File Integrity Monitoring (FIM) using Defender for Cloud to comply with PCI DSS requirement

In this post, I want to discuss how File Integrity Monitoring (FIM) can be implemented using Microsoft Defender for Cloud which is one of the requirements of PCI DSS.

What is FIM?

FIM, also known as a change detection solution,  is one of the requirements for PCI DSS which verifies whether an application, operating system, registry have not been compromised. FIM is very useful when the server gets compromised and the attacker starts installing unauthorized applications or malicious code, malware, spyware, changes OS and application files. Microsoft Defender for Cloud can be the saviour here as it provides FIM for Azure VM and non-Azure Servers.

How FIM helps in becoming PCI DSS compliant

PCI DSS Requirement 11.5 describes FIM and the details given below are from the official PCI web page pcisecuritystandards.org.

PCI DSS Requirements Testing Procedures Guidance

11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

11.5.a:  Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: • System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log and audit files • Additional critical files determined by entity (for example, through risk assessment or other means).

11.5.b: Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly. 

Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.

How to achieve FIM using Defender for Cloud

Microsoft Defender for Cloud (previously Azure Security Center) comes with two plans. Plan one is free and the other one is paid. If we use the paid plan of Defender for Cloud then we will get workload protections features (also known as advanced features). FIM is one of the premium features of the paid version of Defender for Cloud.

The technology behind FIM here in Azure are Log Analytics agent, Log Analytics workspace, and Azure Change Tracking. Log Analytics agent uploads data to Log Analytics workspace of the current state of the items. FIM uses Azure Change Tracking to track and identified the changes in those servers. Now we will see in detail how the PCI DSS requirement 11.5 can be achieved using Defender for Cloud. 

Enable FIM 

Login to Azure portal (portal.azure.com) and go to Defender for Cloud->Workload protections->File integration monitoring.

1.1.png

Choose the correct workspace name and click on Enable button. The server should be connected to the Log Analytics workspace. In the below image, we can see 5 servers are connected to the selected workspace.

1.png

Click on the File Integrity Monitoring button. FIM will be enabled for these 5 servers and will start tracking changes in Windows files, registry, and Linux files. We can modify these settings (add/remove change tracking for specific registry value, add/remove change tracking for specific Windows/Linux file path) as per our needs.

2.png

This is the FIM dashboard where we can see all the detected changes. When any changes will happen we can see it here. Right now everything is zero. It will take some time to reflect on the changes for the first time.

3.png

Now we have to do some registry and files changes so FIM can detect them and show them to the dashboard. For example, add a new registry value. We add a new value to the registry named FIMTEST, FIMTEST1, FIMTEST3, and FIMTEST4.

4.png

Another example, install Wireshark on the server. The installation wizard changes files in Program Files and will be detected by FIM.

6.png

FIM has detected the both registry's new value and file changes on a certain location. FIM dashboard is showing the changes as shown in the below image.

7.png

Here, Value Before is blank and Value After has data (FIMTEST). It means FIMTEST is a new entry to the registry and it could be a malicious entry by a bad actor and should be reviewed. 

8.png

Here, both Value Before and Value After having data but the data is not the same. It means the existing registry value has been modified. It could be modified by malicious applications or bad actors. 

9.png

We can check specific changes using the Log Analytics query. For example, we are looking for all the changes under the registry key HKEY_LOCAL_MACHINE.  Below query shows the multiple new entries that we added previously. 

ConfigurationChange
| where RegistryKey == @"HKEY_LOCAL_MACHINE"

10.png

If we want the alert should be triggered whenever any such events occurred then we can create an Alert that is also one of the items in requirements 11.5. Click on the New alert rule and follow the wizard. 

11.png

The triggered alert will be shown in Alets's dashboard of Azure Monitor. It's saying the registry value has changed.

12.png

SecMon team should have deeper look at the alerts and investigate if it's malicious and unauthorized. we can see the details of the alert including the cafeteria of the alert triggered. We can see the query behind the alert.

13.png

There are many more scenarios for alerting, below are a few more queries that we use for more alerting.

ConfigurationChange
| where ConfigChangeType == "Files" and FileSystemPath contains " c:\windows\system32\drivers\"
ConfigurationChange
| where FieldsChanged contains "FileContentChecksum" and FileSystemPath == "c:\windows\system32\drivers\etc\hosts"
ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcName contains "w3svc" and SvcState == "Stopped"
ConfigurationChange
| where ConfigChangeType == "Daemons" and SvcName contains "ssh" and SvcState!= "Running"
ConfigurationChange
| where ConfigChangeType == "Software" and ChangeCategory == "Added"
ConfigurationData
| where SoftwareName contains "Monitoring Agent" and CurrentVersion!= "8.0.11081.0"

Conclusion

We can see all the requirements like identifying and tracking the changes on the registry, file, and services are tracked and in case of any suspicious activity, an alert will be triggered, and hence, PCI DSS requirement 11.5 can be easily achieved by Defender for Cloud's FIM.

Hope this was helpful, contact me on Twitter @sakaldeep for any queries.