Chapter 6: Security & Risks
Threat model, attack surface analysis, risk mitigation controls, and residual risk acceptance
6.1 Threat Model Overview
The threat model for a log security system must account for adversaries who are motivated to tamper with, destroy, or suppress log evidence. Unlike most security systems where the goal is to protect data from unauthorized access, log security systems face the additional challenge of protecting data from authorized users — specifically, the IT administrators and security personnel who have legitimate access to the infrastructure. The threat model therefore places particular emphasis on insider threats and privilege abuse scenarios.
The threat model identifies eight primary threat categories, each representing a distinct attack vector against the evidence chain. Three threats are rated Critical because successful exploitation would directly compromise the admissibility or completeness of log evidence. Four threats are rated High because they could enable evidence manipulation if combined with other vulnerabilities. One threat is rated Medium because it affects availability rather than integrity. The controls described in Section 6.2 address each threat category with one or more countermeasures.
6.2 Threat Analysis and Controls
The following analysis addresses each of the eight threat categories identified in the threat model, describing the attack scenario, the potential impact on evidence integrity, and the primary technical and procedural controls that mitigate the risk.
| Threat | Severity | Attack Scenario | Impact | Primary Controls | Residual Risk |
|---|---|---|---|---|---|
| Insider Privilege Abuse | Critical | Admin with storage access deletes or modifies log files to cover tracks | Evidence destruction; compliance failure | WORM lock; SoD (ops ≠ audit); dual approval for admin actions; admin audit store | Low (requires compromise of multiple controls) |
| Storage Tampering | Critical | Attacker with physical/API access modifies stored log segments | Undetected evidence alteration | WORM/Object Lock; hash chain; integrity verification; HSM-signed manifests | Very Low (detectable via hash chain) |
| Key Compromise | Critical | Signing or encryption keys extracted from software key store | Forged signatures; decryption of all logs | HSM FIPS 140-2 L3; key ceremony dual control; key rotation; HSM audit log | Low (HSM prevents key extraction) |
| Network Interception | High | MitM attack intercepts log stream between collector and gateway | Log suppression; content modification | mTLS 1.3; certificate pinning; network segmentation; IDS monitoring | Low (mTLS prevents MitM) |
| Clock Manipulation | High | Attacker manipulates system clock to create false timestamps | Timeline confusion; alibi creation | GPS-disciplined NTP; drift monitoring; collector-side timestamp; dual timestamp | Medium (requires NTP server compromise) |
| Replay Attack | High | Attacker replays old log segments to flood or confuse the evidence store | Evidence dilution; storage exhaustion | Sequence numbers; deduplication; rate limiting; hash chain continuity check | Low (sequence numbers detect replays) |
| Supply Chain Attack | High | Malicious firmware or software in collector appliance exfiltrates or modifies logs | Covert evidence manipulation | Secure boot; firmware signing; TPM attestation; vendor security assessment | Medium (difficult to fully eliminate) |
| Denial of Service | Medium | Flood attack overwhelms collector or ingest gateway, causing log loss | Log gaps; compliance failure | Rate limiting; local buffering; HA architecture; capacity headroom (2× peak) | Low (buffering prevents loss during attacks) |
6.3 Defense-in-Depth Controls
The defense-in-depth strategy applies multiple independent controls at each layer of the evidence chain, ensuring that no single control failure can compromise evidence integrity. The controls are organized into four layers: cryptographic controls (hash chains, signatures, encryption), access controls (RBAC, SoD, dual approval), physical controls (WORM storage, HSM, tamper seals), and operational controls (monitoring, alerting, periodic verification).
Layer 1: Cryptographic Controls
SHA-256 hash chains link every log segment to its predecessor, making any modification detectable. ECDSA P-384 signatures on verification manifests provide non-repudiation. AES-256-GCM encryption protects confidentiality. All cryptographic keys are stored in FIPS 140-2 Level 3 HSMs.
Layer 2: Access Controls
Role-based access control enforces separation of duties between operators, security analysts, and auditors. Dual approval is required for all administrative actions on the vault. MFA is mandatory for all access to the audit zone. All access events are logged to an immutable admin audit store.
Layer 3: Physical Controls
WORM storage locks prevent deletion or modification at the storage platform level, independent of software controls. HSM appliances provide tamper-evident physical protection for signing keys. Tamper-evident seals on vault hardware provide visual evidence of unauthorized physical access.
Layer 4: Operational Controls
Continuous integrity monitoring verifies the hash chain of all stored segments on a scheduled basis. NTP drift monitoring detects clock manipulation attempts. Capacity monitoring ensures buffer headroom is maintained. Periodic penetration testing validates the effectiveness of all controls.