The cyberworld has witnessed and defended against several forms of attacks. Some of the most common ones known to disrupt a network include credential stealing, malware installations, worms and viruses, and insider threats. In order to execute these attacks successfully, attackers often use different tools and techniques.
For instance, in a ransomware attack, an attacker may install malicious software to encrypt all the files and folders in your network and demand a ransom to recover the files. Maze and Ryuk were notorious ransomware attacks that were executed to perfection and caused a major stir in the cybersecurity industry.
What is a LotL attack?
A living off the land (LotL) attack is a cyberattack where an attacker utilizes tools and features of the targeted system to perform a malicious action. The recent Kaseya supply chain ransomware attack is an example of a LotL attack where the attacker utilized the organization’s own technology against it. This enabled the attacker to disrupt the multi-layered network without raising alarms. LotL attacks are considered malwareless or fileless because they leave no trace behind, making them difficult to detect.
Why cyberattackers prefer LotL attacks
1. The network’s built-in tools are always powerful: Organizations often have updated or premium versions of software. This means that attackers can use a powerful tool already available within the network to disrupt it.
2. Developing a new tool can be a costly affair: For attackers, creating custom applications, tools, or techniques based on the security posture of different organizations can be a costly and time-consuming affair. By utilizing the network’s built-in tools, the attacker can execute a flawless attack without much effort.
3. They can avoid detection: Attackers can avoid being detected by using the existing tools. The security system doesn’t send alerts when a whitelisted or commonly used tool is utilized by attackers. Thus, they can fly under the radar while carrying out an attack.
Stages of a LotL attack
LotL attacks are pretty easy to execute and help an attacker gain access and move laterally across an organization’s network. They are subtle and can be as effective as any complex cyberattack. Here are short descriptions of the stages of a LotL attack:
1. Incursion: Threat actors often exploit a remote code execution vulnerability to run shellcode directly in memory. They can also send a malicious email with a script hidden inside a document or host file. Or they can use system tools by logging in with stolen credentials.
2. Persistence: The second stage of the attack may or may not involve external installations. This depends on what the attacker wants to do within the network.
3. Payload: Threat actors often look for dual-use tools, such as PowerShell, Process Explorer, PsExec, and Process Hacker, within a network to execute the attack.
Since there are no external tools or techniques involved, every environment is susceptible to a LotL attack. Surprisingly, attackers often use LotL attacks even on networks that are well-monitored or locked down. This is because the attack becomes highly effective in a secured network.
Once the attacker finds a way to utilize admin tools to their advantage, attacks can range from data exfiltration to installing ransomware. Moreover, as the attacker uses legitimate programs and processes, they will be able to blend in amongst other legitimate processes before pulling off a stealthy exploit.
Defending against a LotL attack
Security professionals need to ensure that they’re equipped to defend against all sorts of cyberattacks. Though it is difficult to detect and mitigate a LotL attack, it is not impossible. Organizations can deploy a solution that is capable of monitoring networks and providing real-time insights on user behavior. The solution should also be able to hunt down threats based on predefined attack patterns.
Cyberhygiene and cyberdiscipline are essential to protecting your network from these types of attacks. Furthermore, organizations must:
1. Have a dedicated threat hunting strategy.
2. Review rights and permissions regularly.
3. Establish a strong endpoint detection and response system.
4. Whitelist applications that are essential.
5. Monitor dual-use tools closely.
A LotL attack can be as devastating as any other form of cyberattack. It is important to monitor the network continuously, identify threats as soon as possible, and promptly take corrective actions against these attacks.