Identifying and Mitigating Living Off the Land Techniques
This Joint Guidance, Identifying and Mitigating Living Off the Land Techniques, was co-authored by CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the following agencies:
- U.S. Department of Energy (DOE)
- U.S. Environmental Protection Agency (EPA)
- U.S. Transportation Security Administration (TSA)
- Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS) a part of the Communications Security Establishment (CSE)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- New Zealand National Cyber Security Centre (NCSC-NZ)
Identifying and Mitigating Living Off the Land Techniques provides threat detection information and mitigations applicable to LOTL activity, regardless of threat actor. Many organizations do not implement security best practice capabilities that support detection of living off the land (LOTL), so this technique continues to be effective with little to no investment in tooling by malicious cyber actors. This guidance provides several observed network defense weaknesses that make it difficult for IT administrators to distinguish malicious activity from legitimate behavior, even for those organizations with more mature cyber postures.
This guidance is based on previously published products, red team assessments, and/or observations from incident response activities at critical infrastructure organizations, including those compromised by the PRC state-sponsored cyber group known as Volt Typhoon. For more on Volt Typhoon specifically, refer to our Joint Cybersecurity Advisory PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.
CISA and its partners strongly urge critical infrastructure organizations and technology manufacturers to read the joint advisory and guidance to defend against this threat.