
Christiaan Beek at Trellix Threat Labs explores a deceptively simple cyber security attack
When it comes to cyber crime, it’s common to assume that most attacks involve complex, expansive, and multi-layered vectors. However, this is not always the case. Often the simplest attacks have the most disastrous consequences. One example is Living off the Land (LotL) attacks.
Rather than being dramatic, these attacks are centred around stealth and discretion. Threat actors utilise LotL techniques to gain access to a system undetected, before undertaking large scale and overt attacks.
We’ve observed an increase in these types of attacks which fundamentally exploit core vulnerabilities within a victim’s system before they are patched. It’s critical for security teams to be aware of them to minimise any potential damage to their organisation.
It’s best to start with a discussion of what these attacks are. The concept was developed and the term coined by Christopher Campbell and Matt Graeber in 2013, and it is defined as attacker behaviour that uses any binary supplied by the Operating System (OS) or the user.
Typically, the tools and processes exploited are used for legitimate purposes, such as file transfers, downloads, attachments, or Windows tools; this allows malicious actors to remain undetected by system administrators and security tools in an organisation’s network.
Attacks utilise and exploit these legitimate OS binaries to gain access to a victim system. Binaries can be combined with fileless malware and legitimate cloud services, blending malicious activity in with regular network activity and administrative tasks to enable threat actors to remain hidden between overt attack phases.
It’s important to note that almost all conventional operating systems contain executables that can be taken advantage of – Windows, for example, has over 100 system tools that are vulnerable to exploitation.
Typically, attackers utilise different approaches to gain access to systems, such as dual-use tools and fileless persistence. They manipulate exploits, scripts, and legitimate tools that have both normal and security functions – for example, PowerShell, Process Explorer and PsExec – to compromise systems, elevate privileges and spread laterally across a network.
The Sodinokibi ransomware attack (also known as REvil) is a recent example of where LotL approaches were used in an extremely invasive way. Once attackers had gained access to a victim’s system, REvil was able to encrypt the data to be ransomed and delete the ransom request post-infection, maintaining anonymity for a short period of time.
The danger of these attacks lies in how exceptionally accessible they are. By manipulating existing tools on the OS, attackers don’t need to build and test their own. Tactics, threats, and processes are available within open-source frameworks such as Metasploit, PowerSploit and Exploit Pack.
This ease-of-use factor is the primary reason why LotL attackers are able to blend in with normal operating functions and hide within legitimate programs and processes to carry out an attack.
Legitimate processes are less likely to raise suspicions from system administrators and security tools, and are often whitelisted from scanning altogether, meaning attackers can avoid most detection methods. This allows them to delay the use of malware until much later in the attack chain to limit response time and effectiveness.
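The two preceding passages describe why a dual-use binary such as PowerShell or PsExec blends in: the same executable is routine in an administrator’s hands and is often exempt from scanning. The following is an added example, not code from the article or from Trellix, showing how a defender can still separate the two by scoring process-creation context (parent process, account, command-line flags, remote target) rather than the binary name alone. The event field names and all four log entries are constructed for illustration.

```python
import re

# Constructed process-creation events (not real telemetry); the field names are an assumption.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe", "user": "it-admin",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},           # routine admin use
    {"parent": "winword.exe", "image": "powershell.exe", "user": "jsmith",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},            # document spawning PowerShell
    {"parent": "services.exe", "image": "psexesvc.exe", "user": "SYSTEM",
     "cmdline": "psexesvc.exe"},                                             # PsExec service, as installed
    {"parent": "cmd.exe", "image": "psexec.exe", "user": "jsmith",
     "cmdline": "psexec.exe \\\\fileserver -s cmd.exe"},                      # non-admin reaching another host
]

# Dual-use binaries named in the article: legitimate for admins, suspicious in the wrong context.
DUAL_USE = {"powershell.exe", "psexec.exe", "psexesvc.exe", "procexp.exe"}
# Parents that have no business launching an admin tool (document readers, mail clients).
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
ADMIN_USERS = {"it-admin", "SYSTEM"}
# Flags that hide or obfuscate what PowerShell is running.
OBFUSCATION_FLAGS = re.compile(r"(?i)(^|\s)-(e|enc|encodedcommand|w\s+hidden|nop)\b")
# A UNC-style target (\\host) on a PsExec command line means execution on another machine.
REMOTE_TARGET = re.compile(r"\\\\[\w.-]+")


def score_event(ev):
    """Return (score, reasons) for one event; a plain admin run of a dual-use tool scores 0."""
    if ev["image"].lower() not in DUAL_USE:
        return 0, []
    score, reasons = 0, []
    if ev["parent"].lower() in USER_APP_PARENTS:
        score, reasons = score + 3, reasons + ["dual-use tool spawned by a user application"]
    if ev["user"] not in ADMIN_USERS:
        score, reasons = score + 2, reasons + ["run by a non-admin account"]
    if OBFUSCATION_FLAGS.search(ev["cmdline"]):
        score, reasons = score + 2, reasons + ["hidden or encoded command-line flags"]
    if ev["image"].lower() == "psexec.exe" and REMOTE_TARGET.search(ev["cmdline"]):
        score, reasons = score + 2, reasons + ["PsExec aimed at a remote host (lateral movement)"]
    return score, reasons


def find_suspicious(events, threshold=3):
    """Events whose context score reaches the threshold, with the reasons for review."""
    return [(ev, s, r) for ev in events for s, r in [score_event(ev)] if s >= threshold]


if __name__ == "__main__":
    for ev, s, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{s:>2}  {ev['user']:<9} {ev['parent']} -> {ev['image']}: {'; '.join(reasons)}")
```

The point is that the first and third events, which are the same binaries used by an administrator, score nothing, so allow-listing by image name is neither necessary nor sufficient.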
Furthermore, the use of LotL techniques in wider campaigns reduces the ability to attribute attacks to specific groups or individuals – custom malware tools, on the other hand, are traceable and attributable to the specific groups that developed them.
Fileless attacks are highly effective, especially when compared to file-based campaigns. Their ability to evade detection systems has made fileless techniques an increasingly common way to deliver an initial payload. Historically, LotL techniques were observed post-compromise, used to further exploit victim systems once access had been gained.
Essentially, organisations are falling victim to a double-edged sword – the same tools that improve efficiency can also be used by malicious attackers. Organisations need to detect threats earlier and implement an adaptable shield to defend against attacks.
There are multiple avenues to achieving this:
It’s clear that defending against these attacks will require innovative solutions. Businesses must deploy security technology which can learn and adapt defences based on the threat, allowing security teams to better identify, respond to, and report detected threats.
Depending on the motivation, cyber criminals will continue to use methods which ensure they fly under the radar of even the most vigilant security teams. In short, the longer they remain undetected, the more damage can be inflicted.
As these types of attacks increase as the threat landscape changes, businesses must rely on technology that moves as quickly as cyber-attackers do and can learn and adapt in real time to stay one step ahead.
Failing to take this approach will leave businesses vulnerable to attack, putting their valuable data, reputation and financial position at risk.
Christiaan Beek is Senior Director Threat & Vulnerability Research at Trellix Threat Labs
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543