Whether you know about LOtL attacks or not, you might be asking: why should I care if some security solution solves some security problem? The answer is that these attacks are on the rise, and any proactive and risk-conscious decision maker needs to be prepared to address them.
They are on the rise because, for the attackers, LOtL attacks require fewer resources to execute: there is no malware to create, buy, or deploy. They leverage only system tools that already exist within your environment, such as PowerShell (hence the name “living off the land”). They also leave fewer forensic traces, because fewer changes to a given system are required to achieve their outcome. That makes it harder than usual to determine whether you have been attacked, and how it happened.
What are the three reasons MDR is necessary to stop these attacks?
1: Only a Threat Hunter Finds Whitelisted Behaviour
LOtL attacks have been successful because the actions taken simply aren’t detected by traditional prevention-focused security software. That is an issue by design: prevention software works by deciding whether a given action within a system is a threat or normal, comparing the activity and processes at play against established lists of what “normal” and “threat” look like. An action carried out by a trusted, already-present tool lands on the “normal” side of that comparison.
Threat hunters, on the other hand, actively investigate the outcome a given action is trying to achieve and determine whether it is malicious. They also look at the source the action is coming from.
2: It Takes Proper Security Hygiene to Mitigate These Risks
If the ‘land’ in the analogy is the system or environment, then the vulnerabilities within it are what is being ‘lived off’. By remedying those vulnerabilities we make that land less “live-off-able”. Part of the MDR service IntelliGO Networks offers is a comprehensive, prioritized list of vulnerabilities, enabling you to keep your hygiene high enough to prevent LOtL attacks.
3: LOtL Attacks Take More Time to Execute
LOtL depends on determining which vulnerabilities are available and exploiting them. That process takes time, and it also yields a questionable return: perhaps only access to an innocuous part of your environment. The risk is that even such a ‘low risk’ area of the network may offer a foothold from which the attacker can progress further. The fortunate part is that the process is lengthy and remains dependent on the hygiene of your environment. By subscribing to an MDR service like ours, the risk of a LOtL attack coming to fruition is far reduced: we enable the remediation of those vulnerabilities, and at each stage of the attackers’ exploitation of them a threat hunter checks the impact and nullifies the attack. This is in stark contrast to a prevention-based approach, which would fail to identify the behaviour as a threat and would continue to do so no matter how long the attack had been underway.
What about logs?
It would be easy to assume that an MDR service wouldn’t be effective at detecting a LOtL attack because such attacks aren’t found in logs. While it’s true that MDR services, including ours, leverage logs, that is not all IntelliGO threat hunters look at. Fortunately, while LOtL attacks and the potential for them aren’t present in logs, they are visible at the endpoint, which means that a comprehensive MDR offering that includes Endpoint Detection and Response (EDR) is critical.
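As an added example that is not part of IntelliGO's post or product, the following Python scores constructed endpoint process-creation events, the kind of telemetry an EDR agent records and a traditional log pipeline may never see, for signs that a built-in tool such as PowerShell is being used in an unusual way (spawned by an Office application, hiding its window, bypassing execution policy, running an encoded command, or fetching remote content). It then surfaces only the events worth a threat hunter's time. The event fields, rule weights, escalation threshold and sample events are all assumptions made for illustration, not a vendor's detection rules.

```python
"""
Added example, not IntelliGO's code: scoring endpoint process-creation
events for living-off-the-land indicators. The event fields, rule weights
and sample events below are constructed for illustration; real EDR
telemetry and a real hunting playbook will differ.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcessEvent:
    host: str
    parent: str          # parent image name (lower-case)
    image: str           # process image name (lower-case)
    command_line: str
    user: str


# Built-in tools commonly leveraged in living-off-the-land activity.
SYSTEM_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                "certutil.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# (description, weight, predicate). Weights are assumed values chosen so that
# a single weak signal stays below the escalation threshold while a
# combination of signals crosses it.
RULES = [
    ("built-in tool spawned by an Office application", 4,
     lambda e: e.image in SYSTEM_TOOLS and e.parent in OFFICE_PARENTS),
    ("PowerShell given an encoded command", 3,
     lambda e: e.image in POWERSHELL
     and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s", e.command_line)),
    ("PowerShell asked to hide its window", 2,
     lambda e: e.image in POWERSHELL
     and re.search(r"(?i)\s-w\w*\s+hidden\b", e.command_line)),
    ("execution policy bypassed on the command line", 2,
     lambda e: e.image in POWERSHELL
     and re.search(r"(?i)\s-ex\w*\s+bypass\b", e.command_line)),
    ("PowerShell retrieving remote content", 3,
     lambda e: e.image in POWERSHELL
     and re.search(r"(?i)downloadstring|invoke-webrequest|net\.webclient",
                   e.command_line)),
]

ESCALATION_THRESHOLD = 5  # assumed: below this, nobody is paged


def score_event(event):
    """Return (score, [matched rule descriptions]) for one process event."""
    score, reasons = 0, []
    for description, weight, predicate in RULES:
        if predicate(event):
            score += weight
            reasons.append(description)
    return score, reasons


def triage(events, threshold=ESCALATION_THRESHOLD):
    """Return (host, score, reasons) for events a hunter should review,
    highest score first. Everything below the threshold is dropped."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event.host, score, reasons))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


# Constructed sample telemetry (not real data). Event 2 stands in for an
# Office document launching a hidden, encoded PowerShell command; the
# payload itself is replaced by a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent("ws-0412", "explorer.exe", "powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
                 r"CORP\helpdesk"),
    ProcessEvent("ws-0417", "winword.exe", "powershell.exe",
                 "powershell.exe -w hidden -ExecutionPolicy Bypass "
                 "-enc <base64-placeholder>",
                 r"CORP\jsmith"),
    ProcessEvent("ws-0420", "explorer.exe", "cmd.exe",
                 "cmd.exe /c dir", r"CORP\jsmith"),
    ProcessEvent("srv-db01", "explorer.exe", "powershell.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
                 r"-File C:\deploy\setup.ps1",
                 r"CORP\dbadmin"),
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: score {score}: {'; '.join(reasons)}")
```

The point of the weighting is the one the post makes about threat hunting versus allow-listing: no single rule says "PowerShell is bad", because PowerShell run from a script path by an administrator (the first and last sample events) is normal operations and must stay below the threshold. It is the combination of source (an Office parent), behaviour (hidden window, policy bypass) and intent (an encoded command) on the second event that earns a hunter's attention. Only the parent-process relationship and full command line make that judgement possible, and those fields come from endpoint telemetry rather than from an authentication or firewall log.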