Rediscover the Power of Network-Based Intrusion Detection
A Superior Approach to Identifying Living-Off-The-Land Attacks like Volt Typhoon
In the realm of cybersecurity, where threats continue to evolve and become more sophisticated, organisations must arm themselves with robust defences to protect their sensitive data and systems. Living-off-the-land attacks, such as the recent Volt Typhoon attack, pose significant challenges to traditional security measures. In this blog post, we will delve into the advantages of network-based intrusion detection over endpoint detection and response (EDR) in identifying and mitigating living-off-the-land attacks.
Understanding Living-Off-The-Land Attacks
A living-off-the-land attack is a stealthy and evasive technique employed by cybercriminals to carry out malicious activities using legitimate tools and processes already present on a victim’s system. Instead of relying on sophisticated malware or external tools, attackers exploit trusted applications, operating system functionalities, and network protocols to evade detection and blend in with normal user and system behaviour.
The term “living-off-the-land” refers to the attacker’s ability to utilise existing resources within the victim’s environment, making it harder for traditional security measures to detect and mitigate the attack. By leveraging trusted tools and processes, attackers can fly under the radar, bypassing security controls and appearing as legitimate users or system processes.
Living-off-the-land attacks typically involve the use of built-in scripting languages, administrative utilities, or management frameworks that are commonly found in operating systems or widely deployed software. By using these tools, attackers can execute commands, perform lateral movement, gain unauthorised access, and exfiltrate sensitive data without triggering suspicion.
The primary objective of living-off-the-land attacks is to minimise the need for attackers to introduce new or malicious code, reducing the chances of detection by antivirus software or endpoint protection solutions. Instead, they manipulate existing tools and infrastructure, making it difficult for traditional security solutions to differentiate between legitimate and malicious activities.
A Little About Volt Typhoon
Microsoft recently uncovered a stealthy campaign carried out by Volt Typhoon, a state-sponsored actor based in China. Although only recently made public, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States.
Volt Typhoon puts a strong emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. The actor issues commands via the command line to collect data, including credentials from local and network systems. Once collected, the data is put into an archive file to stage it for exfiltration, and the stolen valid credentials are then used to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls and VPN hardware. The actor has also been observed using custom versions of open-source tools to establish a command and control (C2) channel over a proxy to stay further under the radar.
Endpoint Detection and Response (EDR) Limitations
The effectiveness of living-off-the-land attacks lies in their ability to blend in with legitimate activity, making them challenging to detect using traditional signature-based or behaviour-based endpoint security solutions. Defending against such attacks requires a combination of network monitoring, anomaly detection, behaviour analysis and threat intelligence to identify suspicious patterns and deviations from normal system and network behaviour.
EDR solutions primarily focus on monitoring and protecting individual endpoints or devices within a network. While EDR plays a crucial role in defending against various threats, it possesses inherent limitations when it comes to living-off-the-land attacks.
In relation to Volt Typhoon specifically, the Joint Cybersecurity Advisory recently issued by the Five Eyes security agencies, which include the United States National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), as well as agencies from Australia, Canada, New Zealand and the UK, highlights the shortcomings of EDR for dealing with living-off-the-land attacks:
‘[The use of living-off-the-land techniques] allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations.’
In addition to the fact that attacks such as Volt Typhoon appear as normal system and network activity, there are other reasons why network-based intrusion detection should be considered a critical element when dealing with living-off-the-land attacks:
- Comprehensive Visibility: Network-based intrusion detection provides a broader scope of visibility, as it monitors network traffic and analyses communication patterns across multiple endpoints. This enables security teams to detect malicious activities, such as lateral movement and data exfiltration, that might go unnoticed at the endpoint level. Because much of this traffic is encrypted, the detection relies largely on flow metadata (which hosts talk to which, on what ports, how often and how much) rather than on payload inspection, and that metadata is exactly what a living-off-the-land actor cannot hide.
- Proactive Threat Identification: Network-based solutions are well placed to detect anomalies and patterns of malicious behaviour in near real time. By analysing network traffic against a learned baseline, suspicious activities associated with living-off-the-land attacks can be identified early on, minimising the dwell time of the attackers.
- Contextual Analysis: Network-based intrusion detection allows for a comprehensive analysis of network traffic, including the source, destination and content of the communication. This contextual awareness provides valuable insights into the attacker’s tactics, techniques and procedures (TTPs), facilitating proactive response and threat hunting.
- Scalability: EDR solutions require agents to be installed on every endpoint, which can be a daunting task for large-scale networks. Network-based intrusion detection, on the other hand, operates at the network level; coverage then depends on where sensors or taps are placed rather than on how many devices exist, with no individual endpoint installations required.
- Attack Chain Mapping: Network-based intrusion detection offers the ability to map the entire attack chain, allowing security teams to identify and block malicious activities at various stages. By analysing network traffic patterns, anomalies and known attack signatures, organizations can thwart living-off-the-land attacks before they cause significant damage.
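As an added illustration of the attack-chain mapping described above (this is example code written for this post, not Byte25’s product logic or anything published by Microsoft or the advisory), the script below joins two signals that are visible in network flow records alone: an internal host fanning out to several other internal hosts on Windows administrative ports, and the same host later pushing a large volume to an external address, which is the collect, stage and exfiltrate sequence attributed to Volt Typhoon earlier. The hosts, ports, thresholds and flow records are constructed for the example; the thresholds in particular are assumptions to be tuned against a real baseline.

```python
# Added example (not Byte25's or Microsoft's code): map a Volt Typhoon-style
# chain, internal fan-out on admin ports followed by a large outbound push,
# from network flow records alone. Hosts, ports, thresholds and the flow
# records below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports used by the built-in Windows remote-admin tooling LotL actors lean on.
ADMIN_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# Assumed thresholds; tune against the environment's own baseline.
LATERAL_MIN_TARGETS = 3        # distinct internal hosts reached on admin ports
EXFIL_MIN_BYTES = 50_000_000   # one outbound flow of at least 50 MB


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def lateral_movement(flows):
    """Return {src: (first_ts, {internal hosts})} for sources that reached at
    least LATERAL_MIN_TARGETS distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    first_seen = {}
    for f in sorted(flows, key=lambda flow: flow.ts):
        if (f.dport in ADMIN_PORTS and is_internal(f.src)
                and is_internal(f.dst) and f.src != f.dst):
            targets[f.src].add(f.dst)
            first_seen.setdefault(f.src, f.ts)
    return {src: (first_seen[src], hosts)
            for src, hosts in targets.items() if len(hosts) >= LATERAL_MIN_TARGETS}


def exfil_candidates(flows):
    """Large single flows from an internal host to an external address."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and f.bytes_out >= EXFIL_MIN_BYTES]


def attack_chains(flows):
    """Join the two signals: a host that fanned out internally and then
    pushed a large volume outbound. Fan-out alone (e.g. a jump host) or a
    big upload alone (e.g. a backup) does not produce a finding."""
    lateral = lateral_movement(flows)
    chains = []
    for f in exfil_candidates(flows):
        if f.src in lateral and f.ts >= lateral[f.src][0]:
            first_ts, hosts = lateral[f.src]
            chains.append({
                "host": f.src,
                "lateral_targets": sorted(hosts),
                "lateral_started": first_ts,
                "exfil_dst": f.dst,
                "exfil_port": f.dport,
                "exfil_bytes": f.bytes_out,
            })
    return chains


# Constructed flow records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external addresses.
SAMPLE_FLOWS = [
    # Normal activity: a workstation using the file server and browsing.
    Flow(900, "10.0.1.30", "10.0.1.5", 445, 40_000),
    Flow(950, "10.0.1.30", "198.51.100.10", 443, 2_000_000),
    # Legitimate admin jump host fanning out over RDP but never uploading.
    Flow(980, "10.0.9.1", "10.0.1.5", 3389, 300_000),
    Flow(985, "10.0.9.1", "10.0.1.6", 3389, 280_000),
    Flow(990, "10.0.9.1", "10.0.2.7", 3389, 310_000),
    # Compromised workstation: credential harvesting over SMB/RDP/WinRM ...
    Flow(1000, "10.0.1.20", "10.0.1.5", 445, 120_000),
    Flow(1010, "10.0.1.20", "10.0.1.6", 445, 95_000),
    Flow(1050, "10.0.1.20", "10.0.2.7", 3389, 260_000),
    Flow(1080, "10.0.1.20", "10.0.2.9", 5985, 70_000),
    # ... then the staged archive leaves over 443 to an external address.
    Flow(2000, "10.0.1.20", "203.0.113.45", 443, 120_000_000),
]

if __name__ == "__main__":
    for chain in attack_chains(SAMPLE_FLOWS):
        print(chain)
```

Run on the constructed records, only 10.0.1.20 is reported: the jump host 10.0.9.1 fans out just as widely but never uploads, and the browsing workstation uploads but never fans out, so neither becomes a finding on its own. Note that nothing in this logic depends on seeing inside the encrypted 443 session; the chain is visible from addresses, ports, timing and byte counts. In practice the external destination would also be enriched with ASN or geolocation data, which is how the routing through compromised SOHO equipment described above tends to surface: a large corporate upload landing at a residential broadband address.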
As cyber threats continue to evolve, organizations must adopt advanced security strategies to combat sophisticated attacks like Volt Typhoon. While EDR solutions are indispensable for endpoint protection, they possess inherent limitations when it comes to detecting living-off-the-land attacks. Network-based intrusion detection stands out as a superior approach for this class of attack, providing comprehensive visibility, proactive threat identification, contextual analysis, scalability and the ability to map the attack chain. By embracing network-based intrusion detection alongside their existing endpoint controls, organizations can fortify their defences against living-off-the-land attacks and enhance their overall cybersecurity posture.
Network-based intrusion detection is an integral part of the Byte25 solution, which also includes network performance monitoring, application experience and endpoint performance monitoring, and WiFi monitoring.
This keeps your customers’ networks performing and secure. More importantly, the Byte25 solution allows you to generate additional revenue streams through the implementation of network monitoring and cyber security services without having to invest in additional specialist headcount or outsource to third-party MSSPs.
Talk to Byte25 today to see how the Byte25 solution can help to develop new revenue streams for your MSP.