During the current pandemic while the majority of us are forced to work from homes, we in the cybersecurity profession are quite busy trying to safeguard all critical infrastructure from bad actors who are making use of this situation to achieve their sinister objectives.
In the past few months we have seen an increase in “Living Off The Land” (LOTL) attacks. Before going deeper, let us understand what an LOTL attack is. In layman's terms, living off the land means sustaining oneself on whatever is available on a given tract of land. In this kind of attack the attacker makes use of the tools that are already available in the target environment. In other words, the attacker uses our own system tools against us. Mind you, the attackers are not installing any malware on the target systems; they get into the target system and turn the tools we have installed for our own use against us. Some of the tools used in LOTL attacks are Mimikatz, Microsoft PsTools, Windows Management Instrumentation (WMI), Windows Secure Copy, PowerShell scripts, VB scripts, and more.
You may ask, what is the connection between WFH and LOTL attacks? I will answer that in the next few sentences. As a cybersecurity professional I have been receiving calls from businesses that are experiencing a spate of ransomware attacks. They are facing these attacks despite defense in depth, and investigations lead nowhere in finding the perpetrator. This is where I link WFH to LOTL and the increase in ransomware attacks. In my analysis, the bad actor first gets into the remote workstation from which the remote worker logs into the corporate network. As most businesses were forced into remote working in an ad hoc manner in this pandemic, a significant portion of their employees are using their own (vulnerable) devices or workstations to access the corporate network.
Adding VPN connectivity on top of this only compounds the problem: the firewall allows authorized connections through without any hint of who may be piggybacking on them. The LOTL attack takes place at the client workstation; to gain access to the remote workstation the bad actor may use social engineering, phishing, or similar methods. Once inside the client system, the attacker can use any of the system tools to release the ransomware payload into the corporate network. During our investigations we may not find any traces on the client workstation, as this attack is fileless.
Now, with this understanding of the attack, let us look at ways to mitigate or thwart it. Like any other sophisticated attack led by a bad actor, this one also involves reconnaissance and scanning. So the best way forward is to conduct periodic pen-testing and purple team exercises to identify assets that are vulnerable to LOTL attacks and prepare an action plan to mitigate the risk. Beyond this, we may adopt the following best practices:
- Be disciplined when logging in and out: use strong passwords, enable advanced account security features such as 2FA and login notifications wherever possible, and always log out of your session when done.
- System admins should monitor the usage of dual-use tools inside the network and use application whitelisting where applicable.
- Everyone must exercise caution when receiving unsolicited, unexpected, or suspicious emails. Be especially wary of Microsoft Office attachments that prompt you to enable macros.
- Keep security software and operating systems up to date.
- Use tools like Microsoft AppLocker to prevent an attacker who has hijacked a user account from executing commands with system tools.
- Do not hesitate to call for professional assistance.
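To make the "monitor dual-use tools" and "Office attachment with macros" points concrete, here is an added example (not code from the article or its author) that triages Windows process-creation records for launches of the tools the article lists. The sample events, the admin-account allowlist, the tool name list and the command-line heuristics are all constructed assumptions; a real deployment would feed it Security event 4688 or Sysmon event 1 data and tune the allowlist to its own environment.

```python
"""Flag living-off-the-land style process launches in Windows process-creation
telemetry (Security event 4688 / Sysmon event 1 style fields).

Added illustration: sample events, allowlist and heuristics are constructed
assumptions, not data or rules from the article."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    user: str      # account that launched the process, e.g. CORP\jdoe
    image: str     # path of the launched binary
    cmdline: str   # full command line
    parent: str    # path of the parent process


@dataclass
class Finding:
    severity: str       # "low" = allowlisted admin use, "high" = review now
    reasons: List[str]


# Dual-use tools named in the article, keyed by on-disk file name (assumed names).
DUAL_USE_TOOLS = {
    "psexec.exe": "Microsoft PsTools (PsExec)",
    "wmic.exe": "Windows Management Instrumentation (wmic)",
    "powershell.exe": "PowerShell",
    "pwsh.exe": "PowerShell",
    "cscript.exe": "Windows Script Host (VBScript)",
    "wscript.exe": "Windows Script Host (VBScript)",
    "mimikatz.exe": "Mimikatz",
}

# Command-line patterns that turn ordinary admin tooling into a high finding (assumed heuristics).
SUSPICIOUS_ARGS = [
    (re.compile(r"-(encodedcommand|enc|ec|e)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-(w|windowstyle)\s+hidden\b", re.I), "hidden PowerShell window"),
    (re.compile(r"\bprocess\s+call\s+create\b", re.I), "WMI process creation (often remote)"),
    (re.compile(r"executionpolicy\s+bypass\b", re.I), "execution-policy bypass"),
]

# Accounts expected to run admin tooling; anyone else is a high finding (assumed allowlist).
ALLOWED_ADMIN_ACCOUNTS = {"CORP\\svc-deploy", "CORP\\it-admin"}

# A script host spawned by an Office application is the macro-attachment case from the article.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding for a dual-use tool launch, or None for any other process."""
    tool = DUAL_USE_TOOLS.get(basename(ev.image))
    if tool is None:
        return None
    reasons = [f"dual-use tool launched: {tool}"]
    severity = "low"
    if ev.user not in ALLOWED_ADMIN_ACCOUNTS:
        reasons.append(f"account not on admin-tool allowlist: {ev.user}")
        severity = "high"
    if basename(ev.parent) in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application: {basename(ev.parent)}")
        severity = "high"
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(ev.cmdline):
            reasons.append(label)
            severity = "high"
    return Finding(severity, reasons)


def triage(events: List[ProcEvent]) -> List[Tuple[ProcEvent, Finding]]:
    """Keep only dual-use tool launches, highest severity first (stable order otherwise)."""
    hits = [(ev, f) for ev in events for f in [assess(ev)] if f is not None]
    return sorted(hits, key=lambda h: h[1].severity != "high")


# Constructed sample telemetry (not real logs); the encoded payload is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent("CORP\\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent("CORP\\it-admin", r"C:\Tools\PsExec.exe",
              r"psexec.exe \\fileserver01 -s cmd.exe /c gpupdate /force",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("CORP\\jdoe", r"C:\Windows\System32\wbem\wmic.exe",
              'wmic.exe /node:fileserver01 process call create "cmd.exe /c whoami"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("CORP\\jdoe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {ev.user} {basename(ev.image)}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Two design points worth noting. First, an allowlisted admin running PsExec still produces a low-severity finding rather than nothing, because the whole point of the article is that legitimate tools are the attack surface; the record should exist even if nobody pages on it. Second, matching on the file name is deliberately the weakest part: a copied or renamed binary defeats it, which is why the enforcement layer the article recommends (AppLocker) should use publisher or hash rules rather than path rules, and why this kind of detection belongs alongside whitelisting rather than instead of it.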
About the author
Sudhakar S Narayan is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified lead auditor in ISO Information Security Management System (ISMS) and ISO Business Continuity Management System (BCMS). He has more than two decades of experience in Information Security, Information Systems Audit, data protection, data privacy, and business continuity and disaster recovery.