Insufficient Logging
Category: Monitoring & Operational Security
Severity: Medium
MITRE ATT&CK Mapping: T1562.006 (Impair Defenses: Indicator Blocking)
Description
Inadequate logging of security events, user activities, and system operations, creating blind spots that can hide malicious activities and impair incident response capabilities.
Technical Details
Attack Vector
- Missing security event logging
- Incomplete activity tracking
- Insufficient log detail
- Selective logging bypass
Common Techniques
- Exploiting logging gaps
- Operating in unlogged areas
- Avoiding logged activities
- Minimizing log footprint
Impact
- Detection Evasion: Malicious activities going undetected
- Forensic Limitations: Insufficient data for incident investigation
- Compliance Violations: Failure to meet logging requirements
- Security Visibility Loss: Reduced understanding of security posture
Detection Methods
Log Analysis
- Analyze log coverage and completeness
- Identify logging gaps and blind spots
- Monitor log generation patterns
- Assess log quality and detail
Security Monitoring
- Monitor security event coverage
- Track logging system performance
- Detect logging failures
- Analyze monitoring effectiveness
Mitigation Strategies
Logging Enhancement
- Implement comprehensive logging
- Use structured logging formats
- Deploy centralized logging systems
- Monitor logging effectiveness
Security Monitoring
- Implement security event monitoring
- Use log aggregation systems
- Deploy real-time monitoring
- Monitor system activities
Real-World Examples
Example 1: Missing Authentication Logging
# Insufficient authentication logging
def authenticate_user(username, password):
if verify_credentials(username, password):
# Missing success logging
return create_session(username)
else:
# Missing failure logging
return None
# Should log both success and failure
def authenticate_user_secure(username, password):
if verify_credentials(username, password):
logger.info(f"Authentication successful for user: {username}")
return create_session(username)
else:
logger.warning(f"Authentication failed for user: {username}")
return None
Example 2: Incomplete API Request Logging
# Insufficient API logging
def handle_api_request(request):
# Only logs endpoint, missing critical details
logger.info(f"API request to {request.endpoint}")
return process_request(request)
# Should log comprehensive request details
def handle_api_request_secure(request):
logger.info({
"event": "api_request",
"endpoint": request.endpoint,
"method": request.method,
"user": request.user,
"ip": request.remote_addr,
"timestamp": time.time(),
"parameters": request.params
})
return process_request(request)
Example 3: Missing Error Logging
# Insufficient error logging
def process_tool_request(tool_name, params):
try:
return execute_tool(tool_name, params)
except Exception as e:
# Silent failure - no logging
return {"error": "Tool execution failed"}
# Should log errors with context
def process_tool_request_secure(tool_name, params):
try:
return execute_tool(tool_name, params)
except Exception as e:
logger.error({
"event": "tool_execution_error",
"tool": tool_name,
"error": str(e),
"parameters": params,
"timestamp": time.time()
})
return {"error": "Tool execution failed"}
References & Sources
- Red Hat - “Model Context Protocol (MCP): Understanding security risks and controls”
- Cisco - “AI Model Context Protocol (MCP) and Security”
Related TTPs
Insufficient logging creates significant security visibility gaps that can hide malicious activities and impair incident response capabilities.