MIL-OSI Security: Tackling the Elusive Foe of Cyber Threat Actors in “Living Off the Land” Intrusions
In a bold move to enhance cybersecurity defenses, the National Security Agency (NSA) has announced a collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom National Cyber Security Center (NCSC-UK). This partnership focuses on developing strategies to counter increasingly prevalent “Living Off the Land” (LOTL) cyber intrusions, a sophisticated form of cyberattack that leverages existing tools within a system to carry out malicious activities.
The cooperation has culminated in the release of CISA’s Cybersecurity Technical Report (CTR) titled “Identifying and Mitigating Living Off the Land,” which aims to provide comprehensive guidance on thwarting LOTL techniques. This critical release builds upon a joint Cybersecurity Advisory issued in May 2023, which also addressed the challenges presented by LOTL tactics.
LOTL intrusions stand out because they do not rely on the deployment of external malicious code. Instead, attackers exploit tools that are already part of a system’s software environment, thereby sidestepping traditional security measures. This method of attack can be employed across various IT infrastructures, whether on-site, cloud-based, or in hybrid arrangements. It has become a favored technique among threat actors sponsored by national governments, notably those affiliated with the People’s Republic of China and the Russian Federation, for its ability to evade detection seamlessly.
Rob Joyce, the NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS), emphasized the gravity of these attacks and the united front forming to combat them. “Living off the land attacks have galvanized the cybersecurity community,” Joyce noted. “Our previous advisory on the subject drew support from over half a dozen international and domestic organizations, as well as pivotal contributions from the industry sector.”
Joyce further highlighted the shared goal of shedding light on these covert operations, particularly pointing out the irresponsible conduct of the PRC in jeopardizing civilian critical infrastructure. “This collective effort enhances our defensive capabilities and forges a stronger coalition that significantly amplifies our individual efforts,” he added.
The CSA details the reasons LOTL attacks have become an effective modus operandi for cybercriminals, offering a set of best practice recommendations designed to fortify defenses against such threats. Among these practices are the implementation of sophisticated logging for improved detection of LOTL activities, the establishment of robust authentication controls, and the diligent maintenance of user and admin privilege limitations. The advisory also underscores the importance of auditing remote access software, setting baseline behavioral norms, and refining monitoring tools to enhance alerting mechanisms.
In addition to providing a roadmap for IT professionals and network administrators, the advisory extends its guidance to software and technology manufacturers, offering insight into threat actor behaviors and network defense vulnerabilities. By disseminating technical specifics and recommendations, the report aims to bolster the cybersecurity posture of organizations and individuals against LOTL intrusions.
The concerted effort by the NSA, CISA, FBI, and NCSC-UK to address the LOTL threat landscape underscores the importance of international collaboration in the fight against sophisticated cyber threats. As cyber adversaries continue to evolve, so too must our strategies for detecting and neutralizing their tactics. The “Identifying and Mitigating Living Off the Land” report represents a significant step forward in this ongoing battle, providing crucial insights and recommendations that will aid in securing our digital frontiers.
For those seeking to bolster their defenses against LOTL tactics, the full report is an invaluable resource. Read the full report here.
