Share this article on:
Living-off-the-land tactics pose new threats to businesses because they fly under the radar, but there are ways to combat them.
Ahead of the Australian Cyber Security Summit 2024, 7 Rules Cyber founder and CISO Chirag Joshi said groups like Volt Typhoon – which is believed to be a Chinese state-sponsored hacking campaign targeting American critical infrastructure – intend to remain undetected for as long as possible until they are required to spring into action in case of a conflict.
“The National Security Agency in America and other government agencies think state actors like these are low and slow, and they live off the land,” Joshi said.
“They don’t try to make a lot of noise initially.”
Joshi spoke to Cyber Daily ahead of his panel session at the summit, where he and other speakers will unpack how threat actors are targeting operation technology (OT) systems. He will detail how organisations could build customised cyber security strategies for OT and IT systems while implementing risk mitigation techniques to protect valuable hardware.
Living-off-the-land techniques are particularly dangerous because nation-state attackers and cyber criminals circumvent traditional security capabilities.
Instead, they leverage trusted, legitimate applications, scripts, and commands that are native to the target operational technology (OT) systems (rather than using custom-built malware that can be easily detected by traditional antivirus software).
The main vector for exploiting vulnerabilities include public-facing network appliances such as routers, firewalls, and other edge devices.
“This means you can’t just rely on signatures of malware or similar activity to protect yourself,” Joshi said.
“Businesses must have a very strong understanding of their system configurations and what constitutes good baseline behaviour. They need to identify what is normal behaviour for their systems and applications.”
Moreover, Chirag continued, state actors typically engage in privilege escalation to gain unauthorised, higher-level access within a security system by exploiting vulnerabilities to access a system with limited privileges.
They also engage in lateral movement to spread from an entry point to the rest of the network in a business.
“State actors might start with an IT environment compromise and move into the OT and critical infrastructure side of the house,” Joshi said.
“To combat this, businesses need to have good network segmentation so they can detect and restrict some of this movement. The last thing you want is a flat network that has very little monitoring between the IT and OT environments.
“Privileged access management and knowing where privileged credentials are leveraged are also important. In the past, organisations worried about north-south or things that came into their environment from the outside. But they didn’t give much thought to east-west, which is when someone is already within your environment. Are you monitoring it to ensure you can mitigate and address that?”
Effective network segmentation requires organisations to ensure that critical systems that are connected to their OT systems have a specific set of access permissions, with Joshi advising against exposing them to the internet to deter threat actors.
“Business leaders need to have ongoing discussions with their IT teams. Don’t work in silos,” Joshi said.
While segmenting every section of the network is impossible, Joshi told organisations to select their most valuable assets – or their crown jewels – and place them in a separate segment.
In addition, because living-off-the-land techniques rely on organisations having turned on multiple features and protocols, Joshi recommended disabling features they do not use.
“Robust configuration management could drive some of these outcomes,” he said.
Joshi concluded by urging organisations to appreciate that different strategies are required to secure an OT system compared to an IT system and understand what is entailed in robust, defensible cyber security programs that can meet the expectations of the community.
To hear more from Chirag Joshi on how businesses can protect their critical infrastructure against threat actors, come along to the Australian Cyber Security Summit 2024.
It will be held on Thursday, 20 June 2024, at the National Convention Centre, Canberra.
Click here to buy tickets and don’t miss out!
For more information, including agenda and speakers, click here.
This summit is produced by Captivate Events. If you need help planning your next event, email director Jim Hall at [email protected].