International coalition advocates for institutionalizing event logging, with the United States and Australia spearheading the effort
Headline: Joint Advisory Released to Combat Sophisticated Cyber Threats Using Living-off-the-Land Techniques
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate (ASD) have jointly released a detailed advisory to help organisations strengthen their defences against advanced cyber threats. The advisory focuses on the tactics used by the Scattered Spider cyber threat group, which employs living-off-the-land (LOTL) techniques and legitimate IT tools to evade detection and conduct malicious activities.
Living-off-the-land techniques are a growing concern in the cybersecurity world. These tactics involve the use of legitimate system tools and remote monitoring and management (RMM) software, such as AnyDesk, TeamViewer, and Ngrok, to hide within normal network activity and evade traditional security defenses.
The advisory stresses the importance of rigorous audit and monitoring practices. These include auditing networks for Remote Desktop Protocol (RDP) use and closing unused ports, enforcing account lockouts, and requiring multi-factor authentication (MFA), specifically phishing-resistant implementations such as FIDO/WebAuthn or PKI-based solutions. The advisory also recommends using Endpoint Detection and Response (EDR) tools to detect unusual access patterns, risky logins, and exfiltration attempts.
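As an added illustration of the logging-based detection the advisory calls for (example code, not from the advisory or any vendor), the following script scans constructed Windows-style process-creation (event 4688) and logon (event 4624) records for execution of the remote-access tools named above and for RDP logons. The event layout, host names, users and IP addresses are assumed sample values; the tool list and the approved-host allowlist are assumptions a team would tune to its own environment.

```python
"""Flag living-off-the-land indicators in process-creation and logon records."""

# Remote access / tunnelling tools the advisory names as abused by the actor.
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "ngrok.exe"}
RDP_LOGON_TYPE = 10  # RemoteInteractive logon type in Windows event 4624

# Constructed sample events (not from any real incident). Event IDs follow
# Windows: 4688 = process creation, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "ws01", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"id": 4688, "host": "ws01", "user": "jdoe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 4624, "host": "srv02", "user": "svc_backup",
     "logon_type": 10, "src_ip": "203.0.113.7"},
    {"id": 4624, "host": "srv02", "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.0.5"},
    {"id": 4688, "host": "ws03", "user": "asmith",
     "image": r"C:\Tools\ngrok.exe"},
]


def flag_event(ev, approved_rmm_hosts=frozenset()):
    """Return findings for one event; an empty list means nothing notable.

    approved_rmm_hosts is a hypothetical allowlist of hosts where the IT team
    legitimately runs RMM software, so sanctioned use is not reported.
    """
    findings = []
    if ev["id"] == 4688:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
        if exe in RMM_TOOLS and ev["host"] not in approved_rmm_hosts:
            findings.append(f"RMM/tunnel tool {exe} on {ev['host']} by {ev['user']}")
    elif ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
        findings.append(f"RDP logon to {ev['host']} as {ev['user']} from {ev['src_ip']}")
    return findings


def scan(events, approved_rmm_hosts=frozenset()):
    """Run flag_event over every record and collect the findings in order."""
    out = []
    for ev in events:
        out.extend(flag_event(ev, approved_rmm_hosts))
    return out


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each reported line is a candidate for EDR or SIEM follow-up; an unexplained RMM binary in a user's Temp directory or an RDP logon from outside the expected address ranges is exactly the pattern the advisory's audit guidance is meant to surface.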
Mitigations and best practices outlined in the advisory include application allowlisting to block unauthorized software execution, strict password policies following NIST standards, network segmentation to limit lateral movement, maintaining offline, encrypted backups and regularly testing restoration processes, and training employees against phishing and vishing attacks.
The guide aligns Scattered Spider's tactics with version 17 of the MITRE ATT&CK framework and recommends using CISA’s Decider tool to validate defensive controls against these attack techniques.
This joint advisory provides comprehensive guidance combining detection, prevention, and response strategies to mitigate the sophisticated LOTL tactics employed by Scattered Spider and similar adversaries. It emphasises strong event logging and authentication controls to reduce exposure and operational impact.
In a separate development, another China-linked threat group, Volt Typhoon, has been abusing privately owned routers and exploiting other tools to embed itself inside the networks of various critical infrastructure providers. These techniques are often used by sophisticated state-linked hackers and ransomware groups to conceal threat activity.
The new guide released by CISA, FBI, and the Australian Signals Directorate focuses on detecting sophisticated attacks via privately-owned routers or other tools used by threat groups. Alex Capraro, a cyber intelligence analyst at Reliaquest, stated that the importance of robust event logging and monitoring practices when dealing with LOTL abuse is paramount given the nature of the attack vector.
Event logs are critical for organisations to defend against the rising use of living-off-the-land techniques. A comprehensive event logging strategy can help security teams track threat activity used by sophisticated criminal groups, including Medusa.
- To combat the increasing use of ransomware and other advanced cyber threats, organizations are advised to strengthen their defenses by implementing robust audit and monitoring practices, as suggested in the recent joint advisory by CISA, FBI, and ASD.
- In light of the growing concern over living-off-the-land techniques in data and cloud computing environments, implementing a comprehensive event logging strategy becomes crucial for organizations to detect and track threat activity, as stated by Alex Capraro, a cyber intelligence analyst at Reliaquest.