As cyber defenses improve, adversaries are shifting to stealthy “living-off-the-land” attacks that use targets’ own tools against them. Here are some tips to defend your turf.
Why invest in top-shelf malware just to have it be turned away by antivirus tools again and again? Why launch a cyberattack like that when your target is already full of perfectly good attack tools, just waiting for you?
More and more threat actors are coming to that conclusion. As cyber defenses improve, adversaries are shifting to stealthy “living-off-the-land” (LotL) attacks that defy many automated security measures.
Here are some ways to begin countering the threat.
What Is LotL?
The term “living off the land” refers to fileless, malware-less attacks that turn a system’s own native tools against them. Bad actors use perfectly legitimate programs and processes to perform malicious activities, thereby blending into a network and hiding among the legitimate processes to pull off a stealthy exploit.
“Traditionally, attackers have exploited a target environment and then pushed their own tools onto target machines, including backdoors, rootkits, harvesting tools, and more,” says Ed Skoudis, a security veteran and instructor with the SANS Institute. “With living-off-the-land techniques, the attacker uses the compromised machine itself, and components of its operating system, to attack that system further and to spread to other machines in the environment. So the compromised machine’s operating system becomes, in essence, the attacker’s toolkit. The attacker uses its resources and place on the network to undermine the entire targeting environment.”
In other words, criminals have realized that the most subtle and effective way to wield control over a system is to use the exact same operating system components and methods used by system administrators, Skoudis says.
Some of the tools commonly exploited for LotL attacks include PowerShell scripts, VB scripts, WMI, Mimikatz, and PsExec. These are administrative and troubleshooting tools that are already in the environment and won’t set off alarm bells when an attacker uses them.
A well-known example of an attack that utilized LotL techniques was the 2017 to 2018 outbreak of the Petya/NotPetya ransomware, which used a software supply chain attack as the initial vector to compromise an update process in a software accounting program.
Good Defenses Make LotL Attacks Likelier
LotL attacks aren’t new. Chester Wisniewski, principal research scientist at Sophos, says they’re the result of even better defenses in security. In other words, security teams are a victim of their own success.
“These tactics have been around for decades but in recent years have become mainstream,” Wisniewski says.
In fact, in 2019 most attacks in CrowdStrike’s research and incident reporting were “malware-free” for the first time.
“Security defenses and patching have improved dramatically in the last five years,” Wisniewski says, “making it harder to run malicious code on any given system. System tools are often whitelisted and can be the only process allowed to run on a secured system, making them obvious targets for an attacker. These changes in tactics are driving security tools to focus more on behaviors and less on specific file samples.”
Adds Skoudis: “With application whitelisting, attackers often find that their own tools simply won’t run on the target operating system. But the operating system components themselves will still run, so attackers use those. It’s quite pernicious — the operating system is a treasure trove of programs and scripts the attacker can abuse.”
Every type of environment is susceptible to this kind of attack, the researchers say. But attackers are more likely to use LotL techniques in environments that are particularly locked down or well-monitored.
“If the environment is weak or badly instrumented, attackers do not have to resort to live-off-the-land attacks. But in especially secure networks, attackers have this option for being even [stealthier and more] effective,” Skoudis says.
Once they have managed to find ways to co-opt admin tools for their own purposes, Wisniewski says attacks can range widely: ransomware operators using software deployment tools to deliver the ransomware code, for example, or nation-state actors using Mac and Linux PCs as a place to hide while they handcraft attack tools using built-in scripting languages like Perl, Python, or even C++.
“We also see malware abusing the Windows operating system’s built-in features like a hostile, mutant MacGyver variant, dominating the machine using only its wits and the tools it can fashion out of local materials,” he says.
Defending Against LotL Attacks
Because LotL attacks take advantage of commonly used tools, obviously that makes them very difficult to detect. But Skoudis recommends “purple teaming” — having red teamers apply LotL tactics in an exercise to ensure that blue teamers and SOC personnel can detect and thwart these techniques. He also suggests whitelisting practices with this in mind.
“Application whitelisting does go a long way in blocking attackers, provided that it is tuned to prevent execution of various unusual programs in the operating system that are often abused in these attacks,” he says.
Skoudis directs security teams to the LotL project page on GitHub for a list of binaries, scripts, and libraries that are often abused in LotL attacks — like bash, cmdkey, shell32, rundll32, and over 100 others.
Most rank-and-file users have no need to run many of those programs, and organizations can configure their application whitelisting tools to prevent execution of the most suspicious of them, he says.
Wisniewski recommends a blend of behavioral-based detection and monitoring strategies to try and stay on top of LotL-based attacks.
“Since living-off-the-land attacks take advantage of existing system tools that are often whitelisted or overlooked by security tools that rely on static detection techniques, implementing tools that take behavior into consideration is essential,” he says.
Also important, Wisniewski says, “is raising alerts for humans to investigate when these tools are used outside of planned maintenance windows. By employing proactive security with 24/7 monitoring by both automated software and threat hunting experts, organizations can more quickly and effectively identify, investigate, and mitigate anomalous behavior. Combining the best tools with the brightest minds to neutralize active threats with speed and precision, while limiting recurrence, is the best approach for defending against these attacks.”
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio