COMMENTARY: Recent research found that 84% of all major attacks now target legitimate tools or applications that are already present in an organization’s IT environment. This use of Living-off-the-Land (LOTL) binaries has caused great headaches for businesses trying to secure their operations without sacrificing productivity or efficiency.LOTL attacks are growing more popular for three reasons: They’re convenient, versatile, and transparent.Threat actors put a high value on convenience. Just like any other business operation, they try to optimize their resources and limit the effort needed to conduct an attack. Tools that are already allowed on systems, with their ports open for administrative purposes, are also accessible to attackers.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
LOTL techniques are incredibly versatile and are employed throughout the entire attack lifecycle. Many legitimate tools have multiple functions from system maintenance and upkeep to streamlining tasks central to access control and monitoring; threat actors can use one tool to accomplish objectives across different phases in the attack.Take PowerShell.exe, used for various tasks, including reconnaissance, delivery, and defense evasion. A threat actor can execute PowerShell commands to conduct reconnaissance – identifying information about relevant systems and active processes.Then, the intruder uses that information to scope out other, more attractive assets to target. PowerShell commands are also used to complete delivery objectives – transferring data or specific scripts to a victim machine. Threat actors often use PowerShell obfuscation to mask the scripts and cmdlets that are referenced and evade defenses. Threat actors also evade defenses by running scripts that disable anti-virus tools.When it comes to transparency or clearly identifying the boundaries between expected and anomalous behavior, threat actors use LOTL tactics to mask the type of noise they produce. While this does not necessarily let them blend in seamlessly, it does help in lowering the level of suspicion, especially for organizations that are not cognizant of these types of attacks. They do this by applying tools and applications that already serve an essential business function, meaning they’re permitted and not blacklisted, unknown, or unverified software.Tools for administrators and developersTools used by administrators are common targets because they let threat actors behave as though they were performing normal daily functions. In other words, a threat actor with administrator privileges has the ability to modify environments unimpeded. Furthermore, administrator accounts are limited to a subset of users. This means the threat actor’s activities are far less visible to roles outside of a select few admins. Those few admins are typically locked out of their accounts once the threat actor changes the credentials.Threat actors also use trusted software development tools. It’s rare for an organization to prohibit the use of code created for business use particularly when exceptions exist that could boost the overall efficiency of work groups or broaden use cases for matters concerning creating intellectual property. These exceptions create opportunities for threat actors to use those same tools, including PowerShell ISE, Visual Studio Code, and others to load and edit script, eventually running them and altering the target ecosystem and connected resources in the process.While security professionals are now more aware of LOTL attacks, many still aren’t taking the threat seriously enough. Equipping security teams with “good enough security” without high levels of oversight and a fluent knowledge of the current cyber battlefield leaves organizations open to compromise. Also, relying on technical solutions alone while dismissing the value of other elements, such as continuously improving processes, regularly testing capabilities, and assessing security gaps that exist in a business environment leads to further risks.How to combat LOTL attacksOrganizations must strike a balance between proactive and reactive security measures to combat LOTL attacks. That includes enabling an incident response capability that prioritizes rapid response, with the support of threat intelligence and threat hunting. It also means taking action to shrink the attack surface by using a combination of dynamic hardening and behavioral analysis techniques to identify risks and evaluate patterns of adversary behavior to determine appropriate countermeasures.Organizations with large attack surfaces are at great risk. It just takes one open port, an unrevoked set of credentials, or an unaccounted web server for a breach to occur. Shrinking the attack surface reduces opportunities for adversaries to infiltrate the environment. Organizations should start by mapping its environment to understand the baselines for normal activities, from user and endpoint behavior to network traffic.Once those areas are known and visible, a security analyst helps identify the portions worth tracking and alerting on as they refine policies and detection parameters for triggering an investigation. The analyst also develops a plan to address continuous remediation activities for security weaknesses that are discovered.Today’s attackers successfully evade traditional defenses by expertly manipulating the very system utilities we trust and rely on. This stark reality demands a fundamental shift toward security strategies that move beyond blunt blocking to ones that detect malicious intent, and also work to neutralize it within these trusted tools without disrupting or slowing operations.Jade Brown, threat researcher, BitdefenderSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
LOTL techniques are incredibly versatile and are employed throughout the entire attack lifecycle. Many legitimate tools have multiple functions from system maintenance and upkeep to streamlining tasks central to access control and monitoring; threat actors can use one tool to accomplish objectives across different phases in the attack.Take PowerShell.exe, used for various tasks, including reconnaissance, delivery, and defense evasion. A threat actor can execute PowerShell commands to conduct reconnaissance – identifying information about relevant systems and active processes.Then, the intruder uses that information to scope out other, more attractive assets to target. PowerShell commands are also used to complete delivery objectives – transferring data or specific scripts to a victim machine. Threat actors often use PowerShell obfuscation to mask the scripts and cmdlets that are referenced and evade defenses. Threat actors also evade defenses by running scripts that disable anti-virus tools.When it comes to transparency or clearly identifying the boundaries between expected and anomalous behavior, threat actors use LOTL tactics to mask the type of noise they produce. While this does not necessarily let them blend in seamlessly, it does help in lowering the level of suspicion, especially for organizations that are not cognizant of these types of attacks. They do this by applying tools and applications that already serve an essential business function, meaning they’re permitted and not blacklisted, unknown, or unverified software.Tools for administrators and developersTools used by administrators are common targets because they let threat actors behave as though they were performing normal daily functions. In other words, a threat actor with administrator privileges has the ability to modify environments unimpeded. Furthermore, administrator accounts are limited to a subset of users. This means the threat actor’s activities are far less visible to roles outside of a select few admins. Those few admins are typically locked out of their accounts once the threat actor changes the credentials.Threat actors also use trusted software development tools. It’s rare for an organization to prohibit the use of code created for business use particularly when exceptions exist that could boost the overall efficiency of work groups or broaden use cases for matters concerning creating intellectual property. These exceptions create opportunities for threat actors to use those same tools, including PowerShell ISE, Visual Studio Code, and others to load and edit script, eventually running them and altering the target ecosystem and connected resources in the process.While security professionals are now more aware of LOTL attacks, many still aren’t taking the threat seriously enough. Equipping security teams with “good enough security” without high levels of oversight and a fluent knowledge of the current cyber battlefield leaves organizations open to compromise. Also, relying on technical solutions alone while dismissing the value of other elements, such as continuously improving processes, regularly testing capabilities, and assessing security gaps that exist in a business environment leads to further risks.How to combat LOTL attacksOrganizations must strike a balance between proactive and reactive security measures to combat LOTL attacks. That includes enabling an incident response capability that prioritizes rapid response, with the support of threat intelligence and threat hunting. It also means taking action to shrink the attack surface by using a combination of dynamic hardening and behavioral analysis techniques to identify risks and evaluate patterns of adversary behavior to determine appropriate countermeasures.Organizations with large attack surfaces are at great risk. It just takes one open port, an unrevoked set of credentials, or an unaccounted web server for a breach to occur. Shrinking the attack surface reduces opportunities for adversaries to infiltrate the environment. Organizations should start by mapping its environment to understand the baselines for normal activities, from user and endpoint behavior to network traffic.Once those areas are known and visible, a security analyst helps identify the portions worth tracking and alerting on as they refine policies and detection parameters for triggering an investigation. The analyst also develops a plan to address continuous remediation activities for security weaknesses that are discovered.Today’s attackers successfully evade traditional defenses by expertly manipulating the very system utilities we trust and rely on. This stark reality demands a fundamental shift toward security strategies that move beyond blunt blocking to ones that detect malicious intent, and also work to neutralize it within these trusted tools without disrupting or slowing operations.Jade Brown, threat researcher, BitdefenderSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
