Going beyond malware; the rise of 'living off the land' attacks

By Mark Goudie, Services, CrowdStrike Asia Pacific and Japan

If you’re living off the land, there are a few different methods you can use to survive, but you need to use what you find where you are. You do not have the option to bring in supplies to maintain yourself. If you are looking for someone living off the land, you must hunt for them, because they have blended into their new environment.

The same is true of cybersecurity, because there is no silver bullet that identifies all types of threats at all times, especially when the adversary is using tools they found in your environment. The ability to block advanced threats improves each year, but sophisticated adversaries are determined and creative, and their techniques evolve just as quickly.

While malware continues to be a tool often used in the initial intrusion, it is often only the precursor to an attack, not the ultimate objective. The initial intrusion increasingly leads to more sophisticated and stealthy techniques, such as “living off the land” (LOTL) tradecraft, which uses native tools already present on the system to accomplish the adversaries’ main objective.

LOTL tactics, which do not involve malware, have picked up significantly in the world of cyber espionage in recent years. In fact, malware-free attacks in general have surged in recent years, accounting for 40 percent of the total number of cyber-attacks globally last year, according to the 2019 CrowdStrike® Global Threat Report. Attackers continue to shift to defence evasion methods, such as living off the land techniques, to remain undetected. The longer an attacker can ‘dwell’, or remain undetected, in an environment, the more opportunity they have to find, exfiltrate and destroy data or disrupt operations.

The purpose of living off the land is two-fold. First, by using such built-in features and tools, attackers hope to blend in on the victim’s network and hide their activity in a sea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it is much harder to attribute the attack: if everyone is using similar tools, it’s more difficult to distinguish one group from another.

This raises a few questions: What do we do differently to avoid such attacks? When prevention fails, what do we have left to protect our organisations? How can we discover gaps as fast as possible?

Having techniques in play to detect and respond to ongoing attacks quickly is just as important as prevention. Here are a few options organisations can use:

Compromise Assessment

A Compromise Assessment (CA) is tasked with answering the key question “Am I compromised?”. It is an exercise in which current and historical events are examined to answer that question. To answer it effectively, you must use tools that will identify signs of historical attacks, such as suspicious registry keys and suspicious output files, as well as identify active threats. Many sophisticated adversaries spend months or years in their victims’ networks without being detected, and the historical analysis in a CA is critical to identifying whether this has happened.

Managed Threat Hunting

Threat hunting is a critical discipline that more organisations are using to disrupt stealthy attacks before they become mega breaches. With managed threat hunting, you are engaging a team of expert threat hunters for a simple, but important task: to continuously sift through your enterprise security data, looking for faint signs of the most sophisticated attacks. Managed threat hunting services are tailor-made to fill this critical gap for organisations of all types.
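One way a hunter can sift process-creation telemetry for living off the land activity, as an added example that is not the article's or CrowdStrike's code: because the native tools are legitimate, each event is scored on its context (an unusual parent process, a URL or encoded argument on the command line, and how rare the parent/child pair is in the data set) rather than on the tool name alone. The log format, field names and both watchlists are assumptions, and the log lines are constructed.

```python
"""Context-based scoring of Windows process-creation events to surface
LOTL activity. Added example; log format and watchlists are assumptions."""
import re
from collections import Counter

# Native Windows binaries frequently abused in LOTL tradecraft (assumed watchlist)
NATIVE_TOOLS = {"powershell.exe", "certutil.exe", "mshta.exe", "regsvr32.exe",
                "rundll32.exe", "wmic.exe", "bitsadmin.exe", "cscript.exe"}
# User-facing applications that should rarely spawn administrative tooling
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}
URL_RE = re.compile(r"https?://", re.I)
# An encoded-command switch or a long base64-looking run on the command line
ENCODED_RE = re.compile(r"(?:-e(?:nc|ncodedcommand)?\b)|[A-Za-z0-9+/]{60,}={0,2}")

def parse_event(line):
    """Parse a constructed 'parent="..." image="..." cmd="..."' line into a dict."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return {"parent": fields["parent"].lower(), "image": fields["image"].lower(),
            "cmd": fields.get("cmd", "")}

def score_event(ev, pair_counts, total):
    """Return (score, reasons); a higher score is more worth a hunter's time."""
    reasons = []
    if ev["image"] not in NATIVE_TOOLS:
        return 0, reasons
    if ev["parent"] in USER_APP_PARENTS:
        reasons.append("native tool spawned by a user application")
    if URL_RE.search(ev["cmd"]):
        reasons.append("URL on the command line of a native tool")
    if ENCODED_RE.search(ev["cmd"]):
        reasons.append("encoded or obfuscated argument")
    if pair_counts[(ev["parent"], ev["image"])] / total < 0.05:
        reasons.append("rare parent/child pair in this data set")
    return len(reasons), reasons

def hunt(lines, threshold=2):
    """Return (image, score, reasons) for every event scoring at least threshold."""
    events = [parse_event(line) for line in lines]
    pair_counts = Counter((e["parent"], e["image"]) for e in events)
    hits = []
    for e in events:
        score, why = score_event(e, pair_counts, len(events))
        if score >= threshold:
            hits.append((e["image"], score, why))
    return hits

# Constructed sample: routine service activity, a scheduled admin script, and one
# PowerShell launched from Word that reaches out to a URL (203.0.113.5 is a doc-only address).
SAMPLE_LOG = (
    ['parent="services.exe" image="svchost.exe" cmd="svchost.exe -k netsvcs"'] * 30
    + ['parent="explorer.exe" image="powershell.exe" cmd="powershell.exe -File C:\\scripts\\backup.ps1"'] * 8
    + ['parent="winword.exe" image="powershell.exe" cmd="powershell.exe -w hidden http://203.0.113.5/update"']
)
```

Running `hunt(SAMPLE_LOG)` surfaces only the Word-spawned PowerShell event, while the eight routine PowerShell launches from explorer.exe score zero because nothing about their context is unusual.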

Stopping silent failure

Regardless of how advanced your defences are, there’s a chance that attackers will do an “end run” on your security solution and slip through to gain access to your environment. Conventional defences don’t know and can’t see when this happens, resulting in “silent failure.” When silent failure occurs, it can allow attackers to dwell in your environment for days, weeks or even months without raising an alarm. Hence, more organisations are considering endpoint detection and response (EDR) solutions to address the incidents that aren't being handled adequately by their existing defences. The solution lies in continuous and comprehensive visibility into what is happening on your endpoints in real time.

Account Monitoring

Account monitoring and management controls can detect and prevent unauthorised activity by providing full visibility into the work environment. They help prevent data loss from such activity and from misuse of credentials, while allowing resource owners to control who has access to the data and flagging access that has been inappropriately granted.

Application Inventory

An application inventory proactively identifies outdated and unpatched applications and operating systems so you can securely manage all the applications in your environment. Streamlining your application inventory with an IT hygiene solution solves security and cost problems simultaneously. The visibility provided by IT hygiene prevents exploitation of missing patches and system updates, and it also optimises your software configuration. Real-time and historical views of application usage identify unused software that can be removed, potentially saving your organisation thousands of dollars in unnecessary licensing fees.

Asset Inventory

Asset Inventory shows you what machines are running on your network and allows you to deploy your security architecture effectively, to ensure that no rogue systems are operating behind your walls. It enables security and IT ops to differentiate between managed, unmanaged and unmanageable assets in your environment and take appropriate steps to improve overall security.