Detect and Hunt Living off the Land Techniques with Vectra AI

February 28, 2024
Vectra AI

Joint guidance authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and partner agencies including the United Kingdom National Cyber Security Centre (NCSC-UK) was published on February 7th, 2024. The guidance describes common living off the land (LOTL) techniques attributed to state-sponsored threat actors. These techniques have been particularly effective, and the accompanying recommendations should not go unnoticed. The following information highlights how the Vectra AI platform can help you put the detection best practice recommendations into practice and serve as a key component of your LOTL defensive strategy.

LOTL Best Practice Recommendations

Best practice recommendation (#1) underlines the importance of detailed logging aggregated in an out-of-band location. Keeping logs outside the systems an attacker controls mitigates the risk of the attacker modifying or erasing them, and it gives defenders the data needed for behavior analytics, anomaly detection, and proactive hunting. The recommendation also highlights the value of longer log retention, which matters for incident response because LOTL activity is frequently recognized as malicious only long after it occurred.

With a focus on the network, Vectra Recall provides visibility into network traffic by extracting metadata from all packets and storing it out-of-band (in the Vectra cloud) for search and analysis. Every IP-enabled device on the network is identified and tracked, and the retention period is configurable. Captured metadata covers internal (east-west) traffic, internet-bound (north-south) traffic, and virtual infrastructure traffic. This visibility extends to laptops, servers, printers, BYOD and IoT devices across all operating systems and applications, including traffic between virtual workloads in data centers and the cloud, and to SaaS applications.

By providing this comprehensive source of security-enriched network metadata, we aim to give security teams what they need to conduct LOTL incident investigations: network log data that is available in an out-of-band location, separate from the endpoints an attacker may have compromised.

Detection Best Practice Recommendations

Best practice recommendations (#2 and #3) highlight the need to establish and continuously maintain baselines of network, user, administrative, and application activity, and then to compare current activity against those behavioral baselines and alert on specified anomalies. There is a specific emphasis on paying close attention to privileged accounts.

The Vectra AI detection portfolio includes a comprehensive set of detections. Of note are the capabilities focused on baselining the behavior of privileged accounts and surfacing anomalies against the established patterns. Examples of Vectra's Privilege Account Analytics include:

  • A privileged account is used to access a privileged service from a host on which the account has not previously been observed, but from which the host (using other accounts) has been seen accessing the service.
  • An account is used to access a service from a host the account is not usually on and from which the service is not usually accessed, and either the service (and likely the account) has a high privilege score, or the privilege score of the host is suspiciously low compared to the privilege levels of the account and service.
  • A privileged account is used to access a privileged service from a host on which the account has been observed, but from which the host has not been seen accessing the service.
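The three detections above all reduce to the same learned baseline: which hosts each account is normally seen on, which services each host normally reaches, and a privilege score per account, host and service. The following Python example is added here for illustration and is not Vectra's code or its scoring model. It learns that baseline from a constructed set of access events and classifies new events into the three categories. The privilege scores, the HIGH threshold and the LOW_RATIO test are assumptions supplied for the example; a real system derives privilege scores from observed usage over time.

```python
from collections import defaultdict

# Constructed learning-period access events: (account, host, service).
# In a real deployment these would come from observed authentication and
# session metadata (Kerberos, NTLM, RDP, SMB, LDAP) rather than a literal list.
BASELINE_EVENTS = [
    ("dom-admin", "jump-1", "dc01"),
    ("dom-admin", "jump-1", "ldap-01"),
    ("dom-admin", "jump-2", "dc01"),
    ("ws-admin", "jump-1", "dc01"),
    ("svc-backup", "bkp-srv", "fileshare"),
    ("helpdesk", "ws-07", "printsvc"),
    ("alice", "ws-11", "mail"),
    ("alice", "ws-11", "fileshare"),
]

# Constructed privilege scores (1 = low, 10 = high). These are an assumption for the
# example; a real system learns them from how each entity is used over time.
PRIVILEGE = {
    "account": {"dom-admin": 9, "ws-admin": 7, "svc-backup": 6, "helpdesk": 3, "alice": 1},
    "host": {"jump-1": 8, "jump-2": 8, "bkp-srv": 6, "ws-07": 2, "ws-11": 1},
    "service": {"dc01": 10, "ldap-01": 8, "fileshare": 5, "printsvc": 2, "mail": 2},
}
HIGH = 7          # assumed: score at or above which an entity counts as privileged
LOW_RATIO = 0.5   # assumed: host score below this fraction of min(account, service) is "suspiciously low"


def build_baseline(events):
    """Learn which hosts each account is seen on and which services each host reaches."""
    account_hosts = defaultdict(set)
    host_services = defaultdict(set)
    for account, host, service in events:
        account_hosts[account].add(host)
        host_services[host].add(service)
    return dict(account_hosts), dict(host_services)


def privilege(kind, name):
    """Look up a privilege score; entities never seen before default to the lowest score."""
    return PRIVILEGE[kind].get(name, 1)


def detect(event, baseline):
    """Classify one access event against the baseline.

    Returns None when the event fits learned behavior, otherwise the name of the
    anomaly it triggers (mirroring the three privileged-access cases described above).
    """
    account, host, service = event
    account_hosts, host_services = baseline
    acct_p = privilege("account", account)
    host_p = privilege("host", host)
    svc_p = privilege("service", service)
    account_on_host = host in account_hosts.get(account, set())
    host_reaches_service = service in host_services.get(host, set())
    both_privileged = acct_p >= HIGH and svc_p >= HIGH

    if account_on_host and host_reaches_service:
        return None  # both legs of the access match the baseline
    if account_on_host and not host_reaches_service:
        # Known host for the account, but the host has never reached this service.
        return "privileged-account-known-host-new-service" if both_privileged else None
    if not account_on_host and host_reaches_service:
        # The host already reaches the service (via other accounts), but not with this account.
        return "privileged-account-new-host-known-service" if both_privileged else None
    # Neither the account nor the service has been seen from this host.
    host_suspiciously_low = host_p < LOW_RATIO * min(acct_p, svc_p)
    if svc_p >= HIGH or host_suspiciously_low:
        return "unusual-host-unusual-service"
    return None


def triage(events, baseline):
    """Run every event through detect() and keep only the anomalies, for analyst review."""
    flagged = []
    for event in events:
        verdict = detect(event, baseline)
        if verdict:
            flagged.append((event, verdict))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    # Constructed new events: one normal, one per anomaly class, one low-privilege deviation.
    new_events = [
        ("dom-admin", "jump-1", "dc01"),
        ("dom-admin", "jump-2", "ldap-01"),
        ("ws-admin", "jump-2", "dc01"),
        ("dom-admin", "ws-11", "dc01"),
        ("alice", "ws-11", "printsvc"),
    ]
    for event, verdict in triage(new_events, baseline):
        print(f"{event}: {verdict}")
```

The low-privilege deviation (alice reaching a print service from her usual workstation) is deliberately left unflagged: the guidance's emphasis on privileged accounts is what keeps this kind of baseline comparison from drowning in benign novelty, and the same gating is what a host with no history (an unknown laptop touching a domain controller) does not get.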

AI-Driven Prioritization with Vectra AI

The dynamic nature of the modern enterprise makes it very difficult to maintain consistent and effective network security baselines that support detection of malicious LOTL activity. As the guidance notes, distinguishing malicious LOTL activity from legitimate behavior is hard because the malicious activity is a small fraction of a large volume of log data. Security Operations teams can focus on detecting these events, but they often struggle to separate legitimate from malicious behavior because of the sheer number of inbound alerts and the complexity of the environment.

Reducing alert noise by fine-tuning via priority (urgency and severity) and continuously reviewing detections based on trending activity is best practice recommendation (#4). Doing this by hand takes a lot of time and effort for most teams. Vectra AI-driven Prioritization does it programmatically by:

  1. Attributing individual attack behaviors (detections) to an entity (a host and/or an account)
  2. Combining this with additional scoring parameters, including breadth (how many detections are associated with the entity), velocity (how quickly unique detection events are occurring), and attack profile (patterns of attack behavior), to produce an Attack Score
  3. When configured, combining customer input (account group importance) with the Attack Score
  4. Producing a single Urgency score for the entity
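As an added illustration of these four steps (not Vectra's scoring model, whose weights and attack-profile logic this page does not describe), the following Python example groups constructed detections by entity, computes an Attack Score from breadth, velocity and a simple attack-profile proxy, then folds in a customer-supplied group importance to produce an Urgency score per entity. The detection names and phases, the weights, the "distinct kill-chain phases touched" stand-in for attack profile, and the clamp to 100 are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed detections already attributed to an entity (step 1):
# (entity, detection type, attack phase, timestamp). Names and phases are invented.
DETECTIONS = [
    ("dom-admin", "privilege-anomaly", "lateral-movement", "2024-02-20T09:00"),
    ("dom-admin", "internal-port-scan", "reconnaissance", "2024-02-20T09:40"),
    ("dom-admin", "brute-force", "lateral-movement", "2024-02-20T10:05"),
    ("dom-admin", "data-staging-to-external", "exfiltration", "2024-02-20T10:30"),
    ("alice", "beaconing", "command-and-control", "2024-02-10T08:00"),
    ("alice", "beaconing", "command-and-control", "2024-02-18T08:00"),
    ("ws-07", "internal-port-scan", "reconnaissance", "2024-02-19T23:00"),
]

# Customer input (step 3): importance multiplier per account group, and group membership.
# Entities with no configured group get a multiplier of 1.0.
GROUP_IMPORTANCE = {"domain-admins": 2.0, "finance": 1.5}
ENTITY_GROUP = {"dom-admin": "domain-admins", "alice": "finance"}

# Assumed weights for the example; a real product tunes these against observed attacker behavior.
W_BREADTH, W_VELOCITY, W_PROFILE = 10.0, 10.0, 15.0


def attack_score(dets):
    """Step 2: combine breadth, velocity and attack profile into an Attack Score.

    dets: list of (detection type, phase, ISO timestamp) tuples for one entity.
    """
    breadth = len({dtype for dtype, _, _ in dets})          # distinct detection types
    times = sorted(datetime.fromisoformat(ts) for _, _, ts in dets)
    span_hours = max((times[-1] - times[0]).total_seconds() / 3600, 1.0)
    velocity = (len(times) - 1) / span_hours                # additional events per hour; one event => 0
    profile = len({phase for _, phase, _ in dets})          # proxy: kill-chain phases touched
    return W_BREADTH * breadth + W_VELOCITY * velocity + W_PROFILE * profile


def urgency(entity, dets):
    """Steps 3 and 4: scale by group importance (if configured) and clamp to 0-100."""
    importance = GROUP_IMPORTANCE.get(ENTITY_GROUP.get(entity), 1.0)
    return min(100.0, attack_score(dets) * importance)


def prioritize(detections):
    """Group raw detections by entity and return (entity, urgency) sorted most urgent first."""
    per_entity = defaultdict(list)
    for entity, dtype, phase, ts in detections:
        per_entity[entity].append((dtype, phase, ts))
    ranked = [(entity, round(urgency(entity, dets), 2)) for entity, dets in per_entity.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for entity, score in prioritize(DETECTIONS):
        print(f"{score:6.2f}  {entity}")
```

With this input the domain admin account, which accumulates four different detections across three phases in ninety minutes, saturates the scale, while a single port scan from a workstation with no group importance lands at the bottom. The same beaconing detection firing twice over eight days barely moves alice's score, which is the point of weighting velocity and breadth rather than raw alert count.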

This scoring highlights the most critical threats in an actionable, prioritized list, allowing teams to focus on what matters most.

Empower Your Team

Detecting LOTL activity is challenging and requires the multifaceted strategy outlined above. There is no one-size-fits-all approach; each enterprise will need to evaluate the recommendations and tailor them to its existing detection program. It is important, however, to review this guidance and, where possible, implement it with urgency. With these types of attacks increasing, correlating and analyzing these techniques will be an important component of your team's detection and response capabilities.

Interested in learning more about how Vectra AI can assist your team with LOTL defensive strategies?

Book a platform demo with our experts today.