Response to CISA Advisory (AA24-234A): Strengthening Defenses Through Effective Event Logging and Threat Detection
2024-08-24 02:54:30 Author: securityboulevard.com (view original)

On August 21, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and a coalition of international cybersecurity authorities, issued a Cybersecurity Advisory (CSA) detailing best practices for event logging and threat detection. The advisory aims to improve organizational cyber resilience by establishing a standardized baseline for event logging, and it stresses the value of testing that baseline, particularly in complex and diverse environments such as those involving cloud services and operational technology (OT).

The CSA underscores the need to log events related to the increasingly prevalent living-off-the-land (LOTL) techniques, including the abuse of LOLBins (legitimate, signed system binaries), so that an organization can detect malicious activity that would otherwise blend in with normal administration. To support security teams in this effort, the AttackIQ Security Optimization Platform offers a library of scenarios and assessment templates focused on LOLBins, enabling safe testing of existing logging policies and evaluation of detection and response efficacy in production environments.

Because behavioral analytics are central to detecting LOTL activity, the advisory points to CISA’s analysis of the campaign conducted by the Chinese state-sponsored actor Volt Typhoon, which shows how an adversary can operate inside a network for long periods using subtle methods that look like routine administration. AttackIQ is well acquainted with Volt Typhoon’s tradecraft and provides assessment templates that emulate these techniques, allowing organizations to evaluate their security posture against adversaries who rely predominantly on native Windows utilities to achieve their objectives.


The theme of detecting anomalous activity continues with the advisory’s citation of behaviors such as clearing of event logs, configuration changes (including those related to Windows Defender), and unusually high volumes of access attempts. The advisory also urges that logging cover Linux, Windows, and cloud-based environments, specifically mentioning commands and binaries such as curl, netsh, cmd.exe, PowerShell, mshta.exe, rundll32, and regsvr32. AttackIQ’s scenarios, aligned with the MITRE ATT&CK framework, are designed to test both the execution of these commands and the irregular behaviors around them.
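As an added illustration of what "logging these behaviors" buys a defender, the following Python is example code written for this page, not code from AttackIQ or from the advisory. It runs four minimal detections over constructed Windows telemetry: LOLBin process creation with abuse indicators in the command line, event-log clearing, Windows Defender real-time protection being switched off, and a burst of failed logons from one source. The event IDs used (Sysmon 1, Security 4688/4625/1102, System 104, Defender 5001) are the real Microsoft/Sysmon identifiers; the hosts, users, addresses and command lines in the sample events are made up, and the LOLBin list extends the advisory's with wmic.exe and ntdsutil.exe, which the Volt Typhoon reporting it cites also calls out.

```python
"""Added example (not from the AttackIQ post or the advisory): minimal detections
for the behaviours AA24-234A asks defenders to log, run over constructed events.
Event IDs are real; hosts, users, IPs and command lines are invented."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Binaries the advisory names, plus wmic/ntdsutil from the Volt Typhoon reporting.
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "netsh.exe", "curl.exe", "wmic.exe", "ntdsutil.exe"}

# Command-line fragments (lower-cased) that turn a signed binary into a
# download/execute, proxying or defence-evasion primitive.
ABUSE_PATTERNS = ("http://", "https://", "javascript:", "scrobj.dll", "-enc ",
                  "-encodedcommand", "portproxy", "disablerealtimemonitoring")

PROCESS_CREATE_IDS = {1, 4688}   # Sysmon process create / Security process create
LOG_CLEAR_IDS = {1102, 104}      # Security log cleared / System log cleared
DEFENDER_TAMPER_IDS = {5001}     # Defender: real-time protection disabled


def detect_lolbin(event):
    """Flag process creations of a known LOLBin; severity is high when the
    command line carries an abuse pattern, otherwise low (inventory only)."""
    if event.get("event_id") not in PROCESS_CREATE_IDS:
        return None
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if image not in LOLBINS:
        return None
    cmdline = event.get("command_line", "").lower()
    hits = [p for p in ABUSE_PATTERNS if p in cmdline]
    return {"rule": "lolbin_execution", "host": event["host"], "image": image,
            "parent": PureWindowsPath(event.get("parent_image", "")).name.lower(),
            "severity": "high" if hits else "low", "indicators": hits}


def detect_log_clearing(event):
    """Clearing a log is itself logged: 1102 in Security, 104 in System."""
    if event.get("event_id") in LOG_CLEAR_IDS:
        return {"rule": "event_log_cleared", "host": event["host"],
                "user": event.get("user", "?"), "severity": "high"}
    return None


def detect_defender_tamper(event):
    """Windows Defender writes 5001 when real-time protection is turned off."""
    if event.get("event_id") in DEFENDER_TAMPER_IDS:
        return {"rule": "defender_tamper", "host": event["host"], "severity": "high"}
    return None


def detect_logon_flood(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failed logons (4625) per source address; fires
    once per source the first time `threshold` failures fall inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4625:
            by_src[e.get("src_ip", "?")].append(e["time"])
    findings = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "logon_flood", "src_ip": src,
                                 "count": end - start + 1, "severity": "medium"})
                break
    return findings


def run_detections(events):
    """Stateless per-event rules first, then the stateful logon-flood rule."""
    findings = []
    for e in events:
        for rule in (detect_lolbin, detect_log_clearing, detect_defender_tamper):
            f = rule(e)
            if f:
                findings.append(f)
    findings.extend(detect_logon_flood(events))
    return findings


def sample_events():
    """Constructed telemetry from one workstation (WS01) and one DC (DC01)."""
    t0 = datetime(2024, 8, 21, 9, 0, 0)
    sys32 = r"C:\Windows\System32"
    ev = [
        {"event_id": 1, "host": "WS01", "time": t0, "parent_image": r"C:\Office\WINWORD.EXE",
         "image": sys32 + r"\WindowsPowerShell\v1.0\powershell.exe",
         "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
        {"event_id": 4688, "host": "WS01", "time": t0 + timedelta(minutes=1),
         "image": sys32 + r"\netsh.exe", "parent_image": sys32 + r"\cmd.exe",
         "command_line": "netsh interface portproxy add v4tov4 listenport=9999 "
                         "connectaddress=10.0.0.5 connectport=8443"},
        {"event_id": 1, "host": "WS01", "time": t0 + timedelta(minutes=2),
         "image": sys32 + r"\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
         "command_line": "cmd.exe /c dir"},
        {"event_id": 1, "host": "WS01", "time": t0 + timedelta(minutes=3),
         "image": sys32 + r"\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
         "command_line": "notepad.exe notes.txt"},
        {"event_id": 1102, "host": "DC01", "time": t0 + timedelta(minutes=4), "user": "CORP\\svc_backup"},
        {"event_id": 5001, "host": "WS01", "time": t0 + timedelta(minutes=5)},
    ]
    # Twelve failed logons from one address within two minutes, two from another.
    ev += [{"event_id": 4625, "host": "DC01", "time": t0 + timedelta(seconds=10 * i),
            "src_ip": "198.51.100.7"} for i in range(12)]
    ev += [{"event_id": 4625, "host": "DC01", "time": t0 + timedelta(minutes=i),
            "src_ip": "203.0.113.9"} for i in range(2)]
    return ev


if __name__ == "__main__":
    for finding in run_detections(sample_events()):
        print(finding)
```

Running the script prints six findings: two high-severity LOLBin executions (PowerShell with an encoded command launched from Word, and a netsh portproxy rule), one low-severity cmd.exe inventory hit, the Security log clearing, the Defender tampering event, and the failed-logon burst. The point to notice is that every rule depends on a log source the advisory asks for: without process creation auditing with command-line capture (or Sysmon), the LOLBin rule has nothing to match, and without forwarding the Security, System and Defender channels off the host, an attacker who clears the log removes the 1102 record along with everything before it.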

CISA’s advisory serves as a critical reminder of the significance of robust event logging and threat detection practices in safeguarding organizational networks. AttackIQ remains committed to helping organizations not only meet these guidelines but exceed them by enabling continuous validation against real-world adversary TTPs. By leveraging AttackIQ’s comprehensive assessment templates and scenarios, security teams can confidently test and refine their logging mechanisms and detection capabilities, ensuring they are thoroughly equipped to identify and respond to the sophisticated threats highlighted by CISA and its international partners.


*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Nick Desler. Read the original post at: https://www.attackiq.com/2024/08/23/response-to-cisa-advisory-aa24-234a/


Source: https://securityboulevard.com/2024/08/response-to-cisa-advisory-aa24-234a-strengthening-defenses-through-effective-event-logging-and-threat-detection/