Living-off-the-land Attacks Are A Tough Nut To Crack, But By No Means Impossible


Across the region, cybersecurity leaders face growing complexity in their IT suites and an often understaffed and under-skilled SOC.

But these factors present such a challenge mainly because the threat actor has become more sophisticated. Among their many advances, cybercriminals have become stealthier, finding ways to remain undetected even from the most advanced security solutions and the most vigilant teams.

Among cybercriminals, simple often means effective. Living-off-the-land (LotL) attacks are the epitome of stealth and discretion. Attackers use the same tools administrators use, so when a process is initiated, there is nothing to detect, even though that process may be the opening move in a chess game the SOC does not know it is playing. LotL is the recon, conducted in extremely effective camouflage. Later comes the louder, more public attack: damaging, costly, crippling, and made possible by the initial LotL incursion.

LotL works by exploiting unpatched vulnerabilities in core components of a target’s infrastructure. It uses binaries that are part of the operating system (OS) or any tool used by privileged-access users. Because these tools and processes are routinely used for legitimate purposes like file transfers, downloads, and email attachments, threat actors’ activities are masked and often remain undetected until it is too late.

A hidden predator

This is a dangerous scenario for organisations. A malicious party has hopped the fence unseen and has high-end access to some of the most sensitive parts of the IT stack. Attackers can combine native binaries with fileless malware and legitimate cloud services to hide their activity from security analysts indefinitely, blending in with the crowd of regular network operations and administrative work.

Almost all of today’s commercial operating systems contain executables that can be exploited in an LotL attack. Leveraging approaches such as dual-use tools and fileless persistence, threat actors can slip under the most advanced radars and manipulate exploits, scripts, and other day-to-day admin tools, whether they have a connection to security or not. PowerShell, Process Explorer and PsExec are all examples of what LotL attacks can compromise. And once an attacker has done so, they can move laterally through the environment as if they belong.

Once the attacking party has gained unfettered access, they can initiate the main mission. The notorious Sodinokibi (or REvil) ransomware strain used LotL approaches to drop devastating payloads that encrypted data and deleted the ransom request afterwards, allowing attackers to maintain their anonymity for longer.

The easy route

It should now be apparent how dangerous LotL vectors are to environments. They are cheap to attackers, allowing them to launch campaigns without testing malware tools. There is strong support for the method within open-source frameworks such as Metasploit, PowerSploit and Exploit Pack, which all offer tactics, threats, and processes to would-be attackers. The LotL route is made easy, so attackers are attracted to the concept of hiding in plain sight among normal digital processes while scoping out a target for a payday.

The LotL method means attackers do not have to plot their way around countermeasures. Because they are disguising their moves as legitimate processes, system administrators, security tools, and even whitelisting solutions will wave them past as if they belong. And because legitimate processes are not routinely scanned, attackers avoid most detection methods.

The result of this is a slower response from security teams. Automated tools will not act either, increasing dwell time and potential harm. In the cyber field, late responses are ineffective responses. And in another boon for the criminal, LotL reduces the ability of a forensic investigation to uncover the culprit because the path to the perpetrator is often paved by attributable malware tools, which are absent in an LotL campaign. LotL allows attackers to take their time, but it also allows them to stay as long as they want. Invading forces can camp out between the main attacks, which are designed to be noticed, waiting for the next round of vandalism.

The best defence

So what can be done? The region’s enterprises are in the midst of efficiency drives. They cannot abandon the tools that deliver that to them. But attackers can use the same tools to devastating effect. The central problem is dwell time. Security teams must be able to detect threats in a timely manner.

Everything begins with access. Two-factor authentication (2FA) is a good starting point. Likewise, virtual private networks (VPNs), remote access, and strong credential management will be critical. Strong IT governance must include strict oversight of user and machine identities, which will restrict lateral movement. And because stolen keys and login certifications may lead to unauthorised access to sensitive areas, enterprises should seek to limit such compromise.

Even the anonymity threat actors try to glean for themselves through LotL attacks is not guaranteed. Trellix’s latest Threat Labs report surveyed LotL attacks and catalogued which binaries had been leveraged by which actors. So there is hope that this most stealthy of attack vectors can be neutralised with the implementation of best practices and the deployment of security solutions that can learn and adapt to threats on the fly. This is the kind of forward planning that will bring swift identification and effective response when they are needed most.

Timely action

Threat actors will act threateningly. It has always been thus. For a future in which security analysts are not powerless against stealth tactics, it is we who must change. For vigilance to pay off, the tools must be in place for security teams to detect anomalous behaviour rather than relying on heuristic signature-matching. From there, they can spring into action in time to avert a damaging payload drop. We all know the implications of the alternative.
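One way to put the behaviour-based detection described here into practice, as an added example that is not part of the original article: it learns which combinations of user, parent process and native tool are routine from a window of process-creation events, then flags launches of the dual-use tools the article names that fall outside that baseline instead of matching signatures. The user names, process names and events below are constructed.

```python
# Added example (not from the article): a behavioural baseline for native-tool use.
from collections import Counter

# Native binaries the article names as dual-use; a real deployment would extend this.
DUAL_USE = {"powershell.exe", "psexec.exe", "procexp.exe"}

# Constructed sample events: (user, parent_image, image). Not real telemetry.
BASELINE_EVENTS = [
    ("corp\\admin01", "explorer.exe", "powershell.exe"),
    ("corp\\admin01", "explorer.exe", "powershell.exe"),
    ("corp\\admin01", "cmd.exe", "psexec.exe"),
    ("corp\\svc-backup", "services.exe", "powershell.exe"),
] * 5  # repeated to stand in for a few weeks of routine activity

NEW_EVENTS = [
    ("corp\\admin01", "explorer.exe", "powershell.exe"),    # routine, not flagged
    ("corp\\jdoe", "winword.exe", "powershell.exe"),        # office app spawning PowerShell
    ("corp\\admin01", "services.exe", "powershell.exe"),    # known user, known parent, new pairing
    ("corp\\jdoe", "explorer.exe", "notepad.exe"),          # not a dual-use tool, ignored
]

def build_baseline(events, min_count=3):
    """Return the set of (user, parent, image) triples seen at least min_count times."""
    counts = Counter(events)
    return {key for key, n in counts.items() if n >= min_count}

def flag_anomalies(events, baseline):
    """Return dual-use tool launches whose (user, parent, image) triple is not routine.
    Each finding carries short reasons so an analyst can triage it quickly."""
    findings = []
    for user, parent, image in events:
        if image.lower() not in DUAL_USE:
            continue
        if (user, parent, image) in baseline:
            continue
        reasons = []
        if not any(u == user and i == image for u, _, i in baseline):
            reasons.append("user has no history with this tool")
        if not any(p == parent and i == image for _, p, i in baseline):
            reasons.append("unusual parent process")
        findings.append({"user": user, "parent": parent, "image": image,
                         "reasons": reasons or ["new user/parent/tool combination"]})
    return findings

if __name__ == "__main__":
    for finding in flag_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

The baseline window should be long enough to cover scheduled administrative work, or legitimate but infrequent tool use will surface as noise.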
