Page 1135 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
and should be monitored. It is also possible to grant a user elevated
privileges without giving that user full administrative access (for
example, through sudo rules or delegated rights), so user activity should
be monitored whenever the user holds such elevated privileges, not only
when the user is a full administrator. The following list includes some
examples of privileged operations to monitor.
Accessing audit logs
Changing system time
Configuring interfaces
Managing user accounts
Controlling system reboots
Controlling communication paths
Backing up and restoring the system
Running script/task automation tools
Configuring security mechanism controls
Using operating system control commands
Using database recovery tools and log files
Many automated tools can monitor these activities. When an administrator
or privileged operator performs one of them, the tool logs the event and
can send an alert. Periodic access review audits can also detect misuse of
these privileges after the fact, by comparing who holds each privilege
with who actually used it.
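The following is an added example and is not code from the study guide. It shows how a monitoring tool can apply the list above to the syslog lines that sudo writes for each command run under elevated privileges: each line is parsed, the COMMAND field is matched against the privileged-operation categories, and an alert record is produced. The sample log lines, the host srv01 and the user names are constructed; the command patterns are assumptions for a Linux host and would need tuning for other platforms.

```python
"""Flag privileged operations recorded in sudo log lines.

Added example (not from the study guide). The line format is the one sudo
writes to syslog; the sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# sudo's syslog record: "<ts> <host> sudo[pid]: <user> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+(?P<user>\S+)\s:"
    r".*?USER=(?P<target>\S+)\s;\sCOMMAND=(?P<cmd>.*)$"
)

# Category (from the study guide's list) -> regexes matched against COMMAND.
# The patterns are assumptions for a typical Linux host, not a complete list.
PRIVILEGED_OPS = {
    "Accessing audit logs": [r"/var/log/audit/", r"\bausearch\b", r"\baureport\b"],
    "Changing system time": [r"\bdate\s+-s\b", r"\btimedatectl\s+set-time\b", r"\bhwclock\s+--set"],
    "Configuring interfaces": [r"\bip\s+(link|addr)\b", r"\bifconfig\b", r"\bnmcli\b"],
    "Managing user accounts": [r"\buser(add|mod|del)\b", r"\bpasswd\b", r"\bvisudo\b"],
    "Controlling system reboots": [r"\b(reboot|shutdown)\b", r"\bsystemctl\s+(reboot|poweroff)\b"],
    "Backing up and restoring the system": [r"\brestore\b", r"\brsync\b.*\s/(etc|var)\b"],
    "Running script/task automation tools": [r"\bcrontab\b", r"\bat\s+", r"\bsystemctl\s+enable\b"],
    "Configuring security mechanism controls": [r"\b(iptables|nft|setenforce|auditctl)\b"],
    "Using operating system control commands": [r"\bsysctl\s+-w\b", r"\bmodprobe\b"],
}


@dataclass
class Alert:
    ts: str
    host: str
    user: str      # who invoked sudo
    target: str    # account the command ran as (root, or a delegated account)
    category: str
    cmd: str


def parse_sudo_line(line):
    """Return the fields of a sudo command record, or None for any other line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def classify(cmd):
    """Return every privileged-operation category the command falls into."""
    return [cat for cat, pats in PRIVILEGED_OPS.items()
            if any(re.search(p, cmd) for p in pats)]


def detect(lines):
    """Run the detection over an iterable of log lines and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue  # not a sudo command record (sshd, cron, malformed, ...)
        for cat in classify(rec["cmd"]):
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"],
                                rec["target"], cat, rec["cmd"]))
    return alerts


# Constructed sample log lines (host and users are fictitious).
SAMPLE_LINES = [
    "Jan 12 10:15:02 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup",
    "Jan 12 10:16:40 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/audit/audit.log",
    "Jan 12 10:20:11 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/timedatectl set-time 2018-01-01",
    "Jan 12 10:21:05 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Jan 12 10:22:30 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=backup ; COMMAND=/usr/bin/rsync -a /etc/ /mnt/bkp/etc/",
    "Jan 12 10:23:00 srv01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50022",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(f"{a.ts} {a.host} ALERT [{a.category}] {a.user} as {a.target}: {a.cmd}")
```

The last sudo line runs as the delegated "backup" account rather than root, which is the case the text describes: a user with limited elevated privileges is still monitored, and the backup/restore operation still raises an alert. The apt-get line matches no category and is ignored, so routine administration does not drown the privileged-operation alerts.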
Detecting APTs
Monitoring the use of elevated privileges can also detect advanced
persistent threat (APT) activities. As an example, in late 2017 the U.S.
Department of Homeland Security (DHS) and the Federal Bureau of
Investigation (FBI) released a joint technical alert (TA17-239A)
describing the activities of an APT targeting the energy, nuclear, water,
aviation, and some critical manufacturing sectors, along with some
government entities.
The alert details how attackers infected a single system with a