U.S. and U.K. cybersecurity experts have released a technical report offering guidance on defending against cyberattacks that use “living off the land” (LOTL) techniques.
According to the National Security Agency, hostile Chinese and Russian actors often use LOTL as an intrusion method, in which legitimate tools already installed on the target system are exploited to conduct malicious activity. The agency warned that LOTL attacks are possible in many system setups, including cloud, hybrid and on-premises environments.
The NSA partnered with the Cybersecurity and Infrastructure Security Agency, the FBI and the U.K. National Cyber Security Centre on the report.
To mitigate the cyberthreat, the CISA guidance suggests adopting stricter log-in procedures, improved user authentication and remote access software audits. Other suggested ways to harden LOTL targets and prioritize detection include maintaining user and admin restrictions and establishing behavioral baselines.
The guidance also offers security suggestions for software and technology developers, as well as information on network defense vulnerabilities.
The CISA report builds on a cybersecurity advisory (CSA) issued in May 2023 on a China-sponsored LOTL cyberthreat. According to Rob Joyce, NSA cybersecurity director, partner organizations and industry stakeholders locally and abroad helped with that CSA, leading to the development of better-informed advisories.