
Can Your Logs Survive the Intruder?

The case underlines that logs are only useful if they are centralised, protected and detailed enough to guide response during an incident.

On this page

  • The incident questions logs must answer quickly
  • Why local logs can fail after compromise
  • How central retention and tamper protection improve response

Introduction

The Gary McKinnon case is usually remembered for its UFO-related motive, but one of its most durable cybersecurity lessons concerns evidence. Once an attacker has gained access to systems and administrative accounts, the most important question is often not how they got in but whether defenders can still see what happened. US prosecutors alleged that McKinnon accessed and damaged more than 90 military and NASA computers between 2001 and 2002, producing an investigation that depended on reconstructing his activity across many separate networks. [Department of Justice]

For incident responders, logs are only valuable if they survive the incident itself. A compromised machine is no longer a trustworthy source of evidence about its own compromise. The practical lesson is straightforward: organisations need logging that remains available, intact and searchable after an attacker has touched servers, workstations or privileged accounts. Guidance from NIST (SP 800-92) and CISA repeatedly emphasises centralised collection, protection against tampering and enough detail to support an investigation. [NIST SP 800-92]

Can Your Logs Survive the Intruder?

An intrusion creates immediate pressure on responders. Within minutes they may need answers to questions such as the following. [ISACA]

  • Which accounts were used?
  • Which systems were accessed?
  • When did the activity begin?
  • What administrative actions were performed?
  • Did the attacker move laterally to other machines?
  • What data or services were affected?

These questions cannot be answered reliably if the evidence has disappeared. Security logging is therefore not simply a matter of recording events; it is about preserving a trustworthy record that is still available when systems are under attack. NIST SP 800-92 stresses that logs support security monitoring, forensic analysis and incident response across the enterprise. [NIST SP 800-92]

The McKinnon case illustrates why this matters. Investigators dealing with alleged access to more than 90 military and NASA systems had to reconstruct activity across multiple environments rather than examine a single compromised computer. Large-scale incidents quickly become impossible to reconstruct if the records are fragmented or lost. [Department of Justice]

The Incident Questions Logs Must Answer Quickly

During an active intrusion, speed matters. A useful logging strategy prioritises the events most likely to reveal attacker behaviour.

Account and Privilege Activity

Compromised credentials are involved in many major breaches. Logs should clearly record successful and failed logons, privilege escalation, account creation, password changes and administrative actions. Without these records, responders may know that a system was compromised without understanding how control was obtained and kept. CISA's logging guidance for business systems specifically highlights user activity and administrator actions as high-value categories. [CISA]

System Changes

Attackers frequently modify systems after gaining access: installing tools, altering configurations, disabling security software or creating persistence mechanisms. Detailed event records of those changes let responders establish whether a suspicious change occurred before, during or after the compromise, which in turn decides whether a system can be trusted or must be rebuilt. [NIST SP 800-92]

Movement Across the Environment

A single compromised machine is often only the starting point. Centralised logs make it possible to connect events across endpoints, servers, network devices and cloud services: a logon on one host whose source address belongs to another host already in the timeline is the classic trace of lateral movement, and it is only visible when both hosts' records sit side by side. This broader view helps investigators judge whether an incident is isolated or part of a wider campaign. [Industrial Cyber; Huntress]
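To make the correlation concrete, here is an added example that is not from the original article or from any of the cited guidance. It runs over a handful of constructed JSON records of the kind a central collector might hold and answers the first-hour questions listed above: which accounts were used, which systems were touched, when the activity began, which administrative actions occurred and where the intruder moved laterally. It also re-runs the same investigation with the first compromised host's records removed, to show what a wiped local log costs. The field names, event vocabulary and host inventory are assumptions for illustration, not any product's schema.

```python
"""Answer the first-hour incident questions from centrally collected records.

Added example; the records, field names (ts, host, event, user, src, target,
service), host inventory and event vocabulary are all constructed assumptions.
Timestamps are ISO-8601 UTC strings, so lexical order equals time order.
"""
import json

# Constructed sample: newline-delimited JSON as received by a central collector.
CENTRAL_LOG = """\
{"ts": "2024-05-01T02:11:05Z", "host": "web01", "event": "login_failed", "user": "svc_backup", "src": "203.0.113.7"}
{"ts": "2024-05-01T02:11:09Z", "host": "web01", "event": "login_ok", "user": "svc_backup", "src": "203.0.113.7"}
{"ts": "2024-05-01T02:14:30Z", "host": "web01", "event": "privilege_escalation", "user": "svc_backup", "src": "203.0.113.7"}
{"ts": "2024-05-01T02:16:02Z", "host": "web01", "event": "user_created", "user": "svc_backup", "src": "203.0.113.7", "target": "support2"}
{"ts": "2024-05-01T02:20:44Z", "host": "db02", "event": "login_ok", "user": "support2", "src": "10.0.0.11"}
{"ts": "2024-05-01T02:22:10Z", "host": "db02", "event": "service_stopped", "user": "support2", "src": "10.0.0.11", "service": "edr-agent"}
{"ts": "2024-05-01T03:05:19Z", "host": "fs03", "event": "login_ok", "user": "support2", "src": "10.0.0.12"}
{"ts": "2024-05-01T09:00:00Z", "host": "web01", "event": "login_ok", "user": "alice", "src": "10.0.0.50"}
"""

# Assumed asset inventory: which address belongs to which managed host.
HOST_ADDRS = {"web01": "10.0.0.11", "db02": "10.0.0.12", "fs03": "10.0.0.13"}
ADMIN_EVENTS = {"privilege_escalation", "user_created", "service_stopped", "password_changed"}


def parse(text):
    """Parse newline-delimited JSON into a time-ordered list of records."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["ts"])


def without_host(records, host):
    """Simulate losing one host's records (e.g. the intruder wiped its local log)."""
    return [r for r in records if r["host"] != host]


def summarise(records, seed_accounts):
    """Expand from known-bad accounts and answer the incident questions.

    Accounts created by a suspect account are themselves suspect, which is how
    the timeline follows the intruder from the initial credential to a
    persistence account.  Lateral movement is inferred when a suspect logon on
    host B originates from the address of a host A already in the timeline.
    """
    suspect = set(seed_accounts)
    for r in records:
        if r["user"] in suspect and r["event"] == "user_created":
            suspect.add(r["target"])
    timeline = [r for r in records if r["user"] in suspect]

    addr_to_host = {addr: host for host, addr in HOST_ADDRS.items()}
    touched, lateral = set(), []
    for r in timeline:
        origin = addr_to_host.get(r["src"])  # None for external addresses
        if r["event"] == "login_ok" and origin in touched and origin != r["host"]:
            lateral.append((origin, r["host"], r["ts"]))
        touched.add(r["host"])

    return {
        "accounts": sorted(suspect),
        "hosts": sorted(touched),
        "first_seen": timeline[0]["ts"] if timeline else None,
        "admin_actions": [(r["ts"], r["host"], r["event"]) for r in timeline if r["event"] in ADMIN_EVENTS],
        "lateral_movement": lateral,
    }


if __name__ == "__main__":
    records = parse(CENTRAL_LOG)
    for k, v in summarise(records, ["svc_backup"]).items():
        print(f"{k}: {v}")
    # Same investigation with web01's records gone: the link from svc_backup to
    # the persistence account support2 disappears and the timeline is empty.
    print("without web01:", summarise(without_host(records, "web01"), ["svc_backup"]))
```

With all three hosts' records present, the run names both accounts, all three hosts, the 02:11 start and two lateral hops (web01 to db02, db02 to fs03). Drop web01's records and the same query returns one account, no hosts and no start time: the account-creation event that tied `support2` to `svc_backup` lived only on the host the intruder controlled.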


Why Local Logs Can Fail After Compromise

The most common logging mistake is assuming that a machine can safely store evidence about its own compromise.

If an attacker gains administrative control, local logs are at their mercy. Records can be deleted, altered or overwritten, or the logging service can be stopped outright. Even when an attacker makes no deliberate attempt to erase evidence, limited local storage and routine rotation can cause older events to disappear before investigators arrive. NIST identifies protection and management of log data as a core requirement precisely because security records themselves become targets during incidents. [NIST SP 800-92]

There is also a trust problem. Once a system has been compromised, investigators must consider whether local evidence has been manipulated. A missing event may mean either that it never occurred or that someone removed the record, and a local log on its own cannot tell the two apart. That uncertainty slows investigations and complicates recovery decisions.

Modern attackers increasingly use legitimate administrative tools and built-in operating system functions rather than obviously malicious software. The joint guidance on event logging and threat detection notes that these "living off the land" techniques evade simple detection approaches, which makes comprehensive and well-preserved logs even more important. [HIPAA Journal]

How Central Retention and Tamper Protection Improve Response

The strongest defence against log loss is to move records away from the systems generating them.

Central Collection

Centralised logging sends events from servers, endpoints, network devices and applications to a separate repository as they are generated. If one machine is compromised, its records already exist elsewhere. CISA recommends centralising logs because it improves both detection and investigation. [CISA]

Central collection also allows correlation. A suspicious logon on one machine can be linked to network activity, authentication events and administrative actions elsewhere. Patterns that look harmless in isolation become visible when viewed together. [Industrial Cyber; Huntress]

Tamper Resistance

Good log management assumes attackers may try to remove evidence. Organisations therefore increasingly use controls such as:

  • Restricted write access to logging systems.
  • Separate administrative credentials for log platforms.
  • Immutable or write-once storage for critical records.
  • Cryptographic integrity checking.
  • Automated forwarding that occurs immediately after events are generated.

The goal is not to make tampering impossible but to make it detectable and difficult. NIST guidance repeatedly stresses protecting log integrity and securing log information against unauthorised access and modification. [NIST SP 800-92]
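An added example of the "detectable, not impossible" goal, which also addresses the trust problem raised under Why Local Logs Can Fail After Compromise (a missing event versus a removed record). It is not code from the article, from NIST or from CISA. It assumes a collector that alone holds an HMAC key the monitored hosts and their administrators never see, and that the latest chain hash is periodically copied somewhere out of band (the "anchor"). Each record carries a sequence number and the hash of its predecessor, so an altered record, a record deleted from the middle and a truncated tail each leave a distinct, verifiable trace.

```python
"""Tamper-evident log chain: sequence numbers + HMAC hash chain + out-of-band anchor.

Added example, not from the original article.  Assumptions: the collector alone
holds KEY; hosts forward events and cannot rewrite the collector's store; the
latest chain hash is copied out of band (here just a variable) as an anchor.
"""
import hashlib
import hmac

GENESIS = "0" * 64  # "previous hash" of the very first record


def record_mac(key, seq, ts, msg, prev):
    """HMAC over every field that matters, NUL-separated so fields cannot bleed into each other."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (str(seq), ts, msg, prev):
        mac.update(part.encode())
        mac.update(b"\x00")
    return mac.hexdigest()


class ChainedLog:
    """Append-only store as the central collector would keep it."""

    def __init__(self, key):
        self.key = key
        self.records = []
        self.last_hash = GENESIS

    def append(self, ts, msg):
        seq = len(self.records)
        h = record_mac(self.key, seq, ts, msg, self.last_hash)
        rec = {"seq": seq, "ts": ts, "msg": msg, "prev": self.last_hash, "hash": h}
        self.records.append(rec)
        self.last_hash = h
        return rec


def verify(key, records, anchor=None):
    """Return a list of (problem, seq) findings; an empty list means the chain is intact.

    problem codes: "altered"   - content or MAC mismatch (edited, or forged without the key)
                   "gap"       - sequence number jumped (record removed from the middle)
                   "chain"     - prev hash does not match the preceding record
                   "truncated" - final hash differs from the out-of-band anchor (tail removed)
    """
    findings = []
    prev, expected_seq = GENESIS, 0
    for rec in records:
        if rec["seq"] != expected_seq:
            findings.append(("gap", rec["seq"]))
            expected_seq = rec["seq"]
        if rec["prev"] != prev:
            findings.append(("chain", rec["seq"]))
        expected = record_mac(key, rec["seq"], rec["ts"], rec["msg"], rec["prev"])
        if not hmac.compare_digest(expected, rec["hash"]):
            findings.append(("altered", rec["seq"]))
        prev, expected_seq = rec["hash"], expected_seq + 1
    if anchor is not None and prev != anchor:
        findings.append(("truncated", None))
    return findings


def demo_log(key):
    """Four constructed events as a collector might receive them."""
    log = ChainedLog(key)
    events = ["login_ok user=svc_backup", "privilege_escalation user=svc_backup",
              "user_created target=support2", "service_stopped service=edr-agent"]
    for i, msg in enumerate(events):
        log.append(f"2024-05-01T02:1{i}:00Z", msg)
    return log


if __name__ == "__main__":
    key = b"collector-only-secret"  # assumed: never present on monitored hosts
    log = demo_log(key)
    anchor = log.last_hash  # copied out of band
    print("intact:  ", verify(key, log.records, anchor))
    edited = [dict(r) for r in log.records]
    edited[1]["msg"] = "login_ok user=alice"                # rewrite a record in place
    print("edited:  ", verify(key, edited, anchor))
    removed = [r for r in log.records if r["seq"] != 2]     # delete from the middle
    print("removed: ", verify(key, removed, anchor))
    print("tail cut:", verify(key, log.records[:3], anchor))
```

Two limits are worth stating. A cut tail is only visible against the anchor, so the anchor has to live somewhere the collector's own administrators cannot quietly update, which is the reason for the separate credentials and out-of-band storage above. And if the attacker obtains the key they can rewrite the chain consistently; the scheme then degrades to "the anchor still catches it", which is why key custody and write access to the collector are the controls that matter most.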


Out-of-Band Storage

CISA's September 2025 lessons-learned advisory from an incident-response engagement (AA25-266A) goes further, recommending that logs be aggregated in a central, out-of-band location. The idea is simple: if attackers compromise production systems, defenders should still hold an independent copy of the evidence outside the affected environment, one that reaching would require a second, separate compromise. [CISA]

The Practical Policy Lesson

The McKinnon case is frequently discussed in terms of passwords, access controls and vulnerable systems. An equally important lesson is that organisations must plan for the moment when prevention fails.

Usable logs are not merely records of past events. They are a resilience mechanism. They allow responders to reconstruct actions, measure impact, identify affected systems and make informed decisions during a crisis. When logs are centralised, protected and sufficiently detailed, defenders retain visibility even after an attacker has gained a foothold. When logs exist only on the compromised machines, the investigation begins with missing evidence and unanswered questions. [CISA; NIST SP 800-92]


Endnotes

  1. Department of Justice (2002), "London, England Hacker Indicted Under Computer Fraud…". https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm
  2. Department of Justice (2002), "British National Charged with Hacking Into N.J…" (seven-count Virginia indictment charging intrusions into 92 computer systems belonging to the U.S. Army, Navy, A…). https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict2.htm
  3. NIST SP 800-92, Guide to Computer Security Log Management (K. Kent et al., September 2006), PDF. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-92.pdf
  4. NIST CSRC, SP 800-92 (final) publication page. https://csrc.nist.gov/pubs/sp/800/92/final
  5. CISA, "Use Logging on Business Systems". https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/use-logging-on-business-systems
  6. CISA and partners (developed by the Australian Signals Directorate), "Best Practices for Event Logging and Threat Detection" (21 Aug 2024). https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
  7. Huntress, "What Is Centralized Logging?" (3 Oct 2025). https://www.huntress.com/cybersecurity-101/topic/centralized-logging
  8. A. Lamarr (Obsidian Publish), notes on NIST Special Publication 800-92 (14 Apr 2024). https://publish.obsidian.md/addielamarr/NIST%2BSpecial%2BPublication%2B800-92
  9. CISA, "Logging Made Easy (LME)". https://www.cisa.gov/resources-tools/services/logging-made-easy
  10. NIST CSRC, SP 800-92 Rev. 1 (initial public draft), Cybersecurity Log Management Planning Guide (K. Scarfone, 2023). https://csrc.nist.gov/pubs/sp/800/92/r1/ipd
  11. CISA advisory AA25-266A, "CISA Shares Lessons Learned from an Incident Response…" (23 Sep 2025). https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
  12. Indictment, United States v. Gary McKinnon (E.D. Va.), PDF. https://www.justice.gov/archive/usao/nj/Press/files/pdffiles/Older/edva_mckinnon_indictment.pdf
  13. NIST CSRC, Log Management project page (28 Apr 2021). https://csrc.nist.gov/projects/log-management
  14. NIST SP 800-92 Rev. 1 (ipd), Cybersecurity Log Management Planning Guide (11 Oct 2023), PDF. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-92r1.ipd.pdf
  15. csrc.nist.rip mirror of SP 800-92, Guide to Computer Security Log Management (September 2006), PDF. https://csrc.nist.rip/publications/nistpubs/800-92/SP800-92.pdf
  16. csrc.nist.rip mirror of the Log Management project page (28 Apr 2021). https://csrc.nist.rip/Projects/log-management
  17. Huntress, "What is Log Management in Cybersecurity" (3 Oct 2025). https://www.huntress.com/cybersecurity-101/topic/log-management
  18. Industrial Cyber, "Transnational cybersecurity agencies release guide on…" (26 Aug 2024). https://industrialcyber.co/cisa/transnational-cybersecurity-agencies-release-guide-on-event-logging-best-practices/
  19. The HIPAA Journal, "CISA & Partners Issue Guidance & Best Practices for Event…" (22 Aug 2024). https://www.hipaajournal.com/guidance-best-practices-for-event-logging-threat-detection/
  20. Wikipedia, "Gary McKinnon" (indicted by a federal grand jury in the Eastern District of Virginia, November 2002). https://en.wikipedia.org/wiki/Gary_McKinnon
  21. LAWS.com, "Gary McKinnon" (22 Dec 2019). https://criminal.laws.com/gary-mckinnon
  22. GOV.UK, "Latest on Gary McKinnon case" (4 Nov 2010). https://www.gov.uk/government/news/latest-on-gary-mckinnon-case

Additional References

  1. Guinness World Records, "Biggest military computer hack". https://guinnessworldrecords.de/world-records/90133-biggest-military-computer-hack
  2. SlideShare, "NIST 800-92 Log Management Guide in the Real World". https://www.slideshare.net/slideshow/nist-80092-log-management-guide-in-the-real-world/172260
  3. CISA (Facebook video), "Over 3,000 downloads and counting! CISA's Logging Made Easy (LME)…". https://www.facebook.com/CISA/videos/over-3000-downloads-and-countingcisas-logging-made-easy-lme-is-a-no-cost-logging/1206529520981869/
  4. American Hospital Association, "CISA releases guidance on best practices for event logging…" (6 Sep 2024). https://www.aha.org/news/headline/2024-09-06-cisa-releases-guidance-best-practices-event-logging-and-cyberthreat-detection
  5. ResearchGate, NIST Special Publication 800-92, Guide to Computer Security Log Management (mirror, 28 Dec 2018). https://www.researchgate.net/publication/329973435_NIST_Special_Publication_800-92_Guide_to_Computer_Security_Log_Management
  6. ISACA Journal, "Log Management as an Enabler for Data Protection and Automated Threat Detection" (5 Jul 2023). https://www.isaca.org/resources/isaca-journal/issues/2023/volume-4/log-management-as-an-enabler-for-data-protection-and-automated-threat-detection
  7. YouTube, "CISA's Logging Made Easy (LME)". https://www.youtube.com/watch?v=AZFV6ZOLg7s
  8. YouTube, "The Man Who Hacked the U.S. Government". https://www.youtube.com/watch?v=ND0zQX1rGdg
  9. Nextgov, "CISA Tells Agencies What to Prioritize to Meet…" (27 Feb 2023). https://www.nextgov.com/cybersecurity/2023/02/cisa-tells-agencies-what-prioritize-meet-cybersecurity-log-mandate/383333/
  10. iTnews, "Profile: Gary McKinnon mastermind behind US military hack" (4 Jun 2007). https://www.itnews.com.au/feature/profile-gary-mckinnon-mastermind-behind-us-military-hack-82789
