Fortifying Cyber Defenses: Unmasking State-Sponsored Threats with Trend Vision One
State-sponsored attacks are nothing new. But they are becoming more aggressive and persistent. The US and its allies, including the UK, recently revealed one such campaign, which used living-off-the-land (LOTL) techniques to stay hidden.
The good news is that there are ways for you, as an organisation, to mitigate the threat. And we can help play a key role.
Living off the land
In the campaign, attributed to the Chinese actor Volt Typhoon, attackers positioned themselves across critical infrastructure networks. The likely aim was to gain a foothold in these organisations from which to launch destructive attacks in the event of a military conflict. LOTL was critical to the group’s tactics.
Another example is LockBit, a ransomware-as-a-service operator that has previously attacked critical infrastructure. Very recently, this cybercrime group was heavily disrupted by law enforcement agencies, but there’s still a long way to go.
LOTL itself is not new. Attackers have used it for years to blend in with normal system activity, avoid identification by monitoring tools, and limit the activity that logging technologies can capture.
But as the Cybersecurity and Infrastructure Security Agency (CISA) warns, many network defenders still don’t follow best practices to detect such techniques.
LOTL best practice
New advice from the agency should help to correct this. Its seven best practice recommendations are:
- Implement logging and aggregate logs in an out-of-band, centralised location
- Establish a baseline of network, user and application activity and use automation to continually review all logs and compare activity
- Reduce alert noise
- Implement application allow listing
- Enhance network segmentation and monitoring
- Deploy authentication controls
- Implement user and entity behaviour analytics (UEBA)
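The second recommendation, establishing a baseline and automatically comparing new activity against it, together with the third, reducing alert noise, can be illustrated with a small review script. The following is an added example written for this article, not code from Trend Micro, Trend Vision One or the CISA advisory: it learns which (host, user, process, parent) combinations are routine from a constructed training window of process-execution logs, then reviews a new window and raises one alert per previously unseen combination, folding repeats into a count so the analyst sees two alerts rather than four raw events. The log format, field names and sample values are all constructed for the example.

```python
"""Baseline-and-compare review of process-execution logs (added example).

Builds a baseline of routine (host, user, process, parent) combinations from a
training window, then reviews a new window and alerts on combinations that were
never (or too rarely) seen before. Repeated hits on the same combination are
collapsed into a single alert with a count, which is the simplest form of
alert-noise reduction. Log format and all sample values are constructed.
"""
import re
from collections import Counter

# Assumed log format (constructed for this example):
#   <timestamp> host=<host> user=<user> proc=<image> parent=<parent image>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"proc=(?P<proc>\S+) parent=(?P<parent>\S+)$"
)

# Constructed training window: routine daily activity for two hosts.
BASELINE_LOGS = """
2024-03-01T08:00:01Z host=ws01 user=alice proc=excel.exe parent=explorer.exe
2024-03-01T08:05:12Z host=ws01 user=alice proc=excel.exe parent=explorer.exe
2024-03-01T09:00:00Z host=srv01 user=admin proc=powershell.exe parent=explorer.exe
2024-03-01T17:00:00Z host=srv01 user=admin proc=powershell.exe parent=explorer.exe
2024-03-01T23:00:00Z host=srv01 user=svc_backup proc=robocopy.exe parent=services.exe
2024-03-02T10:00:00Z host=ws01 user=alice proc=notepad.exe parent=explorer.exe
2024-03-02T23:00:00Z host=srv01 user=svc_backup proc=robocopy.exe parent=services.exe
"""

# Constructed review window: routine activity plus PowerShell spawned by Excel.
NEW_LOGS = """
2024-03-03T08:01:00Z host=ws01 user=alice proc=excel.exe parent=explorer.exe
2024-03-03T08:02:30Z host=ws01 user=alice proc=powershell.exe parent=excel.exe
2024-03-03T08:02:31Z host=ws01 user=alice proc=powershell.exe parent=excel.exe
2024-03-03T08:02:35Z host=ws01 user=alice proc=powershell.exe parent=excel.exe
2024-03-03T09:00:00Z host=srv01 user=admin proc=powershell.exe parent=explorer.exe
2024-03-03T10:00:00Z host=ws01 user=alice proc=notepad.exe parent=explorer.exe
2024-03-03T23:00:00Z host=srv01 user=svc_backup proc=robocopy.exe parent=services.exe
"""


def parse(text):
    """Parse log lines into dicts; an unparsable line is an error, not silently dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsable log line: {line!r}")
        events.append(m.groupdict())
    return events


def key_of(event):
    """The activity tuple that is baselined: who ran what, where, and from which parent."""
    return (event["host"], event["user"], event["proc"], event["parent"])


def build_baseline(events, min_count=2):
    """Return the set of activity tuples seen at least min_count times.

    A one-off in the training window (alice's single notepad.exe run) is
    deliberately NOT treated as routine, so it will still alert later.
    """
    counts = Counter(key_of(e) for e in events)
    return {k for k, n in counts.items() if n >= min_count}


def review(events, baseline):
    """Compare a new window against the baseline.

    Returns one alert per unseen activity tuple, ordered by first occurrence,
    with repeats folded into 'count' and a first/last timestamp span.
    """
    alerts = {}
    for e in events:
        k = key_of(e)
        if k in baseline:
            continue  # routine activity: no alert
        if k in alerts:
            alerts[k]["count"] += 1
            alerts[k]["last"] = e["ts"]
        else:
            alerts[k] = {
                "host": e["host"], "user": e["user"], "proc": e["proc"],
                "parent": e["parent"], "first": e["ts"], "last": e["ts"], "count": 1,
            }
    return sorted(alerts.values(), key=lambda a: a["first"])


def run_example():
    """Build the baseline from BASELINE_LOGS and review NEW_LOGS against it."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return review(parse(NEW_LOGS), baseline)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['first']}..{a['last']} {a['host']} {a['user']} "
              f"{a['parent']} -> {a['proc']} x{a['count']}")
```

In practice the baseline would be built from the centralised, out-of-band log store the first recommendation calls for, and the tuple would be extended with fields such as command-line hashes or network destinations; the point the example makes is that the comparison is cheap once logs are aggregated, and that collapsing repeats is what keeps the resulting queue reviewable.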
Trend Micro’s flagship Trend Vision One platform can help you follow these best practices in several ways:
- It’s the only platform of its kind to deliver on-premises as well as cloud-based XDR, delivering threat detection and response in an out-of-band scenario if required
- It offers strong network detection and response (NDR) capabilities thanks in part to integrated capabilities from Deep Discovery Inspector, Network Sensor and TippingPoint solutions. These help organisations enhance network segmentation and monitoring
- Trend Vision One has also been designed to take the pain out of XDR for stretched SecOps analysts, by correlating and prioritising alerts for rapid action. This fundamentally reduces alert noise to improve detection and response
Your organisation doesn’t have to be a target of state-sponsored attacks to encounter LOTL techniques. It’s time to gain visibility into, and control over, your IT environment.