To help defenders counter living off the land (LOTL) techniques, the National Security Agency (NSA) has published a best practice guide for event logging.
The publication details best practices for event logging and threat detection in cloud services, enterprise networks, mobile devices and operational technology (OT) networks, with the aim of ensuring the continued delivery of critical systems.
The document notes that advanced persistent threat (APT) actors are employing LOTL techniques, in which an intruder abuses tools and features already present on the target's systems rather than deploying bespoke malware, in order to avoid detection.
The guide is aimed at senior information technology (IT) and OT decision makers, network administrators and critical infrastructure providers.
The Best Practices for Event Logging and Threat Detection cybersecurity information sheet has been published in cooperation with the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security, the UK's National Cyber Security Centre (NCSC-UK), the Cyber Security Agency of Singapore (CSA) and other international partners.
Four Key Factors to Consider in Logging Best Practices
The guide sets out four key factors to consider when pursuing logging best practices. These are:
Enterprise Approved Logging Policy
Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems.
The NSA and its co-authors recommend that such a policy specify which events are to be logged, the event logging facilities to be used, how event logs will be monitored, how long event logs are retained, and when to reassess which logs are worth collecting.
A logging policy should also account for any shared responsibilities between service providers and the organization, so that it is clear who generates, retains and monitors each log source.
Centralized Log Access and Correlation
The guide's prioritized lists of log sources weigh the likelihood of assets being targeted by malicious actors against the potential impact of their compromise, across enterprise networks, OT, cloud computing and enterprise mobility using mobile computing devices.
In the context of LOTL, enterprise networks provide malicious actors with a variety of native tools to abuse, and the guide lists the log sources organizations should prioritize on their networks. These include critical systems and data holdings, internet-facing services and edge devices.
Secure Storage and Log Integrity
The guide recommends that organizations implement a centralized event logging facility, such as a secured data lake, to enable log aggregation, and then forward selected processed logs to analytic tools such as security information and event management (SIEM) and extended detection and response (XDR) solutions.
Many commercially available network infrastructure devices have limited local storage, the guide notes; once that storage is exhausted the oldest entries are typically overwritten. Forwarding event logs to a centralized and secure storage capability prevents the loss of those logs.
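Forwarding only helps if the collector can trust what arrives. The following is an added illustration (not code from the NSA/ASD guide or any vendor) of one way to give forwarded records integrity protection: each record carries an HMAC tag bound to the tag of the record before it, so the central collector can tell whether a record was altered, reordered or dropped on the way from the device. The device key, the hostname edge-fw01 and the log lines are constructed for the example.

```python
"""Hash-chained log forwarding: an added illustration, not code from the
NSA/ASD guide. Each forwarded record carries an HMAC tag bound to the previous
record's tag, so the central collector can tell whether a record was altered,
reordered or dropped before it arrived. The key, hostname and log lines below
are constructed for the example."""
import hashlib
import hmac

# Constructed per-device forwarding key (hypothetical; provision out of band in practice).
DEVICE_KEY = b"example-edge-fw01-forwarding-key"

# Constructed sample records in the style a network device might emit.
SAMPLE_RECORDS = [
    "2024-08-21T10:00:01Z edge-fw01 config: user admin entered configuration mode",
    "2024-08-21T10:00:07Z edge-fw01 acl: permit tcp any host 10.0.0.5 eq 3389 added",
    "2024-08-21T10:00:09Z edge-fw01 config: user admin saved running-config",
]


def _tag(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag concatenated with the record text."""
    return hmac.new(key, prev_tag + record.encode("utf-8"), hashlib.sha256).digest()


def chain_records(records, key):
    """Device side: return (record, tag_hex) pairs. The genesis 'previous tag'
    is HMAC(key, b'') so the first record is bound to the key as well."""
    prev = hmac.new(key, b"", hashlib.sha256).digest()
    out = []
    for rec in records:
        tag = _tag(key, prev, rec)
        out.append((rec, tag.hex()))
        prev = tag
    return out


def verify_chain(chained, key):
    """Collector side: recompute the chain. Returns -1 if every tag matches,
    otherwise the index of the first record that fails (modified, reordered,
    or preceded by a deleted record)."""
    prev = hmac.new(key, b"", hashlib.sha256).digest()
    for i, (rec, tag_hex) in enumerate(chained):
        expected = _tag(key, prev, rec)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    chained = chain_records(SAMPLE_RECORDS, DEVICE_KEY)
    print("intact:", verify_chain(chained, DEVICE_KEY))             # -1
    edited = list(chained)
    edited[1] = (edited[1][0].replace("3389", "22"), edited[1][1])
    print("edited record 1:", verify_chain(edited, DEVICE_KEY))    # 1
    dropped = chained[:1] + chained[2:]
    print("dropped record 1:", verify_chain(dropped, DEVICE_KEY))  # 1
```

Two caveats a practitioner should keep in mind. A chain alone does not reveal that the newest records were cut off the end, so pair it with a per-device sequence counter or heartbeat that the collector expects to see advance. And a device that is already compromised can emit false records before tagging them; the chain protects the path from emission to collector, which is exactly the segment that the guide's concern about exhausted local storage and secure transport addresses.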
Detection Strategy for Relevant Threats
The guide recommends that organizations consider implementing user and entity behavior analytics (UEBA) capabilities to enable automated detection of behavioral anomalies on networks, devices or accounts.
It notes that such behavioral analytics play a key role in detecting malicious actors employing LOTL techniques: the tools themselves are legitimate, so the signal lies in which account runs them, on which host, and when.
LOTL Case Study: Volt Typhoon
The NSA highlighted the case of Volt Typhoon, a Chinese state-sponsored threat group that uses LOTL techniques to target critical infrastructure.
Volt Typhoon's campaign has been enabled by privately owned small office/home office (SOHO) routers infected with the 'KV Botnet' malware, which the group has used as proxy infrastructure to obscure the origin of its activity.
The NSA's guide highlights that while Volt Typhoon uses LOTL techniques to make detection more difficult, the group's behavior (native administrative tools run by accounts, on hosts or at times where they are not normally used) would be considered abnormal compared to business-as-usual activity, and those deviations can be turned into detection use cases.
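To make the detection strategy and the Volt Typhoon point concrete, here is an added example (not code from the NSA/ASD guide or from any UEBA product) of the simplest form of the idea: learn which processes each (host, account) pair launches during a trusted window, then flag launches that fall outside that baseline, rating them higher when the binary is a native tool commonly abused in LOTL intrusions. The events are constructed JSON lines loosely modeled on Windows Security event 4688 fields; the hosts, accounts, command lines and the watchlist are invented for illustration, with netsh portproxy and ntdsutil chosen because both are native Windows tools described in public Volt Typhoon reporting.

```python
"""Baseline-deviation detection over process-creation events: an added
illustration of the guide's point, not code from the NSA/ASD guide or any
product. The events are constructed JSON lines loosely modeled on Windows
Security event 4688 fields; hosts, accounts and command lines are invented."""
import json
import ntpath
from collections import defaultdict

# Illustrative watchlist of native Windows binaries often abused in LOTL intrusions.
LOLBIN_WATCHLIST = {
    "netsh.exe", "ntdsutil.exe", "wmic.exe", "powershell.exe",
    "certutil.exe", "vssadmin.exe",
}

# Constructed business-as-usual events from a learning window.
BASELINE_LOG = r'''
{"host":"FS01","user":"CORP\\svc-backup","image":"C:\\Windows\\System32\\robocopy.exe","cmdline":"robocopy D:\\shares \\\\bk01\\vault /MIR"}
{"host":"FS01","user":"CORP\\svc-backup","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c backup.bat"}
{"host":"DC01","user":"CORP\\adm-kl","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell Get-ADUser -Filter *"}
{"host":"DC01","user":"CORP\\adm-kl","image":"C:\\Windows\\System32\\mmc.exe","cmdline":"mmc dsa.msc"}
{"host":"WS042","user":"CORP\\jdoe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","cmdline":"OUTLOOK.EXE"}
'''

# Constructed events from a later window, including LOTL-style activity.
LIVE_LOG = r'''
{"host":"FS01","user":"CORP\\svc-backup","image":"C:\\Windows\\System32\\robocopy.exe","cmdline":"robocopy D:\\shares \\\\bk01\\vault /MIR"}
{"host":"DC01","user":"CORP\\adm-kl","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell Get-ADComputer -Filter *"}
{"host":"DC01","user":"CORP\\svc-backup","image":"C:\\Windows\\System32\\ntdsutil.exe","cmdline":"ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\x\" q q"}
{"host":"WS042","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\netsh.exe","cmdline":"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389"}
{"host":"WS042","user":"CORP\\jdoe","image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z a report.zip report.docx"}
'''


def parse_events(text):
    """Parse JSON-lines events, adding the lower-cased image basename as 'proc'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # ntpath handles backslash paths regardless of the OS this runs on.
        ev["proc"] = ntpath.basename(ev["image"]).lower()
        events.append(ev)
    return events


def build_baseline(events):
    """Map (host, account) -> set of processes that pair launched in the learning window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[(ev["host"], ev["user"].lower())].add(ev["proc"])
    return baseline


def detect_anomalies(events, baseline):
    """Flag processes a (host, account) pair has never launched before.
    Severity is 'high' when the binary is on the LOTL watchlist, 'medium' otherwise."""
    findings = []
    for ev in events:
        key = (ev["host"], ev["user"].lower())
        if key not in baseline:
            reason = "account not previously seen on host"
        elif ev["proc"] not in baseline[key]:
            reason = "process not previously run by this account on this host"
        else:
            continue  # business as usual
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "proc": ev["proc"],
            "severity": "high" if ev["proc"] in LOLBIN_WATCHLIST else "medium",
            "reason": reason,
            "cmdline": ev.get("cmdline", ""),
        })
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for f in detect_anomalies(parse_events(LIVE_LOG), baseline):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['proc']}: {f['reason']} :: {f['cmdline']}")
```

Run against the constructed data, the routine is silent on the backup job and on the administrator's PowerShell use on the domain controller (both in the baseline, even though powershell.exe is watchlisted), and raises the backup service account running ntdsutil on the domain controller and a workstation user adding a netsh portproxy as high-severity findings, with the unfamiliar 7-Zip launch as a medium one. The usual caveats apply: a baseline learned while an intruder was already present will normalize their activity, which is one reason the guide's policy advice includes periodically reassessing what is collected; a production UEBA capability scores frequency and time of day rather than treating any first sighting as equal; and command-line content (the ifm and portproxy arguments above) is a higher-fidelity signal worth matching on in its own right.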