A Lacework perspective on recent CISA guidance on “Identifying and Mitigating Living Off the Land Techniques”

On February 7, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with U.S. government agencies and Australian, New Zealand, Canadian, UK security agencies, released joint guidance for security practitioners. The guidance focuses on addressing nation-state threats, and particularly, persistent threats that utilize living off the land (LOTL) techniques to invade and persist for extended periods within networks and cloud environments.

Why are both persistent threats and risk important?

The CISA joint guidance highlights the importance of addressing both potential risks and active threats within your environment. It also underscores the criticality of quick detection and remediation of threat actors operating discretely and masking their actions under normal network activities and components. While some security vendors focus primarily on risks (e.g. cloud security posture management [CSPM] vendors), we believe that risks alone provide an incomplete picture. Only when risk data (showing what could be exploited) is combined and enriched with threat data (showing what is actually occurring in your environment) can the full picture come into focus, enabling rapid prioritization and remediation of the key threats attacking your environment.

In security, time is your biggest enemy, as it takes 241 days1 on average to detect and contain a breach but just 5 hours for an attacker to exfiltrate data. This presents an almost Herculean task to security practitioners attempting to sort the true threats from an avalanche of alert noise and false positives. 

In particular, LOTL techniques utilize the target estate’s already existent administration tools to ensure persistence. As the advisory notes, care must be taken not to assume that the activity detected is malicious. So detection, even pervasive detection, often isn’t enough to determine if you are affected. The joint agencies point out that you must further investigate, or find other connected indicators of compromise to confirm intent. This is an exceptionally difficult problem in today’s dynamic cloud deployments. 

What does the CISA joint guide say about persistent threats?

The joint guide “focuses on how to mitigate identified gaps and to detect and hunt for LOTL activity”2 and in particular cyber threat actors “leveraging LOTL techniques to compromise and maintain persistent access to critical infrastructure organizations” who “conduct their operations discreetly as they can camouflage activity with typical system and network behavior, potentially circumventing basic endpoint security capabilities.” 

What problems do LOTL techniques pose for security practitioners?

One of the most insidious aspects of LOTL techniques is the ability for malicious actors to camouflage themselves among normal network activity, making it very difficult to detect them using normal threat hunting techniques. The joint guide describes3 use of LOTL techniques “to blend in with normal system activities and operate discreetly with a lower likelihood of being detected.” While other security vendors may provide threat detection tools, such tools often cause a deluge of signals and alerts, drowning the security team in false positives or low priority noise. This makes it very difficult to find the ‘needle in the haystack’ under all this noise, and frequently causes burnout and stress to security operations teams.

Now that we have described the problem, let’s look at the CISA joint guide recommendations and how Lacework can help.

What best practices does the CISA joint guide recommend?

The CISA joint guide recommends the following best practices4:

“Detection Best Practices:

  1. Implement detailed logging and aggregate logs in an out-of-band, centralized location that is write-once, read-many to avoid the risk of attackers modifying or erasing logs.

  2. Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.

  3. Build or acquire automation (such as machine learning models) to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.

  4. Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.

  5. Leverage user and entity behavior analytics (UEBA).”

How can Lacework help?

Lacework was founded from day one to address this problem by using the power of data and behavioral analytics to rapidly identify both risks and anomalous threats in your environment, along with full context to quickly prioritize remedial action. This enables security practitioners to focus on activities with the greatest security impact while ignoring distracting false positives. 

Lacework pioneered lightweight agent-based data logging to the cloud, to both allow centralized behavioral analytics and anomaly detection and also secure the logs from attack. The Lacework platform observes an enormous amount of network, workload, and runtime data and uses this to power advanced machine learning techniques to observe what is normal network activity and generate a baseline. From that point, Lacework can rapidly identify anomalous patterns of activity.  

Lacework is further able to provide value in a secure by design and private by design manner by keeping your private data secure within your own environment. Other security vendors, by default, use a “snapshot and shift” model, which can copy your data into their cloud environment. That approach puts your data at risk, or provides expensive outpost kludges with overly-broad permissions. Lacework designed our analytics to be private by design and secure by design from the get-go, respecting your privacy and confidentiality.

In addition, Lacework utilizes advanced composite alerts to piece together small breadcrumbs of data across your entire environment into high-fidelity composite alerts which provide an early warning system for intruders in your environment. This approach can help identify attackers while they are still in the early discovery phase and before causing significant harm or data exfiltration from your environment. By combining risk data (cloud posture) with threat data (workload analysis) to provide enriched context, Lacework equips security practitioners with a clear understanding of the blast radius of a potential threat or attack, which is critical in prioritizing investigations and responding quickly to what is happening.

Silos provide cover for threats

Threat actors understand that siloed security tools provide them with opportunities to remain hidden and the cover to persist for extended periods. Often data from each security tool cannot be analyzed in full context, which makes it difficult to act upon. Attempting to stitch data together from different solutions to gain the necessary visibility is increasingly difficult and creates gaps from trying to normalize data from these different tools.  This results in slow response times, partial visibility, and no prioritized roadmap of which risks and threats are most important within your environment.

Effective security requires a unified approach

To address the silo problem, the Lacework platform uses both risk and threat data, each contextually enhanced by the other, to provide a precise, actionable view of the top threats in your environment. This enables you to rapidly focus on prioritized issues and quickly mitigate threat actors before they can cause damage. No more drowning under log events and alerts, no wasted time on false positives, and much less stress and burnout on your team. One of our customers was able to leverage our real time application insights to deprioritize 99% of their critical vulnerabilities, allowing them to focus on those that would actually reduce their risk posture and showing the power of risk informed by threat context. Another customer was able to reduce by an order of magnitude the time they spend on configuring and analyzing alerts. That is the power of the platform, and clearly demonstrates why a unified approach beats point solutions.

In line with recommendations5 from the CISA joint report, Lacework provides 90 or up to 180 days of data, enabling you to review historical activities and baselines in your system to pinpoint exactly what happened when. This is particularly important for companies impacted by an attack who may need to file regulatory reports (e.g. SEC materiality filings in the U.S., or Network and Information Security (NIS2) and Digital Operational Resilience Act (DORA) in the EU when they come into force), as Lacework provides the context, history, and documentation to bolster such a regulatory filing, or a decision not to file, in a clear and understandable manner. Also in line with recommendations6, Lacework baselines the normal behavior of networks, privileged accounts, and automated tools and systems, thus rapidly flagging anomalous behavior which deviates from norms, even very early in an attack. By using the power of data, machine learning, and composite alerts7, the Lacework platform provides precisely what the CISA joint guide recommends, allowing you to focus on the highest risks and reduce alert noise8. Lacework utilizes both an alert maturity model9 and the MITRE ATT&CK framework to enable fast incident response and prioritization. 

Detect and minimize the impact of compromised credentials

Lacework cloud identity entitlement management (CIEM) enables you to utilize user and entity behavior analytics10 to quickly detect the use of compromised credentials, immediately see the potential impact of the attack, rapidly respond, and reduce the risk of future attacks. Lacework captures and analyzes every behavior and event associated with each user or machine identity within your cloud. We automatically correlate these signals together to understand their relationship and to identify active threats within your environment. Lacework correlates anomalous activities like impossible travel, infrastructure discovery and account manipulation, and we automatically combine these active threats together to determine (with high confidence) that a threat actor is inside your cloud and using compromised credentials.

How does Lacework do all this?

Lacework is an innovation leader in the cloud security space, with over 200 patents and pending applications on our groundbreaking technology. In addition to our groundbreaking anomaly detection technology, we are investing heavily in generative artificial intelligence (GenAI) for cybersecurity and we provide the market-leading Lacework AI Assist GenAI assistant to empower security teams to rapidly query their environment, understand alerts, receive recommendations on remediation, and level-up their cloud security team’s knowledge and capabilities. And we are only just getting started!

Want to learn more?

If you want to learn more about how Lacework can help you meet and exceed the CISA joint guidance and also address SEC materiality reporting (U.S.) and NIS2/DORA (E.U.), please reach out to us and watch a demo. We would love to hear from you and help you better secure your cloud.

 

1 Source: Edgescan: 2023 Vulnerability Statistics Report, IBM: 2023 Cost of a Data Breach, 2023 Global Cloud Threat Report, SANS: 2022 Ethical Hacking Survey

2 CISA Joint Guide, Page 2, Summary

3 CISA Joint Guide, Page 6, Living Off the Land

4 CISA Joint Guide, Page 3, Detection Best Practices

5 CISA Joint Guide, Page 11, Best Practice Recommendations, Detection, header “1. Implement comprehensive (i.e., large coverage) and verbose (i.e., detailed) logging”

6 CISA Joint Guide, Page 12, Best Practice Recommendations, Detection, header  “2. Establish and continuously maintain a baseline of installed tools and software, account behavior, and network traffic”

7 CISA Joint Guide, Page 14, Best Practice Recommendations, Detection, header  “3. Use automation to continually review all logs and increase the efficiency of hunting activities” and “3.e Consider leveraging machine learning based anomaly detection capabilities within cloud provider security services for enhanced log analysis”

8 CISA Joint Guide, Page 15, Best Practice Recommendations, Detection, header  “4. Reduce Alert Noise”

9 CISA Joint Guide, Page 15, Best Practice Recommendations, Detection, header  “4.d Consider implementing a threat detection maturity model”

10 CISA Joint Guide, Page 15, Best Practice Recommendations, Detection, header  “5. Leverage user and entity behavior analytics (UEBA)”