With adversaries increasingly relying on legitimate tools to hide their malicious activities, enterprise defenders have to rethink the network architecture in order to detect and defend against these attacks.
Known as "living off the land," these tactics involve adversaries using native, legitimate tools already present in the victim's environment to carry out their attacks. When attackers introduce new tools into the environment by bringing their own malware or utilities, they create some noise on the network. That raises the possibility that those tools could trigger security alarms and alert defenders that someone unauthorized is on the network and carrying out suspicious activity. When attackers use the tools that are already there, it is harder for defenders to separate malicious actions from legitimate activity.
To force attackers to create more noise on the network, IT security leaders must rethink the network so that moving around the network isn’t so easy.
Securing Identities, Limiting Movements
One approach is to apply strong access controls and privileged-behavior analytics, so the security team can analyze the network traffic and access requests generated by its own tools. Zero trust with strong privileged access controls – such as the principle of least privilege – makes it harder for attackers to move around the network, says Joseph Carson, chief security scientist and Advisory CISO at Delinea.
"This forces them to use techniques that create more noise and ripples on the network," he says. "It gives IT defenders a better chance at detecting unauthorized access much earlier in the attack — before they have a chance at deploying malicious software or ransomware."
Another is to consider cloud access security broker (CASB) and secure access service edge (SASE) technologies to understand who (or what) is connecting to which resources and systems, which can highlight unexpected or suspicious network flows. CASB solutions are designed to provide security and visibility for organizations that adopt cloud services and applications. They act as intermediaries between end users and cloud service providers, offering a range of security controls, including data loss prevention (DLP), access control, encryption, and threat detection.
SASE is a security framework combining network security functions, such as secure web gateways, firewall-as-a-service, and zero-trust network access, with wide area network (WAN) capabilities like SD-WAN (software-defined wide area network).
"There should be a robust focus on managing the [living off the land] attack surface," says Gareth Lindahl-Wise, CISO at Ontinue. "Attackers succeed where built-in or deployed tools and processes can be used from too many endpoints by too many identities."
These activities, by their nature, are behavioral anomalies, so understanding what is being monitored and fed into correlation platforms is critical, Lindahl-Wise says. Teams should ensure there is coverage from endpoints and identities, and then over time enrich this with network connectivity information. Network traffic inspection can help uncover other techniques, even if the traffic itself is encrypted.
An Evidence-Based Approach
Organizations can and should take an evidence-based approach to prioritizing which telemetry sources they use to gain visibility into legitimate utility abuse.
"The cost of storing higher-volume log sources is a very real factor, but spend on telemetry should be optimized according to sources that give a window into the threats, including abused utilities, observed most often in the wild and deemed relevant to the organization," says Scott Small, director of threat intelligence at Tidal Cyber.
He points out that multiple community efforts make this process more practical than before, including the "LOLBAS" open source project, which tracks the potentially malicious applications of hundreds of key utilities.
Meanwhile, a growing catalog of resources from MITRE ATT&CK, the Center for Threat-Informed Defense, and security tool vendors allows defenders to translate those same adversarial behaviors directly into discrete, relevant data and log sources.
"It isn’t practical for most organizations to fully track every known log source all the time," Small notes. "Our analysis of data from the LOLBAS project shows these LoL utilities can be used to carry out practically every type of malicious activity."
These range from defense evasion to privilege escalation, persistence, credential access, even exfiltration and impact.
"This also means there are dozens of discrete data sources that could give visibility into the malicious use of these tools – too much to realistically log comprehensively and for long periods of time," Small says.
However, closer analysis shows where clustering (and unique sources) exist – for example, just six of 48 data sources are relevant for more than three-quarters (82%) of LOLBAS-related techniques.
"This provides opportunities to onboard or optimize telemetry directly in line with top living-off-the-land techniques, or particular ones associated with the utilities deemed highest priority by the organization," Small says.
Practical Steps for IT Security Leaders
There are many practical and reasonable steps IT security teams can take to detect attackers living off the land as long as they have visibility into events.
"While it’s great to have network visibility, events from endpoints – both workstations and servers – are just as valuable if used well," says Randy Pargman, director of threat detection at Proofpoint.
For example, one of the living-off-the-land techniques used by many threat actors recently is to install legitimate remote monitoring and management (RMM) software.
The attackers prefer RMM tools because they are trusted, digitally signed, and won’t set off anti-virus or EDR alerts, plus they are easy to use and most RMM vendors have a fully featured free trial option.
The advantage for security teams is that all the RMM tools have very predictable behavior, including digital signatures, registry keys that are modified, domain names that are looked up, and process names to look for.
"I’ve had great success detecting intruder use of RMM tools simply by writing detection signatures for all the freely available RMM tools, and making an exception for the approved tool, if any," Pargman says.
He adds it helps if only one RMM vendor is authorized to be used, and if it is always installed in the same way, such as during system imaging or with a special script, so that it is easy to tell the difference between an authorized installation and a threat actor tricking a user into running the installation.
"There are many other detection opportunities just like this – starting with the list in LOLBAS and running threat hunting queries across all endpoint events, security teams can find the patterns of normal use in their environment, then build custom alert queries to detect abnormal patterns of use," he says.
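The allowlisting approach Pargman describes, as an added example that is not from the article or Proofpoint: endpoint events are matched against a small catalogue of RMM fingerprints (signer, image name, domains), every tool except the approved one is flagged, and even the approved tool is flagged when its installation did not come from the sanctioned deployment script. The vendor names, signers, domains and the `deploy_rmm.ps1` installer are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RmmFingerprint:          # signer subject, image name, relay/update domains
    name: str
    signer: str
    process: str
    domains: tuple

# Constructed catalogue; vendors, signers and domains are placeholders, not real products.
RMM_CATALOGUE = (
    RmmFingerprint("ToolA", "ToolA Vendor Ltd", "toola_agent.exe", ("relay.toola.example",)),
    RmmFingerprint("ToolB", "ToolB Software Inc", "toolb.exe", ("cloud.toolb.example",)),
    RmmFingerprint("ToolC", "ToolC GmbH", "toolc_svc.exe", ("api.toolc.example",)),
)
APPROVED_TOOL = "ToolA"                # the single sanctioned RMM vendor
APPROVED_INSTALLER = "deploy_rmm.ps1"  # hypothetical imaging script that installs it

def match_event(event):
    """Return the catalogue entry an endpoint event points at, or None."""
    for fp in RMM_CATALOGUE:
        if (event.get("signer") == fp.signer or event.get("image") == fp.process
                or event.get("query") in fp.domains):
            return fp
    return None

def classify(event):
    """Verdict: 'benign', 'approved', 'unauthorized-install' or 'unknown-rmm'."""
    fp = match_event(event)
    if fp is None:
        return "benign"
    if fp.name != APPROVED_TOOL:
        return "unknown-rmm"   # any other RMM tool is an alert by itself
    # Approved tool: its first execution must trace back to the deployment script.
    if event["type"] == "process" and APPROVED_INSTALLER not in event.get("parent_cmdline", ""):
        return "unauthorized-install"
    return "approved"

def hunt(events):
    """Return (host, verdict) for every event that needs analyst attention."""
    return [(e["host"], v) for e in events if (v := classify(e)) not in ("benign", "approved")]

SAMPLE_EVENTS = [  # constructed endpoint telemetry, not real logs
    {"host": "ws01", "type": "process", "image": "toola_agent.exe", "signer": "ToolA Vendor Ltd", "parent_cmdline": "powershell.exe -File deploy_rmm.ps1"},
    {"host": "ws02", "type": "process", "image": "toola_agent.exe", "signer": "ToolA Vendor Ltd", "parent_cmdline": "explorer.exe"},
    {"host": "ws03", "type": "dns", "query": "cloud.toolb.example"},
    {"host": "ws04", "type": "process", "image": "chrome.exe", "signer": "Some Browser Co"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields the two hosts that need a look: ws02 (approved tool installed outside the imaging script) and ws03 (an unapproved tool's relay domain).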
There are also opportunities to limit the abuse of built-in tools that attackers favor, such as changing the default program used to open scripting files (file extensions .js, .jse, .vbs, .vbe, .wsh, etc.) so that they do not open in WScript.exe when double-clicked.
"That helps avoid end users being tricked into running a malicious script," Pargman says.
Reducing Reliance on Credentials
Organizations need to reduce their reliance on credentials to establish connections, according to Rob Hughes, CIO of RSA. They also need to raise alerts on anomalous and failed attempts and on outliers, in order to give security teams visibility where encryption is in play. Understanding what "normal" and "good" look like in systems communications and identifying outliers is a way to detect living-off-the-land attacks.
An often-overlooked area that is starting to get a lot more attention is service accounts, which tend to be unregulated, weakly protected, and a prime target for living-off-the-land attacks. "They run our workloads in the background. We tend to trust them – likely too much," Hughes says. "You want inventory, ownership, and strong authentication mechanisms on these accounts as well."
The last part can be tougher to achieve, as service accounts are not interactive, so the usual multifactor authentication (MFA) mechanisms organizations rely on for users are not in play.
"Like any authentication, there are degrees of strength," Hughes says. "I’d recommend picking a strong mechanism and making sure security teams log and respond to any interactive logins from a service account. Those should not be happening."
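The two checks Hughes recommends, inventory/ownership and alerting on interactive service-account logons, as an added example that is not from the article or RSA. It reviews constructed Windows Security 4624 records using the standard logon-type codes (2 Interactive, 10 RemoteInteractive, 11 CachedInteractive); the account names, the `svc_` naming convention and the inventory are assumptions.

```python
# Windows Security event 4624 logon types that mean a human-style session.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed inventory (account -> owning team); every service account should have one.
SERVICE_ACCOUNT_INVENTORY = {"svc_backup": "infra-team", "svc_sql": "dba-team"}

def looks_like_service_account(name):
    """Naming-convention heuristic (assumed 'svc_' prefix) used to spot inventory gaps."""
    return name.lower().startswith("svc_")

def review_logons(events, inventory=SERVICE_ACCOUNT_INVENTORY):
    """Return (account, host, finding) tuples: interactive logons by service accounts,
    plus service-named accounts that are missing from the inventory."""
    findings = []
    for ev in events:
        acct = ev["account"]
        inventoried = acct in inventory
        if not inventoried and looks_like_service_account(acct):
            findings.append((acct, ev["host"], "not-in-inventory"))
        is_service = inventoried or looks_like_service_account(acct)
        if is_service and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            # Service accounts should only show service (5), batch (4) or network (3) logons.
            findings.append((acct, ev["host"], "interactive:" + INTERACTIVE_LOGON_TYPES[ev["logon_type"]]))
    return findings

SAMPLE_4624 = [  # constructed 4624 records, not real logs
    {"account": "svc_backup", "logon_type": 5, "host": "srv01"},   # service start: expected
    {"account": "svc_backup", "logon_type": 3, "host": "srv02"},   # network logon: expected
    {"account": "svc_sql", "logon_type": 10, "host": "srv02"},     # RDP session: should not happen
    {"account": "alice", "logon_type": 2, "host": "ws01"},         # ordinary user: fine
    {"account": "svc_legacy", "logon_type": 2, "host": "ws07"},    # unknown service account at a console
]
```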
Adequate Time Investment Required
Building a culture of security doesn’t have to be expensive, but you need willing leadership to support and champion the cause.
Hughes says the investment in time is sometimes the largest investment to make, and that extending strong identity controls across and throughout the organization does not have to be an expensive endeavor compared with the reduction in risk it achieves.
"Security thrives on stability and consistency, but we can't always control that in a business environment," he says. "Make smart investments in reducing technical debt in systems that aren’t compatible or cooperative with MFA or strong identity controls."
Pargman says it's all about speed of detection and response.
"In so many cases I've investigated, the thing that made the biggest positive difference for the defenders was a quick response from an alert SecOps analyst who noticed something suspicious, investigated, and found the intrusion before the threat actor had a chance to expand their influence," he says.