The ‘Living off the Land’ cyber security problem
Given the recent high-profile news from the UK Government regarding suspected state-sponsored cyber attacks, as well as a raft of dramatic advisories from the likes of the NCSC centred around the ‘Living off the Land’ (LOTL) attack technique, why does LOTL seem so hard for cyber security teams to handle?
Here are a few likely reasons…
- Finding a needle in a haystack: Organisations struggle to sift massive amounts of log data, making it difficult to identify the relatively small signs of malicious LOTL activity. Default logging configurations often lack the detail needed.
- Security in silos: Security teams working separately from IT teams often create communication gaps. This can hinder the ability to spot suspicious activity within normal IT workflows.
- Blinded by the baseline: Many organisations lack established baselines for network activity and user behaviour, and this makes it hard to distinguish normal behaviour from malicious LOTL. Without a clear understanding of “normal”, how are you expected to identify the “abnormal” that can indicate an attack?
- Blunt tools: Out-of-date security tools, or badly tuned Endpoint Detection and Response (EDR) systems that over-rely on very specific Indicators of Compromise (IOCs), can be very ineffective against LOTL attacks. Attackers can easily evolve their tactics, leaving defenders without proper alerts.
- No smoking guns: Unlike some traditional cyber attacks, LOTL activity often lacks clear warning signs. This absence of the obvious “smoking gun” makes it incredibly challenging for network defenders to identify, track, and categorise malicious behaviour.
OK, so it all reads pretty grim. What can we do to mitigate LOTL?
- Maintain baselines for network, user and application activity: Provide a clear picture of “normal use” for easier anomaly detection. In parallel, harden systems following vendor recommendations, and implement the principle of least privilege to limit potential attacker access.
- Prevent log tampering: Implement detailed logging and aggregate logs in a secure, centralised location, ensuring they are set to “write once”. This prevents attackers from tampering with evidence and allows for safer analysis.
- Build or acquire automated machine learning models: These can continuously review centralised logs, comparing current activities against established baselines and generating alerts for suspicious anomalies.
- Use Behaviour Analytics: Analyse user and device behaviour patterns. This can help identify deviations in use that could indicate LOTL activity.
- Enhance network segmentation: Segmentation across IT and operational technology (OT) networks to limit attacker movement and potential damage is a must. Monitor each segment closely for suspicious activity.
- Implement application allow-listing: Restrict systems and users to only authorised applications. This can help prevent attackers from leveraging legitimate programs for malicious purposes.
- Monitor the use of common Living-Off-the-Land Binaries (LOLBins).
- Implement strong authentication and authorisation: This stands to reason. Set strong authentication and authorisation techniques for all interactions between users, systems, and software, regardless of location within the network.
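An added example (not from the original post) of how the baselining and LOLBin-monitoring items in the list above combine in practice: it builds a baseline of (user, parent process, child process) combinations from a constructed known-good window of process-creation events, then flags any execution of a watch-listed binary that falls outside that baseline. The CSV log format, host and user names, and the short LOLBin watch-list are all constructed assumptions, not data from the post.

```python
import csv
from io import StringIO

# Constructed sample of process-creation events (not from the original post).
# Columns: timestamp,host,user,parent,process
BASELINE_LOG = """timestamp,host,user,parent,process
2024-03-01T09:00:00,ws01,alice,explorer.exe,outlook.exe
2024-03-01T09:05:00,ws01,alice,explorer.exe,excel.exe
2024-03-01T10:00:00,ws02,svc_backup,services.exe,robocopy.exe
2024-03-01T10:10:00,ws02,svc_backup,cmd.exe,certutil.exe
"""

CURRENT_LOG = """timestamp,host,user,parent,process
2024-03-02T09:01:00,ws01,alice,explorer.exe,outlook.exe
2024-03-02T09:07:00,ws01,alice,winword.exe,certutil.exe
2024-03-02T10:12:00,ws02,svc_backup,cmd.exe,certutil.exe
2024-03-02T11:30:00,ws01,alice,winword.exe,excel.exe
"""

# Illustrative watch-list of signed system binaries that are commonly abused
# (a constructed, deliberately short selection; a real deployment would
# maintain a fuller, curated list).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}


def build_baseline(log_text):
    """Return the set of (user, parent, process) triples seen in the known-good window."""
    return {(r["user"], r["parent"], r["process"]) for r in csv.DictReader(StringIO(log_text))}


def detect_lolbin_anomalies(log_text, baseline):
    """Flag watch-listed binaries run under a (user, parent, process) combination
    that never appeared in the baseline; baselined LOLBin use (e.g. a backup
    service account calling certutil.exe from cmd.exe) is left alone."""
    alerts = []
    for r in csv.DictReader(StringIO(log_text)):
        key = (r["user"], r["parent"], r["process"])
        if r["process"].lower() in LOLBINS and key not in baseline:
            alerts.append({"timestamp": r["timestamp"], "host": r["host"],
                           "user": r["user"], "parent": r["parent"],
                           "process": r["process"]})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for alert in detect_lolbin_anomalies(CURRENT_LOG, baseline):
        print("ALERT: unbaselined LOLBin execution", alert)
```

The same structure generalises to any event source that exposes a parent/child relationship; the value of the check comes from the baseline being built from a clean window, which is why the post pairs it with write-once centralised logging.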