In the unrelenting fight that is cybersecurity, attacks continue to grow more elusive and sophisticated. Among them, threat actors who adopt Living Off the Land (LOTL) strategies have emerged as formidable adversaries, abusing legitimate system features and functionality to compromise networks stealthily.
As defenders grapple with this stealthy threat, a new study from the Cybersecurity and Infrastructure Security Agency (CISA) sheds light on the tactics, techniques, and procedures (TTPs) attackers use and provides critical insights into recognising and combating LOTL attacks.
LOTL attacks use pre-existing software and legitimate system tools to carry out malicious actions, allowing attackers to go undetected amid the noise of everyday network traffic.
Rather than creating proprietary malware or tools, attackers take advantage of built-in programmes such as PowerShell, which has been accessible on all Windows operating systems since November 2006.
Benefits of leveraging existing tools in cyber attacks
The appeal of employing existing tools stems from their widespread availability and familiarity within enterprise environments. These tools provide ready access to both local and domain-based environments, allowing attackers to automate administrative tasks and execute commands with ease. By using them, attackers avoid the time-consuming process of developing, testing, and distributing specialised tools, saving both time and resources.
Furthermore, the intrinsic complexity of developing and distributing tooling across numerous operating systems and environments is a significant challenge for cybercriminals. By leveraging existing tools, attackers sidestep compatibility issues, dependencies, and the detection mechanisms that custom tooling might trigger. This approach significantly lowers the chance of discovery, because built-in tools blend smoothly into regular system activity, making it difficult for defenders to distinguish authorised use from malicious use.
Prevention tips
The importance of mitigating LOTL tactics cannot be overstated in light of the latest Volt Typhoon study published by CISA. Defenders need to be proactive and alert as attackers continue to hone their strategies and probe for weaknesses in organisational defences.
Organisations can fortify their defences and mitigate the risks posed by LOTL attacks by applying the insights in the research and implementing a defence-in-depth security strategy. Here is how organisations can successfully defend against LOTL attacks.
Visibility is critical: relying solely on preventative technology is insufficient against attackers who use authorised tools. Visibility into all activity across the entire infrastructure is required to detect and mitigate such threats.
Identify authorised users: determine who should be using tools that can be turned to LOTL attacks, such as scripting languages or administrative utilities.
Enable comprehensive logging: use granular logging to monitor LOTL tool usage. For example, enabling enhanced logging for PowerShell scripting yields useful information.
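As an added example (not code from the article or from CISA's report), the following PowerShell enables the enhanced script logging the last tip refers to and then uses the resulting events to answer the previous tip's question of who is actually running PowerShell on the host. It assumes an elevated session on a Windows host; the registry paths mirror the Group Policy settings "Turn on PowerShell Script Block Logging" and "Turn on Module Logging", and the list of approved administrator accounts is a constructed placeholder.

```powershell
# Added example: enable enhanced PowerShell logging, then summarise
# which accounts have been executing script blocks. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging writes the content of every executed script block
# (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), including
# the de-obfuscated form, so obfuscated one-liners remain readable.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging records pipeline execution details (Event ID 4103);
# '*' covers every module rather than a named subset.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Confirm the policy values are in place before relying on the log.
Get-ItemProperty -Path "$base\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path "$base\ModuleLogging"      | Select-Object EnableModuleLogging

# Constructed placeholder: accounts expected to run PowerShell here.
$approved = @('CORP\svc-automation', 'CORP\alice.admin')

# Pull the last seven days of script block events and count them per account.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $account = '<unknown>'
    if ($e.UserId) {
        $account = $e.UserId.Value          # fall back to the raw SID
        try { $account = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    [PSCustomObject]@{ Account = $account; Machine = $e.MachineName }
}

# Accounts outside the approved list are the ones to review first:
# unexpected interactive use of PowerShell is a common LOTL indicator.
$rows | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
    $flag = ''
    if ($approved -notcontains $_.Name) { $flag = 'REVIEW' }
    '{0,-30} {1,6} {2}' -f $_.Name, $_.Count, $flag
}
```

The policy keys take effect for new PowerShell sessions, so a host that has just been configured will show few or no 4104 events until users start new sessions.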