Cutting Through the Noise: Establishing LOTL Detection Baselines
One of the primary issues identified is the lack of security baselines within organizations, which permits the execution of living off the land binaries (LOLBins) without detection of anomalous activity. Additionally, organizations often fail to fine-tune their detection tools, resulting in an overwhelming number of alerts that are difficult to manage and act upon. This is compounded by automated systems performing highly privileged actions that can flood analysts with log events if not properly categorized.
Challenges in Distinguishing Malicious Activity
Even organizations with mature cyber postures and best practices in place find it difficult to distinguish between malicious LOTL activity and legitimate behavior:
📌LOLBins are commonly used by IT administrators and are therefore trusted, which can mislead network defenders into assuming they are safe for all users.
📌There is a misconception that legitimate IT administrative tools are globally safe, leading to blanket "allow" policies that expand the attack surface.
📌Overly broad exceptions for tools like PsExec, due to their regular use by administrators, can be exploited by malicious actors to move laterally without detection.
Siloed Operations and Untuned EDR Systems
The red team and incident response teams have frequently observed that network defenders:
📌Operate in silos, separate from IT teams, hindering the creation of user behavior baselines and delaying vulnerability remediation and abnormal behavior investigations.
📌Rely on untuned endpoint detection and response (EDR) systems and on discrete indicators of compromise (IOCs), an approach that may not trigger alerts for LOTL activity and that depends on artifacts attackers can easily alter to avoid detection.
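As an added example (not code from the advisory), the two points above about trusted admin tools such as PsExec and about user behavior baselines can be demonstrated in Python: instead of a blanket "allow" for a tool, record which (user, host) pairs ran it during a baseline window and alert only on executions outside that baseline. The CSV field layout, the tool list and every log line are constructed for illustration.

```python
# Added example, not from the advisory: rather than a blanket "allow" for admin
# tools such as PsExec, learn which (user, host) pairs ran each tool during a
# baseline window and alert only on executions outside that baseline.
# Field layout "timestamp,user,host,image" and all log lines are constructed.
from collections import defaultdict

# Admin tools that are legitimate for IT staff but commonly abused for LOTL activity.
LOLBINS = {"psexec.exe", "wmic.exe", "certutil.exe", "rundll32.exe"}

# Constructed baseline-window events (not real data).
BASELINE_EVENTS = """\
2024-01-02T08:01:00,CORP\\itadmin,JUMP01,psexec.exe
2024-01-02T08:05:00,CORP\\itadmin,JUMP01,wmic.exe
2024-01-03T10:00:00,CORP\\svc_patch,PATCH01,certutil.exe
2024-01-04T11:00:00,CORP\\alice,WS-ALICE,outlook.exe
""".splitlines()

# Constructed detection-window events (not real data).
NEW_EVENTS = """\
2024-02-01T08:02:00,CORP\\itadmin,JUMP01,psexec.exe
2024-02-01T13:45:00,CORP\\alice,WS-ALICE,psexec.exe
2024-02-01T13:47:00,CORP\\alice,WS-ALICE,certutil.exe
2024-02-01T14:00:00,CORP\\bob,WS-BOB,excel.exe
2024-02-01T14:10:00,CORP\\itadmin,WS-CARL,wmic.exe
""".splitlines()


def parse(line):
    """Split one CSV event into a dict with normalised user/host/image casing."""
    ts, user, host, image = line.split(",")
    return {"ts": ts, "user": user.lower(), "host": host.upper(), "image": image.lower()}


def build_baseline(lines):
    """Map each LOLBin to the (user, host) pairs that ran it during the baseline window."""
    baseline = defaultdict(set)
    for ev in map(parse, lines):
        if ev["image"] in LOLBINS:
            baseline[ev["image"]].add((ev["user"], ev["host"]))
    return dict(baseline)


def detect(lines, baseline):
    """Return LOLBin executions by a (user, host) pair never seen running that tool."""
    alerts = []
    for ev in map(parse, lines):
        known = baseline.get(ev["image"], set())
        if ev["image"] in LOLBINS and (ev["user"], ev["host"]) not in known:
            alerts.append(ev)
    return alerts
```

The admin's routine PsExec use from the jump host stays silent, while the same tool run by a workstation user, or by the admin from an unusual host, is surfaced for review instead of being hidden by a tool-wide exception.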
Logging Configurations and Allowlisting Policies
Deficiencies in logging configurations and allowlisting policies further complicate the detection of LOTL activities:
📌Default logging configurations often fail to capture all relevant activity, and logs from many applications require additional processing to be useful for network defense.
📌Broad allowlisting policies for IP address ranges owned by hosting and cloud providers can inadvertently provide cover for malicious actors.
macOS Device Protections
Network defenders must also ensure adequate protections for macOS devices, which are often mistakenly considered inherently secure:
📌macOS lacks standardized system hardening guidance, leading to deployments with default settings that may not be secure.
📌The presumption of macOS safety can result in the deprioritization of standard security measures, such as security assessments and application allowlisting.
📌In mixed-OS environments, the lower representation of macOS devices can lead to a lack of attention to their security, making them more vulnerable to intrusions.