LOTL cyber attack technique growing in popularity

'Living off the land' techniques are growing in popularity, according to Tony Jarvis, Director of Enterprise Security, Darktrace, APJ, in response to this week's announcement by ACSC and its Five Eyes Advisory partners.

Living off the land (LOTL) is a fileless malware or LOLbins cyberattack technique where the cybercriminal uses native, legitimate tools within the victim's system to sustain and advance an attack.

"With today's announcement by the ACSC and its partners, the topic of living off the land techniques is once again thrust into the spotlight as a way of evading detection," Jarvis says.

Jarvis says this technique is growing in popularity for several reasons. 

"Attackers do not need to surreptitiously download malicious tools into a network in order to carry out their objectives, where the very act of doing so may reveal their presence in a victim's environment," he says.

"Leveraging the tools already available, and often necessary, on compromised endpoints means that traditional protections designed to identify known malicious applications and processes will fail to reveal attacker activity when they are now using sanctioned applications."

While threat intelligence is a valuable tool and an important part of a defender's strategy, Jarvis says it relies on details of previous attacks to pinpoint malicious activity based on indicators of compromise (IOCs) that are known to be bad. 

"These IOCs reflect a threat actor's tactics, techniques, and procedures, and must be updated each time these behaviours evolve in order for them to remain an effective method of discovering malicious activity," he explains.

"Living off the land techniques are especially problematic since the applications themselves are not the issue, but rather the harmful way that these applications are being used," Jarvis says. 

"This makes the use of rules, signatures, and threat intelligence less effective as a way of preventing such attacks from achieving their objectives. 

"This is why an understanding of anomalous behaviour surrounding otherwise legitimate tools is paramount in securing organisations against both known and unknown attacks, especially when no specific threat intelligence is available. 

"Establishing patterns of 'normal' activity for users, machines and the organisation as a whole will enable anomalous behaviours to be identified, investigated and responded to before an attacker is able to achieve their objectives. 

"While not all unusual activity may be malicious, the vast majority of malicious activity will appear unusual, giving defenders the upper hand in spotting things that traditional approaches may miss."

Jarvis says, "As organisations have come to accept that intrusions are inevitable, we must increasingly look within our environments for threats that have slipped past perimeter defences. 

"It should not be assumed that these techniques are used exclusively by highly capable nation state actors. Such attacks have been readily observed in a large portion of network-level attacks in recent history," he says. 

"The motivation for threat actors lies in the fact that if they can successfully evade perimeter defences such as firewalls and endpoint detection and response solutions, then using toolsets readily available within the network can essentially become invisible to defenders. 

"If we are to achieve true cyber resilience, we must look at methodologies that detect and prevent the unusual use of legitimate tools, or risk losing visibility over this significant attack vector."