The insidious danger of living off the land cyberattacks, especially from nation-state threat actors like China’s Volt Typhoon APT group, makes it imperative that targeted organizations adopt best practices around event logging and threat detection. To that end, security agencies from the U.S., Australia and their allies last month jointly released an informational publication offering key advice around such practices.
Among their top recommendations is to develop enterprise-approved event logging policies for capturing meaningful system events involving LOLBins, aka the living off the land binaries that come pre-installed in IT systems, which bad actors can abuse for their own nefarious purposes. These policies should also spell out which important details to record when an event transpires – such as event type, device identifier and the command that was executed.
The document also recommends maintaining a consistent data-recording and timestamp format for your logs, as well as retaining log records for a sufficient period of time – considering that attacker dwell time can sometimes last for months as malicious actors bide their time before striking.
Additional best practices listed in the document include prioritizing which log sources to collect across IT networks, OT systems, mobile devices and cloud computing services; devising secure, timely and centralized storage practices; ensuring event log integrity; and developing a detection strategy for relevant threats.
Living off the land techniques can be especially difficult to detect in a timely fashion because once an unauthorized party gains a foothold into a targeted system, that actor can disguise its malicious activity and lateral movement as legitimate network activity by using tools that also have day-to-day legitimate uses.
One of the most concerning developments of the past year was the news that Chinese state-sponsored threat actor Volt Typhoon has been quietly targeting U.S. critical infrastructure facilities using LOTL techniques – perhaps as a precursor to a future debilitating attack. To enable its attacks, this APT group uses such features as PowerShell and Windows Management Instrumentation Console commands.
The document notes that while the abuse of legitimate tools can be initially hard to detect, properly conducted logging activity allows threat hunters and analysts to identify anomalous behaviors or actions involving LOTL tools and commands. Telltale clues may include logging into a system during unusual hours from an unrecognized device, or downloading and exporting unusually large volumes of data, perhaps signaling a mass exfiltration of sensitive materials.
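The kind of hunt the document describes, as an added example that is not part of the article or the agencies' guidance: it reads records that carry the fields the logging policy asks for (event type, device identifier, user, command executed) in one agreed timestamp format, flags LOLBin executions from unrecognized devices or at unusual hours and unusually large outbound transfers, and reports records that break the timestamp format instead of silently dropping them. The device inventory, watched binaries, working-hours window, transfer threshold and the log records are all constructed for this example.

```python
import json
from datetime import datetime, timezone
# Assumed (hypothetical) enterprise context: approved device inventory, the LOLBins the
# logging policy watches, a working-hours window and a bulk-transfer threshold.
KNOWN_DEVICES = {"WS-0412", "WS-0977", "SRV-FILE01"}
WATCHED_LOLBINS = {"powershell.exe", "wmic.exe"}
WORK_HOURS_UTC = range(7, 19)      # 07:00-18:59 UTC is the normal activity window
BULK_TRANSFER_BYTES = 1 << 30      # >= 1 GiB outbound in one event is "unusually large"

# Constructed sample records in the policy-mandated shape (ISO 8601 UTC timestamp, event
# type, device identifier, user, command or bytes sent); the last one breaks the format.
SAMPLE_LOG = """
{"ts": "2024-09-03T09:14:02Z", "type": "process_create", "device": "WS-0412", "user": "jdoe", "cmd": "wmic.exe os get caption"}
{"ts": "2024-09-03T02:41:17Z", "type": "process_create", "device": "UNKNOWN-7f3a", "user": "svc_backup", "cmd": "powershell.exe -File backup.ps1"}
{"ts": "2024-09-03T03:05:44Z", "type": "net_transfer", "device": "UNKNOWN-7f3a", "user": "svc_backup", "bytes_out": 5368709120}
{"ts": "2024-09-03T14:30:00Z", "type": "net_transfer", "device": "WS-0412", "user": "jdoe", "bytes_out": 20480}
{"ts": "09/03/2024 02:41", "type": "process_create", "device": "WS-0977", "user": "jdoe", "cmd": "powershell.exe -File x.ps1"}
"""

def parse_event(line: str) -> dict:
    """Parse one JSON record and enforce the single agreed timestamp format."""
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def classify(ev: dict) -> list[str]:
    """Return the telltale clues this event matches; an empty list means nothing anomalous."""
    reasons = []
    if ev["type"] == "process_create" and ev["cmd"].split()[0].lower() in WATCHED_LOLBINS:
        binary = ev["cmd"].split()[0].lower()
        if ev["device"] not in KNOWN_DEVICES:
            reasons.append(f"{binary} run from unrecognized device {ev['device']}")
        if ev["ts"].hour not in WORK_HOURS_UTC:
            reasons.append(f"{binary} run at {ev['ts']:%H:%M} UTC, outside working hours")
    elif ev["type"] == "net_transfer" and ev["bytes_out"] >= BULK_TRANSFER_BYTES:
        reasons.append(f"{ev['bytes_out'] / (1 << 30):.1f} GiB outbound, possible mass exfiltration")
    return reasons

def hunt(log_text: str) -> list[dict]:
    """Run the rules over newline-delimited records; malformed lines are flagged, not dropped."""
    findings = []
    for line in log_text.strip().splitlines():
        try:
            ev = parse_event(line)
        except (ValueError, KeyError):
            findings.append({"device": None, "user": None, "reasons": ["malformed record: " + line[:40]]})
            continue
        if reasons := classify(ev):
            findings.append({"device": ev["device"], "user": ev["user"], "reasons": reasons})
    return findings
```

Running `hunt(SAMPLE_LOG)` returns three findings: the off-hours PowerShell run from the unknown device, the 5 GiB outbound transfer from that same device, and the record with the non-conforming timestamp; the daytime WMIC query from an inventoried workstation produces nothing.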
Back in February 2024, the special report issued by the National Security Agency and additional U.S. and international governmental agencies spelled out why LOTL attacks can be so difficult to contend with. Among the challenges: “Network defenders often operate in silos separate from IT teams and their operational workflows,” the report stated. They also use endpoint detection and response (EDR) systems that “may not alert to LOTL activity,” and they rely on “default logging configurations, which do not comprehensively log indicators of LOTL techniques or sufficiently detailed information to differentiate malicious activity from legitimate IT administrative activity.”
While the February report noted that there is “no foolproof solution to fully prevent or detect LOTL activity,” it did state that “by applying these best practices organizations can best position themselves for more effective detection and mitigation.”
Understanding Living off the land (LOTL) Techniques:
Living off the land (LOTL) techniques refer to a cyberattack strategy where attackers exploit legitimate tools and features already present within a system to carry out malicious activities. This approach allows threat actors, such as nation-state groups, to blend in with normal network operations, making their activities difficult to detect. By using common tools like PowerShell or Windows Management Instrumentation (WMI), attackers can mask their actions as regular administrative tasks, which complicates timely detection and response. Consequently, robust logging practices are essential to capture the subtle signs of LOTL activity and distinguish them from legitimate IT operations.