What Are Living-Off-The-Land Attacks and How Can You Stop Them?
Living-off-the-land (LOTL) hacking techniques aren’t exactly new, but a recent advisory from the US and its Five Eyes allies has highlighted the serious threat they pose to governments and organisations worldwide.
The primary aim of LOTL techniques is to help hackers compromise IT systems and conduct malicious cyber activity against organisations without being caught by security monitoring tools. So, with this in mind, what best practices can organisations adopt to identify and mitigate LOTL attacks?
What the Advisory Says
The recent Five Eyes advisory was issued by American government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI, in conjunction with international partners such as the UK National Cyber Security Centre (NCSC) and Canadian Centre for Cyber Security (CCS). It warns that LOTL strategies helped Chinese state-sponsored hackers launch devastating cyber-attacks on US critical infrastructure (CNI) providers.
Chinese hacking group, Volt Typhoon, used LOTL to stay hidden inside critical IT networks in CNI sectors such as communications, energy, transport, and water and wastewater. Its motivation appears to be pre-positioning in case of a potential conflict with the US and its allies.
“The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence,” it reads. “In fact, the US authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.”
A Deep Dive into LOTL
When conducting LOTL attacks, cyber-criminals typically leverage genuine tools that are already installed on compromised computers. This allows them to conduct malicious activity against organisations without their security teams finding out and intervening.
Cyber-criminals often find this approach simpler and stealthier than downloading new tools or applications onto a breached system, according to Michael Clark, director of threat research at Sysdig.
“The tools being leveraged by attackers are also considered trusted in many cases as they may implement code signing,” he tells ISMS.online. “If the tool is commonly used in the victim’s environment, its use may blend in with all of the legitimate uses.”
Kennet Harpsoe, senior cyber analyst at Logpoint, explains to ISMS.online that cyber-criminals launching LOTL attacks are motivated by the desire to further their nefarious objectives using legitimate, built-in, and signed binaries already present on the target’s computer systems. He warns that they can do this during any stage of the cyber-kill chain, including discovery, persistence, lateral movement or command and control.
There are a number of factors that make LOTL attacks highly dangerous for organisations. First, because they use legitimate applications and tools used by organisations, Harpsoe warns that conventional antivirus and intrusion detection systems may not identify them.
“This makes them a valuable and stealthy tool for malicious actors to evade detection,” he explains.
Second, LOTL strategies allow hackers to perform malicious digital activities against their victims without leaving a trace. This method is “incredibly versatile”, giving them multiple ways to launch attacks. These include code execution and the ability to download, upload, or copy files.
Uncovering LOTL Attacks
Although it can be difficult for organisations to detect LOTL attacks, they can adopt various best practices to shore up cyber-defences.
Jake Moore, global cybersecurity advisor at ESET, recommends that businesses secure their systems by implementing stringent administration controls, regularly performing software updates and patches, and tracking network activity in real-time.
He tells ISMS.online that behaviour-based security checks can also be a helpful mitigation technique against LOTL attacks, by highlighting any irregular digital activities that may suggest when a cyber-criminal is abusing a legitimate tool like a computer’s registry.
He also encourages employers to train staff on spotting and mitigating online security threats, as LOTL attacks often begin through social engineering tactics such as phishing emails.
Sean Wright, head of application security at Featurespace, admits that mitigating LOTL attacks isn’t easy, but says patch and vulnerability management programs, monitoring solutions and anomaly alerts can provide an extra layer of cyber protection.
Logpoint’s Harpsoe points to the benefits of building a defensible, segregated network as part of a passive security strategy. Simple steps like deleting unused accounts, services or ports, implementing two-factor authentication, limiting admin rights, and network segregation can also help organisations minimise the attack surface of their IT networks and systems, he adds.
Yossi Rachman, director of security research at Semperis, says the first step in tackling LOTL attacks is establishing a process for identifying system irregularities that point to suspicious activity.
“Pay special attention to endpoint processes and drivers. Also continuously monitor process execution, especially for common LOLBin (Living off the Land Binaries) like PowerShell, WMIC, and certutil,” he tells ISMS.online. “Review the publicly available and continuously maintained LOLLabs project for a list of commonly (ab)used binaries.”
He adds that monitoring command-line activity, as well as using identity detection and response systems, network monitoring tools and behavioural analytics, can also help businesses identify suspicious behaviour that suggests a LOTL attack is happening.
Kelly Indah, a tech expert and security analyst at Increditools, stresses the importance of information sharing in tackling this global issue.
“International cooperation in documenting state adversaries’ evolving playbooks is invaluable for raising defences everywhere such groups may next turn their sights,” she tells ISMS.online. “Together, we can strengthen our shield against even the stealthiest of threats.”
LOTL hacking techniques pose a significant threat to organisations around the globe, whether used by nation states or financially motivated hacking groups. Although these attacks are deceptive by design, businesses can tackle them by improving cyber-hygiene and following industry best practices.