NSA issues LOTL mitigation advisory

On February 7, the National Security Agency (NSA) announced that it is partnering with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom National Cyber Security Center (NSC-UK) on CISA’s Cybersecurity Technical Report (CTR) “Identifying and Mitigating Living Off the Land,” which provides guidance on defending against common living off the land (LOTL) techniques. This release follows a May 2023 joint Cybersecurity Advisory on LOTL techniques.

Rather than introducing malicious code to a system, LOTL threats use existing tools on the system to circumvent security capabilities, which makes these cyberattacks more difficult to detect and mitigate. These techniques can occur in multiple types of IT environments including on site, in the cloud, or hybrid environments. People’s Republic of China and Russian Federation state-sponsored actors often use these techniques to evade detection.

“Living off the land attacks have galvanized the cybersecurity community,” said Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS). “More than half a dozen international and domestic partner organizations signed on to our previous living off the land Cybersecurity Advisory. Industry also allowed us to reference their important contributions.

“Together with our partners and allies, we’re shining a light on attacks that occur in dark corners, and illustrating how the PRC behaves irresponsibly by holding civilian critical infrastructure at risk. CSAs like this arm all of us to improve defense and bring together a coalition that can do more as a group than any one of us can do alone,” said Joyce.

The CSA outlines how and why LOTL attacks are effective and includes best practice recommendations that are part of a multi-faceted and comprehensive approach to mitigating LOTL cyber threats. Best practices for prioritizing detection and hardening targets include implementing logging that allows for better detection of malicious LOTL activities, implementing authentication controls, maintaining user and admin privilege restrictions, auditing remote access software, establishing baseline behaviors, and refining monitoring tools and alerting mechanisms. The advisory also contains recommendations for software and technology manufacturers, technical details on threat actor activity, and information on network defense weaknesses.

Read the full report here.

Source: NSA

Stay in the know with breaking news from across the IC and IC contracting landscape by becoming a paid subscriber to IC News. Your support makes our work possible.