Surviving the Digital Wilderness: An Introduction to LOTL and LOLbins
The document titled "Joint Guidance: Identifying and Mitigating LOTL Techniques" provides guidance on how organizations can better protect themselves against Living Off the Land (LOTL) techniques. These techniques involve cyber threat actors leveraging legitimate tools and software already present in the target environment to conduct malicious activity, which makes detection harder. The guidance aims to reduce the availability of the legitimate operating system and application tools (LOLBins) that threat actors can exploit.
The guidance is based on insights from a joint advisory, red team assessments by the authoring agencies, the authoring agencies' incident response engagements, and collaborative efforts with industry. It stresses the importance of establishing and maintaining an infrastructure that collects and organizes data so that defenders can detect LOTL techniques, tailored to each organization's risk landscape and resource capabilities.
Main key points
📌 Authoring Agencies: The guide is authored by major cybersecurity and national security agencies from the U.S., Australia, Canada, the United Kingdom, and New Zealand, focusing on common LOTL techniques and gaps in cyber defense capabilities.
📌 LOTL Techniques: Cyber threat actors use LOTL techniques to compromise and maintain access to critical infrastructure, leveraging legitimate system tools and processes to blend in with normal activities and evade detection.
📌 Challenges in Detection: Many organizations struggle to detect malicious LOTL activity due to inadequate security and network management practices, lack of conventional indicators of compromise, and the difficulty of distinguishing malicious activity from legitimate behavior.
📌 Detection Best Practices: Recommendations include implementing detailed logging, establishing activity baselines, utilizing automation for continuous review, reducing alert noise, and leveraging user and entity behavior analytics (UEBA).
📌 Hardening Best Practices: Suggestions involve applying vendor-recommended security hardening guidance, implementing application allowlisting, enhancing network segmentation and monitoring, and enforcing authentication and authorization controls.
📌 Software Manufacturer Recommendations: The guide urges software manufacturers to adopt secure by design principles to reduce exploitable flaws that enable LOTL techniques. This includes disabling unnecessary protocols, limiting network reachability, restricting elevated privileges, enabling phishing-resistant MFA by default, providing secure logging, eliminating default passwords, and limiting dynamic code execution.
Secondary key points
📌 The guidance is aimed at helping organizations mitigate Living Off The Land (LOTL) techniques, where threat actors use legitimate tools within the environment for malicious purposes.
📌 Organizations are advised to exercise due diligence when selecting software, devices, cloud service providers, and managed service providers, choosing those with secure by design principles.
📌 Vendors should be held accountable for their software's default configurations and adherence to the principle of least privilege.
📌 Software manufacturers are encouraged to reduce exploitable flaws and take ownership of their customers' security outcomes.
📌 Network defense strategies include monitoring for unusual system interactions, privilege escalations, and deviations from normal administrative actions.
📌 Organizations should establish and maintain an infrastructure for collecting and organizing data to detect LOTL techniques, tailored to their specific risk landscape and resource capabilities.
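The detection practices above (establishing activity baselines, reducing alert noise, and monitoring for deviations from normal administrative actions) can be illustrated with a small baselining routine. This is an added example, not code from the joint guidance or its authoring agencies: the process-creation records and the watchlist of native tools are constructed, and a tool only becomes part of the baseline for an account once it has been seen more than once on that host.

```python
from collections import defaultdict

# Assumption (constructed, not from the guidance): native tools to baseline closely.
WATCHED_TOOLS = {"powershell.exe", "certutil.exe", "wmic.exe", "rundll32.exe", "mshta.exe"}

# Constructed process-creation records: (host, user, parent_image, image).
BASELINE_LOGS = [
    ("ws01", "alice", "explorer.exe", "powershell.exe"),
    ("ws01", "alice", "explorer.exe", "powershell.exe"),
    ("ws01", "alice", "cmd.exe", "powershell.exe"),
    ("srv01", "svc_backup", "services.exe", "wmic.exe"),
    ("srv01", "svc_backup", "services.exe", "wmic.exe"),
    ("ws02", "bob", "explorer.exe", "notepad.exe"),
]

NEW_LOGS = [
    ("ws01", "alice", "explorer.exe", "powershell.exe"),   # within baseline
    ("ws02", "bob", "winword.exe", "certutil.exe"),        # account never ran this tool
    ("srv01", "svc_backup", "winword.exe", "wmic.exe"),    # known tool, unusual parent
    ("ws01", "alice", "explorer.exe", "powershell.exe"),   # within baseline
    ("ws02", "bob", "explorer.exe", "notepad.exe"),        # not a watched tool, ignored
]

def build_baseline(records, min_count=2):
    """Map (host, user, image) -> set of parent images normally seen launching it.

    A triple enters the baseline only after min_count sightings, so a single
    legitimate one-off does not silently become "normal" (noise reduction).
    """
    counts = defaultdict(int)
    parents = defaultdict(set)
    for host, user, parent, image in records:
        key = (host, user, image.lower())
        if key[2] in WATCHED_TOOLS:
            counts[key] += 1
            parents[key].add(parent.lower())
    return {k: parents[k] for k, n in counts.items() if n >= min_count}

def find_deviations(records, baseline):
    """Return (record, reason) for watched-tool launches that fall outside the baseline."""
    findings = []
    for host, user, parent, image in records:
        key = (host, user, image.lower())
        if key[2] not in WATCHED_TOOLS:
            continue
        if key not in baseline:
            findings.append(((host, user, parent, image), "tool not in baseline for this account"))
        elif parent.lower() not in baseline[key]:
            findings.append(((host, user, parent, image), "known tool, unusual parent process"))
    return findings

if __name__ == "__main__":
    for (host, user, parent, image), reason in find_deviations(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"[ALERT] {host}: {user} launched {image} from {parent}: {reason}")
```

In practice the baseline would be built from weeks of endpoint process-creation telemetry rather than a handful of records, and the findings fed to UEBA or a SIEM for triage.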