Living off the land: the silent cyber threat to critical infrastructure
24 Jul 2024

Cyber defences can be alert to malware. It’s much harder to be alert to intruders who use the targeted system’s own resources against the owner.

In cybersecurity, such attack methods are called ‘living off the land’ (LOTL), and they’re practiced by the Chinese group APT40, the subject of a 9 July cybersecurity advisory from eight countries, including Australia.

Countermeasures to LOTL are available, but they’re not used widely enough. The main one is not looking for inserted code, since there isn’t any, but monitoring the system for signs that its own features are doing abnormal things.

The advisory mirrored one issued in February 2024 regarding the Volt Typhoon group. Although both groups use complex attack methods, their objectives are distinct: APT40 focuses on espionage, whereas Volt Typhoon appears to be targeting critical infrastructure with little to no espionage value, apparently to sabotage or to prepare to do so in case of conflict. A key similarity between these groups is their use of LOTL techniques to breach large, defended infrastructure, potentially years ago, then quietly lurk on the network.

‘Living off the land’ refers to using built-in command-line tools, programs, processes, trusted network protocols and other native functionalities within a victim’s environment to conduct malicious activities, as opposed to deploying known malware tools or noisy commercial products. LOTL operators such as APT40 and Volt Typhoon exploit tools such as PowerShell, Windows Management Instrumentation and remote desktop services to gain and maintain access to targeted systems. In many cases, tools and network communications have been whitelisted, or are used so often by trusted users that they are not locked down or audited as other tools might be.

Additionally, LOTL requires a hands-on approach, in which attackers manually breach defences and conduct their operations. It must be an approach that’s crafted specifically for the targeted system and uses what’s found within the system. By using capabilities and tools built into the target, attackers can avoid triggering security systems such as intrusion-detection systems that typically rely on matching against known signatures or known behaviours when malware is transferred or executed.

This approach presents significant challenges to defenders and detection, as it enables the attackers to mask their activities within the noise of normal operations.

As APT40’s primary mission is espionage, the group infiltrates networks to steal sensitive data. But Volt Typhoon’s focus on critical infrastructure poses a different kind of threat: by targeting water and power utilities, transportation systems and other essential services, it aims to sabotage and disrupt operations. The use of LOTL techniques in these scenarios exacerbates the challenge, as it allows attackers to lurk undetected within critical systems, possibly for years, poised to strike at any moment.

This underscores the need for advanced defensive strategies. Traditional security tools relying on signature-based detections are insufficient against LOTL-type threats. Instead, organisations should use a multifaceted approach that includes advanced anomaly-detection systems.

Those systems analyse patterns of normal behaviour and flag any deviations that may indicate malicious activity, even when traditional malware is not present. Anomaly detection can be done at multiple levels, starting with simple network observations such as a new asset appearing or a new protocol in use. More specialised solutions can parse the network protocols, inspect them and look for anomalies in usage, such as an approved protocol being used for a different action or in a different direction.

Even more granular is advanced anomaly detection, which examines the values, parameters and set points carried within those protocols. It can thereby determine whether, for example, a motor’s speed is set abnormally high or a furnace is set to an abnormally hot temperature.
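As an added illustration of these three levels (not code from the article or any product), a minimal baseline-and-detect routine over constructed control-network records: the asset names, protocol names, tags and value ranges are all made up for the example, and the record format is a simplification rather than a real protocol decode.

```python
from collections import namedtuple

# One observed control-network message (constructed format): sender, receiver, protocol, operation and, for writes, tag and value.
Record = namedtuple("Record", "src dst proto op tag value", defaults=(None, None))

def learn(history):
    """Build the 'normal' profile from traffic assumed clean: known assets, known flows, per-tag value ranges."""
    assets, flows, ranges = set(), set(), {}
    for r in history:
        assets.update((r.src, r.dst))
        flows.add((r.src, r.dst, r.proto, r.op))
        if r.tag is not None and r.value is not None:
            lo, hi = ranges.get(r.tag, (r.value, r.value))
            ranges[r.tag] = (min(lo, r.value), max(hi, r.value))
    return assets, flows, ranges

def detect(baseline, r, tolerance=0.10):
    """Return the anomaly labels one record triggers; an empty list means normal."""
    assets, flows, ranges = baseline
    alerts = [f"new asset: {a}" for a in (r.src, r.dst) if a not in assets]
    if not any(f[2] == r.proto for f in flows):
        alerts.append(f"new protocol: {r.proto}")
    elif (r.src, r.dst, r.proto, r.op) not in flows:   # approved protocol, but wrong direction or action
        alerts.append(f"unusual flow: {r.src}->{r.dst} {r.proto} {r.op}")
    if r.tag in ranges and r.value is not None:
        lo, hi = ranges[r.tag]
        slack = (hi - lo) * tolerance                    # tolerate small drift around the learned band
        if not lo - slack <= r.value <= hi + slack:
            alerts.append(f"set point out of range: {r.tag}={r.value} (normal {lo}-{hi})")
    return alerts

# Constructed clean history: one HMI polls one PLC and writes two set points within narrow bands.
HISTORY = [
    Record("hmi-1", "plc-7", "modbus", "read"),
    Record("hmi-1", "plc-7", "modbus", "write", "furnace_temp_sp", 840.0),
    Record("hmi-1", "plc-7", "modbus", "write", "furnace_temp_sp", 860.0),
    Record("hmi-1", "plc-7", "modbus", "write", "motor_speed_sp", 1450.0),
    Record("hmi-1", "plc-7", "modbus", "write", "motor_speed_sp", 1500.0),
]

def run_demo():
    b = learn(HISTORY)
    probes = {
        "normal write": Record("hmi-1", "plc-7", "modbus", "write", "furnace_temp_sp", 850.0),
        "new asset": Record("eng-ws-3", "plc-7", "modbus", "read"),
        "reverse direction": Record("plc-7", "hmi-1", "modbus", "write", "motor_speed_sp", 1480.0),
        "new protocol": Record("hmi-1", "plc-7", "rdp", "read"),
        "furnace too hot": Record("hmi-1", "plc-7", "modbus", "write", "furnace_temp_sp", 1150.0),
    }
    return {name: detect(b, rec) for name, rec in probes.items()}
```

In practice the baseline period must itself be verified clean, since an intruder already present during learning would be profiled as normal.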

When LOTL attackers bypass security defences without hauling in detectable code, anomaly detection is the next best hope for survival after an incident. First, in the early phase of an attack, the attackers’ reconnaissance activities should set off anomaly-detection solutions, regardless of what tools they use.

Second, the attackers’ subsequent operations should also trigger anomalies, since the normal activity of regular users rarely includes the operations the attackers are carrying out.

Finally, although it might be a last resort, knowing when the actual critical process, such as a furnace temperature or motor speed, is being tampered with is also within the realm of anomaly detection. In the past, anomaly detection was difficult to deploy in IT systems, but, leveraging artificial intelligence and focusing on industrial control systems, it’s come of age.

Further, organisations should consider enhancing their incident-response capabilities. This should include regular training for IT staff to recognise and respond to potential LOTL activities, as well as implementing robust monitoring and logging practices. By maintaining comprehensive logs of system activity, trained organisations can retrospectively identify and analyse suspicious behaviour that may have gone unnoticed in real time.

Most large organisations are dealing daily with breaches, and many security operations centres are busy with daily tickets and incidents. Organisations are in a constant state of recovery. Knowing this, preparation for a targeted attack by a highly capable nation-state threat must include testing and refining incident-response and disaster-recovery plans. Tabletop exercises can also expose areas for improvement and incorrect assumptions, such as ‘backups are reliable’ or ‘the furnace can safely shut down’.