Hackers nowadays are going old-school again. If you take a look at some of the recent hacking events, techniques and strategies that were used years back have come back to the fore. One such concept that is gaining traction among hackers is Living off the Land (LotL) attacks.
What Are Living off the Land (LotL) Attacks?
There is no silver bullet that defeats every type of cyber threat at all times. In some intrusions, threat actors don't need a hacking tool at all; instead, they use the tools and applications already present on the victim's system to carry out the compromise. These are called LotL attacks.
Over the past couple of years, LotL techniques have seen major adoption. Attackers use tools that are already installed on the victim's computers, or run simple scripts and shellcode directly in memory.
Although LotL attacks do not involve any malware, the rate of these cyber-attacks has increased significantly. The reason is that attackers gain enough time to dwell: the longer they stay unnoticed, the more opportunities they have to infiltrate further and destroy data or disrupt operations.
Fileless malware is one subset of LotL attacks. Here the attacker exploits dual-use tools and memory-only tools, which lets them hide in plain sight among legitimate system administration work. Few or no files are created during such an attack. The main reason for going fileless is that the fewer files there are, the fewer chances security tools have to detect them.
How To Fight LotL?
As an old-school yet sophisticated way of hacking, LotL poses a serious challenge for organisations that must identify and defend against it. However, there are measures companies can adopt to fight LotL and fileless malware attacks.
Software And Security Hygiene
This might sound basic, but many attacks succeed because of negligence regarding the software a company uses. Many organisations across the world do not bother to update or patch the software and tools they rely on. This opens the door for threat actors to find vulnerabilities.
Organisations should maintain an application inventory that identifies outdated and unpatched applications and operating systems, so that every application in the environment can be managed securely. It is also imperative for companies to run security awareness training that goes beyond basic email phishing and other common threats and also covers how built-in Windows tools behave, so staff can spot anomalies, malicious activity, or suspicious programs running in the background. If you know enough about normal Windows background activity, you are one step ahead of the threat actors.
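The inventory check described above can be automated. The following Python script is an added example written for this article, not the author's own tooling or any vendor's product. The inventory lines, the minimum-patched-version baseline and the end-of-life list are constructed sample data (product names are hypothetical); in practice the baseline would come from vendor advisories and the organisation's patch policy. The point worth noticing is the version comparison: versions are compared component by component as numbers, because comparing them as strings would call "1.10" older than "1.9".

```python
"""Added example: flag outdated, end-of-life or unmanaged software from an
application inventory. Illustrative code for this article; all data below
is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed inventory: "host,application,installed_version" (hypothetical)
INVENTORY = """\
WS01,Example Reader,2021.001.20155
WS01,Example Browser,118.0.5993.70
WS02,Example Browser,119.0.6045.105
WS02,Example Java Runtime,8.0.202
WS02,Example Agent,1.10.0
SRV01,Example Web Server,2.4.49
SRV01,Example Web Server Legacy,1.10
"""

# Constructed baseline: lowest version still considered patched (hypothetical)
MIN_PATCHED = {
    "Example Reader": "2023.001.20093",
    "Example Browser": "119.0.6045.105",
    "Example Java Runtime": "8.0.381",
    "Example Agent": "1.9.3",
    "Example Web Server": "2.4.51",
}

# Products that no longer receive fixes at all; any installed copy is a finding
END_OF_LIFE = {"Example Web Server Legacy"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.49' or '8.0.202-b08' into a tuple of integers.

    Plain string comparison gets versions wrong ('1.10' < '1.9' as strings),
    so every numeric component is compared as a number.
    """
    return tuple(int(p) for p in re.findall(r"\d+", text))


def assess_inventory(inventory: str) -> List[Dict[str, str]]:
    """Return one finding per outdated, end-of-life or unknown application."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, app, version = (field.strip() for field in line.split(",", 2))
        if app in END_OF_LIFE:
            reason = "end-of-life: no patches available"
        elif app in MIN_PATCHED:
            if parse_version(version) >= parse_version(MIN_PATCHED[app]):
                continue  # at or above the patched baseline
            reason = f"below patched baseline {MIN_PATCHED[app]}"
        else:
            # Software absent from the baseline is itself an inventory gap
            reason = "not in baseline: unmanaged software"
        findings.append({"host": host, "app": app, "version": version, "reason": reason})
    return findings


def hosts_needing_attention(inventory: str) -> Dict[str, int]:
    """Count findings per host so remediation can be prioritised."""
    counts: Dict[str, int] = {}
    for finding in assess_inventory(inventory):
        counts[finding["host"]] = counts.get(finding["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess_inventory(INVENTORY):
        print(f"{f['host']:6} {f['app']:28} {f['version']:16} {f['reason']}")
```

Running it lists five findings across the three hosts; the agent at 1.10.0 is correctly left alone because 1.10 is newer than the 1.9.3 baseline.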
Assessment Of Events When You Were Hacked
It is important to look back at previous incidents in which you were hacked, and at the files that played a major role in them. Security analysts should also use their tools and systems to gauge historical attacks, looking for evidence such as suspicious registry keys and suspicious output files, as well as to identify active threats.
Once you get hold of some of those affected files or other traces, make sure you find out where things went wrong and fix it, so you can fight LotL in the future.
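The dual-use and memory-only tooling described earlier in this article, and the review of suspicious registry keys and files recommended in this section, come together in the kind of triage an analyst runs over historical telemetry. The Python below is an added example written for this article, not the author's tooling or any product. The process-creation lines and the registry export are constructed sample data; their field names mirror what Windows process-creation auditing records when command-line logging is enabled, but the layout is simplified. The rules encode the article's point: a built-in administration tool is not suspicious by itself, it becomes interesting when its parent, its command line or its launch location do not match legitimate administration work.

```python
"""Added example: triage dual-use tool activity in process-creation telemetry
and Run-key persistence. Illustrative code; all sample data is constructed."""
import re
from typing import Dict, List

# Built-in binaries administrators use legitimately and attackers "live off".
# Presence alone is not a finding; context is.
DUAL_USE = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
            "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Parents that should not normally spawn a scripting or administration tool
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Command-line fragments indicating script content carried in memory, not in a file
IN_MEMORY_HINTS = [
    re.compile(r"-(enc|encodedcommand)\b", re.I),
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"frombase64string", re.I),
]

# Constructed events (hypothetical hosts, users and command lines)
EVENTS = r"""
2024-03-04T09:12:01 host=WS01 user=alice parent=explorer.exe image=powershell.exe cmd="powershell.exe -File C:\scripts\backup.ps1"
2024-03-04T09:15:44 host=WS07 user=bob parent=winword.exe image=powershell.exe cmd="powershell.exe -enc <BASE64_PLACEHOLDER>"
2024-03-04T10:02:13 host=SRV02 user=svc_backup parent=services.exe image=certutil.exe cmd="certutil.exe -verify cert.cer"
2024-03-04T10:30:50 host=WS03 user=carol parent=excel.exe image=wscript.exe cmd="wscript.exe //E:jscript C:\Users\carol\AppData\Local\Temp\inv.js"
""".strip()

# Constructed .reg export of a user's Run key (backslashes doubled as in .reg files)
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="\"C:\\Program Files\\ExampleSync\\sync.exe\" /background"
"Updater"="wscript.exe //B C:\\Users\\bob\\AppData\\Roaming\\upd.vbs"
""".strip()

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
DUAL_USE_RE = re.compile(r"\b(" + "|".join(map(re.escape, sorted(DUAL_USE))) + r")\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public)\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed process-creation line into its fields."""
    match = EVENT_RE.match(line)
    if not match:
        raise ValueError(f"unrecognised event line: {line!r}")
    return match.groupdict()


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event deserves analyst attention (empty if none)."""
    reasons: List[str] = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmd"]
    if image not in DUAL_USE:
        return reasons  # only dual-use tools are evaluated here
    if parent in DOCUMENT_PARENTS:
        reasons.append(f"{image} spawned by document handler {parent}")
    if any(hint.search(cmd) for hint in IN_MEMORY_HINTS):
        reasons.append("script content passed in memory (encoded or evaluated inline)")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("payload loaded from a user-writable location")
    return reasons


def hunt_events(text: str) -> List[Dict[str, object]]:
    """Run triage over every event line and keep those with at least one reason."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        if line.strip():
            event = parse_event(line)
            reasons = triage_event(event)
            if reasons:
                hits.append({"host": event["host"], "image": event["image"], "reasons": reasons})
    return hits


def suspicious_autoruns(reg_export: str) -> List[Dict[str, str]]:
    """Flag Run-key values that start a dual-use interpreter: persistence with no new binary."""
    findings: List[Dict[str, str]] = []
    key = ""
    for line in reg_export.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
            continue
        match = REG_VALUE_RE.match(line)
        if not match:
            continue
        # Undo .reg escaping: doubled backslashes and escaped quotes
        value = match.group("value").replace("\\\\", "\\").replace('\\"', '"')
        if DUAL_USE_RE.search(value):
            findings.append({"key": key, "name": match.group("name"), "value": value})
    return findings


if __name__ == "__main__":
    for hit in hunt_events(EVENTS):
        print(hit["host"], hit["image"], "; ".join(hit["reasons"]))
    for finding in suspicious_autoruns(REG_EXPORT):
        print(finding["key"], finding["name"], finding["value"])
```

On the constructed data, the backup script launched from Explorer and the certificate check run by a service are left alone, while the two interpreters spawned from Office documents and the Run-key entry that starts a script host are reported with the reason for each, which is the trail the incident review described above would follow.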
Have the Right Endpoint Detection and Response (EDR)
There is something called "silent failure" when it comes to fighting cyber-attacks: your dedicated cybersecurity defence systems fail to detect or defend against an attack and do not even notify you that they have failed. If fileless malware manages to slip through and gain access to your environment, it might dwell in your systems for quite a long time and analyse the entire environment in preparation for a bigger attack.
To overcome this, it is important to have the right Endpoint Detection and Response (EDR) in place. It helps companies spot suspicious activity at the endpoints and eliminate it.
Know About Access Rights and Privileges
The emphasis on this point is real. An organisation should have protocols governing employees' access rights and privileges. For example, if an employee clicks on a malicious link, that does not mean the malware would land on that employee's system; rather, it would travel across the network and land on some other system (usually a richer target). Therefore, segment the network and make sure that third-party applications and users are subject to strict access protocols.
Have a Dedicated Threat Hunting Strategy
The chances of finding threats are higher when different teams look for different kinds of threats. It is therefore good practice for companies to have dedicated threat hunters who continuously go through the different segments of the company's IT infrastructure looking for the faint signs of the most sophisticated attacks.
Companies can either build an in-house threat hunting team or outsource to a managed threat hunting service. Both work fine, as each is tailored to fill this critical gap for organisations of all types.