Asking AI - How to Defend Against Living off the Land Attacks
For nearly a year now, an ongoing cyber attack campaign called Volt Typhoon has been the subject of high level alerts from federal cybersecurity agencies in the US and its “Five Eyes” partner nations the UK, Canada, Australia and New Zealand.
The attack is notable for geo-political reasons; CISA (the US Cybersecurity and Infrastructure Security Agency) and others have attributed it to a Chinese state-sponsored group that is “pre-positioning itself in critical infrastructure organizations’ networks for disruption or destruction purposes”.
The attack campaign is well-known for using living off the land techniques once a foothold has been established in a target environment. It might be worth taking a moment here to answer this question:
What are living off the land techniques?
I’ve posted about these here before and you can check that post out for more detail, but the shorter version is:
This tactic makes use of the built-in functionality of the operating system (OS) in target environments, and the binaries, scripts, and libraries that are native to the OS. A couple of the biggest advantages of this approach are:
The adversary does not have to install malicious software (malware). This saves effort and makes attack activities much more difficult to detect for many security detection tools.
Native elements of an OS are often ignored / whitelisted within detection tools.
Examples of Native Tools Used for Living off the Land
Here’s a short list of some of the most commonly used native, built-in tools for living off the land in a Windows environment:
PowerShell: a scripting tool that is a core component of the Windows OS
FTP: a file transfer protocol built in to Windows and other operating systems
DNS: the domain name system that translates company network device names and website names to IP addresses to allow traffic to them. DNS is often used to exfiltrate (transfer out) data from a victim’s network.
BITS: Another file transfer service - Microsoft’s Background Intelligent Transfer Service - which will be whitelisted by security tools and allowed through firewalls.
Scheduled Tasks: Another handy and versatile built-in tool that will fly under the radar of many detection tools.
With all that in mind, today’s Asking AI prompt is about how to defend against living off the land attacks. I asked 6 GenAI apps for responses on this this morning: Microsoft Copilot, Inflection’s Pi, Claude 3 Opus (as the model chosen in Perplexity), Mistral Large (as the model chosen within Poe), ChatGPT (GPT-4), and Gemini Pro.
Here is my prompt:
You are a lead on cybersecurity threat hunting and incident response team. Your team knows that “living off the land” techniques have been used successfully in ongoing attack campaigns like Volt Typhoon. Please review the sections on PowerShell, Windows Command Shell, and Windows Management Instrumentation in this 2024 Threat Detection report from Red Canary: https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
Then recommend the 3-4 most effective defensive strategies and/or practices to detect attacks leveraging these tools in living off the land attacks.
As expected, all of the GenAI apps I queried returned at least decent responses. The responses from ChatGPT and Gemini Pro were very short, not my favorites. Claude 3, Mistral, and Pi offered better answers. Copilot was today’s clear winner for me though, perhaps not surprisingly since it is a Microsoft product and the living off the land attack techniques described above make use of tools built into the Microsoft Windows operating system.
Having said that, Copilot’s list of citations (the sources it based its response on) go beyond just Microsoft and include links to MITRE ATTACK, OWASP, Mandiant, the SANS Institute, and other very high quality resources.
Here is Copilot’s response:
To defend against "living off the land" attacks that leverage PowerShell, Windows Command Shell, and Windows Management Instrumentation (WMI), here are the most effective strategies:
**1. PowerShell Execution Policy & Logging:**
- **Enforce Execution Policy:** Set PowerShell execution policies to restrict the execution of scripts to those that are signed by a trusted publisher.
- **Enable Script Block Logging:** This logs the content of all script blocks that PowerShell executes, which can help in forensic analysis and detection of malicious activity.
- **Transcription:** Enable PowerShell transcription to keep a record of all input and output, including any remote sessions.
**2. Constrained Language Mode:**
- Implement Constrained Language Mode to limit the PowerShell environment to a subset of its functionality, reducing the risk of many exploits.
**3. Application Control Policies:**
- Use AppLocker or Windows Defender Application Control to create whitelists of allowed scripts and executables, preventing unauthorized scripts from running.
**4. Monitor & Analyze Command-Line Activity:**
- **Command-Line Auditing:** Use tools like Sysmon to log command-line arguments of PowerShell, cmd.exe, and WMI-based tools. This can help identify suspicious patterns and commands.
- **Anomaly Detection:** Implement solutions that can analyze command-line activity for anomalies, such as unusual script execution or commands that are commonly used in attacks.
**5. WMI Monitoring and Event Logging:**
- **Event ID Monitoring:** Monitor for specific WMI-related event IDs that indicate creation, modification, or deletion of WMI objects and subscriptions.
- **Namespace Security:** Review and tighten the security of WMI namespaces to restrict permissions to necessary users and groups only.
**6. Network Segmentation and Access Controls:**
- Implement network segmentation to limit lateral movement within the network.
- Enforce strict access controls and privilege levels to minimize the potential impact of compromised credentials.
By implementing these strategies, you can significantly enhance your organization's ability to detect and respond to attacks that exploit these built-in Windows tools. It's also crucial to keep all systems updated with the latest security patches and to conduct regular security awareness training for all users. Remember, a proactive and layered approach to security is key to defending against sophisticated cyber threats.
As with all things in cybersecurity, there is no perfect, bullet-proof recipe for defending against attacks, but this guidance could easily serve as a good starting point for reviewing existing security measures and controls in this area and possibly sharpening them.
Two more things …
A hat tip to Terry Underwood - the author of the Learning to Read Substack - for his comment on last weeks Asking AI post that reminded me how useful it is to provide these GenAI apps with context within a prompt.
If any of you are interested in seeing Copilot’s full list of citations for its response, let me know in the comments and I will share those.