Transnational cybersecurity agencies publish joint guidance on identifying, mitigating living-off-the-land techniques

Global cybersecurity agencies published Wednesday joint guidance that provides threat detection information and mitigations applicable to ‘living-off-the-land’ (LOTL) activity, regardless of the threat actor behind it. Many organizations do not implement the security best-practice capabilities that support detection of LOTL, so the technique continues to be effective with little to no investment in tooling by malicious cyber actors. The guidance lists several observed network defense weaknesses that make it difficult for IT administrators to distinguish malicious activity from legitimate behavior, even in organizations with more mature cyber postures.

Titled, ‘Identifying and Mitigating Living Off the Land Techniques,’ the document is based on previously published products, red team assessments, and/or observations from incident response activities at critical infrastructure organizations, including those compromised by the PRC state-sponsored cyber group known as Volt Typhoon.

The guidance has been co-authored by CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Energy (DOE); Environmental Protection Agency (EPA); Transportation Security Administration (TSA); Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC); Canadian Centre for Cyber Security (CCCS) a part of the Communications Security Establishment (CSE);  U.K. National Cyber Security Centre (NCSC-UK); and New Zealand National Cyber Security Centre (NCSC-NZ). 

These global security agencies also published Wednesday a cybersecurity advisory that focuses on the malicious activities carried out by a state-sponsored cyber actor from the People’s Republic of China (PRC) known as Volt Typhoon. The advisory emphasizes the need for urgent action to protect critical infrastructure from compromise and from the maintenance of persistent access by the actor.

The document identified that LOTL is particularly effective because many organizations lack effective security and network management practices, such as established baselines, that support the detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavioral analytics, anomaly detection, and proactive hunting. 

It also reveals a general lack of conventional indicators of compromise (IOCs) associated with the activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior. It also enables cyber threat actors to avoid investing in developing and deploying custom tools.

Even for organizations adopting best practices, distinguishing malicious LOTL activity from legitimate behavior is challenging because network defenders often operate in silos separate from IT teams and their operational workflows; and rely predominantly on untuned endpoint detection and response (EDR) systems, which may not alert to LOTL activity, and discrete IOCs that attackers can alter or obfuscate to avoid detection. 

They may also maintain default logging configurations, which do not comprehensively log indicators of LOTL techniques or sufficiently detailed information to differentiate malicious activity from legitimate IT administrative activity; and have difficulty in identifying a relatively small volume of malicious activity within large volumes of log data.

The guidance document recommends that software manufacturers reduce the prevalence of exploitable flaws in software that enable LOTL. Software defects or ‘unsecure’ default configurations often allow cyber threat actors to carry out malicious cyber activity using LOTL techniques. 

“The authoring agencies strongly encourage software manufacturers to take ownership of their customers’ security outcomes by applying the secure by design recommendations in this guide and in CISA’s joint secure by design guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,” it outlined. 

Technology manufacturers can reduce the effectiveness of LOTL techniques by producing products that are secure by design, including by disabling or removing unnecessary protocols by default; limiting network reachability to the extent feasible; and limiting processes and programs running with elevated privileges. They must also enable phishing-resistant MFA as a default feature; provide high-quality secure logging at no additional charge beyond processing and storage costs, eliminate default passwords and credentials when installing software; and limit or remove dynamic code execution.

The authoring agencies urge critical infrastructure organizations to apply prioritized best practices and detection guidance to hunt for potential LOTL activity. These recommendations are part of a multifaceted cybersecurity strategy that enables effective data correlation and analysis. There is no foolproof solution to prevent or detect LOTL activity fully, but by applying these best practices organizations can best position themselves for more effective detection and mitigation. 

The agencies identified that detection best practices include implementing detailed logging and aggregate logs in an out-of-band, centralized location that is write-once, read-many to avoid the risk of attackers modifying or erasing logs. They also recommend establishing and continuously maintaining baselines of network, user, administrative, and application activity and least privilege restrictions.

Additionally, the guidance suggests building or acquiring automation (such as machine learning models) to continually review all logs, compare current activities against established behavioral baselines, and alert on specified anomalies. It also proposes reducing alert noise by fine-tuning via priority (urgency and severity), continuously reviewing detections based on trending activity, and leveraging user and entity behavior analytics (UEBA).

When it comes to hardening best practices, the latest document suggests applying and consulting vendor-recommended guidance for security hardening; implementing application allowlisting and monitoring use of common LOLBins; enhancing IT and OT network segmentation and monitoring; and implementing authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.

The guidance recognizes that LOTL detection requires organizations to undertake contextual analyses of multiple data sources to identify command executions, file interactions, privilege escalations, and other network activities that differ from normal administrative actions. Implementing these recommendations depends on each organization’s risk landscape and resource capabilities. However, establishing and maintaining an infrastructure that collects and organizes data for defenders is essential for detecting LOTL techniques.

Network defenders must implement the prioritized detection and hardening recommendations to enable behavior analytics, anomaly detection, and proactive hunting. This includes comprehensive, verbose logging, with logs aggregated in an out-of-band, centralized location where adversaries cannot tamper with them, and establishing and continuously maintaining a baseline of installed tools and software, account behavior, and network traffic. With such a baseline, network defenders can identify potential outliers that may indicate malicious activity.

The guidance also calls for the use of automation to continually review all logs and increase the efficiency of hunting activities, reduce alert noise, and leverage user and entity behavior analytics (UEBA) to analyze and correlate activities across multiple data sources, to identify potential security incidents that may be missed by traditional tools, and to profile and monitor user behavior, detecting insider threats or compromised accounts.
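The baseline-and-compare approach described in the logging, baselining, and automation paragraphs above can be shown concretely with a small hunt over process-creation events. The following is an added example, not code from the guidance or its authoring agencies. It assumes Sysmon/EDR-style process-creation events have already been forwarded to a central store as JSON lines with the fields host, user, image, cmdline and parent; the LOLBin list, the two command-line heuristics, and all log lines are constructed for illustration and are not a complete catalogue. A known-good window is used to build a per-(host, user) baseline of which binaries each account normally runs, and later events are flagged when a LOLBin appears outside that baseline or when a command line matches a high-signal pattern.

```python
"""Behavioral baselining of process-creation events to surface LOTL activity.

Added example (not from the joint guidance). Assumes events already
forwarded to a central log store as JSON lines with the fields
host, user, image, cmdline, parent. LOLBIN list, heuristics and
sample events are illustrative constructions.
"""
import json
import re
from collections import defaultdict

# Illustrative subset of Windows binaries commonly abused for LOTL (assumed list).
LOLBINS = {"ntdsutil.exe", "wmic.exe", "netsh.exe", "powershell.exe",
           "certutil.exe", "reg.exe", "vssadmin.exe"}

# Assumed high-signal command-line heuristics, applied to the full command line.
CMDLINE_HEURISTICS = {
    "ntdsutil-ifm-dump": re.compile(r"ntdsutil.*\bifm\b", re.I),
    "netsh-portproxy": re.compile(r"netsh.*\bportproxy\b", re.I),
    "certutil-urlcache": re.compile(r"certutil.*-urlcache", re.I),
}

# Constructed sample: the known-good window used to build the baseline.
BASELINE_EVENTS = r"""
{"host":"DC01","user":"CORP\\svc-backup","image":"vssadmin.exe","cmdline":"vssadmin list shadows","parent":"cmd.exe"}
{"host":"DC01","user":"CORP\\svc-backup","image":"vssadmin.exe","cmdline":"vssadmin list shadows","parent":"cmd.exe"}
{"host":"WS042","user":"CORP\\alice","image":"powershell.exe","cmdline":"powershell -File C:\\scripts\\inventory.ps1","parent":"explorer.exe"}
{"host":"WS042","user":"CORP\\alice","image":"powershell.exe","cmdline":"powershell -File C:\\scripts\\inventory.ps1","parent":"explorer.exe"}
"""

# Constructed sample: a later window to hunt over.
NEW_EVENTS = r"""
{"host":"WS042","user":"CORP\\alice","image":"powershell.exe","cmdline":"powershell -File C:\\scripts\\inventory.ps1","parent":"explorer.exe"}
{"host":"DC01","user":"CORP\\helpdesk7","image":"ntdsutil.exe","cmdline":"ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\x\" q q","parent":"cmd.exe"}
{"host":"WS042","user":"CORP\\alice","image":"netsh.exe","cmdline":"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.1.1.5 connectport=8443","parent":"cmd.exe"}
{"host":"WS042","user":"CORP\\alice","image":"wmic.exe","cmdline":"wmic process list brief","parent":"cmd.exe"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Map (host, user) -> set of lower-cased image names seen in the known-good window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[(ev["host"], ev["user"])].add(ev["image"].lower())
    return baseline


def score_event(ev, baseline):
    """Return a list of finding labels for one event; an empty list means it matches baseline."""
    findings = []
    image = ev["image"].lower()
    key = (ev["host"], ev["user"])
    # A (host, user) pair never seen in the baseline has an empty expected set,
    # so any LOLBin it runs is flagged rather than silently accepted.
    if image in LOLBINS and image not in baseline.get(key, set()):
        findings.append(f"new-lolbin:{image}")
    for name, pattern in CMDLINE_HEURISTICS.items():
        if pattern.search(ev["cmdline"]):
            findings.append(name)
    return findings


def hunt(baseline_text, new_text):
    """Build the baseline from one window and return alerts for events in a later window."""
    baseline = build_baseline(parse_events(baseline_text))
    alerts = []
    for ev in parse_events(new_text):
        findings = score_event(ev, baseline)
        if findings:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "image": ev["image"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in hunt(BASELINE_EVENTS, NEW_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed windows, the repeat of alice's inventory script on WS042 is silent because it matches her baseline, while the ntdsutil ifm run by a helpdesk account on the domain controller, the netsh portproxy on the workstation, and the first-seen wmic execution each produce an alert. The baseline keyed on (host, user) is what lets an otherwise ordinary administrative binary stand out when the wrong account runs it on the wrong machine; in production the baseline window would be built from the centralized, tamper-resistant log store the guidance calls for rather than from an inline string.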

The document also suggests applying hardening guidance to strengthen software and system configurations based on vendor-provided or industry, sector, or government hardening guidance to reduce the attack surface. It also calls for implementing application allowlisting to constrain the execution environment and configure allowlisting for business roles; enhancing network segmentation and monitoring to limit lateral movement possibilities for threat actors; and implementing authentication controls. 

Additionally, the authoring agencies recommend that network defenders better position themselves to mitigate LOTL techniques by exercising due diligence when selecting software, devices, cloud service providers, and managed service providers. They must also audit remote access software and its configuration on devices on the network to identify the remote access software currently in use and/or authorized. Furthermore, they must limit the exposure of defensive configurations and restrict outbound internet connectivity.
