NCSC Warns Of ‘Living Off The Land’ Attacks Against Critical Infrastructure

Tom Jowitt,
Linkedin
Computer code on a screen with a skull representing a computer virus / malware attack.

“Living off the land” attacks, where hackers are camouflaged within internal networks, pose national security risk for critical infrastructure

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, has alongside its partner agencies in the ‘Five Eyes’ alliance, warned of the national security risk to critical infrastructure from a new attack vector.

The NCSC and its partners issued the fresh warning that state-sponsored cyber attackers are exploiting ‘living off the land’ techniques in order to hide on critical infrastructure networks. They also offered advice on how to detect and mitigate this malicious activity.

‘Living off the land’ is a kind of cyber tradecraft that allows hackers to operate discreetly, with malicious activity, by blending in with legitimate system and network behaviour, thus making it difficult to differentiate – even by organisations with robust security postures.

The NCSC's headquarters in Victoria. NCSC, security
The NCSC’s headquarters in Victoria. NCSC

Critical infrastructure

Essentially, the hackers are utilising sophisticated techniques to camouflage their activity on victims’ networks, by taking advantage of a victims own internal tools and processes built into computer systems, so as to gain persistent access and avoid detection.

The NCSC said that it assesses it is likely this type of activity poses a threat to UK critical national infrastructure – NCSC has repeatedly warned about the threat to the UK’s critical infrastructure.

The agency urged all infrastructure providers to follow the recommended actions to help detect compromises and mitigate vulnerabilities.

The new ‘Identifying and Mitigating Living Off The Land’ guidance on the CISA website, stated that state-sponsored and state-sponsored actors from Russia and China are among the attackers that have been observed living off the land on compromised critical infrastructure networks, the UK cyber guardian has warned.

Meanwhile, a separate advisory shares specific details about China state-sponsored actor Volt Typhoon which has been observed using living off the land techniques to compromise US critical infrastructure systems.

Last month it emerged the US government had launched an operation late last year to fight a Chinese state-sponsored hacking botnet (Volt Typhoon) aimed at disrupting US military communications.

“In this new dangerous and volatile world where the frontline is increasingly online, we must protect and future proof our systems,” said the Deputy Prime Minister Oliver Dowden about the latest NCSC warning.

“Earlier this week, I announced an independent review to look at cyber security as an enabler to build trust, resilience and unleash growth across the UK economy,” said Dowden. “By driving up the resilience of our critical infrastructure across the UK we will defend ourselves from cyber attackers that would do us harm.”

Operator warning

The NCSC Director of Operations, Paul Chichester, had a blunt message for operators of critical infrastructure in the UK to heed this warning.

“It is vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems,” said Chichester. “Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services.

“Organisations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks,” said Chichester.

The ‘Identifying and Mitigating Living Off The Land’ guidance provides priority recommendations, which include:

  • Implementing logging and aggregate logs in an out-of-band, centralised location
  • Establishing a baseline of network, user and application activity and use automation to continually review all logs and compare activity
  • Reducing alert noise
  • Implementing application allow listing
  • Enhancing network segmentation and monitoring
  • Implementing authentication controls
  • Leveraging user and entity behaviour analytics (UEBA)

White whale status

Mark Jow, EMEA technical evangelist at cyber security specialist Gigamon, warned that to state-sponsored hackers, critical infrastructure operators are a top tier status target.

“In general, nation-critical organisations have an almost ‘white whale’ status within the cybercriminal community: not only do hostile actors benefit directly from a breach, they also succeed in undermining the security posture of the United Kingdom as a whole,” said Gigamon’s Jow.

“Organisations with this greater risk potential should therefore have the processes and tools in place to identify any suspicious activity,” said Jow. “The longer a bad actor can hide in any organisation’s networks, the more damage they can do, but maintaining visibility over complex networks – especially those with legacy technologies – is an ongoing challenge.”

“As organisations migrate more and more workloads to the cloud, the security stack is struggling to keep up,” said Jow. “In today’s climate, organisations must shift towards a more proactive security mindset, informed by real-time, network-level intelligence that can track normal and suspicious activity, even in encrypted traffic.”

“The ability to identify behavioural anomalies in an organisation’s data is vital to spotting potential breaches and ensuring threat actors can’t go months or years inside an IT environment without anyone noticing,” Jow concluded.