Using Your Own Tools Against You: The Rise of Living-Off-the-Land (LOTL) Attacks

While some cyber-attacks announce their presence like a blaring siren, others fly quietly under the radar. This presents a significant challenge for network security teams, who are already battling increasingly frequent, sophisticated, and severe attacks. One cunning technique that has gained considerable traction in recent years is Living-Off-The-Land (LOTL) attacks. Here, threat actors use an organization’s own tools and infrastructure to launch an attack, stealthily moving through the kill chain without the need for bespoke malware.

Alarmingly, these attacks are not only difficult to detect but also highly effective. For example, the Ponemon Institute found that fileless malware attacks (another term for a LOTL attack) are approximately ten times more likely to succeed than file-based attacks. As LOTL attacks continue to skyrocket in popularity, organizations need to understand how they work and take proactive measures to prevent them. That’s what we’re going to be diving into today.

What Exactly is a Living off the Land (LOTL) Attack?

In a Living off the Land (LOTL) attack, attackers use pre-installed or legitimate tools on the victim’s system, which enables them to blend in with regular user activity and bypass security software. Despite the term being coined in 2013, recent cybersecurity reports have noted a marked rise in LOTL attacks. But why have cybercriminals suddenly added LOTL attacks to their arsenal? The answer lies in how effectively these attacks bypass traditional security measures.

Instead of using new and sophisticated methods to attack a system, hackers can use tools already installed on a target system, such as PowerShell, Command Prompt, and other admin tools. Since these tools are legitimate and necessary for many everyday computer tasks, it can be difficult for security software to detect malicious activity when these tools are used in a LOTL attack. In other words, LOTL attacks don’t set off warning signals like many other attacks.

One thing that makes LOTL attacks unique is that they don’t leave any files behind. This is why they’re often called fileless malware. With no executable files or malware to detect, many cybersecurity tools simply won’t realize anything suspicious has occurred.

How Do LOTL Attacks Happen?

So, what does a LOTL attack actually look like? LOTL attacks share many of the same hallmarks as other cyberattacks; only they’re far more challenging to detect. Here is an overview of the process:

1. Initial Access: A hacker gains access to a network through another technique, such as phishing or social engineering. This gives the hacker an initial foothold in the target network.
2. Reconnaissance: Once inside the network, the hacker begins to gather information about the target systems and network architecture. The goal is to identify vulnerabilities that can be exploited to gain further access and control.
3. Lateral Movement: The hacker uses the information gathered in the reconnaissance phase to move laterally within the network. The goal is to find and compromise additional systems to establish persistence and gain greater control over the network.
4. Privilege Escalation: The hacker leverages the compromised systems to escalate privileges and gain access to sensitive data and critical systems.
5. Malicious Activities: Once the hacker has established a strong foothold in the network, they can carry out a range of malicious activities, including data exfiltration, installing backdoors, creating new tasks on remote machines, identifying configuration settings, and more.
6. Obfuscation: Throughout the attack, the hacker takes steps to obscure their activity and avoid detection. This can involve using tools like PowerShell or Command Prompt to run malicious code that is obfuscated to evade detection.

The Anatomy of LOTL Attacks

Hackers have a wide range of tools at their disposal to execute a LOTL attack. For example, attackers may use tools such as PowerShell, Windows Management Instrumentation (WMI), and Command Prompt to carry out malicious activities such as reconnaissance, data exfiltration, and lateral movement.

For example, an attacker might use the built-in Windows utility Netsh to create a reverse shell and gain access to a victim’s system. And many other techniques exist. For example, LOTL attacks can also use the Registry Console Tool (reg.exe) to maintain persistence, store settings for malware, and store executables in subkeys. Other commonly used tools in LOTL attacks include Windows Management Instrumentation (WMI), Service Control Manager Configuration Tool (sc.exe), Scheduled Tasks (AT.EXE Process), and Sysinternals such as PSExec.

Notably, LOTL attacks that leverage Remote Desktop Protocol (RDP) connections can be especially tricky for security teams to spot and stop because RDP is a critical service for system administrators. Identifying which RDP connections are legitimate and which are not is like trying to find a needle in a haystack, especially when administrative credentials are involved. That’s why “known bads” and historical attack data just don’t cut it when it comes to stopping these types of attacks. Instead, a smarter, more comprehensive approach is needed that focuses on detecting anomalous activity in real-time.

LOTL Attacks In Action

Many high-profile cyber attacks in recent years have leveraged LOTL techniques and other tactics to devastating success. Here are some real-world examples:

1. NotPetya: One of the most destructive cyberattacks in history. It spread rapidly across networks in Ukraine and worldwide, causing billions of dollars in damages. The attackers used legitimate tools like PowerShell and PsExec to execute their malicious code, making it difficult to detect.
2. Olympic Destroyer: The attackers behind the 2018 Olympic Destroyer attack used a combination of spear-phishing and LOTL techniques to gain access to the Pyeongchang Winter Olympics’ network. They used legitimate administrative tools like PowerShell to carry out their attack, which disrupted the opening ceremony and caused widespread disruption.
3. TrickBot: This banking Trojan is known for its LOTL capabilities. It uses legitimate Windows tools like PowerShell and Windows Management Instrumentation (WMI) to evade detection and remain persistent on infected machines. TrickBot has been used to steal sensitive information and initiate fraudulent transactions.
4. Emotet: This malware has been used in various attacks targeting government organizations and private companies. It leverages LOTL techniques like using PowerShell to download and execute additional modules. Once installed, Emotet can steal credentials and spread to other machines on the network.

These are just a few examples of LOTL attacks seen in the wild. As these attacks become more sophisticated, organizations need to be aware of the risks and take steps to bolster their network security. That brings us to the next section – how to safeguard your network from LOTL attacks.

How to Protect Against LOTL Attacks

LOTL attacks may be difficult to detect, but that doesn’t mean network security teams are powerless to act. Companies can adopt several techniques and best practices to protect against Living-Off-The-Land attacks. Let’s look at some of the most effective methods.

Zero Trust and Least Privilege Access

Zero trust is a security model that assumes that every user, device, and application on a network is potentially malicious, and therefore, no one should be trusted by default. It does away with traditional perimeter-based security controls like firewalls and instead focuses on securing every asset on the network.

Zero trust can help prevent LOTL attacks in several ways. For example, imagine an attacker gains access to a user’s credentials through a phishing email. With those credentials, the attacker could log in to the victim’s account and move laterally through the network, looking for valuable data to exfiltrate. However, in a zero-trust environment, the attacker would not automatically be granted access to the network’s sensitive resources. Instead, they would need to pass multiple levels of authentication and authorization before being granted access.

In this scenario, the zero trust approach would require the attacker to authenticate themselves every time they attempt to access a resource, even if they had already authenticated once before. This multi-step authentication process makes it more challenging for attackers to gain access to the network and limits their ability to move laterally. Furthermore, in a zero-trust environment, organizations can enforce granular access controls based on the principle of least privilege. This means that users and devices are only granted the minimum level of access necessary to complete their tasks. A least-privilege approach helps limit the attack surface, making it more difficult for attackers to access sensitive data or resources.

Limiting LOTL Attacks

There are several methods to employ when trying to limit the damage of an LOTL attack:

1. Self-learning AI technology: Using self-learning AI technology, like machine learning algorithms, can help companies detect and prevent LOTL attacks by continuously analyzing network traffic, identifying abnormal behavior, and automatically taking action to stop potential attacks.
2. Network segmentation: Breaking down a network into smaller, more manageable segments can limit the spread of malware and prevent attackers from moving laterally within the network.
3. Multi-factor authentication: Multi-factor authentication (MFA) adds an extra layer of security to user login credentials by requiring users to provide multiple forms of identification, such as a password and a fingerprint scan or facial recognition.
4. Regular security assessments and testing: Regular security assessments and penetration testing can help identify vulnerabilities in a company’s network and applications, enabling proactive mitigation and prevention.

Final Thoughts

With LOTL attacks rising, organizations must proactively strengthen their network security and lock cyber criminals out. This is especially important because while LOTL attacks share many similarities with other cyberattacks, they are far more challenging to detect. As such, a smarter and more comprehensive approach is needed to detect anomalous activity in real-time to prevent these attacks.