CompTIA Security+ Exam Notes

CompTIA Security+ Exam Notes
Let Us Help You Pass

Thursday, February 12, 2026

File Integrity Monitoring Explained: How It Works and Why It Matters

 File Integrity Monitoring (FIM) 

File Integrity Monitoring (FIM) is a security control that detects unauthorized or unexpected changes to critical system files. It is used to identify suspicious activity, such as malware installation, privilege‑escalation attempts, configuration tampering, data manipulation, or attacker-persistence techniques.

At its core, FIM answers three essential questions:

  • What changed? (file, registry key, configuration, system object)
  • When did it change? (timestamp, event sequence)
  • Who or what made the change? (user account, process, system service)

Why FIM Matters

Attackers rarely compromise a system without leaving traces. Even “fileless” attacks eventually modify something persistent — a configuration file, a scheduled task, a registry entry, or a dropped payload.

FIM helps security teams:

  • Detect intrusions early
  • Identify tampering with security configurations
  • Comply with regulatory standards (PCI‑DSS, HIPAA, SOX, NIST, CIS)
  • Monitor insider threats
  • Maintain system baselines & change control discipline

How FIM Works (Step-by-Step)

1. Baseline Creation

When FIM is first deployed, it scans and records a “known-good state” of monitored files.

This baseline includes:

  • Cryptographic hashes (SHA‑256, SHA‑512)
  • File permissions
  • Ownership
  • Size
  • File attributes (hidden, read-only, etc.)
  • System Access Control Lists (SACLs)
  • Timestamps (creation, modification, access)

This baseline represents the trusted state.

2. Continuous Monitoring

FIM then continuously (or periodically) watches for:

  • File modifications
  • Deletions
  • Additions
  • Permission changes
  • Ownership changes
  • Registry alterations (on Windows)

Depending on the implementation, this can be:

  • Real‑time monitoring – uses kernel notifications, audit logs, or OS event hooks.
  • Scheduled scans – periodically re-hashes files and compares them to the baseline.

3. Change Detection

When changes occur, FIM evaluates:

  • Was the change authorized? (e.g., system patching, admin maintenance)
  • Was it suspicious or unexpected? (could indicate compromise)

Changes trigger alerts with details such as:

  • File name and path
  • Before vs. after hash values
  • User account making the change
  • Process responsible (e.g., PowerShell.exe, unknown binary)
  • Timestamp and event sequence

4. Logging & Alerting

FIM integrates with:

  • SIEM platforms (Splunk, Sentinel, QRadar)
  • EDR/XDR platforms
  • Compliance dashboards
  • SOC alerting systems

Alerts can be enriched with threat intelligence to determine if the modification correlates with known malicious behaviors.

What Files Are Typically Monitored?

Critical system files

  • OS executables
  • Kernel modules
  • Boot loaders
  • Driver files

Security configuration files

  • Firewall rules
  • PAM configurations
  • Authentication/authorization settings
  • Audit policies

Application & server configurations

  • Web server config (Apache, NGINX, IIS)
  • Database configs
  • Application settings files

Sensitive data files

  • Financial data
  • Customer data
  • PII/PHI
  • Encryption keys

Logs (in some cases)

Although logs are expected to change, FIM monitors suspicious tampering (e.g., deletions or timestamp manipulation).

Types of FIM

1. Host-based FIM

Runs on individual servers or endpoints.

Examples:

  • Microsoft Defender (with ASR & auditing)
  • Tripwire
  • OSSEC / Wazuh
  • AIDE (Linux)

2. Network-based FIM

  • Centralizes monitoring from multiple hosts.
  • Useful for large enterprise environments.

FIM vs. Change Control Systems

While Change Control manages authorized modifications (patching, updates, deployments), FIM detects all changes, authorized or not.

Good security design integrates FIM with change management so the system can automatically suppress alerts for approved updates and flag unauthorized ones.

Benefits of File Integrity Monitoring

Early breach detection

  • Unexplained file changes are often the first sign of compromise.

Compliance enforcement

  • Many standards explicitly require FIM, including PCI‑DSS 11.5.

Protects critical systems

Stops or flags:

  • Backdoor installation
  • Unauthorized configuration changes
  • Rootkit-like behavior
  • Tampering with identity or authentication mechanisms

Reduces attacker dwell time

Helps detect stealthy post‑exploitation actions early.

What FIM Does Not Do

FIM is not:

  • Antivirus
  • Patch management
  • A full EDR solution
  • An access control system

It complements these tools.

Summary

File Integrity Monitoring (FIM) is a foundational security control that continuously checks critical files for unauthorized changes by comparing them to a known-good baseline. It provides essential visibility, flags suspicious modifications, enhances compliance, and reduces the time an attacker can remain undetected.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)