Brian Sims
Editor

Threat actors using built-in tools to hide on CNI cyber networks

THE UK and its allies have issued a fresh warning to Critical National Infrastructure (CNI) operators concerning the threat posed by cyber attackers using sophisticated techniques to camouflage their activity on victims’ networks. The National Cyber Security Centre (NCSC) and agencies in the US, Australia, Canada and New Zealand have detailed how threat actors have been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection.

This kind of tradecraft, known as ‘living off the land’, allows attackers to operate discreetly. Malicious activity blends in with legitimate system and network behaviour, in turn making it difficult to differentiate, even for those organisations with more mature security postures.

The NCSC assesses it’s likely this type of activity poses a threat to UK CNI. That being so, all providers are urged to follow the recommended actions in order to help detect compromises and mitigate vulnerabilities.

The new ‘Identifying and Mitigating Living Off The Land’ guidance warns that China state-sponsored and Russia state-sponsored actors are among the attackers that have been observed ‘living off the land’ on compromised critical infrastructure networks.

Meanwhile, a separate advisory shares specific details about China state-sponsored actor Volt Typhoon, which has been observed using ‘living off the land’ techniques to compromise US critical infrastructure systems.

Building trust and resilience

Deputy Prime Minister Oliver Dowden said: “In this new dangerous and volatile world where the front line is increasingly online, we must protect and future-proof our systems. We’ve announced an independent review to look at cyber security as an enabler to build trust and resilience and unleash growth across the UK economy. By driving up the resilience of our critical infrastructure across the UK, we will defend ourselves from cyber attackers that would do us harm.”

Paul Chichester, director of operations at the NCSC, added: “It’s vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems. Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services.”

Chichester continued: “Organisations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”

Update on warning

The new advisory and joint guidance provide an update to a warning issued last May about China state-sponsored activity seen against critical infrastructure networks in the US that could be used against networks worldwide.

They include the latest advice to help network defenders identify ‘living off the land’ activity and mitigate – and remediate – if a compromise is detected.

While organisations should ensure they adopt a ‘defence-in-depth’ approach as part of cyber security best practice, the Government guidance provides priority recommendations, which include:

* implementing logging and aggregating logs in an out-of-band, centralised location

* establishing a baseline of network, user and application activity, and using automation to continually review all logs and compare activity against that baseline

* reducing alert noise

* implementing application allow listing

* enhancing network segmentation and monitoring

* implementing authentication controls

* leveraging user and entity behaviour analytics
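The baselining recommendation above is what makes ‘living off the land’ activity visible: a built-in tool is not suspicious in itself, but a built-in tool appearing in a host/user context where it has never run before is. The following is an added example (not code from the NCSC or the guidance) of that comparison over a constructed process-execution log; the log format, the watched-tool list and the host and user names are all assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
# "<timestamp> host=<host> user=<user> proc=<image> cmd=<arguments>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) cmd=(?P<cmd>.*)$"
)

# Native tools worth baselining because attackers reuse them (assumed watch list).
WATCHED = {"powershell.exe", "wmic.exe", "net.exe", "netsh.exe", "certutil.exe"}

# Constructed known-good window used to learn the baseline.
BASELINE_LOG = """\
2024-02-01T08:01:00 host=srv01 user=svc_backup proc=powershell.exe cmd=-File backup.ps1
2024-02-01T08:05:00 host=srv01 user=admin proc=net.exe cmd=use
2024-02-01T09:00:00 host=ws07 user=alice proc=notepad.exe cmd=notes.txt
2024-02-02T08:01:00 host=srv01 user=svc_backup proc=powershell.exe cmd=-File backup.ps1
"""

# Constructed later window to review against the baseline.
NEW_LOG = """\
2024-02-03T08:01:00 host=srv01 user=svc_backup proc=powershell.exe cmd=-File backup.ps1
2024-02-03T11:42:00 host=ws07 user=alice proc=netsh.exe cmd=interface show interface
2024-02-03T11:43:00 host=srv01 user=admin proc=wmic.exe cmd=os get caption
2024-02-03T12:00:00 host=ws07 user=alice proc=notepad.exe cmd=notes.txt
"""

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def build_baseline(events):
    """Map (host, user) -> set of watched tools seen running in that context."""
    baseline = defaultdict(set)
    for e in events:
        if e["proc"].lower() in WATCHED:
            baseline[(e["host"], e["user"])].add(e["proc"].lower())
    return baseline

def find_deviations(baseline, events):
    """Return events where a watched tool runs in a (host, user) context absent from the baseline."""
    return [e for e in events
            if e["proc"].lower() in WATCHED
            and e["proc"].lower() not in baseline.get((e["host"], e["user"]), set())]

DEVIATIONS = find_deviations(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))

if __name__ == "__main__":
    for d in DEVIATIONS:  # the scheduled backup is suppressed; netsh and wmic are surfaced
        print(f"{d['ts']} {d['host']} {d['user']} ran {d['proc']} {d['cmd']}")
```

Suppressing tuples already in the baseline is also what keeps alert volume down, which is the ‘reducing alert noise’ point in the same list.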
