A newly released Joint Cybersecurity Advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and allied partners has shed light on the use of “living-off-the-land” (LOTL) cyber attacks by state-sponsored threat actors. These techniques let malicious actors abuse tools already installed on victims’ systems, which helps them fly under the radar and makes their activity difficult to detect with traditional security controls.
Living-off-the-land (LOTL) techniques and procedures are a growing trend in cyberattacks against public safety, as both nation-state and cybercriminal threat actors seek new methods to infiltrate networks while evading detection by traditional security systems. Attackers leverage legitimate tools and software already installed on a victim’s operating system, as opposed to traditional malware attacks, which rely on introducing new malicious files to the network to compromise targets. Using LOTL techniques, adversaries can execute a fileless attack, which allows them to maintain persistence, escalate privileges and execute commands while bypassing security software that only scans for known malware signatures.
Attackers employ a variety of tools to enable LOTL activity, with two of the most common being PowerShell (psh) and the Windows Management Instrumentation command-line utility (wmic). PowerShell is one of the top native tools observed in attacks on public safety, with at least eight separate threat groups employing it to discover information and execute code since January 2022, including advanced persistent threat actors (APTs) and extortion syndicates.
The attacks that have had the most impact on public safety systems are assessed to have used some aspect of LOTL tactics. The most capable cybercriminals have sought to imitate the nation-state groups that use LOTL, adding it to their own toolkits and using it to stealthily shut down critical public safety systems and steal sensitive data from the targeted system. As such, defenders must prioritize detecting and limiting the use of LOTL techniques. Implementing advanced threat detection software, strong access controls and network traffic monitoring can identify malicious activity to help defend against LOTL attacks.
Defending against LOTL attacks can be challenging. Since they use authorized system tools, it’s significantly harder to distinguish their activity from legitimate user actions. Monitoring the behavior of commonly abused tools in an environment using process inspection solutions has proven to be highly effective. Most Endpoint Detection and Response (EDR) solutions rely on process inspection and utilize a variety of different policies to detect when trusted utilities are being used for malicious intent. Examples include enumerating domain administrators with “net group” or modifying a device’s firewall rules with “netsh”.
Depending on the goals of the attacker and what they are attempting to accomplish at any given stage in a compromise, some detection solutions can be more effective than others. For example, if an attacker is attempting to hide their activities by manipulating or deleting local logs with a trusted utility such as “wevtutil”, process inspection is the clear detection preference, since this activity is executed on the local device. But if an attacker is attempting to discover or “sweep” for other devices in the network using the “ping” utility, then network monitoring would typically be more effective.
Ultimately, having both process and network detection solutions correlating activity together, as is the case with the Motorola Solutions ActiveEye Managed Detection and Response (MDR) service, is the ideal situation. If the attacker is attempting to move laterally in the network via remote network shares, process detection could alert on suspicious usage of the “net use” or “net share” command.
Network detection would also be effective in identifying this activity, as a suspicious Server Message Block (SMB) share mapping occurring between two devices. Detections from both solutions create a clearer picture of what the attacker is attempting to do, so that network defenders can respond and isolate them before they can achieve an impact.
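To make the process-versus-network distinction concrete, here is an added example (not code from the advisory or from ActiveEye) that runs simple process-inspection rules for the utilities named above over constructed process-creation events, flags a ping sweep from constructed flow records, and correlates a “net use” alert with the matching SMB flow. Event field names, hostnames and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the advisory): EDR-style process-creation events and sensor-style flows.
PROCESS_EVENTS = [
    {"host": "ws01", "image": "net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws01", "image": "netsh.exe", "cmdline": "netsh advfirewall firewall add rule name=svc dir=in action=allow"},
    {"host": "ws01", "image": "wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"host": "ws01", "image": "net.exe", "cmdline": r"net use \\fs01\C$ /user:corp\admin"},
    {"host": "ws02", "image": "net.exe", "cmdline": "net use"},  # benign: lists existing mappings
]
NETWORK_FLOWS = [{"src": "ws01", "dst": f"10.0.0.{i}", "proto": "icmp"} for i in range(1, 41)]
NETWORK_FLOWS += [{"src": "ws02", "dst": "10.0.0.1", "proto": "icmp"},
                  {"src": "ws01", "dst": "fs01", "proto": "tcp", "dport": 445}]

# Process-inspection rules for the utilities the article names: (rule, image, command-line regex).
PROCESS_RULES = [
    ("domain_admin_enumeration", "net.exe", r"\bgroup\b.*domain admins"),
    ("firewall_rule_modification", "netsh.exe", r"\b(advfirewall|firewall)\b.*\b(add|set|delete)\b"),
    ("event_log_clearing", "wevtutil.exe", r"\b(cl|clear-log)\b"),
    ("remote_share_mapping", "net.exe", r"\buse\b\s+\\\\[\w.-]+\\"),
    ("share_creation", "net.exe", r"\bshare\b\s+\w+="),
]

def inspect_processes(events):
    """Match each process-creation event against the rules; returns one alert per hit."""
    alerts = []
    for ev in events:
        for rule, image, pattern in PROCESS_RULES:
            if ev["image"].lower() == image and re.search(pattern, ev["cmdline"], re.IGNORECASE):
                alerts.append({"rule": rule, "host": ev["host"], "cmdline": ev["cmdline"]})
    return alerts

def detect_ping_sweep(flows, threshold=20):
    """Network side: a host that pings many distinct targets is sweeping, not troubleshooting."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "icmp":
            targets[f["src"]].add(f["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)

def correlate_share_mapping(alerts, flows):
    """Confirm a 'net use' alert with an SMB (TCP/445) flow from that host to the named server."""
    smb = {(f["src"], f["dst"]) for f in flows if f["proto"] == "tcp" and f.get("dport") == 445}
    confirmed = []
    for a in alerts:
        m = re.search(r"\\\\([\w.-]+)\\", a["cmdline"]) if a["rule"] == "remote_share_mapping" else None
        if m and (a["host"], m.group(1)) in smb:
            confirmed.append((a["host"], m.group(1)))
    return confirmed
```

Calling inspect_processes(PROCESS_EVENTS) yields four alerts for ws01 and none for the benign listing on ws02; detect_ping_sweep(NETWORK_FLOWS) names only ws01, and the correlation confirms the share mapping to fs01 from both vantage points.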
The ActiveEye MDR service combines an innovative security platform with an expert security operations center (SOC) team. The service allows any size organization to apply the most advanced cybersecurity technology and experienced team in the moments it matters most.
With ActiveEye MDR, you get:
Access to our co-managed ActiveEye security platform to optimize analysis and detection of threats across endpoints and networks
Threat Intelligence team to alert you to threats and threat actor trends, and guide the adoption of appropriate detection methods
A 24/7 security operations team to quickly investigate anomalous activity and augment your internal security team
Advanced threat research to proactively search for threats as new tactics and IOCs are discovered
Incident Response team to guide an assessment in the event your network is compromised
The Public Safety Threat Alliance (PSTA) is a public safety-focused information sharing and analysis organization (ISAO) established by Motorola Solutions that is recognized by the Cybersecurity and Infrastructure Security Agency (CISA). The PSTA has provided guidance on LOTL to its members and will continue to monitor intelligence reporting for credible threats to public safety organizations.