Skip to content

Have you had any LOL attacks?

Mick Douglas is an American information security expert who runs a boutique consultancy helping small companies protect their systems from cyberattacks. Last month he started getting call after call about stopping Russian intrusions, so he decided to post his advice on Twitter to avoid repeating himself.

His playbook is pretty good for two reasons. The first one is that it’s urgent advice that you would have to pay for if he hadn’t shared it on Twitter. The second reason to do what Douglas says is that he gives practical tips of enough technical depth to help you in case your organization is attacked. But there is a catch: you might need to learn some new terms to understand Douglas’ advice.

Instead of following weak advice because you don’t know any better, here’s a quick guide to some of the specific terms Douglas use to explain what you need to do. We broke down Douglas’ advice in three groups of things that happen during an attack: your system’s output, your system’s activity, and your organization’s response.  

Your system’s output

Douglas’ first tip is to watch your system for any indication that it is sending information out to an attacker. The first odd term is DMZ, for demilitarized zone, which in cyber security means a section of your network apart from the rest to handle traffic you don’t trust. Any information this part of your network is sending out is suspect of C2, for command and control, or unauthorized use by an attacker. See any file xfer, or transfer, there? Block everything, not just things that look Russian. “Start treating the entire internet as hostile,” Douglas says. Sir, yessir.   

Your system’s activity

The next section of advice is to know every exe, or software program, that your system is running. Having a list of all programs should not be hard, Douglas says. If you don’t have an endpoint detection and response system (EDR) to automatically scan your network for threats, you can still get your list using your system’s resources. On Windows systems, you can use the system resource usage monitor (SRUM), which saves every program running in your system in an extensible storage engine (ESE) database. On Linux systems, you can get the same list from auditd or sysmon functions.

Douglas recommends blocking every program not on your short list, setting alerts to notify you every time a program is blocked in case you caught any programs left out of the list by mistake. Why block everything? Since many organizations rely on antivirus (AV), EDR and SIEM, or Security Information and Event Management software, attackers bypass these defenses using living off the land (LOL) attacks. In these attacks, intruders already in your system use legitimate programs against you. Douglas says this is a common tactic of state-sponsored attackers.

Machine learning (ML) and artificial intelligence (AI) tools will not save you from LOL attacks. No matter how advanced the tools, attackers can still bypass them. At least, Douglas says, he was able to bypass every tool himself in his lab. If he could do it in his shop, state-sponsored hackers can sure do it too, he reasons.

Your organization’s response

Very important, says Douglas, is to have an incident response (IR) plan and drill it so you can work at speed during an attack. For example, can you quickly isolate any part of your network under attack? It’s a good idea to talk with cyber insurance provider to see how fast they will get back to you in case of an attack. Small companies will probably have to wait longer for help. Your digital forensics and incident response (DFIR) vendor needs to be ready to help you without delay even if you aren’t a large organization. To make your response easier, avoid keeping data in your system for longer that strictly necessary so you have less to worry about in case of an attack.

Douglas says it’s a tough fight, but you can win if you put in the work. If it all sounds too militaristic, remember that before last month, perhaps you could discount a Russian attack as something that would only happen to somebody else. This month Russia is at war. There might not be a lot you can do to help Ukraine, but the White House has just called on everyone in the US to prepare for cyber defense. At least you have Mike Douglas on your side. We hope this Verb Company guide to some of the information security jargon he uses will help you through bootcamp.