Living-off-the-land attacks (LOTL) are among the most dangerous cybersecurity threats facing your business. They are widespread, difficult to detect, and can wreak havoc in your system by leveraging legitimate tools and applications.
According to Crowdstrike’s 2023 Global Threat Report, 71% of all threat detections involved malware-free LOTL activity, including widespread use of valid credentials to gain access to the network environment. These attacks are especially sinister because they do not require traditional code, scripts, or malware files. Instead, attackers gain access to valid user accounts and construct the attack using tools already present in the network. Known as “fileless malware,” living-off-the-land attacks can bypass traditional security measures that are searching for known malware or unauthorized files.
As LOTL threats become more sophisticated and harder to detect, organizations will need to take an integrated, multi-pronged approach to prevent unauthorized access and keep their systems secure.
What You Need to Know About Living-Off-the-Land Attacks
LOTL attacks are notoriously difficult to detect because they use native tools rather than spyware or malicious code. This makes it significantly more difficult to distinguish them from regular system activity. Attackers modify the tools to serve their purpose. They may be free to roam around inside the network for weeks or even months before they are detected. During this time, the attacker can set up complex, sophisticated attacks that exploit tools like PowerShell, Window Management Instrumentation (WMI) or built-in scripting languages like Python or Ruby. They may also use scheduled tasks to automatically execute malicious actions.
The key to a successful LOTL attack is gaining access to the system. Once inside, the attacker can masquerade as a legitimate user to exploit code, hijack tools, or launch ransomware attacks. To prevent this, you’ll need to start by understanding how they access your environment in the first place:
- Poor Password Hygiene – Failure to follow password best practices can and will leave your system vulnerable. These practices include requiring users to regularly change passwords, educating your team about strong password requirements, preventing manual password sharing, and implementing tools to store and share passwords securely.
- Stolen Credentials – Attackers often use sophisticated tools to “guess” a password using a brute force attack. They may also make educated guesses based on a user’s past activity, other passwords, and password changes over time.
- Access Brokers – Crowdstrike’s threat report found that access broker activity increased by 112% in 2022. Access brokers make it their business to acquire passwords and login info, and then sell them to attackers.
- Phishing Emails – Users may unwittingly give a threat actor access to the system by clicking on a link in a phishing email. The link launches code that exploits vulnerabilities in the system to give attackers control.
6 Ways to Prevent LOTL Attacks
There’s an old proverb often attributed to Benjamin Franklin that states: “An ounce of prevention is worth a pound of cure.” Mr. Franklin may never have used a computer, but his advice is strikingly relevant for today’s cybersecurity strategies. Nowhere is that more evident than when dealing with living-off-the-land attacks.
Because LOTL attacks are so difficult to detect once they are inside your system, preventing access is a high-stakes strategy that should be prioritized. Here are 6 ways to do that:
- Implement CIS Controls – CIS controls are a set of best practices recommended by the Center for Internet Security. They cover foundational strategies to craft a comprehensive cybersecurity program, such as account management, access control management, asset inventory and control, and much more. In particular, CIS Control #5 addresses several of the keys to preventing LOTL attacks, including:
- Unique passwords
- Administrator privilege restrictions
- Account inventory
- Centralized account management
- Use Least Privilege Access Management – Least privilege access management restricts user access to only the specific data and tools they need to do their jobs. If an attacker gains access to the system, they still won’t be able to do much because capabilities are limited.
The most effective way to implement least privilege is to use a privileged access management (PAM) solution. PAM solutions remove local admin rights and automate privileged access requests based on defined rules. This effectively neutralizes a threat actor’s ability to make changes within the system, since all accounts operate as standard user accounts without admin rights. - Use a Secure Password Manager – Poor password practices lay out a welcome mat for cyber attackers. With a secure password manager, you can enforce organizational password policies, monitor for stolen credentials, and securely share encrypted passwords without risk of compromising data.
- Use Multi-Factor Authentication – Multi-factor authentication (MFA) goes hand-in-hand with your password security strategy to prevent credential theft. It does not replace PAM solutions or password managers, but it does provide an additional barrier to unauthorized access. This is done by requiring a second unique identifier such as a code or biometric. Most cyber insurance providers now require MFA to qualify for coverage.
- Know How Tools Normally Operate In Your Environment – In addition to the security practices we’ve mentioned, it’s also important to understand how various tools normally operate so that you can detect anomalous activity quickly. What scripts should be running? What scheduled tasks do you use? What applications are regularly used, and what are they doing? This information will help you establish a security baseline for threat identification.
- Monitor Systems and Applications for Unusual Activity – Implement a multi-pronged monitoring approach that includes monitoring tools, machine learning tools, and AI tools that look for unusual activity. Because these measures may not always identify fileless malware attacks, you should also review user logs for activity that may indicate an undetected threat.
Prevent LOTL Attacks with Reliable Cybersecurity Tools
Once an attacker has accessed your system and launched an LOTL attack, detecting that attack can be exceptionally difficult. That’s why preventing access in the first place is critical. At CyberFOX, we offer simple, reliable privileged access management (PAM) and password management solutions that lock down your system and keep hackers out. Contact us today to learn more!