How to prevent living-off-the-land attacks
Living-off-the-land attacks have been around since the dawn of modern computing, but they're drawing new attention from threat actors eager to find ways to penetrate defenses.
Threat actors constantly search for new approaches as well as update older techniques to attack enterprise networks in the face of stronger cybersecurity defenses. Case in point: living-off-the-land attacks, a favorite tool of malicious hackers eager to infiltrate IT environments.
Let's examine living-off-the-land attacks, what they are and how to successfully combat them.
What are living-off-the-land attacks?
Living-off-the-land (LOTL) attacks aren't new; they have been around for as long as modern computing systems have existed. They are the digital version of homesteading or living off-grid in everyday life. LOTL attacks use legitimate tools, software and built-in OS features to gain entry and operate. Instead of deploying more intrusive and direct malware, attackers rely on fileless techniques and trusted applications to exploit their victims. As a result, these attacks often blend in and go undetected.
LOTL attackers gain network access through the use of exploit kits, stolen credentials and vulnerabilities. These can be gathered from dark web marketplaces where they are sold by other attackers or initial access brokers. Attackers also conduct social engineering and phishing campaigns to trick users into providing data that enables them to gain unauthorized access to the environment.
Once inside the network, intruders carry out their attacks with native programs, such as Windows Management Instrumentation, CLI tools or PowerShell, to avoid being discovered. To avoid leaving traces on hard drives, attackers run malicious scripts or commands directly in memory. Additional LOTL techniques include memory-only malware and fileless ransomware deployment that bypass security defenses.
The goal of these attacks is to exfiltrate data by tricking trusted tools into executing system commands. Threat actors lurk in the background while they evade detection and security defenses. By escalating privilege and access levels, LOTL attackers can inflict even more damage.
Examples of living-off-the-land attacks
LOTL attacks are effective because they let malicious actors move laterally and penetrate deeper into a system's infrastructure without being noticed. Unlike traditional malware or ransomware attacks, these intrusions use native tools and so are not immediately discoverable by antivirus and antimalware tools.
Two of the most notable LOTL incidents involve NotPetya and Volt Typhoon.
- NotPetya. The 2017 NotPetya attack that targeted Ukraine caused widespread damage to the country's digital infrastructure. After the malware was deployed, it encrypted critical files and seized control of boot records, leaving critical systems inoperable. More than 300 Ukrainian companies were affected, among them healthcare facilities, utility companies, airports and government organizations. The attack also affected global companies such as FedEx and Merck, causing disruptions and widespread outages.
- Volt Typhoon. Volt Typhoon is a Chinese nation-state-sponsored hacker group that has consistently used LOTL attacks to target U.S.-based critical infrastructure since 2021. The group typically surveils its targets using native commands on trusted systems, such as Active Directory, and inspects network configurations. Its operators don't rely on specialized malware as seen in some other LOTL attacks. Instead, they employ legitimate network protocols and utilities to exfiltrate sensitive information. This approach reduces the likelihood of detection.
How to detect and prevent LOTL attacks
Because they target a system's existing environment and trusted tools, LOTL attacks can be difficult to detect and prevent. Yet there are steps enterprises can take to safeguard their networks against these attacks.
- Conduct ongoing monitoring and behavior analysis. LOTL attackers are difficult to detect because they use only trusted tools to avoid discovery. Deploying ongoing monitoring and behavioral analysis, such as endpoint detection and response, can help combat these damaging attacks. EDR tools monitor endpoints for suspicious activity and use behavioral analytics to identify patterns of misuse.
- Establish more detailed event logging. Centralizing and collecting event logs is critical to detecting living-off-the-land attacks. A centralized repository enables security teams to apply other measures, among them retroactive searches and targeted threat hunting, to detect unusual activity in the logs. Event logging also provides a digital record that helps an organization plan its incident response strategy as it navigates a compromise or attack.
- Adopt proactive threat hunting measures. An organization's weakest points of possible attack require greater proactive defenses to counteract them. Teams should conduct ongoing threat hunting to search for signs of compromise across systems and networks. This approach not only gives security teams more advanced metrics that can pinpoint subtle abnormal patterns, but it also lets teams fine-tune their defenses based on emerging cyberthreat trends and methods.
- Implement stronger access and authentication controls. Restrict user privileges through stronger access controls to help prevent lateral movement and privilege escalation. Implement access controls scoped specifically to each user's role, so that a compromised account cannot be used to reach additional resources. Security controls that require additional authentication, such as MFA, also help protect accounts that might have been compromised. Adopting a zero-trust framework and the principle of least privilege likewise helps prevent unauthorized access.
- Maintain ongoing system updates and patching. Regular system updating and patching help fix vulnerabilities that can expose systems to attack and are a cornerstone in preventing LOTL attacks. Organizations that use legacy technologies that cannot be regularly updated must employ other security measures to help guard against compromise.
- Enable network segmentation and monitoring for internal traffic. Segmentation -- which, among other attributes, lets organizations isolate network segments containing threats -- is particularly useful in organizations with legacy systems, where updates and patches might not be available. Network detection and response tools enable teams to track network activity and identify unusual movement within the network.
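As an added illustration of the behavioral analysis and centralized event logging recommended above (example code written for this article, not code from the author or any vendor), the following Python triage runs a few LOTL heuristics over constructed process-creation events: an Office application spawning a script host, encoded or hidden-window PowerShell, and WMI being used to start a process. The event shape, the sample values and the rule names are assumptions made for the example.

```python
import base64
import re
# Constructed Sysmon Event ID 1 / Windows 4688-style process-creation events (hypothetical, not from
# a real incident). Event 102's -enc value is the UTF-16LE base64 of the harmless "Get-Date".
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"pid": 103, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic /node:fileserver01 process call create notepad.exe"},
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (PowerShell expects UTF-16LE base64), if any."""
    m = re.search(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def analyze_event(event: dict) -> list:
    """Return the names of the LOTL heuristics this event triggers (empty list = nothing notable)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    hits = []
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
        hits.append("office_spawned_script_host")  # a document launching a shell is rarely legitimate
    if image in {"powershell.exe", "pwsh.exe"}:
        if decode_encoded_command(cmd) is not None:
            hits.append("encoded_powershell")  # payload hidden from casual log review
        if re.search(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b", cmd, re.I):
            hits.append("stealth_powershell_flags")  # hidden window / profile bypass
    if image == "wmic.exe" and re.search(r"process call create|/node:", cmd, re.I):
        hits.append("wmi_process_creation")  # WMI used to start a process, possibly on a remote host
    return hits

def triage(events: list) -> list:
    """Keep only events that trigger a heuristic, attaching any decoded PowerShell payload."""
    return [{"pid": ev["pid"], "rules": hits, "decoded": decode_encoded_command(ev["cmdline"])}
            for ev in events if (hits := analyze_event(ev))]
```

In production these rules would run inside the EDR or SIEM over the centralized log repository, with the decoded payload surfaced to the analyst so that a benign encoded command can be dismissed quickly.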
Amanda Scheldt is a security content writer and former security research practitioner.