{"id":88006,"date":"2024-07-24T15:45:17","date_gmt":"2024-07-24T05:45:17","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=88006"},"modified":"2024-07-24T15:45:17","modified_gmt":"2024-07-24T05:45:17","slug":"living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/","title":{"rendered":"Living off the land: the silent cyber threat to critical infrastructure"},"content":{"rendered":"

Cyber defences can be alert to malware. It\u2019s much harder to be alert to intruders who use the targeted system\u2019s own resources against the owner.<\/p>\n

In cybersecurity, such attack methods are called \u2018living off the land\u2019 (LOTL), and they\u2019re practised by the Chinese group APT40, the subject of a 9 July cybersecurity advisory<\/a> from eight countries, including Australia.<\/p>\n

Countermeasures to LOTL are available, but they\u2019re not used widely enough. The main one is not to look for inserted code, since there isn\u2019t any, but to monitor the system for signs that its own features are being used in abnormal ways.<\/p>\n

The advisory mirrored one issued in February 2024 regarding the Volt Typhoon group. Although both groups use complex attack methods, their objectives are distinct: APT40 focuses on espionage, whereas Volt Typhoon appears to be targeting critical infrastructure with little to no espionage value, apparently to sabotage or to prepare to do so in case of conflict. A key similarity between these groups is their use of LOTL techniques to breach large, defended infrastructure, potentially years ago, then quietly lurk on the network.<\/p>\n

\u2018Living off the land\u2019 refers to using built-in command-line tools, programs, processes, trusted network protocols and other native functionality within a victim\u2019s environment to conduct malicious activity, rather than deploying known malware or noisy commercial tooling. LOTL operators such as APT40 and Volt Typhoon use tools such as PowerShell, Windows Management Instrumentation (WMI) and remote desktop services to gain and maintain access to targeted systems. In many cases these tools and their network traffic have been whitelisted, or are used so routinely by trusted users that they aren\u2019t locked down or audited the way other tools might be.<\/p>\n

LOTL also demands hands-on-keyboard tradecraft: attackers manually work through defences and run their operations using whatever they find on the target, so each intrusion is tailored to the system it hits. Because the capabilities are already built into the target, the attackers avoid tripping security systems such as intrusion-detection systems, which typically match against known signatures or known behaviours when malware is transferred or executed.<\/p>\n

This approach presents significant challenges to defenders and detection, as it enables the attackers to mask their activities within the noise of normal operations.<\/p>\n
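What monitoring a system for signs that its own features are being used abnormally looks like in practice, as an added example that is not part of the original article: a baseline of which accounts launch which native tools from which parent processes on each host, learned from process-creation logs, with later events scored against it. The records, host and account names, and the PowerShell, WMI and IIS worker-process cases are constructed for illustration; the field layout assumes Windows process-creation auditing with command lines enabled.<\/p>\n

```python
'''Baseline-and-deviation detection of living-off-the-land (LOTL) tool use.

Added example, not code from the article or from any product. The records are
constructed here in the shape of Windows process-creation events (Security
Event ID 4688 with command-line auditing enabled); the field names and the
sample hosts, users and timestamps are assumed. The point: powershell.exe,
wmic.exe and cmd.exe are legitimate on every host, so the signal is not the
binary but an unfamiliar (host, user, parent, image) combination compared
with the host's own history.
'''
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str       # ISO-8601 timestamp (constructed)
    host: str     # computer name
    user: str     # account that launched the process
    parent: str   # parent process image name
    image: str    # new process image name
    cmdline: str  # command line as logged


# Native binaries LOTL operators favour. Used only to label output, never as
# the detection criterion: matching on names would be signature detection again.
NATIVE_TOOLS = {'powershell.exe', 'wmic.exe', 'mstsc.exe', 'cmd.exe', 'net.exe',
                'schtasks.exe', 'ntdsutil.exe', 'certutil.exe', 'reg.exe'}


def profile_key(e: ProcEvent) -> tuple:
    return (e.host.lower(), e.user.lower(), e.parent.lower(), e.image.lower())


def build_baseline(events: list) -> dict:
    '''Learn normal from a window believed to be clean: how often each full
    profile tuple occurred, and which images each host has launched at all.'''
    tuples = Counter(profile_key(e) for e in events)
    host_images = {}
    for e in events:
        host_images.setdefault(e.host.lower(), set()).add(e.image.lower())
    return {'tuples': tuples, 'host_images': host_images}


def detect(baseline: dict, events: list, min_support: int = 2) -> list:
    '''Return (event, reason) pairs for events that deviate from the baseline.
    Rarity is scored against the baseline only, so a burst of identical new
    activity in the detection window cannot normalise itself.'''
    flagged = []
    for e in events:
        image = e.image.lower()
        label = 'native tool' if image in NATIVE_TOOLS else 'image'
        known_on_host = baseline['host_images'].get(e.host.lower(), set())
        seen = baseline['tuples'].get(profile_key(e), 0)
        if image not in known_on_host:
            flagged.append((e, f'{label} {e.image} never launched on {e.host} in baseline'))
        elif seen == 0:
            flagged.append((e, f'{label} {e.image} never launched by {e.user} from {e.parent} on {e.host}'))
        elif seen < min_support:
            flagged.append((e, f'profile seen only {seen}x in baseline'))
    return flagged


# Constructed sample data: a clean week of routine administration.
BASELINE = [
    ProcEvent('2024-07-01T09:02:11', 'WS01', 'admin1', 'explorer.exe', 'powershell.exe', 'powershell.exe'),
    ProcEvent('2024-07-02T09:05:40', 'WS01', 'admin1', 'explorer.exe', 'powershell.exe', 'powershell.exe'),
    ProcEvent('2024-07-03T08:58:03', 'WS01', 'admin1', 'explorer.exe', 'powershell.exe', 'powershell.exe'),
    ProcEvent('2024-07-01T10:15:00', 'WS01', 'admin1', 'explorer.exe', 'mstsc.exe', 'mstsc.exe /v:SRV01'),
    ProcEvent('2024-07-04T10:20:12', 'WS01', 'admin1', 'explorer.exe', 'mstsc.exe', 'mstsc.exe /v:SRV01'),
    ProcEvent('2024-07-01T23:00:01', 'SRV01', 'svc_backup', 'cmd.exe', 'wmic.exe', 'wmic.exe shadowcopy list'),
    ProcEvent('2024-07-02T23:00:02', 'SRV01', 'svc_backup', 'cmd.exe', 'wmic.exe', 'wmic.exe shadowcopy list'),
    ProcEvent('2024-07-01T06:00:00', 'WEB01', 'svc_iis', 'services.exe', 'w3wp.exe', 'w3wp.exe -ap DefaultAppPool'),
    ProcEvent('2024-07-03T06:00:00', 'WEB01', 'svc_iis', 'services.exe', 'w3wp.exe', 'w3wp.exe -ap DefaultAppPool'),
]

# Constructed detection window: two routine events and two that should alert.
WINDOW = [
    ProcEvent('2024-07-08T09:01:30', 'WS01', 'admin1', 'explorer.exe', 'powershell.exe', 'powershell.exe'),
    ProcEvent('2024-07-08T23:00:01', 'SRV01', 'svc_backup', 'cmd.exe', 'wmic.exe', 'wmic.exe shadowcopy list'),
    # a web-server worker spawning a shell: cmd.exe has never run on WEB01
    ProcEvent('2024-07-08T03:14:07', 'WEB01', 'svc_iis', 'w3wp.exe', 'cmd.exe', 'cmd.exe /c whoami'),
    # PowerShell is normal on WS01, but not for this account
    ProcEvent('2024-07-08T03:20:55', 'WS01', 'jdoe', 'explorer.exe', 'powershell.exe', 'powershell.exe -nop -w hidden'),
]


def run() -> list:
    return detect(build_baseline(BASELINE), WINDOW)


if __name__ == '__main__':
    for event, reason in run():
        print(f'{event.ts} {event.host} {event.user}: {reason}')
```

Two caveats a practitioner would add. The baseline has to come from a window believed to be clean, which is hard when, as the advisories describe, an actor may have been resident for years; comparing against change records or a freshly rebuilt host helps. And the flagged combinations are a starting point for an analyst, not a verdict: the first time a new administrator legitimately uses PowerShell on a host it will, correctly, look the same as the first time an intruder does.<\/p>\n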

As APT40\u2019s primary mission is espionage, the group infiltrates networks to steal sensitive data. Volt Typhoon\u2019s focus on critical infrastructure poses a different kind of threat: by targeting water and power utilities, transportation systems and other essential services, it positions itself to sabotage and disrupt operations. LOTL techniques make this worse, because they let attackers lurk undetected within critical systems, possibly for years, poised to strike at a moment of their choosing.<\/p>\n

This underscores the need for advanced defensive strategies. Traditional security tools relying on signature-based detections are insufficient against LOTL-type threats. Instead, organisations should use a multifaceted approach that includes advanced anomaly-detection systems.<\/p>\n

Those systems analyse patterns of normal behaviour and flag deviations that may indicate malicious activity, even when no traditional malware is present. Anomaly detection can operate at several levels. The simplest is network communications: a new asset appearing, or a protocol in use that wasn\u2019t before. More specialised solutions parse and inspect the network protocols themselves and look for anomalies in how they\u2019re used, such as an approved protocol performing a different action or flowing in a different direction.<\/p>\n

Even more granular is anomaly detection on the values, parameters and set points carried inside those protocols. It can thereby determine whether, for example, a motor\u2019s speed has been set abnormally high or a furnace to an abnormally hot temperature.<\/p>\n

When LOTL attackers get past security defences without hauling in detectable code, anomaly detection is the next best hope of surviving the incident. First, in the early phase of an attack, the attackers\u2019 reconnaissance should set off anomaly-detection solutions regardless of which tool they use: an account or workstation that suddenly enumerates hosts, shares and accounts it has never touched before looks different from its own history, whatever command produced the traffic.<\/p>\n

Second, the subsequent stages of the operation should also register as anomalies, since the normal activity of regular users rarely includes the operations attackers perform.<\/p>\n

Finally, although it might be a last resort, knowing when the actual critical process, such as a furnace temperature or motor speed, is being tampered with is also within the realm of anomaly detection. In the past, anomaly detection was difficult to deploy in IT systems, where behaviour is diverse and baselines shift constantly. Industrial control systems, by contrast, are repetitive and predictable, and with artificial intelligence applied to baselining them the approach has come of age.<\/p>\n
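The network-level and value-level checks described above, as an added example that is not from the article or from any product: a learned envelope of which hosts write which PLC registers and what values they write, with a later window of traffic checked against it. The Modbus register roles, set-point units, IP addresses and timestamps are assumed for illustration; the records are constructed as a passive sensor on the control network would decode them.<\/p>\n

```python
'''Writer and set-point anomaly detection for an industrial control network.

Added example, not code from the article or from any product. It works on
constructed records of Modbus/TCP holding-register writes (function codes 6
and 16) as a passive network sensor would decode them; the field names,
register addresses, engineering units and IP addresses are all assumed.
Two checks from the text: who writes a register (a new asset, or traffic in
a new direction) and what value is written (a motor set-point or furnace
temperature outside anything the process did during the baseline).
'''
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class RegisterWrite:
    ts: str        # ISO-8601 timestamp (constructed)
    src: str       # writer: HMI or engineering-workstation IP
    dst: str       # PLC IP
    unit: int      # Modbus unit identifier
    register: int  # holding-register address
    value: int     # raw value written; engineering units assumed per register


def learn_envelope(writes: list) -> dict:
    '''Per (dst, unit, register): which hosts wrote it during a clean baseline
    window, and the range and spread of the values they wrote.'''
    groups = {}
    for w in writes:
        g = groups.setdefault((w.dst, w.unit, w.register), {'writers': set(), 'values': []})
        g['writers'].add(w.src)
        g['values'].append(w.value)
    model = {}
    for key, g in groups.items():
        vals = g['values']
        model[key] = {'writers': frozenset(g['writers']),
                      'lo': min(vals), 'hi': max(vals),
                      'sd': pstdev(vals) if len(vals) > 1 else 0.0}
    return model


def check_write(model: dict, w: RegisterWrite, k_sigma: float = 3.0):
    '''Return a reason string if the write deviates from the baseline, else None.
    The value envelope is the observed range widened by k_sigma standard
    deviations so ordinary operator adjustments do not alert.'''
    m = model.get((w.dst, w.unit, w.register))
    if m is None:
        return f'register {w.register} on {w.dst} never written in baseline'
    if w.src not in m['writers']:
        return f'new writer {w.src} for register {w.register} on {w.dst}'
    lo, hi, slack = m['lo'], m['hi'], k_sigma * m['sd']
    if w.value < lo - slack or w.value > hi + slack:
        return f'value {w.value} outside baseline envelope [{lo}, {hi}] widened by {slack:.1f} for register {w.register}'
    return None


def scan(model: dict, writes: list) -> list:
    '''Apply check_write to a window of traffic; returns (write, reason) pairs.'''
    results = []
    for w in writes:
        reason = check_write(model, w)
        if reason is not None:
            results.append((w, reason))
    return results


PLC, HMI = '10.0.2.20', '10.0.1.10'          # assumed addresses
MOTOR_RPM, FURNACE_C = 40001, 40010          # assumed register roles

# Constructed baseline: the HMI nudging the motor-speed and furnace set-points.
BASELINE = [
    RegisterWrite('2024-07-01T08:00:00', HMI, PLC, 1, MOTOR_RPM, 1480),
    RegisterWrite('2024-07-01T14:00:00', HMI, PLC, 1, MOTOR_RPM, 1500),
    RegisterWrite('2024-07-02T08:00:00', HMI, PLC, 1, MOTOR_RPM, 1520),
    RegisterWrite('2024-07-03T08:00:00', HMI, PLC, 1, MOTOR_RPM, 1500),
    RegisterWrite('2024-07-01T08:05:00', HMI, PLC, 1, FURNACE_C, 850),
    RegisterWrite('2024-07-02T08:05:00', HMI, PLC, 1, FURNACE_C, 860),
    RegisterWrite('2024-07-03T08:05:00', HMI, PLC, 1, FURNACE_C, 870),
]

# Constructed detection window. Only the first write is routine.
WINDOW = [
    RegisterWrite('2024-07-08T08:00:00', HMI, PLC, 1, MOTOR_RPM, 1505),
    RegisterWrite('2024-07-08T02:10:00', '10.0.5.77', PLC, 1, MOTOR_RPM, 1500),  # normal value, unknown writer
    RegisterWrite('2024-07-08T02:12:00', HMI, PLC, 1, MOTOR_RPM, 2900),          # motor driven far above its range
    RegisterWrite('2024-07-08T02:13:00', HMI, PLC, 1, FURNACE_C, 1150),          # furnace far above its range
    RegisterWrite('2024-07-08T02:14:00', HMI, PLC, 1, 40020, 1),                 # register nobody writes
]


if __name__ == '__main__':
    for write, reason in scan(learn_envelope(BASELINE), WINDOW):
        print(f'{write.ts} {write.src} -> {write.dst}: {reason}')
```

The envelope check is deliberately simple: an observed range widened by a few standard deviations. Real deployments learn it per process state (start-up, steady state, shutdown) and verify it against the plant\u2019s engineering limits rather than trusting traffic alone, because a baseline captured while an intruder is already present will quietly include whatever they did.<\/p>\n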

Further, organisations should strengthen their incident-response capabilities. That includes regular training for IT staff to recognise and respond to potential LOTL activity, and robust monitoring and logging: in particular, process-creation events with full command lines, PowerShell script-block logging, and authentication and remote-access events, forwarded to a central store that an intruder with local administrator rights can\u2019t clear. With comprehensive logs of system activity, trained organisations can retrospectively identify and analyse suspicious behaviour that went unnoticed in real time.<\/p>\n

Most large organisations are dealing with breaches daily, and many security operations centres are consumed by the day\u2019s tickets and incidents. Organisations are in a constant state of recovery. Knowing this, preparing for a targeted attack by a highly capable nation-state must include testing, and revising, incident-response and disaster-recovery plans. Tabletop exercises can also expose areas for improvement and incorrect assumptions, such as \u2018backups are reliable\u2019 or \u2018the furnace can safely shut down\u2019.<\/p>\n","protected":false},"excerpt":{"rendered":"

Cyber defences can be alert to malware. It\u2019s much harder to be alert to intruders who use the targeted system\u2019s own resources against the owner. In cybersecurity, such attack methods are called \u2018living off the …<\/p>\n","protected":false},"author":2029,"featured_media":88008,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[17,52,1395,749,95],"class_list":["post-88006","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-australia","tag-china","tag-critical-infrastructure","tag-cyber-espionage","tag-cyber-security"],"acf":[],"yoast_head":"\nLiving off the land: the silent cyber threat to critical infrastructure | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Living off the land: the silent cyber threat to critical infrastructure | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Cyber defences can be alert to malware. It\u2019s much harder to be alert to intruders who use the targeted system\u2019s own resources against the owner. 
In cybersecurity, such attack methods are called \u2018living off the ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-24T05:45:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2150300298.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"589\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chris Grove\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chris Grove\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2150300298.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2150300298.jpg\",\"width\":1024,\"height\":589,\"caption\":\"PRODUCTION - 30 April 2024, Lower Saxony, Hanover: A server cabinet with flashing lights and cables is on display at the State Criminal Police Office of Lower Saxony. The LKA Lower Saxony focuses on prevention in the area of cybercrime and provides information on key areas of cybercrime such as identity theft and hacker attacks. 
Photo: Julian Stratenschulte\/dpa (Photo by Julian Stratenschulte\/picture alliance via Getty Images)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/\",\"name\":\"Living off the land: the silent cyber threat to critical infrastructure | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#primaryimage\"},\"datePublished\":\"2024-07-24T05:45:17+00:00\",\"dateModified\":\"2024-07-24T05:45:17+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/38573951d9c3bc2586ee0823b697e047\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Living off the land: the silent cyber threat to critical infrastructure\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/38573951d9c3bc2586ee0823b697e047\",\"name\":\"Chris 
Grove\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f02e3e5e5b8c38db8cfd27be995ef559?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f02e3e5e5b8c38db8cfd27be995ef559?s=96&d=mm&r=g\",\"caption\":\"Chris Grove\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/chris-grove\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Living off the land: the silent cyber threat to critical infrastructure | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/","og_locale":"en_US","og_type":"article","og_title":"Living off the land: the silent cyber threat to critical infrastructure | The Strategist","og_description":"Cyber defences can be alert to malware. It\u2019s much harder to be alert to intruders who use the targeted system\u2019s own resources against the owner. In cybersecurity, such attack methods are called \u2018living off the ...","og_url":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2024-07-24T05:45:17+00:00","og_image":[{"width":1024,"height":589,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2150300298.jpg","type":"image\/jpeg"}],"author":"Chris Grove","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Chris Grove","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2150300298.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2150300298.jpg","width":1024,"height":589,"caption":"PRODUCTION - 30 April 2024, Lower Saxony, Hanover: A server cabinet with flashing lights and cables is on display at the State Criminal Police Office of Lower Saxony. The LKA Lower Saxony focuses on prevention in the area of cybercrime and provides information on key areas of cybercrime such as identity theft and hacker attacks. 
Photo: Julian Stratenschulte\/dpa (Photo by Julian Stratenschulte\/picture alliance via Getty Images)"},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/","url":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/","name":"Living off the land: the silent cyber threat to critical infrastructure | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#primaryimage"},"datePublished":"2024-07-24T05:45:17+00:00","dateModified":"2024-07-24T05:45:17+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/38573951d9c3bc2586ee0823b697e047"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/living-off-the-land-the-silent-cyber-threat-to-critical-infrastructure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Living off the land: the silent cyber threat to critical infrastructure"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/38573951d9c3bc2586ee0823b697e047","name":"Chris 
Grove","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f02e3e5e5b8c38db8cfd27be995ef559?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f02e3e5e5b8c38db8cfd27be995ef559?s=96&d=mm&r=g","caption":"Chris Grove"},"url":"https:\/\/www.aspistrategist.ru\/author\/chris-grove\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/88006"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/2029"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=88006"}],"version-history":[{"count":3,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/88006\/revisions"}],"predecessor-version":[{"id":88010,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/88006\/revisions\/88010"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/88008"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=88006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=88006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=88006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}