News
Comment: ’living off the land’ threat to U.S. critical infrastructure (Five Eyes report)
May 2023 by Toby Lewis, Global head of threat analysis de Darktrace
The latest Five Eyes report, which indicates that a state-sponsored actor from China is using living off the land techniques to attack U.S. critical infrastructure? The comment from Toby Lewis, Global head of Threat Analysis at Darktrace.
This is a great report, highlighting tradecraft that we’re now seeing consistent with a whole range of threat groups regardless of motivation. The prevalent use of so-called ’living off the land’ techniques represents the desire by threat actors to blend in with the background noise of the environments they operate in, without the potentially noisy use of malware and other hacking tools that could be more detectable by traditional Antivirus and approaches using rules and signatures.
The intent is to operate in the noise floor of network monitoring, using tooling that is a) already present and installed by default; and b) often used by the legitimate system administrator teams for their own roles. This makes it incredibly difficult to simply alert on the general existence of the tool, which would clearly trigger through their own IT Operations.
These techniques are designed to evade legacy security tools, which work from a knowledge base of ’known’ bads. Detecting these attacks requires technology like AI that understands your data and the unique profile of how legitimate administrators actually use the tools listed in the report. Only with this unique understanding of user behaviour can organizations identify the subtle signs that a threat actor has their hands on the keyboard rather than the IT team. - Toby Lewis, Global Head of Threat Analysis at Darktrace
