Living-off-the-land attacks are rising fast. Learn why they work — and how tailored hardening helps stop them without disrupting your business.

Living-off-the-land (LotL) attacks — where adversaries exploit legitimate system tools to carry out malicious activities — are becoming increasingly prevalent and sophisticated. Bitdefender’s internal threat analysis reveals that nearly 70% of successful cyberattacks utilize LotL techniques.

What’s driving this surge? An overreliance on detection, an unnecessarily large attack surface at nearly every organization, and a failure of traditional application control and attack surface reduction rules. You might call it a living-off-the-land trifecta.

Leaked Threat Actor Chats: We Live Off the Land

When someone leaked communications from the Black Basta ransomware group, it revealed the group’s LotL strategy. One of the group’s leaders shared: “If we use standard utilities, we won’t be detected… we never drop tools on machines.”
In other words, instead of the noisy attacks of the past, they leverage your legitimate tools and applications to secretly go deeper into your environment, most often leveraging this access for ransomware and data exfiltration.
These attacks are popular for four main reasons. They leverage what’s already there, so threat actors can avoid investing in tools of their own. They also cover all stages of an attack, from initial reconnaissance to lateral movement, data exfiltration, and even data encryption. And many of these tools are flexible, so threat actors can adapt them to their needs.

And perhaps the biggest advantage of LotL attacks is the ability to blend seamlessly with normal system activity. By using legitimate tools, attackers bypass legacy security solutions that rely on detecting suspicious custom tools and behavior.

Attack Surfaces and Failed Controls

For years now, IT and security teams have tried to minimize their attack surface by using allow lists. While they reduce attack surfaces somewhat, these tools often miss key preinstalled binaries and utilities, and they impair productivity or add overhead for IT teams when deployed on any system other than fixed-function devices. Similarly to attack surface reduction rules, as modern environments evolve rapidly, keeping up with changes and exceptions becomes overwhelming for administrative teams.

This is why attackers now celebrate that they can expect to find legitimate tools to abuse and remain hidden in their victims’ environments. To avoid slowing down business, organizations have invested in improving their detection and response capabilities to be able to discover and stop attackers that attempt to blend in using trusted tools. However, even the best security operations teams struggle to differentiate between legitimate tool usage by employees and attacker activity, which can give attackers the time they need to achieve their goals.

Stay updated with SOC News for cutting-edge security innovations and expert industry insights! 

Source: https://www.darkreading.com/endpoint-security/lotl-attacks-new-defensive-strategy