International coalition pushes for adoption of event logging, spearheaded by US and Australian authorities

Malicious entities, some with state ties and criminal backgrounds, are leveraging 'living-off-the-land' tactics to camouflage their hacking operations within routine security software.

New Guide Released to Strengthen Defenses Against Living-off-the-Land Techniques

A new guide titled "Best Practices for Event Logging and Threat Detection" has been jointly released by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate (ASD). This guide provides comprehensive recommendations on how organizations can implement robust event logging and monitoring to detect suspicious activities, particularly those indicative of living-off-the-land (LotL) techniques.

LotL techniques have been employed by sophisticated state-linked hackers such as Volt Typhoon and ransomware groups like Medusa. These methods involve attackers using legitimate tools and processes within the system to conduct malicious activities undetected.

The guide aims to help organizations defend against LotL techniques by encouraging comprehensive and detailed logging of system events. This helps identify exploitation activity and malicious use of native tools like PowerShell or Remote Desktop Protocol (RDP).

The guide also advises rigorous auditing of administrative privileges and network protocols to spot unusual behaviors tied to common LotL methods, such as credential theft, lateral movement, or system discovery commands executed through legitimate tools.

To enhance monitoring, the guide recommends the implementation of Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems. These systems collect, analyze, and correlate logs for early threat detection.

The guide also highlights the necessity to limit and strictly monitor remote access services like RDP, including enforcing multi-factor authentication and logging all login attempts. These are often exploited in LotL attacks.
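The detection approach sketched in the paragraphs above (log PowerShell and RDP activity, audit for discovery commands, correlate logon attempts in a SIEM) as an added Python example; it is not code from the guide or the article. The event records are constructed; Windows event IDs 4688/4624/4625 and logon type 10 are real values, while the FAIL_THRESHOLD and the discovery-command list are assumed tuning choices.

```python
import base64
import re
from collections import Counter

DISCOVERY = ("whoami", "net group", "net user", "net localgroup", "nltest", "quser", "systeminfo")
RDP_LOGON_TYPE = 10      # Windows logon type 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 5       # assumed tuning value, not from the guide
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample events (not real telemetry), simplified from Windows Security log
# records: 4688 = process creation with command line, 4624/4625 = logon success/failure.
SAMPLE_ENC = base64.b64encode('net group "domain admins" /domain'.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "user": "alice", "cmd": "powershell.exe Get-ChildItem C:\\Reports"},
    {"id": 4688, "host": "WS01", "user": "bob", "cmd": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"id": 4688, "host": "SRV02", "user": "svc_backup", "cmd": "cmd.exe /c whoami /all & nltest /dclist:corp"},
] + [{"id": 4625, "host": "SRV02", "user": "bob", "logon_type": 10, "src": "10.0.5.23"} for _ in range(5)] + [
    {"id": 4624, "host": "SRV02", "user": "bob", "logon_type": 10, "src": "10.0.5.23"},
    {"id": 4624, "host": "SRV02", "user": "alice", "logon_type": 10, "src": "10.0.7.9"},
]


def decode_encoded_command(cmd):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 over UTF-16LE), else None."""
    m = ENC_RE.search(cmd)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return (host, user, reason) findings; a SIEM correlation rule in miniature."""
    findings = []
    rdp_failures = Counter()  # (host, source IP) -> failed RDP logons seen so far
    for ev in events:
        if ev["id"] == 4688:
            decoded = decode_encoded_command(ev["cmd"])
            if decoded is not None:  # encoded commands deserve a look on their own
                findings.append((ev["host"], ev["user"], "encoded PowerShell: " + decoded))
            hits = [d for d in DISCOVERY if d in (decoded or ev["cmd"]).lower()]
            if hits:
                findings.append((ev["host"], ev["user"], "discovery command: " + ", ".join(hits)))
        elif ev["id"] in (4624, 4625) and ev["logon_type"] == RDP_LOGON_TYPE:
            key = (ev["host"], ev["src"])
            if ev["id"] == 4625:
                rdp_failures[key] += 1
                if rdp_failures[key] == FAIL_THRESHOLD:
                    findings.append((ev["host"], ev["user"], f"{FAIL_THRESHOLD} failed RDP logons from {ev['src']}"))
            elif rdp_failures[key] >= FAIL_THRESHOLD:  # success right after a burst of failures
                findings.append((ev["host"], ev["user"], f"RDP logon from {ev['src']} after {rdp_failures[key]} failures"))
    return findings
```

Calling detect(SAMPLE_EVENTS) yields five findings: the encoded PowerShell and the discovery command it hides, a plain-text discovery command, the failed-RDP burst, and the successful RDP logon that followed it.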

By following this guide, organizations gain greater visibility into normal and suspicious system activity, making it harder for adversaries to hide malicious actions behind standard administrative tools and processes. This proactive event logging and threat detection strategy is a critical step in minimizing risks associated with LotL techniques, thereby strengthening overall cybersecurity defense.

The guide is a timely and essential resource for organizations aiming to strengthen their defenses against LotL abuse. The FBI, CISA, and international partners led by Australia have advised network defenders to adopt event logging policies.

Microsoft later changed its policy to provide more customers with free access to event logs, following widespread criticism for charging customers additional fees to access their own event logs.

A comprehensive event logging strategy can help security teams track threat activity used by sophisticated criminal groups, including Medusa, which has attacked hundreds of industrial targets in recent years.

Alex Capraro, a cyber intelligence analyst at Reliaquest, stated that the importance of robust event logging and monitoring practices when dealing with LotL abuse is paramount. Event logs are critical for organizations to defend against the use of LotL techniques designed to conceal threat activity.
