Updates & News

A Growing Problem: Adversaries using LOTL for undetected and persistent access

In 2023 and 2024, there has been a notable shift in threat actor attack strategies. Attackers are increasingly moving away from deploying malware, except perhaps during initial access to target networks or edge appliances. Instead, they are leveraging tools and processes generally used by legitimate users, making it challenging for conventional signature-based detection methods to identify compromises. Such detection techniques are crucial for endpoint agents, file analysis, and process analysis.

Attackers exploit legitimate processes and credentials, complicating the task for endpoint detection and response agents. These agents struggle because the processes attackers use are approved and expected to run on the host systems. This method, known as “living off the land” (lotl), involves using valid credentials or processes to blend in with normal activities without raising suspicion.

According to the 2024 Verizon DBIR report nearly 40% of all attacks include the use of valid credentials:

The attackers’ objective is to misuse these legitimate credentials and tools to infiltrate networks, compromise systems, escalate privileges, and move laterally until they gain the necessary access to execute their final objectives. This might include data exfiltration or deploying ransomware. High-profile incidents like the Kaseya Supply Chain ransomware attack and the UHG ransomware attack highlight the severity of this tactic, which resulted in tens of millions of dollars in damages and ransom payments.

Due to the use of legitimate tools and credentials, traditional and even newer endpoint detection methods often fail to detect these attackers’ presence and activities. This creates significant visibility gaps for organizations, increasing their attack surface and the anxiety associated with undetected breaches.

How SentryWire Helps with LOTL

To address the visibility gap created by the use of “living off the land” techniques by resourced threat actors, integrating passive full packet capture (FPC) with integrated network security monitoring (NSM) and event logging capabilities can significantly enhance detection and response capabilities. Here’s how this approach can be beneficial:

1. Comprehensive Data Collection

   1. Full Packet Capture: SentryWire passively records all packets that traverse the network, capturing a complete, binary-level replica of network traffic. This allows organizations to have a forensic record of all communications, including the content and timing of interactions, which can be critical in a post-breach analysis.

   2. Granular Visibility: Unlike endpoint agents that monitor activities on individual systems, FPC provides visibility across the entire network, capturing data in transit without relying on software installed on target systems. This is particularly effective against attackers using legitimate tools that might not be flagged by endpoint security systems.

2. Enhanced Detection with Network Event Logs

   1. Network Security Monitoring (NSM): SentryWire leverages an open-source network threat detection engine capable of real-time intrusion detection (IDS) and a network security monitoring (NSM) event log engine called Suricata. The system can augment visibility using rules, signatures, and anomaly detection to identify suspicious activities.

   2. Detection Evasive Tactics: By consuming the network flow logs, SentryWire can analyze network traffic to detect anomalies and patterns indicative of malicious activites, even if they originate from legitimate tools or processes. For example, unusual network traffic patterns, such as large data transfers at odd hours, can be detected even if they are conducted using legitimate credentials.

3. Forensic and Retrospective Analysis

   1. Data Retention for Forensic Analysis: FPC allows organizations to retain a historical archive of all network traffic, which can be invaluable for forensic investigation after a security breach has been detected. This capability enables security teams to rewind and review the sequence of events leading up to and following a breach, providing insights that are not always available through log files or endpoint data alone.

   2. Contextual Insight with Event Logs: Combining packet captures with event logs from Suricata provides a layered view of network activity, offering context around the packet flow. This can help in understanding the scope of an attack, identifying affected systems, and determining the data or credentials that may have been compromised.

4. Proactive Threat Hunting

   1. Threat Hunting Capabilities: Armed with detailed data from FPC and NSM logs, security analysts can proactively search for indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with advanced persistent threats (APTs) that typically employ “living off the land” strategies.

5. Compliance and Regulatory Adherence

   1. Regulatory Compliance: Many industries are subject to regulatory requirements that mandate the retention of data for a certain period. FPC can help fulfill these requirements, ensuring that all packet data is available for audit purposes.

By implementing a strategy that includes SentryWire’s highly scalable passive full packet capture and advanced network security monitoring, organizations can effectively mitigate the risks associated with sophisticated cyber threats that exploit legitimate tools and processes. This approach enhances the detection of subtle anomalies and provides robust data for incident response and recovery processes.

Links:

• SVR Cyber Actors Adapt Tactics for Cloud Access: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a

• Identifying and Mitigating Living Off the Land Techniques: https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques

• U.S. and International Partners Release Advisory Warning of PRC State-Sponsored Cyber Activity: https://www.cisa.gov/sites/default/files/2024-02/Joint-Guidance-Identifying-and-Mitigating-LOTL_V3508c.pdf

• PRC maintains a persistent foothold across American Infrastructure: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

• 2024 Verizon DBIR Report: https://www.verizon.com/business/resources/Tab5/reports/2024-dbir-data-breach-investigations-report.pdf

• 2024 Mandiant M-Trends Report: https://services.google.com/fh/files/misc/m-trends-2024.pdf

TSA Security Directive Pipeline-2021-02C

On July 21, 2022 The US Transportation Security Administration (TSA) revised and reissued their security directive for owners and operators of liquified natural gas facilities, natural gas and oil pipelines.

Revisions to the reissued cybersecurity guidance for pipeline owners and operators are summarized by TSA below:

The reissued security directive takes an innovative, performance-based approach to enhancing security, allowing industry to leverage new technologies and be more adaptive to changing environments. The security directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas facilities take action to prevent disruption and degradation to their infrastructure to achieve the following security outcomes:

1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;

2. Create access control measures to secure and prevent unauthorized access to critical cyber systems;

3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and

4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.

The core elements of Security Directive Pipeline-2021-02C are:

• Cybersecurity Implementation Plan

  • Critical Systems Identification

  • Network Segmentation

  • Access Control

  • Continuous Monitoring and Detection

  • Patch Management

• Cybersecurity Incident Response Plan

• Cybersecurity Assessment Plan

SentryWire is a Network Security Monitoring (NSM) appliance that installs easily, provides immediate visibility into your network and directly supports the guidance outlined in Security Directive Pipeline-2021-02C by:

1. Full packet capture for a historical look back at what happened and complete reconstruction of malicious activity with traceability to:

   1. Cybersecurity Incident Response Plan

   2. Cybersecurity Assessment Plan

2. Policies to define critical assets and services, providing traceability and visibility for:

   1. Critical Systems Identification

3. An extensible logging engine that generates a record for every packet that SentryWire captures to provide:

   1. Continuous Monitoring and Detection

4. A fast and flexible Intrusion Detection System (IDS) that uses industry standard alert format with IOC, behavioral and anomaly detection that links directly to the packets that triggered an alert for easy forensic reconstruction of events with contextual logs for:

   1. Continuous Monitoring and Detection