Full Report
Enhance your security with Wiz’s new hybrid File Integrity Monitoring (FIM) solution, combining agentless and runtime capabilities for comprehensive file monitoring.
Analysis Summary
This article focuses on the value and implementation of File Integrity Monitoring (FIM), specifically highlighting a hybrid approach combining agentless and runtime (agent-based) monitoring. It does not detail specific malware, attack tools, or threat actor TTPs in the context of an active cyber attack, but rather describes a security control used to *detect* such activities.
# Tool/Technique: File Integrity Monitoring (FIM)
## Overview
File Integrity Monitoring (FIM) is a critical security process that tracks and detects unauthorized changes to files and system configurations. It works by establishing a baseline of critical files and continuously monitoring them for modifications. This is vital because malicious actors frequently tamper with system files during attacks. The described solution implements a modern **hybrid FIM approach**, combining agentless monitoring for broad coverage and runtime (agent-based) monitoring for deep context.
## Technical Details
- Type: Technique / Security Control
- Platform: General enterprise environments, including systems hosting ephemeral containers.
- Capabilities: Establishing baselines, continuous change detection, context-rich runtime monitoring, custom rule creation, automated response actions.
- First Seen: Not applicable (FIM is a mature security concept, though the specific hybrid implementation discussed is modern).
## MITRE ATT&CK Mapping
FIM directly supports defensive capabilities. The relevant adversarial techniques are those FIM is designed to detect:
- **Defense Evasion**
- T1036 - Masquerading
- *FIM detects file modification associated with processes attempting to hide.*
- **Persistence**
- T1543 - Create or Modify System Process
- *FIM flags unauthorized changes to system startup files or services.*
- **Impact**
- T1486 - Data Encrypted for Impact
- *FIM can detect the rapid modification/encryption of critical files.*
- **Discovery**
- T1083 - File and Directory Discovery
- *Detection of unexpected access patterns preceding file modification.*
## Functionality
### Core Capabilities
- **Baseline Establishment:** Creating an initial state for critical files to compare subsequent changes against.
- **Unauthorized Change Alerting:** Identifying any deviation from the established file baseline.
- **Compliance Support:** Simplifying adherence to regulations like PCI-DSS and HIPAA through detailed monitoring records.
- **Agentless Monitoring:** Providing comprehensive coverage across the environment without the overhead of deploying agents everywhere.
### Advanced Features
- **Runtime Context:** Agent-based monitoring provides crucial context, such as identifying the exact actor responsible for a file modification, distinguishing between legitimate system processes and suspicious activity.
- **Ephemeral Container Monitoring:** Runtime monitoring is essential for tracking transient file systems typical of containerized workloads.
- **Custom FIM Rules:** Security teams can define monitoring policies for organization-specific sensitive files (e.g., proprietary data, IP).
- **Automated Response:** Support for creating custom response policies (e.g., automatically terminating processes detected modifying critical files).
## Indicators of Compromise (Not applicable - FIM is a detection control, not malware itself)
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators (What FIM looks for): Unauthorized modification of sensitive files (e.g., password databases, system configuration files, application binaries).
## Associated Threat Actors (Not applicable - FIM is a defensive tool)
- N/A (Its purpose is to detect activity by any threat actor attempting file tampering)
## Detection Methods
- **Signature-based detection:** N/A (FIM relies on integrity checks against a baseline, not signatures).
- **Behavioral detection:** The core function of FIM is behavioral analysis focusing on unauthorized file system manipulation (writing, deleting, changing permissions).
- **YARA rules if available:** N/A
## Mitigation Strategies
- **Implement Hybrid FIM:** Deploy a unified policy that leverages agentless monitoring for breadth and runtime monitoring for depth and context.
- **Define Sensitive File Scope:** Utilize custom FIM rules to specifically monitor files containing customer data, intellectual property, and critical configurations required for compliance.
- **Configure Automated Response:** Implement Threat Detection Rules (TDR) to automatically terminate unauthorized processes detected interacting maliciously with monitored files.
- **Harden System Processes:** Ensure only necessary and validated system processes have write access to critical operating system files.
## Related Tools/Techniques
- Host-based Intrusion Detection Systems (HIDS)
- Application Whitelisting (Complementary control preventing unauthorized execution)
- Cloud Workload Protection Platforms (CWP) utilizing runtime sensors.