Living off the land in a victim’s network
In January of this year, the directors of the United States Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) appeared before a committee on Capitol Hill. During their testimonies, they attested to the present and growing cyber threat that Chinese state-sponsored cyber attackers, such as Volt Typhoon, pose to U.S. critical national infrastructure (CNI) — primarily communications, energy, transportation systems and water and wastewater systems sectors.
The directors emphasized that Volt Typhoon’s choice of targets and pattern of behavior have not been consistent with traditional cyber espionage or intelligence gathering operations. Rather, U.S. government officials believe that this surreptitious actor is simply pre-positioning itself on CNI IT networks and waiting to exploit that access, moving laterally to OT assets, in order to disrupt critical infrastructure during military conflicts or geopolitical tensions.
Despite sophisticated threat and detection tools, such cyber adversaries have proven that they are able to establish and maintain a presence on a victim’s network for extended periods of time. One CNI organization was said to have been compromised for over five years unbeknownst to the network owner before finally being discovered. So, how can malicious cyber actors remain undetected for so long?
According to a recent U.S. government advisory, one of the primary tactics, techniques, and procedures (TTPs) used by cyber attackers like Volt Typhoon to establish and sustain a clandestine presence in a network is living off the land (LOTL). It is an effective technique built around stealth, which allows the adversary to maintain long-term, undiscovered persistence on a victim network.
LOTL uses built-in network administration tools that enable the attacker to evade detection by blending in with normal system and network activities, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity that is captured in default logging configurations. So, the challenge for the network defender is that many of the behavioral indicators of LOTL can also be legitimate system administration commands that appear in benign activity.
Additionally, many organizations do not implement security and network management best practice capabilities — such as established baselines — that support detection of such malicious LOTL activity. This makes it even harder for network defenders to discern legitimate behavior from malicious behavior.
Volt Typhoon typically targets and gains initial access to a victim’s network through network infrastructure devices, especially internet-connected ones — for example, firewalls and routers. This is why the advisory recommends using tools and technology that help detect anomalies on these devices that could represent an indicator of compromise (IOC).
These devices are targeted because they are the backbone of a network, and they are where threat actors can escalate their privileges and then proliferate across the enterprise. For these devices, any change to their configuration could be representative of malicious activity, and such a change would not necessarily trigger alerts in typical security solutions. But, considering the importance of secure and segmented infrastructure to the overall resilience of the enterprise, all of these changes should be analyzed: first to determine whether they were planned or unplanned — the latter being a potential IOC — and then proactively assessed to determine whether they have introduced new vulnerabilities.
Hardening the network can stop or limit LOTL TTPs
Although it’s critical to detect potential IOCs that could represent the possible presence of an adversary utilizing the LOTL approach, it is equally important to harden and ensure the resilience of the network — both to prevent the adversary from infiltrating in the first place and to also limit their ability to move laterally within the network should they be successful in gaining access. For this reason, additional attention should be focused on network infrastructure appliances.
For hardening these devices against a LOTL TTP, recently published guidance, developed by the U.S. government alongside several other U.S. agencies and international partners, recommends:
- Reviewing current configurations against a known, secure baseline. This can catch IOCs that may not get reverted through regular group policy updates, such as firewall changes, adding/removing users, and privilege escalation.
- Ensuring that device configurations adhere to vendor-provided or industry, sector, or government (e.g., U.S. National Institute of Standards and Technology (NIST)) hardening guidance to reduce the attack surface.
- Properly implementing and managing network segmentation, limiting only allowed traffic to systems and protocols that require access, in accordance with zero trust principles.
Continuous monitoring is key
Assessing network infrastructure intermittently, or worse, sampling a subset of devices, to draw conclusions for the security posture of all devices in the enterprise is a flawed approach. This has been the way that some CNI organizations have assessed their routers, switches and firewalls. But it is simply insufficient for critical infrastructure, which is increasingly being targeted by the most sophisticated cyber attackers, to harden their networks or detect the presence of an adversary in this way.
This is why CNI organizations should adopt technology solutions that continuously monitor for configuration change across all network appliances in the enterprise. Any unplanned changes to device configurations, even if they appear to be benign in nature, could be a sign of compromise and should be reviewed to ensure segmentation fidelity remains as intended. Even better, these solutions should proactively assess any configuration changes against trusted hardening benchmarks to alert to any new vulnerabilities or identify any misconfigurations that could be exploited in the future. Without this continuous and proactive approach to configuration security, threat actors like Volt Typhoon will continue to leverage weaknesses in network infrastructure, use LOTL to blend into normal network activity and reconfigure these devices to enable their proliferation and to strategically preposition themselves for future attacks on U.S. critical national infrastructure.
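The baseline review recommended in the hardening guidance above and the continuous change monitoring described here come down to the same mechanism: diff a device's current configuration against a known-good baseline, classify each drifted line, and treat anything not covered by an approved change as unplanned drift to investigate. The following is an added illustration, not code from the advisory or from any vendor product; the IOS-style configuration text, the regex-to-category rules and the `approved_changes` allowlist are all constructed assumptions.

```python
import difflib
import re
# Constructed baseline: a known-good config in IOS-style syntax (assumed, not from the advisory).
BASELINE = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 5 $PLACEHOLDER_HASH
logging host 10.0.0.5
ip access-list extended OT-INBOUND
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq 502
 deny ip any any
line vty 0 4
 transport input ssh
"""
# Constructed current config pulled later from the same device; several lines have drifted.
CURRENT = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 5 $PLACEHOLDER_HASH
username svc_backup privilege 15 secret 5 $PLACEHOLDER_HASH2
ip access-list extended OT-INBOUND
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq 502
 permit ip any any
 deny ip any any
line vty 0 4
 transport input ssh telnet
"""
# Regex -> category mapping used to triage drifted lines (assumed rules; extend per vendor syntax).
RULES = [
    (r"^username\s+\S+", "account change"),
    (r"^\s*permit ip any any", "segmentation weakened"),
    (r"^logging host", "logging change"),
    (r"^\s*transport input", "management access change"),
]

def config_drift(baseline, current, approved_changes=frozenset()):
    """Diff current against baseline; return (kind, line, category, planned) per changed line."""
    # approved_changes holds exact config lines covered by a change ticket; anything else is unplanned.
    findings = []
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # skip file headers and hunk markers, keep only the +/- lines
        kind = "added" if line[0] == "+" else "removed"
        text = line[1:].strip()
        category = next((c for pat, c in RULES if re.search(pat, text)), "other")
        findings.append((kind, text, category, text in approved_changes))
    return findings

def unplanned(findings):
    """Keep only changes not covered by an approved change, i.e. the candidate IOCs to review."""
    return [f for f in findings if not f[3]]
```

Running `unplanned(config_drift(BASELINE, CURRENT, {"username svc_backup privilege 15 secret 5 $PLACEHOLDER_HASH2"}))` leaves the removed logging destination, the new `permit ip any any` and the telnet enablement as unplanned drift, each of which is the kind of change the advisory says should be reviewed rather than assumed benign.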