The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released joint guidance on common living off the land techniques and on common gaps in cyber defense capabilities.
Living off the land (LOTL) is a covert attack technique in which criminals carry out malicious activities using legitimate IT administration tools rather than custom malware.
These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese government.
The FBI recently used a court order to remove malware from hundreds of routers across the US because it believed the attack was the work of an Advanced Persistent Threat group known as Volt Typhoon.
US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure.
In May of 2023, Microsoft uncovered stealthy and targeted malicious activity by Volt Typhoon.
The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.
It's not just the US. The Dutch Military Intelligence Service found a Remote Access Trojan on one of their networks which they identified as Chinese malware.
The Living off the Land guide does not exclusively focus on Chinese state actors, though.
It's important to be aware of what your cybersecurity team, internal or managed, should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activity.
Many organizations lack effective security and network management practices that support detection of malicious LOTL activity. This makes it difficult for network defenders to discern legitimate behavior from malicious behavior and to conduct behavioral analytics, anomaly detection, and proactive hunting.
There is a general lack of conventional indicators of compromise associated with the activity, complicating network defenders' efforts to identify, track, and categorize malicious behavior.
Implement write-once, read-many (WORM) detailed logging so that attackers cannot modify or erase logs after the fact.
Reduce alert noise by fine-tuning detections by priority, and continuously review them against trending activity.
Understanding the context of LOTL activities is crucial for accurate detection and response.
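As an added illustration of the behavioral-analytics point above (this is example code, not from the original article or the CISA guide), the Python below baselines which host, user and parent process normally launch a few legitimate admin tools over constructed sample events, then flags executions with no precedent; the tool watchlist, hostnames, accounts and events are all hypothetical.

```python
from collections import Counter

# Constructed sample of process-creation events (not real telemetry).
# day: observation day; process/parent: image names as an EDR would log them.
EVENTS = [
    {"day": d, "host": "HOST-ADM01", "user": "alice", "process": "wmic.exe", "parent": "cmd.exe"}
    for d in range(1, 8)
] + [
    {"day": d, "host": "FILE01", "user": "svc-backup", "process": "powershell.exe", "parent": "backupagent.exe"}
    for d in range(1, 8)
] + [
    # Day 8: one routine execution and three that have no precedent in the baseline.
    {"day": 8, "host": "HOST-ADM01", "user": "alice", "process": "wmic.exe", "parent": "cmd.exe"},
    {"day": 8, "host": "HOST-ADM01", "user": "alice", "process": "wmic.exe", "parent": "excel.exe"},
    {"day": 8, "host": "WKS-042", "user": "jsmith", "process": "wmic.exe", "parent": "winword.exe"},
    {"day": 8, "host": "FILE01", "user": "alice", "process": "netsh.exe", "parent": "cmd.exe"},
]

# Legitimate administration binaries worth baselining (hypothetical watchlist).
ADMIN_TOOLS = {"wmic.exe", "netsh.exe", "powershell.exe"}
BASELINE_DAYS = 7


def context(event):
    """What makes a tool execution normal or not: who ran what, where, from which parent."""
    return (event["host"], event["user"], event["process"], event["parent"])


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Count how often each admin-tool context appeared during the baseline window."""
    return Counter(context(e) for e in events
                   if e["day"] <= baseline_days and e["process"] in ADMIN_TOOLS)


def find_anomalies(events, baseline, baseline_days=BASELINE_DAYS):
    """Return post-baseline admin-tool executions with no precedent, each with a reason."""
    known_triples = {(h, u, p) for (h, u, p, _) in baseline}
    findings = []
    for e in events:
        if e["day"] <= baseline_days or e["process"] not in ADMIN_TOOLS:
            continue
        if context(e) in baseline:
            continue  # same user, host, tool and parent as before: routine
        if (e["host"], e["user"], e["process"]) in known_triples:
            reason = "known user/tool pair, unusual parent process"
        else:
            reason = "tool never run by this user on this host"
        findings.append({**e, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(EVENTS, build_baseline(EVENTS)):
        print(f"{f['host']} {f['user']} {f['process']} <- {f['parent']}: {f['reason']}")
```

The same binaries, with the same hashes, appear in both the routine and the flagged events, which is why a hash or filename indicator would match nothing here while the context baseline does.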
Many of the tips that Malwarebytes provides for avoiding ransomware will prove useful against state-sponsored attacks as well, although the latter can be even more targeted in some situations.
Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
CISA also urges software manufacturers to apply secure-by-design principles to their products: reducing the prevalence of weak default configurations and passwords and the other exploitable issues identified in the guide, and recognizing the need for low-cost or no-cost enhanced logging.
Living off the Land is one of six cyberthreats that resource-constrained IT teams need to be ready to combat in 2024, covered in our 2024 State of Malware report.
This Cyber News was published on www.malwarebytes.com. Publication date: Fri, 09 Feb 2024 14:13:03 +0000