Defending against Living of the Land (LotL) attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its partner agencies provides comprehensive guidance on identifying and mitigating Living Off the Land (LOTL) tactics. Joint Guidance: Identifying and Mitigating Living Off the Land Techniques (cisa.gov)

Here is a summary of five key points to understand in order to defend against LOTL tactics, based on the information provided in the document:

  1. Implement Detailed Logging and Centralized Log Management: Organizations are advised to implement detailed logging of network, user, administrative, and application activities. These logs should be aggregated in a centralized, out-of-band location that is write-once, read-many (WORM) to prevent attackers from modifying or erasing logs. This practice is crucial for detecting anomalous activities that could indicate LOTL tactics.
  2. Establish and Maintain Security Baselines: Establishing and continuously updating baselines for normal network behavior is essential. This includes understanding typical user, administrative, and application activities and applying least privilege restrictions. Baselines help in distinguishing between legitimate activities and potential malicious LOTL activities.
  3. Utilize Automation and Behavioral Analytics: The use of automation, such as machine learning models, to continually review logs and compare current activities against established baselines is recommended. This approach aids in alerting on specified anomalies, enabling quicker detection of LOTL activities.
  4. Fine-Tune Alert Systems: Reducing alert noise by prioritizing alerts based on urgency and severity and continuously reviewing detection trends can help in identifying LOTL activities more effectively. This practice assists in managing the volume of alerts and focusing on the most critical issues.
  5. Leverage User and Entity Behavior Analytics (UEBA): Applying UEBA tools can enhance the detection of LOTL tactics by analyzing user behaviors and detecting deviations from the norm. UEBA can provide insights into suspicious activities that might otherwise go unnoticed.

Additionally, the guide emphasizes the importance of hardening best practices, such as applying vendor-recommended security guidelines, implementing application allowlisting, enhancing network segmentation and monitoring, and enforcing robust authentication and authorization controls. These measures, along with the detection best practices, form a multifaceted cybersecurity strategy to effectively mitigate the risk of LOTL tactics.

For organizations and defenders, understanding and implementing these key points is crucial in enhancing their cybersecurity posture against the increasingly common and sophisticated use of LOTL tactics by cyber threat actors.


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Paul Bergman
Follow me