TIPS #11: How can companies detect and respond to Living Off the Land (LOL) incidents?
Shane Shook
November 30, 2023
- Blog Post
- TIPS
Issue: Attackers are Living Off the Land by using native tools within business systems, and many companies can't detect them.
Attackers are increasingly Living Off the Land (LOL) by manipulating legitimate credentials, tools, data, and applications in business systems. LOL is more common among attackers than malware-based tactics: 71% of cyber attacks in 2022 were malware-free.
LOL techniques are popular with nation-state backed groups whose economic and bureaucratic interests often direct attacks towards critical infrastructure. For example, earlier this year the National Security Agency (NSA) issued a cybersecurity advisory on ongoing Chinese state-sponsored LOL attacks targeting United States critical infrastructure networks.
The primary indicators of LOL incidents are unusual user behaviors around service access, network transits between endpoints, data resource usage, and IT application usage. Some of the most exploited tools in LOL incidents are VPNs; remote access software such as Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and Remote Monitoring and Management (RMM) tools including ManageEngine and SolarWinds; and task and system automation applications such as Microsoft PowerShell.
Most security capabilities prioritize malware by default and many companies do not configure them to detect the malicious use of native business tools. As a result, attackers can use LOL tactics to hide in plain sight without exposing their attack methods. When attackers do use malware (often for initial entry), they tend to abandon it after breaching a company or use it as a distraction to confuse security teams.
Impact: LOL attackers steal data, disrupt systems, install backdoors, and deploy ransomware more effectively.
LOL attackers can persist in business systems and escalate privileges, move laterally within networks, steal sensitive data, install backdoors, perpetrate ransomware attacks, and damage systems. These incidents often go unnoticed for long periods of time. This leads to greater financial, reputational, and business impacts such as system disruptions, sensitive data loss or exposure, and revenue loss.
Several notable cyber events over the past 20 years have involved LOL methods including Operation Aurora, Night Dragon, Cloud Hopper, and attacks by Russian state-backed threat actor Sandworm.
Action: Identify key business resources, understand attacker objectives, and configure security tools with policies to detect LOL behaviors.
1. Business Impact Assessments
Perform business impact assessments to understand your company’s critical data, credentials, and services (including key resources which give access to crown jewel data) and how threat actors might target and use them. Surefire Cyber’s tabletop exercises help businesses test incident response capabilities and configure security capabilities to protect business resources.
2. Fine-tune Security Tools to Identify LOL Behaviors
After identifying key business resources and attack patterns, leverage security capabilities across the active-passive security posture spectrum to defend against LOL tactics. In general, security capabilities must be configured with policies that address malicious behaviors (exceptions to defined rules).
For example, financial data may have a high value to attackers who might attempt to access and steal the data using privileged user identities. Relevant security policies need to identify which employees normally access and handle the data, clarify how they tend to do so, and define behavioral exceptions that could point to an LOL incident.
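As an added example (not code from the original post or from any vendor it names), the following Python sketch turns the financial-data policy above, together with the indicators listed earlier (unusual users, source hosts, native tools such as PowerShell and RDP, and access hours), into a baseline-and-exception check over a constructed access log; the resource name, user names, host names, process names and timestamps are assumed sample values.

```python
# Added example (not from the original post): baseline-and-exception detector
# for LOL behaviour; the baseline and the access log below are constructed.
from collections import namedtuple
Event = namedtuple("Event", "ts user host tool resource")

# Constructed baseline for one crown-jewel resource: who normally touches it,
# from where, with which application, and during which hours.
BASELINE = {"finance-share": {
    "users": {"alice", "bob"},
    "hosts": {"FIN-WS01", "FIN-WS02"},
    "tools": {"excel.exe", "explorer.exe"},
    "hours": range(7, 19),  # 07:00-18:59 local
}}
# Native tools the post names as commonly abused in LOL incidents (process
# names are assumed; mstsc.exe is the Windows RDP client).
LOL_TOOLS = {"powershell.exe", "mstsc.exe", "vncviewer.exe"}

def exceptions(ev, baseline=BASELINE):
    """Return the baseline rules this event violates (empty list = normal)."""
    b = baseline.get(ev.resource)
    if b is None:
        return []  # resource not covered by a policy
    reasons = []
    if ev.user not in b["users"]:
        reasons.append("user not in access group")
    if ev.host not in b["hosts"]:
        reasons.append("unusual source host")
    if ev.tool not in b["tools"]:
        reasons.append("unusual application")
    if ev.tool.lower() in LOL_TOOLS:
        reasons.append("known LOL tool")
    if int(ev.ts[11:13]) not in b["hours"]:
        reasons.append("outside normal hours")
    return reasons

def triage(events, baseline=BASELINE):
    """Map each event with at least one exception to its list of reasons."""
    return {ev: r for ev in events if (r := exceptions(ev, baseline))}

# Constructed sample access log: one normal row, two LOL-style exceptions,
# one row for a resource not under policy.
SAMPLE = [
    Event("2023-11-30T09:12:00", "alice", "FIN-WS01", "excel.exe", "finance-share"),
    Event("2023-11-30T02:47:00", "alice", "HR-LAPTOP7", "powershell.exe", "finance-share"),
    Event("2023-11-30T10:05:00", "svc_backup", "FIN-WS02", "mstsc.exe", "finance-share"),
    Event("2023-11-30T10:06:00", "bob", "FIN-WS02", "explorer.exe", "public-share"),
]
if __name__ == "__main__":
    for ev, why in triage(SAMPLE).items():
        print(ev.ts, ev.user, ev.host, ev.tool, "->", ", ".join(why))
```

Each flagged event carries every rule it broke, so an analyst can see at a glance whether a known user merely worked late or an unexpected account reached the data over RDP from a foreign host.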
a) Prevent Network Attacks with NDR, DNS Sinkholes, and IPS rules
NDR security tools help your company observe network activities and stop attacks. Tune these tools with security policies around network resource restrictions for maximum effect. Lumu provides continuous compromise assessment and customizable NDR capabilities to help businesses detect, analyze, and respond to network threats.
DNS sinkholes are a simple, low-cost tool that can complement NDR by rerouting traffic away from malicious domains. In addition, if your business is using firewalls with standard IDS (passive) and IPS (active) programs, you should configure IPS rules to prevent malicious network traffic.
b) Stop Breaches and Compromises with Identity, Cloud, Data, and Endpoint Security
Identity Security
Many companies rely exclusively on Identity and Access Management (IAM) to manage AD (Active Directory) access and PIM (Privileged Identity Management) resource use. This isn't enough to stop LOL attackers who have already breached their systems. Instead, your business should require multi-factor authentication (MFA) for all AD and PIM resource use, bolstering MFA policies with conditional access rules for additional security. 1Kosmos provides advanced biometric MFA to power passwordless enterprise authentication and secure digital identities.
Your company can complement MFA with Mobile Device Management (MDM) and Mobile Application Management (MAM), using conditional access policies to restrict device access to services and resources. In addition, Privileged Access Management (PAM) can enable just-in-time access for remote management of endpoints, preventing active LOL attackers from moving laterally.
Cloud Security
Cloud Infrastructure Entitlements Management (CIEM) tools can be customized with policies to prevent excessive data access. Uptycs’ CIEM capability helps companies secure their cloud infrastructure, implement least privilege, and quickly respond to incidents.
Data Security
Data security controls are also critical for protecting key resources. Symmetry Systems’ Data Security Posture Management (DSPM) identifies and mitigates cyber-based business risks. Concourse Labs helps businesses create, apply, and maintain security policies to secure cloud workloads and data. SPHERE identifies identity issues and data vulnerabilities to help companies strengthen their security and risk management.
Endpoint Security
Endpoint Detection and Response (EDR) capabilities can detect and respond to malicious native tool and credential use when tuned with resource restriction policies. Huntress’ managed EDR capabilities help SMBs secure endpoints and detect and eliminate persistent footholds.
c) Document Incident Evidence
Configure security tools to document LOL incidents. Well-preserved evidence helps forensic investigators analyze incidents more effectively. NDR, XDR, and EDR tools can provide logs with incident details and File Integrity Monitoring (FIM) tools can detect signs of damage, theft, or tampering with critical data.