Over the last couple of years, the massive incremental investment that businesses and other organizations have made to increase cyber defenses has paid off and stopped many types of attacks. But this dance between cyberattacks and cybersecurity is continuously evolving. As such, cybercriminals are working around the clock to advance their tools and aggression, sometimes drawing on age-old tactics to disguise their schemes.
Business owners, IT teams, and security professionals must remain vigilant to understand how threats change and stay one step ahead to prevent a breach. There is an often-used saying that “all things old are new again,” and cyberattacks are no exception. Living off the land attacks, also known as LotL attacks, have been around for over 25 years. However, they have remerged as a trend in the cybersecurity landscape.
Recognizing LotL Attacks
LoTL attacks are virtually lifeless malware attacks. They are challenging to detect and can be described as malicious code or tools gaining access and using native system tools as part of the system’s normal operating state. LotL attacks often take occur in three stages:
- A user accidentally visits a compromised website, opens a phishing email, or uses an infected external data device, like a USB drive. Alternatively, a hacker can scan a network for a vulnerable device using a backdoor or rootkit to gain access.
- The attack kit establishes a foothold in the system. It then looks to deploy itself, often hiding in or among system administrator tools like PowerShell, VB scripts, Windows Management Instrumentation (WMI), Mimikatz, and PsExec.
- With the system compromised and the attack tools well hidden, the hacker can now remotely access the system, steal data, disrupt operations, or probe for different methods to compromise.
LotL Attacks Facts
Hackers have figured out that if an organization’s cyber defence tools are too useful to bypass, another attack strategy involves using vulnerable operating systems and system administrator tools to attack devices from a different angle subtly. By avoiding detection in an apparent head-on attack, the hacker uses LotL tactics to slip into the system, hide, and exploit the design along with its resources and data over time.
A SecurityBoulevard.com article points to the growing sophistication of malware; it explains that cybercriminals “target pre-installed tools (such as PowerShell) to not only make it more difficult to detect them, but also to enable them to spread more stealthily and wreak more havoc.”
To understand LotL attacks, you can look to a few high-profile attacks:
- Seen first in 2016, Silence Group is an example of a financially motivated bad actor that uses LotL attacks to target financial institutions in Russia, Ukraine, Poland, and other neighbouring countries. Notably, this group successfully penetrated the Russian Central Bank systems, ATMs, and card processing capabilities.
- In 2018, organizations in Ukraine were hit with NotPetya ransomware, which leveraged LotL attacks. The ransomware used a software supply chain attack as its initial infection point, then used LSADump and Mikikatz to steal account credentials to copy the threat to other computers on the network.
- A cyberespionage campaign known as “Thrip” targeted telecommunications and defense companies using LotL tactics involving the Windows PsExec utility to install Catchamas info-stealer malware.
Building Your Defense
A next-generation cloud-based anti-malware software package, paired with behavioural endpoint detection and response (EDR), is currently the most advanced defence against both malware and non-malware attacks.
Non-malware attacks like LotL attacks, though difficult to detect, are defensible with the following:
- IT professionals can use application whitelisting to block attackers by preventing the execution processes from running.
- System tools can provide alerts for human investigation beyond the system’s planned maintenance windows.
- Proactive threat hunting should be deployed.
LotL Threat Mitigation
While many businesses and other organizations have made strides to defend themselves against malware, cybercriminals continue to learn and adapt, using new vectors and resurfacing attacks that have worked in the past.
Living off the land attacks are especially pernicious, given that they hide amongst other legitimate applications and utilities. While difficult to detect, they can be mitigated by whitelisting and leveraging the execution capabilities of OS and system administrator tools. Additionally, careful use of alerts and inspection can help detect LotL attacks.