As adversaries increasingly rely on legitimate tools to hide their malicious activities, enterprise defenders must rethink network architecture to detect and defend against these attacks.
Known as “living off the land” (LotL), these tactics refer to how adversaries use native, legitimate tools already present in the victim’s environment to carry out their attacks. When attackers introduce new tools into the environment using their own malware or utilities, they create noise in the network, raising the chance that those tools trigger security alerts and tip off defenders that someone unauthorized is on the network carrying out suspicious activity. Attackers who use existing tools make it far harder for defenders to distinguish malicious actions from legitimate activity.
To force attackers to create more noise on the network, IT security leaders need to rethink the network so that lateral movement isn’t as easy.
Protect identities, limit movements
One approach is to enforce strong access controls and monitor privileged behavior analytics so your security team can analyze network traffic and access requests originating from attackers’ tools. Zero Trust with strong privileged access controls, such as the principle of least privilege, makes it harder for attackers to move around the network, says Joseph Carson, chief security scientist and CISO consultant at Delinea.
“This forces them to use techniques that create more noise and ripples on the network,” he says. “It gives IT defenders a better chance of detecting unauthorized access much earlier in the attack, before they have the chance to deploy malicious software or ransomware.”
Another approach is to consider CASB (Cloud Access Security Broker) and SASE (Secure Access Service Edge) technologies to understand who (or what) is connecting to which resources and systems, which can highlight unexpected or suspicious network flows. CASB solutions are designed to provide security and visibility to organizations adopting cloud services and applications. They act as intermediaries between end users and cloud service providers, offering a range of security controls, including data loss prevention (DLP), access control, encryption and threat detection.
SASE is a security framework that combines network security features, such as secure web gateways, firewall-as-a-service and zero-trust network access, with wide area network (WAN) capabilities such as software-defined WAN (SD-WAN).
“There should be a strong focus on management of [LotL] attack surface,” says Gareth Lindahl-Wise, CISO at Ontinue. “Attackers succeed where integrated or distributed tools and processes may be used by too many endpoints by too many identities.”
These activities, by their nature, are behavioral anomalies, so understanding what is being tracked and feeding it into correlation platforms is critical, says Lindahl-Wise. Teams should ensure coverage across endpoints and identities and then, over time, enrich it with network connectivity information. Inspecting network traffic can help uncover other techniques, even if the traffic itself is encrypted.
An evidence-based approach
Organizations can and should take an evidence-based approach to prioritizing which telemetry sources to use to gain visibility into abuse of legitimate utilities.
“The cost of storing higher volume log sources is a very real factor, but telemetry spending should be optimized based on sources that provide a window into threats, including abused utilities, seen more often in the wild and deemed relevant to the organization,” says Scott Small, director of threat intelligence at Tidal Cyber.
Numerous community efforts make this process more practical than before, including the open source project “LOLBAS,” which tracks potentially malicious uses of hundreds of key utilities, he points out.
Meanwhile, a growing catalog of resources provided by MITRE ATT&CK, the Center for Threat-Informed Defense and security tool vendors allows you to translate the same adversarial behaviors directly into discrete, relevant data and log sources.
“It is impractical for most organizations to constantly track every known log source,” Small notes. “Our analysis of data from the LOLBAS project shows that these LotL utilities can be used to carry out virtually any type of malicious activity.”
These range from defense evasion to privilege escalation, persistence, credential access, and even exfiltration and impact.
“This also means that there are dozens of discrete data sources that could provide visibility into the malicious use of these tools – too many to realistically record comprehensively and over long periods of time,” Small says.
However, deeper analysis shows where clusters (and unique sources) exist: for example, only six of the 48 data sources are relevant for more than three-quarters (82%) of the LOLBAS-related techniques.
“This provides the opportunity to integrate or optimize telemetry directly in line with the top living-off-the-land techniques or particular ones associated with services deemed to be the highest priority by the organization,” says Small.
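The prioritization Small describes (a handful of data sources covering most LotL techniques) is a set-cover problem. The following added example, not code from the LOLBAS project or from Tidal Cyber, ranks telemetry sources greedily over a constructed technique-to-source mapping; the technique names and data sources are placeholders, not real LOLBAS or ATT&CK entries.

```python
"""Greedy prioritization of telemetry sources over a LotL technique mapping."""

# Constructed sample mapping (not LOLBAS or ATT&CK data): each abusable
# utility behaviour -> the data sources that could expose it.
TECHNIQUE_SOURCES = {
    "signed-binary proxy execution": {"Process Creation", "Command Execution"},
    "download via built-in utility": {"Process Creation", "Network Connection"},
    "alternate data stream write": {"Process Creation", "File Creation"},
    "script host execution": {"Command Execution", "Script Execution"},
    "run-key persistence": {"Windows Registry", "Process Creation"},
    "staging to network share": {"Network Connection", "File Creation"},
    "scheduled task execution": {"Scheduled Job", "Process Creation"},
    "WMI event subscription": {"WMI Activity"},
}


def prioritize_sources(mapping, max_sources):
    """Pick up to max_sources data sources by greedy set cover.

    Each round selects the source that exposes the most techniques not yet
    covered (ties broken alphabetically so the result is reproducible).
    Returns the ordered list of chosen sources and the fraction of
    techniques they collectively cover.
    """
    uncovered = set(mapping)
    all_sources = sorted({s for srcs in mapping.values() for s in srcs})
    chosen = []
    while uncovered and len(chosen) < max_sources:
        def gain(source):
            # Number of still-uncovered techniques this source would expose.
            return sum(1 for t in uncovered if source in mapping[t])
        best = max(all_sources, key=gain)
        if gain(best) == 0:
            break
        chosen.append(best)
        uncovered -= {t for t in uncovered if best in mapping[t]}
    covered = 1 - len(uncovered) / len(mapping)
    return chosen, covered


if __name__ == "__main__":
    for budget in (1, 2, 4):
        sources, fraction = prioritize_sources(TECHNIQUE_SOURCES, budget)
        print(f"{budget} source(s): {fraction:.0%} coverage via {sources}")
```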
Practical steps for IT security leaders
IT security teams can take many practical and reasonable steps to detect attackers living off the land, as long as they have visibility into events.
“While it’s great to have visibility into your network, events from endpoints, whether workstations or servers, are just as valuable if used well,” says Randy Pargman, director of threat detection at Proofpoint.
For example, one of the LotL techniques used by many threat actors recently is to install legitimate remote monitoring and management (RMM) software.
Attackers prefer RMM tools because they are reliable, digitally signed, and do not trigger antivirus or endpoint detection and response (EDR) alerts; they are also easy to use, and most RMM vendors offer a full-featured free trial.
The benefit for security teams is that all RMM tools have very predictable behavior, including digital signatures, modified registry keys, domain names queried, and process names to look for.
“I have had great success in detecting intruder use of RMM tools by simply writing detection signatures for all freely available RMM tools and making an exception for the approved tool, if any,” says Pargman.
It helps if only one RMM vendor is authorized and the tool is always installed in the same way, for example during system imaging or via a dedicated script, so that an authorized installation is easy to distinguish from one performed by a threat actor who tricked a user into installing it, he adds.
“There are many other discovery opportunities just like this, starting with the list in LOLBAS,” says Pargman. “By running threat hunting queries on all endpoint events, security teams can find normal usage patterns in their environments, then create custom alert queries to detect anomalous usage patterns.”
There are also opportunities to limit abuse of attackers’ favorite built-in tools, such as changing the default program used to open scripting files (file extensions .js, .jse, .vbs, .vbe, .wsh, etc.) so they don’t open in WScript.exe when double-clicked.
“This helps prevent end users from being tricked into running a malicious script,” Pargman says.
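Pargman’s RMM detection approach (signatures for every freely available RMM tool, one exception for the approved tool, and a check that the approved tool was installed the standard way) can be expressed as a small classifier over endpoint process-creation events. This is an added example, not Proofpoint’s or any vendor’s code; the RMM product names, signer strings, deployment parent process and events are all constructed placeholders.

```python
"""Flag RMM agent activity that is not the approved tool installed the approved way."""

# Constructed catalog of RMM agents: process name -> expected code signer.
# These are placeholders, not real vendor indicators.
RMM_CATALOG = {
    "rmm-alpha-agent.exe": "RMM Alpha Inc",
    "rmm-beta-host.exe": "Beta Remote Ltd",
    "rmm-gamma-svc.exe": "Gamma Support Co",
}

# The one sanctioned tool, and the only parent process that is allowed to
# install it (a hypothetical deployment agent used during imaging).
APPROVED = {
    "process": "rmm-alpha-agent.exe",
    "signer": "RMM Alpha Inc",
    "parents": {"deploy-agent.exe"},
}

# Constructed endpoint events modelled on process-creation telemetry.
EVENTS = [
    {"host": "ws01", "process": "rmm-alpha-agent.exe", "signer": "RMM Alpha Inc", "parent": "deploy-agent.exe"},
    {"host": "ws02", "process": "rmm-beta-host.exe", "signer": "Beta Remote Ltd", "parent": "explorer.exe"},
    {"host": "ws03", "process": "rmm-alpha-agent.exe", "signer": "RMM Alpha Inc", "parent": "msedge.exe"},
    {"host": "ws04", "process": "notepad.exe", "signer": "Microsoft Windows", "parent": "explorer.exe"},
    {"host": "ws05", "process": "RMM-Gamma-Svc.exe", "signer": "Gamma Support Co", "parent": "outlook.exe"},
]


def classify(event):
    """Return an alert reason for an RMM event, or None if it is benign."""
    name = event["process"].lower()
    if name not in RMM_CATALOG:
        return None                      # not an RMM agent we track
    if name != APPROVED["process"]:
        return "unapproved RMM tool"     # any other catalogued RMM agent
    if event["signer"] != APPROVED["signer"]:
        return "approved RMM name with unexpected signer"
    if event["parent"].lower() not in APPROVED["parents"]:
        # Right tool, wrong install path: likely a user tricked into installing it.
        return "approved RMM installed outside standard deployment"
    return None


def detect(events):
    """Return (host, process, reason) tuples for every event that needs an alert."""
    return [(e["host"], e["process"], reason) for e in events if (reason := classify(e))]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert, sep=" | ")
```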
Reduce dependency on credentials
According to Rob Hughes, CIO at RSA, organizations need to reduce their reliance on credentials to establish connections. Likewise, organizations need to generate alerts on anomalous and failed attempts and on outliers, to give security teams visibility even where traffic is encrypted. Understanding what “normal” and “good” look like in system communications and identifying outliers is one way to detect LotL attacks.
An often overlooked area that is starting to receive much more attention is service accounts, which tend to be unregulated, poorly protected, and a prime target for living-off-the-land attacks.
“They run our workloads in the background. We tend to trust them, probably too much,” says Hughes. “You want inventory, ownership, and strong authentication mechanisms on these accounts as well.”
That last part can be harder to accomplish because service accounts aren’t interactive, so the usual multi-factor authentication (MFA) mechanisms that organizations rely on with users aren’t in play.
“Like any authentication, there are degrees of strength,” says Hughes. “I would recommend choosing a strong mechanism and ensuring that security teams log and respond to any interactive logins from a service account. This should not happen.”
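Hughes’s two detection points, alerting on failed-attempt outliers and on any interactive logon by a service account, can be checked against Windows Security logon events. The added example below is not RSA’s code; it runs over constructed records modelled on the account, logon type and event ID fields of Windows events 4624 (successful logon) and 4625 (failed logon), and the account names, hosts and threshold are assumptions.

```python
"""Detect interactive service-account logons and failed-logon outliers."""

from collections import Counter

# Windows logon types that imply a human at a keyboard or an RDP session.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed inventory of non-interactive service accounts (assumption).
SERVICE_ACCOUNTS = {"svc_backup", "svc_sqlagent"}

# Constructed events modelled on 4624/4625 fields; a real pipeline would
# read these from the Security log or a SIEM.
EVENTS = [
    {"event_id": 4624, "account": "svc_backup", "logon_type": 5, "host": "srv01"},
    {"event_id": 4624, "account": "svc_backup", "logon_type": 10, "host": "srv01"},
    {"event_id": 4624, "account": "alice", "logon_type": 2, "host": "ws07"},
    {"event_id": 4625, "account": "svc_sqlagent", "logon_type": 3, "host": "db01"},
    {"event_id": 4625, "account": "svc_sqlagent", "logon_type": 3, "host": "db01"},
    {"event_id": 4625, "account": "svc_sqlagent", "logon_type": 3, "host": "db01"},
    {"event_id": 4625, "account": "svc_sqlagent", "logon_type": 3, "host": "db01"},
    {"event_id": 4625, "account": "svc_backup", "logon_type": 4, "host": "srv02"},
    {"event_id": 4624, "account": "svc_sqlagent", "logon_type": 4, "host": "db01"},
]


def interactive_service_logons(events, service_accounts=SERVICE_ACCOUNTS):
    """Successful logons by a service account using an interactive logon type.

    Service accounts run workloads via Service (5), Batch (4) or Network (3)
    logons; an Interactive/RemoteInteractive logon is a policy violation.
    """
    return [
        (e["host"], e["account"], INTERACTIVE_LOGON_TYPES[e["logon_type"]])
        for e in events
        if e["event_id"] == 4624
        and e["account"] in service_accounts
        and e["logon_type"] in INTERACTIVE_LOGON_TYPES
    ]


def failed_logon_outliers(events, threshold=3):
    """Accounts whose failed-logon count (4625) reaches the threshold."""
    failures = Counter(e["account"] for e in events if e["event_id"] == 4625)
    return {acct: n for acct, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("interactive service logons:", interactive_service_logons(EVENTS))
    print("failed-logon outliers:", failed_logon_outliers(EVENTS))
```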
An adequate investment of time is required
Building a culture of security doesn’t have to be expensive, but it requires leadership that is willing to support and champion the cause.
The investment in time is sometimes the biggest investment you can make, says Hughes. But implementing strong identity controls within and across your organization doesn’t have to be an expensive undertaking compared to the risk reduction you achieve by doing so.
“Security is about stability and consistency, but we can’t always control that in an enterprise environment,” he says. “Make smart investments to reduce technical debt in systems that are not compatible or cooperative with MFA or strong identity controls.”
It’s all about speed of detection and response, Pargman says.
“In so many cases I’ve investigated, the thing that made the biggest difference for defenders was the quick response from an alert SecOps analyst who noticed something suspicious, investigated, and discovered the intrusion before the threat actor had the opportunity to expand their influence,” he says.