
Navigating Live off the Land Attacks: Understanding, Prevention, and Defense in Today's Cyber Landscape



As the digital landscape evolves, so too does the scope of cybersecurity. New tools and technologies are developed constantly to let organizations quickly and easily manage their technological environments at the click of a button, all from a single screen! While these IT management tools have drastically reduced the overhead of administering an organization's environment, they have also opened the door to a new evolution in threat actors' methodology. With Endpoint Detection and Response (EDR) tools becoming far more effective at catching malicious activity, classic attack methods such as developing custom malware are falling out of favor. The newest trends in threat actors' methodology center on avoiding detection by simply blending into the digital background, exploiting already deployed legitimate software, tools, and scripting languages. This article dives into these attack methods, collectively known as Live off the Land attacks, to explain what a Live off the Land attack is, why attackers are using them, and how defenders can aim to stop them.

What defines a Live off the Land attack? 

Live off the Land attacks (LoLs) utilize legitimate software or functionality to perform attacks rather than deploying custom malware or existing exploit tools.

Live off the Land attackers often seek to take advantage of the inherent trust granted to management and remote access software in order to spread throughout an organization after establishing a persistent foothold on a compromised system.

Many Live off the Land attack methods make use of scripting languages such as PowerShell and Java, which are typically whitelisted due to widespread legitimate use across nearly all organizations. These Live off the Land Binaries (LoL Bins) can be quickly and easily deployed by an attacker to carry out a wide range of malicious activities such as disabling endpoint defenses, changing firewall configurations, modifying compromised user accounts, or collecting sensitive information into an easily exportable bundle. 

While scripting tools are a favorite for some LoL attackers, others seek to use administratively enabled tools within an organization such as backup managers, remote device management tools, and even user management tools. These administrative tools are typically granted a higher level of access or run with elevated permissions, making them prime targets for an attacker; additionally, an attacker can use them in ways that pass unnoticed within many environments.

Ultimately there is no single set method by which an attacker may attempt to use a Live off the Land attack against your environment. They could leverage a malicious script, compromise an existing account, exploit a legitimate tool, or any combination of the three. While the exact methods change, the one constant is that Live off the Land attacks are becoming increasingly popular with threat actors worldwide.

Why are they becoming more popular? 

The modern cybersecurity environment can be viewed much like a bank vault: layers of monitoring and security ensure that any abnormal outside activity is discovered and reported to dedicated teams who can take corrective action and secure an organization's assets in real time. Where these security methods struggle is in two key aspects: first, how do you define normal, and second, what happens when the attack comes from within?

With organizations trending towards cloud or hybrid environments, the cyber landscape, or attack surface, tends to expand. This is especially true in industries such as healthcare and manufacturing, where medical devices or operational technology exist on the network but may be outside the direct management scope of the host organization, which instead relies on a vendor to maintain the connected assets. Beyond that, IT administrators use such a wide range of tools to carry out critical business functions such as network engineering, backup management, and device patching that different members of the same IT team may be using different tools to perform the same tasks.

With account- and identity-based initial access methods on the rise, using a compromised valid account to drive legitimate tools grants threat actors near invisibility in most environments, where security tools and detection methods focus on identifying malicious indicators of compromise (IOCs) such as malware file hashes. With many organizations using Endpoint Detection and Response (EDR) tools to identify and stop malware, one of the first steps an organization takes is to whitelist any used or known-safe software so that IT operations are not impacted by security controls. While allowing IT to perform maintenance and updates is critical to business operations, this creates a security blind spot around IT tools and functions, which an attacker can then leverage without triggering a security investigation.

How can organizations defend against them?

Live off the Land attacks are by nature difficult to detect, isolate, and prevent. They focus heavily on blending into the environment to avoid detection and to make a security investigation as complex as possible. Thankfully, preventing a Live off the Land attack can be simpler, but it requires significant setup and ongoing maintenance, as well as adherence to standards and best practices.

Relying on standard security controls alone doesn't work against Live off the Land attacks, so detecting one relies heavily on normalizing and baselining activity within the environment. By better defining what activity is expected, defenders have an easier time identifying the unexpected. In many cases an attacker will still use standard attack methodology, such as attempting to move laterally within the environment or escalate the privileges of a compromised user account; this activity can be easier to detect and may guide defenders back to the point of initial compromise.

When investigating a possible Live off the Land attack, don't rely on automated tools to pick out the activity. Even once an attack is identified, its nature means that large volumes of seemingly normal data must be searched for the small deviations or irregularities the attacker introduced. Creating defined change windows and approval processes can make abnormal activity easier to identify as well.

Ultimately the best method an organization can use to reduce its susceptibility to Live off the Land attacks is to employ strong Attack Surface Management techniques. Rather than allowing IT admins to use a wide range of tools, set a defined list that is then managed by the company to ensure that patches and updates are applied. Increasing security measures around user accounts and implementing behavioral detections can help prevent accounts from being compromised in the first place, thus denying the attacker access to the environment. Machine learning tools and self-learning AI may be the path forward for defenders, but only time will tell.
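The three defensive ideas above (baselining expected activity, defined change windows, and a managed list of approved tools) can be combined into a single triage pass over process-creation records. The following Python script is an added example written for this article, not code from the author or from any product. The log format, host names, user names, and tool names (backupagent.exe, rmmagent.exe, quickremote.exe) are constructed for the example, and the detection patterns are only illustrative of the activity classes named earlier (disabling endpoint defenses, firewall changes, account modification, data staging); a real deployment would draw its baseline from weeks of actual audit data.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records (not from any real environment). Each line is
# "timestamp|host|user|image|command line", the fields a process-creation
# audit record with command-line logging would carry. Tool names are hypothetical.
BASELINE_LOG = """\
2024-03-05T09:12:00|ADM01|CORP\\jsmith|powershell.exe|powershell.exe -File C:\\Scripts\\Get-PatchStatus.ps1
2024-03-05T20:30:00|ADM01|CORP\\jsmith|powershell.exe|powershell.exe -Command Restart-Service Spooler
2024-03-06T02:00:00|BKP01|CORP\\svc_backup|backupagent.exe|backupagent.exe --job nightly-full
2024-03-07T20:15:00|ADM01|CORP\\jsmith|rmmagent.exe|rmmagent.exe --push-update
2024-03-08T10:05:00|HR-WS07|CORP\\mlee|excel.exe|excel.exe C:\\Users\\mlee\\Documents\\payroll.xlsx
"""

NEW_LOG = """\
2024-03-12T20:40:00|ADM01|CORP\\jsmith|powershell.exe|powershell.exe -Command Restart-Service Spooler
2024-03-13T03:17:00|HR-WS07|CORP\\mlee|powershell.exe|powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true
2024-03-13T03:19:00|HR-WS07|CORP\\mlee|netsh.exe|netsh advfirewall set allprofiles state off
2024-03-13T03:25:00|HR-WS07|CORP\\mlee|powershell.exe|powershell.exe -Command Compress-Archive -Path C:\\Shares\\Finance -DestinationPath C:\\Temp\\f.zip
2024-03-13T14:00:00|ADM01|CORP\\jsmith|quickremote.exe|quickremote.exe --silent
"""

# The company-managed tool list (hypothetical). Note that netsh.exe and
# powershell.exe are legitimately on it: allowlisting alone cannot catch LoL
# activity, which is why the baseline and the command-line patterns exist.
APPROVED_TOOLS = {"powershell.exe", "backupagent.exe", "rmmagent.exe", "excel.exe", "netsh.exe"}

# Approved change windows as (weekday, start, end); Monday == 0.
CHANGE_WINDOWS = [(1, time(20, 0), time(23, 0)), (3, time(20, 0), time(23, 0))]

# Illustrative patterns for the LoLBin activity classes discussed in the article.
LOLBIN_ACTIVITY = {
    "defense tampering": re.compile(r"Set-MpPreference\s+-Disable", re.I),
    "firewall change": re.compile(r"\bnetsh\b.*advfirewall.*\bset\b|Set-NetFirewallProfile", re.I),
    "account modification": re.compile(r"\bnet\s+(user|localgroup)\b.*/add|Add-LocalGroupMember", re.I),
    "data staging": re.compile(r"Compress-Archive", re.I),
}
# Only configuration changes are expected to happen inside a change window.
CHANGE_CATEGORIES = {"defense tampering", "firewall change", "account modification"}


def parse(log):
    """Turn the pipe-separated sample records into dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image.lower(), "cmd": cmd})
    return events


def build_baseline(events):
    """Record which tools each (user, host) pair ran during the learning period."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["host"])].add(e["image"])
    return seen


def in_change_window(ts):
    return any(ts.weekday() == day and start <= ts.time() <= end
               for day, start, end in CHANGE_WINDOWS)


def triage(events, baseline):
    """Return one finding per event that deviates from policy or baseline, with reasons."""
    findings = []
    for e in events:
        reasons = []
        if e["image"] not in APPROVED_TOOLS:
            reasons.append("tool not on the managed list")
        elif e["image"] not in baseline.get((e["user"], e["host"]), set()):
            reasons.append("first use of this tool by this user on this host")
        for label, pattern in LOLBIN_ACTIVITY.items():
            if pattern.search(e["cmd"]):
                reasons.append(label)
                if label in CHANGE_CATEGORIES and not in_change_window(e["ts"]):
                    reasons.append("outside an approved change window")
                break
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "host": e["host"],
                             "user": e["user"], "image": e["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for f in triage(parse(NEW_LOG), baseline):
        print(f["ts"], f["host"], f["user"], f["image"], "->", "; ".join(f["reasons"]))
```

Run as written, the routine admin restart of the print spooler inside the Tuesday change window produces no finding at all, while the workstation user suddenly driving PowerShell and netsh at 3 a.m. is flagged on three grounds at once, and the unapproved remote tool on the admin host is flagged purely because it is not on the managed list. The value is in the reasons, not the alerts: an analyst searching a large volume of otherwise normal data needs to know whether an event is unusual because of who ran it, when, or what it did.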
