Detect, Harden, Mitigate Living Off the Land Attacks
mitigate and harden systems against LoTL attacks?
www.thecyphere.com info@thecyphere.com
Detection
Comprehensive and verbose logging
Use centralised logs to proactively hunt for potential threats or vulnerabilities, enabling defenders to stay ahead of adversaries.
Maintain extensive log histories, providing a more comprehensive view of past events and activities.
Prioritise logs and data sources to detect malicious activity.
Default logging configurations may be insufficient; consider enhanced logging capabilities.
Encourage software manufacturers to provide high-quality audit logs without additional charges.
Gain visibility into tool usage within the environment.
For cloud environments:
For Microsoft environments:
Establish Baseline for Network Defense
Apply restrictions to network logins accordingly to reduce noise and provide detailed behaviour insights.
Clearly define the behaviour of privileged accounts, including typical tool usage, executed commands, active timeframes, and device interactions.
Modify network login policies to limit unnecessary access paths based on legitimate activity profiles.
Baseline behavioural sequences of privileged accounts to detect deviations, such as unusual application calls outside typical usage patterns.
Define systems and tools' behaviour bounded by time, hosts, and user accounts.
targets for threat actors due to unnecessary privileges and lack of MFA.
Inventory existing configurations, policies, and software:
    Uninstall unnecessary software to limit tools available to threat actors.
    Utilise EDR tools for this role.
Scrutinise at-risk hosts, such as public-facing servers:
    Threat actors often rely on LOLBins for initial attacks.
Track infrastructure sweeps, open issues, and high-risk items:
    Prioritise efforts proactively.
Establish a baseline for LOLBins and monitor changes:
    Understand attackers' usage patterns.
    Create alerts for deviations and investigate executions.
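The LOLBin baselining described above (tool usage bounded by time, host and account, with alerts on deviations) as an added Python example; this is not code from Cyphere or the original deck. The LOLBin list is a subset of the public LOLBAS catalogue, while the pipe-delimited record format and the sample events are constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime
# Well-known Windows LOLBins (a subset of the LOLBAS catalogue) to baseline.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wmic.exe", "powershell.exe", "bitsadmin.exe", "msiexec.exe"}
ProcEvent = namedtuple("ProcEvent", "ts host user image parent")  # Sysmon EID 1 / 4688-style fields

def parse_event(line):
    # Constructed pipe-delimited export format: ts|host|user|image|parent
    ts, host, user, image, parent = line.strip().split("|")
    return ProcEvent(datetime.fromisoformat(ts), host.lower(), user.lower(),
                     image.lower(), parent.lower())

def build_baseline(lines):
    """Learn who runs which LOLBin, from which parent, on which host, at what hours."""
    known, hours = set(), defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.image in LOLBINS:
            known.add((ev.user, ev.host, ev.image, ev.parent))
            hours[ev.user].add(ev.ts.hour)
    return known, hours

def check(baseline, ev):
    """Return deviation reasons for a LOLBin event; empty list = matches baseline."""
    known, hours = baseline
    if ev.image not in LOLBINS:
        return []
    reasons = []
    if (ev.user, ev.host, ev.image, ev.parent) not in known:
        reasons.append(f"unbaselined user/host/parent combination for {ev.image}")
    if ev.user in hours and ev.ts.hour not in hours[ev.user]:
        reasons.append(f"outside {ev.user}'s baseline active hours")
    return reasons

def hunt(baseline_lines, new_lines):
    """Return [(event, reasons)] for every new event that deviates from the baseline."""
    bl = build_baseline(baseline_lines)
    return [(ev, r) for ev in map(parse_event, new_lines) if (r := check(bl, ev))]

# Constructed sample records (not real telemetry): a learning window, then new events.
BASELINE = [
    "2024-03-04T10:30:00|srv-web01|admin.jane|certutil.exe|cmd.exe",
    "2024-03-05T14:05:00|srv-web01|admin.jane|certutil.exe|cmd.exe",
    "2024-03-05T11:00:00|ws-042|bob|winword.exe|explorer.exe",
]
NEW = [
    "2024-03-06T10:05:00|srv-web01|admin.jane|certutil.exe|cmd.exe",  # matches baseline
    "2024-03-06T02:40:00|srv-web01|admin.jane|certutil.exe|cmd.exe",  # 02:40 is off-hours
    "2024-03-06T11:15:00|ws-042|bob|mshta.exe|winword.exe",           # Word spawning mshta
]
```

Running `hunt(BASELINE, NEW)` flags only the off-hours certutil run and the Word-spawned mshta; the daytime certutil run matches the learned profile and produces no alert.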
Automated Log Review and Hunting
Perform routine checks of PLIST files and macOS scheduled tasks for unauthorised or modified entries in macOS environments.
Conduct regular audits of the Windows Registry for changes to auto-start locations in Windows environments.
Implement file integrity monitoring on auto-start keys and create detections for unusual scheduled tasks.
Monitor for unusual API calls in cloud environments, particularly those involving security group changes and access to sensitive data.
Investigate unusual account behaviour, such as out-of-hours logins and concurrent sign-ins from disparate locations.
Consider leveraging machine learning-based anomaly detection capabilities in the cloud for advanced log analysis.
Focus on detecting irregular API call patterns, unusual cloud storage access, and atypical network traffic.
Disable and issue alerts for the installation and usage of unnecessary remote access tools.
Implement a threat detection maturity model to refine and optimise alerting mechanisms in IDS or SIEM.
Adopt a standardised alert naming convention, incorporating maturity levels and MITRE ATT&CK phases to streamline incident response triage.
User and Entity Behavior Analytics (UEBA)
Hardening
Vendor-specific hardening guidelines
Use CISA's Microsoft 365 security baseline guides for Microsoft cloud infrastructure.
Refer to CISA's Google Workspace security baseline guides for Google cloud infrastructure.
Minimise running services and apply least privilege principles for universal hardening.
Secure critical assets with vendor-specific hardening measures.
Avoid caching credentials on remote hosts when using administrative tools.
Application allowlisting
Network segmentation
Implement MFA
Mitigation
Do the due diligence
Limit defensive configuration exposure
When there are no executables or viruses to identify, many security packages give the green light. Because no trace is left behind by these fileless hazards, organisations must regularly monitor and perform threat-hunting exercises.