Cyber attackers may use sophisticated techniques to camouflage their activity on victims’ networks, the UK’s National Cyber Security Centre (NCSC) says in a warning to UK critical infrastructure operators.
Threat actors have been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection, says the NCSC. This kind of tradecraft, known as ‘living off the land’, allows attackers to operate discreetly: malicious activity blends in with legitimate system and network behaviour, making it difficult to differentiate – even for organisations with more mature security postures.
The NCSC assesses it is likely this type of activity poses a threat to UK critical national infrastructure, so all providers are urged to follow the recommended actions to help detect compromises and mitigate vulnerabilities. See the website of the United States Cybersecurity and Infrastructure Security Agency (CISA) for the new ‘Identifying and Mitigating Living Off The Land’ guidance.
Paul Chichester, NCSC Director of Operations, said: “It is vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems. Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services.
“Organisations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”
Sylvain Cortes, VP Strategy at Hackuity, says: “Critical national infrastructure (CNI) remains a priority target for attackers, but the ‘living off the land’ (LOTL) technique, which the NCSC’s latest joint advisory warns of, seems to be on the rise – attackers can move around a network in a similar way to legitimate users. This type of attack poses a significant threat to UK CNI. The attackers’ aim is simple: to cause maximum disruption whilst flying under the radar of detection.
“I strongly advise organisations to apply the defence principles laid out in the latest guidance by the NCSC to target any malicious activity found on their networks, which suggests protection best practices, such as detailed logging of all activity and machine learning automation to review the logs for anomalies. Prevention is always better than cure, so having vulnerability management in place will help teams identify their specific weaknesses, accelerate targeted remediation, and greatly reduce the chances of an unwelcome visitor lurking in the shadows of their network.”