Defend Your IT Environment from Living-Off-the-Land (LOL) Techniques
As cyberattacks increase in frequency and sophistication, it is vital for organizations to defend their environments and be prepared for malicious actors inside their networks. Indeed, much as a parasite feeds off its host, cybercriminals have learned how to stealthily ‘live off the land’ of their victims’ environments, gaining time to unleash malware, steal or encrypt data and generally wreak havoc. Understanding LOL techniques and implementing best practices to spot them is critical to avoiding costly downtime, data loss, customer churn and more.
How Attacks Unfold
Cyberattacks follow a similar formula: Get there, get in, get ready, get more, get money. For most of these steps, LOL techniques are used to escalate the privileges while avoiding detection. Let us dive deeper into how an attack is executed, using the Emotet malware as an example.
To get there using Emotet, the adversary sends an email to a company employee with a malicious .LNK file attached. (Choosing this file type maximizes the likelihood the attachment will be opened since awareness training tends to focus on .DOC and .XLS files.) Once the Emotet dropper is executed (get in stage), it runs a CMD command to select a Visual Basic script in WScript, which in turn runs a command to download and register a malicious DLL using regsvr32 (get ready phase), loading further Emotet elements. In another variant, the .LNK file runs PowerShell commands to get the malicious DLL registered using regsrv32. These scripts are executed using built-in tools available in any standard Windows installation. Most users are unfamiliar with these tools and will be unable to detect any suspicious activity.
Emotet is known for the additional use of PowerShell scripts to enumerate user credentials (get more) and file shares. In addition, various types of malware often use built-in tools to enumerate and kill running processes of defensive solutions like antivirus (AV) tools. Ultimately, Emotet tries to establish a working connection with the command&control server (C2) to run further attack patterns.
One of those can be the enumeration of the environment using the user’s privileges. The attacker will look for any additional identities and service accounts stored on the infected device using the PowerShell version of Mimikatz. If there are any, the additional privileges gained will be used to explore the network to which the device is attached, using PowerShell scripts downloaded via the C2 channel.
The final step of the attack is trying to get money. One way is to sell the compromised credentials on the dark web to the highest bidder. Another option is to encrypt the data and demand a ransom for its release (and perhaps threaten to make the data public if the ransom is not paid).
Security Vulnerabilities to Watch For
When launching a malware campaign or other cyberattack in an environment, threat actors will investigate their target’s various security layers, searching for any weak point or vulnerability they can exploit. These vulnerabilities are often security gaps in the victim’s digital infrastructure or identity credentials. Common infrastructure weaknesses are open ports (think of RDP), unpatched operating systems and applications that are not securely configured (think of log4shell).
Another risk is overprovisioned user accounts. In particular, the shift to remote work during the pandemic forced many companies to delegate software update tasks to users. Therefore, they granted those users standing privileges to download, install and execute software — which enables any attacker who compromises the user account to deploy malware.
Getting back to the example of Emotet, let’s assume the user clicked on the .LNK file attached to the email. An attacker will also exploit the elevated privileges to make configuration changes like the mentioned disabling of AV tools, all with the aim to establish a solid, persistent footprint that is likely to go undetected for a long time.
How to Increase Resilience in Your Environment
The first step is to think like an attacker. Security teams should identify the assets that are the most lucrative targets for adversaries, categorize the levels of risk to those assets and take steps to improve their security posture. The ultimate goal is to make it hard for an attacker to walk the attack path described above.
Keeping the attackers’ perspective in mind, security teams must then remain alert to any suspicious behavior in their systems before it escalates into a full-scale attack on their environment. This can be challenging because hackers have become skilled at blending in their suspicious activity with normal operations. One way to mitigate this difficulty is by checking for indicators of compromise (IOCs), such as configuration drift and abnormal or unexpected file changes.
In addition, if malicious activity occurs while the organization is undergoing a significant software update or another cybersecurity event, it might escape the IT team’s attention, since they are expecting a bunch of changes to occur. Accordingly, it is especially important to maintain holistic visibility into all file uploads and software modifications while the infrastructure is in a state of flux.
Another significant step is to proactively keep user and administrator privileges at the minimum required level. For example, if RDP needs to be enabled, enforce limits on who can reach the port and use the RDP service; ideally, allow RDP use only when needed, for only as long as needed.
Another vital element of cyber resilience is the prompt discovery of suspicious activity. For example, monitor all activity from a network and device perspective when RDP is in use, and use of CMD or PowerShell.
Elevating Your Cyberdefenses
Since IT environments are constantly changing and cyberthreats continue to evolve, IT professionals have to remain vigilant. It is crucial to routinely test systems for weaknesses after the initial system hardening process is concluded, and to continuously monitor IT systems for suspicious activity.
Cybersecurity guidelines, like those in the NIST framework, can help organizations achieve higher cyber resilience. By following cybersecurity best practices, organizations can protect their critical data, their business operations and the integrity of their brand, even when the organization is most vulnerable.
