Free Republic

To: All; ransomnote; bitt; Bob Ireland; numberonepal
Looks like AI may be used more and more to find the hackers, which is not an easy job:

https://darktrace.com/blog/living-off-the-land-how-hackers-blend-into-your-environment Self-Learning AI fights Living off the Land attacks

Living off the Land techniques have proven incredibly effective at enabling attackers to blend into organizations’ digital environments.

It is normal for millions of credentials, network tools, and processes to be logged each day across a single digital ecosystem. So how can defenders spot malicious use of legitimate tools amidst this digital noise?

As with most threats, basic network hygiene is the first step. This includes implementing the principle of least privilege, de-activating all unnecessary programs, setting up software whitelisting, and performing asset and application inventory checks. However, while these measures are a step in the right direction, with enough time a sophisticated attacker will always manage to work their way around them.

Self-Learning AI technology has become fundamental in shining a light on attackers using an organization’s own infrastructure against them. It learns any given unique digital environment from the ground up, understanding the ‘pattern of life’ for every device and user. Living off the Land attacks are therefore identified in real time from a series of subtle deviations. This might include a new credential or unusual SMB / DCE-RPC usage.

Its deep understanding of the business enables it to spot attacks that fly under the radar of other tools. With a Living off the Land attack, the AI will recognize that although usage of a particular tool might be normal for an organization, the way in which that tool is used allows the AI to reveal seemingly benign behavior as unmistakably malicious.

For example, Self-Learning AI might observe the frequent usage of PowerShell user-agents across multiple devices, but will only report an incident if the user agent is observed on a device at an unusual time.

Similarly, Darktrace might observe WMI commands being sent between thousands of combinations of devices each day, but will only alert on such activity if the commands are uncommon for both the source and the destination.

And even the subtle indicators of Mimikatz exploitation, like new credential usage or uncommon SMB traffic, will not be buried among the normal operations of the infrastructure.

Living off the Land techniques aren’t going away any time soon. Recognizing this, security teams are beginning to move away from ‘legacy’-based defenses that rely on historical attack data to catch the next attack, and towards AI that uses a bespoke and evolving understanding of its surroundings to detect subtle deviations indicative of a threat – even if that threat makes use of legitimate tools.

.........................

Thanks to Darktrace analysts Isabel Finn and Paul Jennings for their insights on the

6 posted on 03/31/2024 4:10:17 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))


To: rodguy911

I’ll try to come back and expound more later, but I have a lot of personal experience with platforms like Darktrace (including competition of theirs that spends money on dev instead of marketing), and it’s not so much AI but more ML based; once you have good baselines it’s very easy for machine learning to detect variances.

This type of tech is extraordinarily useful, but it’s pricey and requires a big lift financially and in labor to implement it correctly. Usage is not widespread yet and is far less common in the OT/SCADA/process control domain, as budgets for industrial cybersecurity were measly until recently, and the lift for industrial is even larger than for enterprise networks.


11 posted on 03/31/2024 5:17:06 AM PDT by Manuel OKelley
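The baseline-and-deviation logic described in the quoted Darktrace text (a PowerShell user-agent at an hour that is unusual for that device; WMI flows that are uncommon for both source and destination) and in Manuel OKelley's point that variance detection is easy once baselines are good, as an added example that is neither Darktrace's code nor either poster's. Device names, hours, flows and the `min_seen` threshold are constructed sample values.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (not Darktrace data): PowerShell user-agent sightings
# as (device, hour_of_day) and WMI command flows as (source, destination).
UA_BASELINE = (
    [("ws-01", h) for h in (9, 10, 11, 14)] * 5   # regular business-hours use
    + [("ws-02", h) for h in (9, 10)] * 5
)
WMI_BASELINE = (
    [("admin-01", f"srv-0{i}") for i in (1, 2, 3)] * 20  # admin host managing servers
    + [("ws-02", "srv-01")] * 3                            # occasional, but not rare
)

class PatternOfLife:
    """Per-device baseline; alerts on deviation from it, not on tool usage itself."""
    def __init__(self, ua_events, wmi_flows, min_seen=2):
        self.min_seen = min_seen
        self.ua_hours = defaultdict(Counter)      # device -> Counter(hour)
        for device, hour in ua_events:
            self.ua_hours[device][hour] += 1
        self.pairs = Counter(wmi_flows)           # (src, dst) -> count
        self.src_total = Counter(s for s, _ in wmi_flows)
        self.dst_total = Counter(d for _, d in wmi_flows)

    def unusual_ua_time(self, device, hour):
        """True when this device has (almost) never shown the PowerShell UA
        within +/-1 hour of `hour`; how common the UA is fleet-wide is irrelevant."""
        seen = self.ua_hours.get(device, Counter())
        nearby = sum(seen[(hour + d) % 24] for d in (-1, 0, 1))
        return nearby < self.min_seen

    def unusual_wmi(self, src, dst):
        """Alert only when the flow is rare AND uncommon for both ends:
        a known WMI initiator or a known WMI target keeps it quiet."""
        if self.pairs[(src, dst)] >= self.min_seen:
            return False
        src_regular = self.src_total[src] >= self.min_seen
        dst_regular = self.dst_total[dst] >= self.min_seen
        return not (src_regular or dst_regular)

def evaluate(model, ua_obs, wmi_obs):
    """Return the alerts raised for a batch of new observations."""
    alerts = [("powershell-ua-odd-hour", d, h) for d, h in ua_obs if model.unusual_ua_time(d, h)]
    alerts += [("wmi-uncommon-pair", s, t) for s, t in wmi_obs if model.unusual_wmi(s, t)]
    return alerts

if __name__ == "__main__":
    m = PatternOfLife(UA_BASELINE, WMI_BASELINE)
    # ws-01 at 03:00 and a WMI flow between two hosts that never use WMI are the only alerts
    print(evaluate(m, [("ws-01", 10), ("ws-01", 3)], [("admin-01", "srv-09"), ("ws-03", "ws-04")]))
```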


