Father
The number of attackers keeps growing, and so does the range of security tools that must withstand their malware. The first and most widespread line of defense is antivirus. But what if the antivirus itself, or any other legitimate piece of software, becomes the instrument of an attack?
This is the idea behind Living off the Land (LotL) attacks: they use legitimate software that already exists inside the infrastructure to reach the attacker's goals, escalate privileges in the system, or steal user data.
In this article, we look at the main features of LotL attacks, how to identify and detect them, how to defend against this type of attack, and which preventive measures help against them.
How LotL attacks work
Living off the Land literally means "living on what the land provides". The essence of the attack is to use "white" (trusted) software, together with its privileges and functions, on the user's PC or inside the infrastructure. This significantly reduces the risk that the attack will be detected, since most common security products focus on tracking malicious activity and its indicators, while programs on the "white" list fall outside their field of view.
Anton Kuznetsov
R-Vision Senior Information Security Engineer
The use by attackers of tools and legitimate programs pre-installed in the OS is found in almost every report on the investigation of computer incidents involving APT groups and Ransomware as a Service (RaaS) operators.
The most commonly used tools in attacks on Windows are PowerShell and WMI, as well as the utilities rundll32.exe, sc.exe, reg.exe, psexec.exe and wmic. On Linux it is the well-known netcat utility; cron jobs, rc.local and rc.common, systemd units, etc. are often used for persistence.
Indeed, LotL attacks are widespread, since this approach lets attackers bypass security controls and remain undetected for a long time. Carrying out an attack with legitimate utilities and pre-installed tools somewhat increases the time it takes, because the attackers have to perform some steps manually. However, that does not stop them.
Using legitimate software for malicious tasks is not the easiest route. As a rule, it is the most advanced groups, whose attacks are systematic and professional in nature, that have this technique in their arsenal.
It is also important to understand that LotL is only one link in the attack chain, which has to begin somehow (breaching the external perimeter) and end somehow (bringing about an unacceptable event).
However, LotL attacks are neither a silver bullet nor "an invention of today": they have been known for a long time. There are therefore a number of solutions both for actively countering this type of attack and for reducing the likelihood that one succeeds.
How to protect yourself from attacks through legitimate software
Dmitry Ovchinnikov
Chief Specialist of the Integrated Information Security Systems Department of Gazinformservis
Since such attacks are carried out through legitimate software on the network, they can only be detected by abnormal user or workstation behavior. At this stage there is an invisible battle of minds between security professionals and cybercriminals, and it is played turn by turn. The first move always belongs to the information security specialists. If security specialists and administrators have set up the working environment well and correctly, the probability of detecting abnormal behavior after an attacker's actions will be higher.
Then special EDR-class software comes into play, which is precisely what analyzes activity on servers and workstations. If the criminal is very careful and experienced, threat modeling or threat hunting in their own infrastructure comes to the aid of the information security specialists.
As is well known, there is no absolute protection, and sooner or later any company finds an attacker operating inside its infrastructure. In this context, the main task of information security is to create conditions under which the attack chain becomes as long as possible, and each step the attacker takes raises the risk of "getting caught".
Since the main sign of a LotL attack is atypical user behavior when working with a program, or the use of software functions in an "unusual" way, tools and solutions aimed at behavioral analysis and anomaly detection are often used to detect them.
Nikolay Peretyagin
NGR Softlab Product Manager
One of the most informative tools for detecting such attacks is the UEBA class of solutions. The ML algorithms used in such a tool can detect deviations in the actions of the monitored software: for example, accessing external resources over atypical data transfer protocols or at an atypical time, or establishing connections with atypical IP addresses, etc. Of course, you could implement outright software-blocking mechanisms instead, but under such conditions the efficiency of solving business tasks would be extremely low.
However, very few attacks can be carried out with legitimate programs alone. As a rule, attackers take a combined approach, using LotL to move through the infrastructure, whether laterally (between hosts) or vertically (escalating privileges).
Accordingly, an attacker is most exposed to detection while looking for the "entry point" into the infrastructure, since the external perimeter is in most cases one of the best-protected parts of a company. That is where you can identify the attacker and begin the defense with traditional "first-line" tools, which commonly include firewalls, sandboxes and antivirus programs.
Pavel Pugach
Serchinform System Analyst
Any external threat protection tool can be used to detect attacks. For example, an attacker can use a phishing email to gain access to the target system. In this case, the mail protection system will help. If the email contains a script, the antivirus will detect it. The script may be used to reach an external IP address from the blacklist, and here you already need a firewall. And to be able to link such small events into one incident and identify a real attack, you need a SIEM system.
But in my opinion, behavioral analysis tools are the least effective. Unlike DDoS or brute-force attacks, a LotL attack may consist of individual actions rather than mass ones. For example, sending one email or one request to a suspicious IP address is often not statistically noticeable against the background of normal user behavior.
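The two views above are complementary: a UEBA-style baseline gives each action an anomaly score, and SIEM-style correlation is what turns several individually unremarkable actions into one incident. The following added example (written for this article, not code from the quoted experts or any product) builds a per-user profile from constructed history, scores a test day against it, and only opens an incident when the scores of one host and user accumulate inside a time window. The users, hosts, addresses, the 30-minute window and the threshold of 3 are all assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # correlation window per (host, user); assumed value
THRESHOLD = 3                    # cumulative anomaly score that opens an incident; assumed value


class Baseline:
    """Per-user profile of what 'normal' looks like, learned from historical events."""

    def __init__(self):
        self.processes = defaultdict(set)
        self.destinations = defaultdict(set)
        self.hours = defaultdict(set)

    def learn(self, history):
        for e in history:
            u = e["user"]
            self.processes[u].add(e["process"])
            self.destinations[u].add((e["dst_ip"], e["dst_port"]))
            self.hours[u].add(e["ts"].hour)

    def score(self, e):
        """Return (score, reasons); each deviation from the user's profile adds one point."""
        u, reasons = e["user"], []
        if e["process"] not in self.processes[u]:
            reasons.append("new_process")
        if (e["dst_ip"], e["dst_port"]) not in self.destinations[u]:
            reasons.append("new_destination")
        if e["ts"].hour not in self.hours[u]:
            reasons.append("off_hours")
        return len(reasons), reasons


def correlate(baseline, events):
    """Sum scores per (host, user) inside WINDOW; open an incident once the sum reaches THRESHOLD."""
    incidents, windows = [], defaultdict(deque)
    for e in sorted(events, key=lambda x: x["ts"]):
        score, reasons = baseline.score(e)
        if score == 0:
            continue
        q = windows[(e["host"], e["user"])]
        while q and e["ts"] - q[0][0] > WINDOW:   # forget events that fell out of the window
            q.popleft()
        q.append((e["ts"], score, reasons))
        total = sum(s for _, s, _ in q)
        if total >= THRESHOLD:
            incidents.append({"host": e["host"], "user": e["user"], "score": total,
                              "events": [(ts.isoformat(), r) for ts, _, r in q]})
            q.clear()   # one incident per chain, not one per additional event
    return incidents


def ev(user, host, ts, process, dst_ip, dst_port):
    return {"user": user, "host": host, "ts": datetime.fromisoformat(ts),
            "process": process, "dst_ip": dst_ip, "dst_port": dst_port}


# Constructed history: both users work 09:00-17:00 with a mail client, a browser and a file share.
HISTORY = [ev(u, h, f"2024-03-0{d} {hr:02d}:00:00", p, ip, port)
           for u, h in (("alice", "ws01"), ("bob", "ws02"))
           for d in range(1, 6) for hr in range(9, 18)
           for p, ip, port in (("outlook.exe", "10.1.1.10", 443),
                               ("chrome.exe", "10.1.1.10", 443),
                               ("explorer.exe", "10.1.1.20", 445))]

# Constructed test day: a benign event, a quiet two-step after-hours LotL move, one stray oddity.
TEST_DAY = [
    ev("alice", "ws01", "2024-03-08 09:15:00", "chrome.exe", "10.1.1.10", 443),
    ev("alice", "ws01", "2024-03-08 22:05:00", "powershell.exe", "10.1.1.20", 445),
    ev("alice", "ws01", "2024-03-08 22:07:00", "wmic.exe", "10.1.1.20", 445),
    ev("bob", "ws02", "2024-03-08 10:00:00", "powershell.exe", "10.1.1.10", 443),
]


def run_demo():
    baseline = Baseline()
    baseline.learn(HISTORY)
    return correlate(baseline, TEST_DAY)


if __name__ == "__main__":
    for inc in run_demo():
        print(f"incident on {inc['host']} for {inc['user']} (score {inc['score']}):")
        for ts, reasons in inc["events"]:
            print("   ", ts, ", ".join(reasons))
```

Each of alice's two after-hours events scores 2, below the threshold on its own, which is the weakness the second quote describes; it is only the correlation of the two within the window that opens the incident. Bob's single unusual process scores 1 and stays below the threshold, which keeps the example from flagging every first-time program launch.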
But the most powerful tool in a company's arsenal for ensuring a high level of security is order. If the infrastructure has clear rules for how all of its elements interact, rules of behavior, and systems that detect deviations from the established patterns, it becomes much harder for an attacker to remain unnoticed.
Preventive methods to combat LotL attacks
As is well known, the best protection against a disease, in cyberspace too, is prevention. Applied to information security, this can include a whole range of activities, from training employees to bringing in specialized experts to assess security. In the LotL context, one of the most effective practices is an Occam's razor approach to access: a system is reachable only by the employees and devices it is actually intended for.
Sergey Belov
CEO, AtreIdea
To prevent LotL attacks and minimize risks, a company can adopt the following practices:
1. Restrict access to command-line utilities and scripts on a need-to-use basis, and disable script support on computers that do not need it.
2. Restrict access rights to important system resources, files, and folders. Use privileged accounts only when necessary.
3. Install software for monitoring and detecting incidents. This will help you detect unusual activity and attacks.
4. Apply a code execution restriction policy on client computers that prohibits running executable files from temporary directories.
5. Install and configure a firewall on your computers and network to restrict incoming and outgoing traffic.
6. Use antivirus software that detects not only malware but also other unusual kinds of activity.
7. Perform regular updates and patches for the operating system and installed software in order to eliminate vulnerabilities in a timely manner and keep the system up to date.
8. Train employees in proper information security practices and warn them about the dangers of legitimate tools being used for illegal purposes.
9. Keep an eye out for new methods and tools of intruders and regularly analyze logs and events in the system for unusual activity.
These practices can help prevent and detect LoTL attacks and minimize risks for the company.
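Points 1 and 4 of the list are the ones that can be expressed as an execution policy, and the way such a policy is written decides whether a LotL technique slips through it. The following added example (written for this article, not code from the quoted experts or a real AppLocker/WDAC rule set) evaluates constructed process events against two versions of the policy: a weak one that only looks at where the executable itself lives, and a hardened one that additionally restricts script hosts to designated groups and checks what a signed loader such as rundll32.exe is asked to load. The directory patterns, group names, user names and the %TEMP% mapping are all assumptions made for the demonstration.

```python
import fnmatch
import re

# Constructed environment and policy; a real deployment takes these from
# AppLocker/WDAC (or a Linux MAC policy), not from a Python dictionary.
ENV = {   # assumed expansions for the demo user's profile
    "%temp%": r"c:\users\alice\appdata\local\temp",
    "%appdata%": r"c:\users\alice\appdata\roaming",
    "%systemroot%": r"c:\windows",
}
DENY_DIRS = (   # user-writable locations: nothing executes or is loaded from here (point 4)
    r"c:\users\*\appdata\local\temp\*", r"c:\users\*\appdata\roaming\*",
    r"c:\users\*\downloads\*", r"c:\windows\temp\*",
)
ALLOW_DIRS = (r"c:\windows\*", r"c:\program files\*", r"c:\program files (x86)\*")
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_GROUPS = {"admins", "devops"}   # the only groups allowed to run script hosts (point 1)
LOADERS = SCRIPT_HOSTS | {"cmd.exe", "rundll32.exe", "regsvr32.exe"}   # signed binaries that run a file given as argument
PATH_ARG = re.compile(r"(?:[a-z]:\\|%[a-z]+%\\)[^\s\"',;]+")   # drive or %VAR% paths in a lower-cased command line


def normalize(path):
    p = path.strip('"').lower().replace("/", "\\")
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def basename(path):
    return normalize(path).rsplit("\\", 1)[-1]


def in_any(path, patterns):
    return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)


def image_only_decision(event):
    """Weak policy: looks only at the directory of the executable itself."""
    image = normalize(event["image"])
    if in_any(image, DENY_DIRS):
        return "deny", "image in user-writable directory"
    if in_any(image, ALLOW_DIRS):
        return "allow", "image in allowed directory"
    return "deny", "image outside allowed directories"


def decision(event):
    """Hardened policy: also checks who may run script hosts and what loaders are asked to load."""
    verdict, reason = image_only_decision(event)
    if verdict == "deny":
        return verdict, reason
    exe = basename(event["image"])
    if exe in SCRIPT_HOSTS and not (event["groups"] & SCRIPT_GROUPS):
        return "deny", f"{exe} not permitted for user {event['user']}"
    if exe in LOADERS:
        for arg in PATH_ARG.findall(event["cmdline"].lower()):
            if in_any(normalize(arg), DENY_DIRS):
                return "deny", f"{exe} would load {arg} from a user-writable directory"
    return "allow", reason


CASES = [   # constructed events: (user, groups, image, command line)
    {"user": "alice", "groups": {"users"}, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"user": "alice", "groups": {"users"}, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "cmdline": "upd.exe"},
    {"user": "alice", "groups": {"users"}, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe %TEMP%\x.dll,DllMain"},
    {"user": "alice", "groups": {"users"}, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"user": "ops", "groups": {"admins"}, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def evaluate(cases=CASES):
    """Return (weak verdict, hardened verdict) for each case."""
    return [(image_only_decision(c)[0], decision(c)[0]) for c in cases]


if __name__ == "__main__":
    for c, (weak, hard) in zip(CASES, evaluate()):
        print(f"{c['user']:6} {c['cmdline'][:45]:45} image-only={weak:5} hardened={hard:5} ({decision(c)[1]})")
```

The third and fourth cases are the ones that matter: rundll32.exe and powershell.exe both live in C:\Windows, so a policy that only checks the executable's location allows them, even though one is loading a DLL out of %TEMP% and the other is an encoded command run by an ordinary user. The hardened version denies both while still allowing the administrator's scheduled backup script.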
Among other things, this greatly simplifies the life of the information security department, since it reduces the number of false positives. Saving human resources is especially important given that the number of information security specialists in a company rarely matches the optimal number for the tasks assigned to the security function.