pharmaceutical producers. Healthcare providers' sensitive nature makes them lucrative targets to ransomware operators, as they are more willing to pay the ransom immediately to avoid ceasing their operations.
With the ongoing news about data breaches and cyberattacks happening every day, utilizing file integrity monitoring (FIM) programs becomes an essential component of any cyber defense plan.
This article will define what is meant by a file integrity monitoring software and introduce the most popular four programs.
What Is File Integrity Monitoring (FIM)?
An FIM is a software solution created to monitor the unauthorized change of applications, drivers, databases, virtual images, network devices software, critical operating system files, and other IT infrastructure elements such as file contents, registry settings, users and groups, files security attributes and permissions. The software works by taking a snapshot of the monitored files and comparing them with other good versions (or baseline) taken before. The purpose is to detect any minor changes in monitored files, such as a change in size or other attributes, to determine if they were tampered with or modified. If a suspicious change is detected, the FIM programs will alert the IT administrator and execute predefined security controls to minimize the risk.
Why is File Integrity Monitoring important?
Threat actors employ various techniques to alter important system files –on servers and endpoint devices - to plant their malware and ensure it will remain running for a long time without detection. FIM solutions play an essential role in stopping intruders from making unintended changes to the target IT environment and help digital forensic examiners speed up the incident response process if an instruction successfully took place.
File Integrity Monitoring programs become very important for the following reasons:
It can detect unintended changes made by IT staff or other employees and alert system administrators to correct the issue before being exploited by threat actors.
Verify successful updates of the operating system, software programs, and drivers by comparing the files after updating with a checksum calculated from a post-patched device.
Detect intrusion early before it extends into other resources. For instance, many ransomware variants change file names and associated security attributes (change file permissions) before beginning the encryption routine. Such actions trigger the FIM solution to close the connection and prevent the ransomware from communicating with its command and control server (C&C) to continue the encryption process.
Implementing an FIM solution helps the organization meet compliance requirements imposed by many regulations such as GLBA, SOX, HIPAA, and PCI DSS.
Now that we have a fair understanding of how FIM solution work and its role in detecting and preventing various cyber threats let me introduce the most popular FIM programs.
File Integrity Monitoring programs
There are a variety of FIM solutions to choose from, both commercial and open-source versions.
OSSEC is an open-source intrusion detection system that runs on both Linux and Mac OS X. The tool can be configured to meet various security needs through its extensive configuration options, allowing additional custom rules to manage all types of expected alerts. OSSEC has a host-based intrusion detection feature that runs on all primary operating systems, including Windows. OSSEC can detect unauthorized file system modification and alerts system administrators about it once happening.
SolarWinds (see Figure 1) is a popular commercial file integrity monitoring program; it can monitor files across all popular platforms such as Windows and Linux, in addition to cloud storage (Azure and AWS IaaS, PaaS, and SaaS). SolarWinds has more than 1,200 monitoring templates in addition to 1000 templates developed by the community. IT administrators can customize monitoring by writing customized scripts in PowerShell, REST API, WMI, and SNMP.
Trustwave is a commercial cloud-based file integrity monitoring software. However, it is developed – and priced - for more than file monitoring. It offers threat intelligence capabilities, layered detection and proactive threat hunting, log monitoring, incidence management, and file comparison features. I don't recommend using Trustwave if the only solution needed is a file integrity monitoring function.
Tripwire is a commercial solution that is available on-premise or as a cloud-based managed service. The program is famous for its intrusion detection function but also offers a robust file integrity monitoring feature. This tool has a user-friendly interface and comes equipped with many out-of-box functions. Tripwire can detect all changes, notify who made each one and help IT administrators enforce change and configuration management policies.
Any organization can benefit from deploying an FIM solution. As cyberattacks increase at an explosive rate, file integrity monitoring has become a requirement to meet many compliance requirements in addition to its great benefits in reducing and mitigating data breaches.