
Living off the land: CISA issues guidance on detection
Special-operations forces operating deep in enemy territory are trained to live off the land. This refers not only to foraging or stealing food and water, but also to appropriating, repurposing, and leveraging the enemy’s tools, equipment, and weapons to achieve mission objectives.
In the context of cybersecurity, living off the land (LOTL) refers to an increasingly common cyberattack technique in which attackers, once they have infiltrated a target network, gain access to legitimate IT administration tools and use them to carry out malicious activities.
Joint guidance from CISA, FBI, and others
On February 7 this year, multiple government agencies published a document entitled “Joint Guidance: Identifying and Mitigating Living Off the Land Techniques.” Jointly authored by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and a long list of other US, Australian, Canadian, UK, and New Zealand government security and cybersecurity agencies, the document goes into great detail about LOTL techniques, why they are increasingly popular, and why they can be extremely difficult to detect.
The document points to three chief reasons for the effectiveness and increasing popularity of LOTL techniques:
- The widespread lack of security and network-management practices that would allow organizations to detect anomalous and potentially malicious activity carried out with legitimate admin tools and processes.
- The fact that, so far, there is no conventional list of indicators of compromise (IOCs) associated with LOTL activities.
- The fact that LOTL lets threat actors launch attacks without developing and deploying custom tools, which makes attacks easier and faster to carry out.
Additionally, it lists organizational structures and practices that make it especially challenging to detect LOTL activity, even for organizations following security best practices:
- Cybersecurity personnel often operate in silos separate from IT teams.
- Security teams often rely primarily on endpoint detection systems, which are unlikely to alert on LOTL activities.
- System logs are generally left in their default configuration, which means that LOTL techniques may not be logged at all, and the logging information that is captured may be insufficiently detailed to distinguish malicious use of admin tools from legitimate use.
- The sheer volume of relevant log data compared to the small number of logged malicious activities makes detection even more difficult.
From China to your local cybergang
Interestingly, the guidance document is based on an earlier advisory issued by CISA in May 2023, entitled “People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.” And it was published alongside another advisory entitled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.”
These advisories focus on the activities of Volt Typhoon (aka Insidious Taurus), a Chinese state-sponsored cybercriminal organization. According to the FBI and other agencies, this group has been using LOTL techniques to dwell undetected in a variety of critical US infrastructure systems. The theory is that they are pre-positioning cyber assets in order to be ready to sow chaos and damage infrastructure in case of a major crisis or conflict between China and the US.
However, these techniques are increasingly being seen in use by a growing number of cybercriminals. As stated in the Summary section of the joint guidance document, “the authoring agencies are releasing this joint guide for network defenders (including threat hunters) as the malicious use of LOTL techniques is increasingly emerging in the broader cyber threat environment.”
So although the initial guidance regarding LOTL was primarily directed at organizations running critical infrastructure systems, it’s clear that the guidance provided here is important for anyone involved in cybersecurity.
Best practices to mitigate LOTL activity
The most recent advisory opens with a list of actions to be taken immediately “to mitigate Volt Typhoon activity”:
- Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
- Implement phishing-resistant MFA.
- Ensure logging is turned on for application, access, and security logs and store logs in a central system.
- Plan “end of life” for technology beyond manufacturer’s supported lifecycle.
However, these are only an initial, emergency-level set of actions. The joint guidance document lists a set of best practices for detection, along with a separate set of best practices for hardening systems against LOTL techniques. In summary form, these are:
Detection best practices:
- Implement detailed logging and aggregate logs in an out-of-band, centralized location that is write-once, read-many to avoid the risk of attackers modifying or erasing logs.
- Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.
- Build or acquire automation (such as machine learning models) to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.
- Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.
- Leverage user and entity behavior analytics (UEBA).
Hardening best practices:
- Apply and consult vendor-recommended guidance for security hardening.
- Implement application allowlisting and monitor use of common LOLBins.
- Enhance IT and OT network segmentation and monitoring.
- Implement authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.
The guidance document provides detailed, in-depth explanations of all these best practices. Many of them are likely to be familiar from general security recommendations that you may have seen in other contexts. However, the specific nature of LOTL attacks makes it especially important to set up controls and processes that give you an edge in detecting them.
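As an added example (not code from the guidance document or from this post), the following Python script shows what the detection practices above (baselines, anomaly alerting, noise reduction) and the hardening practice of monitoring common LOLBins look like in practice: it builds a baseline of (user, parent process, image) triples from a vetted period of constructed process-creation records, alerts on launches of common LOLBins that fall outside that baseline, and collapses repeated identical anomalies into one counted alert. The LOLBin list, the log format, and all host and user names are assumptions for illustration.

```python
"""Baseline-vs-current detection of LOLBin use over constructed process-creation logs."""
from collections import Counter

# Assumed subset of Windows LOLBins to watch; illustrative, not the guide's own list.
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "ntdsutil.exe", "netsh.exe"}

# Constructed records in a simplified "host|user|parent_image|image|command_line" form.
BASELINE_LOG = [  # collected during a reviewed, known-good period
    "ws01|CORP\\admin1|explorer.exe|powershell.exe|powershell.exe -File C:\\ops\\inventory.ps1",
    "srv02|CORP\\svc_mon|services.exe|wmic.exe|wmic os get lastbootuptime",
    "ws01|CORP\\admin1|explorer.exe|powershell.exe|powershell.exe Get-Service",
]
CURRENT_LOG = [  # records under review
    "ws01|CORP\\admin1|explorer.exe|powershell.exe|powershell.exe Get-Process",
    "dc01|CORP\\svc_web|cmd.exe|ntdsutil.exe|ntdsutil.exe <arguments omitted>",
    "ws07|CORP\\jdoe|winword.exe|powershell.exe|powershell.exe -NoProfile <arguments omitted>",
    "ws07|CORP\\jdoe|winword.exe|powershell.exe|powershell.exe -NoProfile <arguments omitted>",
    "ws03|CORP\\jdoe|explorer.exe|notepad.exe|notepad.exe report.txt",
]

def parse_event(line):
    """Split one record into its fields; names are lower-cased so comparisons are stable."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return {"host": host, "user": user.lower(), "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}

def build_baseline(lines):
    """Baseline = set of (user, parent, image) triples observed in the known-good period."""
    return {(e["user"], e["parent"], e["image"]) for e in map(parse_event, lines)}

def detect(baseline, lines):
    """Alert on LOLBin launches whose (user, parent, image) triple is not in the baseline.
    Identical anomalies are collapsed into one alert carrying a count to reduce noise."""
    hits, first_seen = Counter(), {}
    for e in map(parse_event, lines):
        key = (e["user"], e["parent"], e["image"])
        if e["image"] in LOLBINS and key not in baseline:
            hits[key] += 1
            first_seen.setdefault(key, e)  # keep one sample record per anomaly
    return [{"user": u, "parent": p, "image": i, "count": n,
             "host": first_seen[(u, p, i)]["host"],
             "cmdline": first_seen[(u, p, i)]["cmdline"]}
            for (u, p, i), n in hits.items()]

def run():
    """Build the baseline from BASELINE_LOG and return the alerts for CURRENT_LOG."""
    return detect(build_baseline(BASELINE_LOG), CURRENT_LOG)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

A real deployment would feed this from centrally aggregated process-creation events (for example Sysmon or Windows security logs) and refresh the baseline on a schedule rather than from a fixed list.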
Secure by design
The final section of the guidance document provides a list of recommendations for software manufacturers to reduce their products’ vulnerability to abuse by LOTL techniques. These include:
- Minimize attack surfaces that can be leveraged by cyber threat actors using LOTL techniques.
- Embed security into product architecture.
- Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.
- Provide high-quality logging for platforms and applications at no additional charge.
- Reduce the size of “hardening guides” that are included with products and strive to ensure that the size shrinks over time as new versions of the software are released.
- Remove default passwords, requiring customers to generate more secure ones.
- Remove or limit dynamic code execution, which can too easily be exploited by LOTL techniques.
- Eliminate hard-coded credentials.
Protect your company
Barracuda offers a comprehensive cybersecurity platform that protects your email, network, applications, and data. Visit our website to see how it works.