An increasingly prevalent tactic known as "living off the land" is changing how we see cyberattacks and, in turn, how we approach cyber defense. Often cheaper and easier than writing bespoke malware for every campaign, living off the land allows attackers to exploit tools that are regularly used in day-to-day activity to gain remote access, move through the network, and achieve their ultimate goals – usually some combination of data exfiltration and extortion.
Conventional security tools typically rely on the hallmarks of historical attacks: building up deny lists of file hashes, domains, and other indicators encountered in previous threats. But when an attacker is using your own infrastructure against you, how do you interrupt the attack without disrupting normal business operations?
How Attackers Live Off Your Land
Living-off-the-land techniques take place after an initial infection, which can come from a phishing email, an exploited system or software vulnerability, or any number of other attack vectors. They help the attacker carry out network reconnaissance, lateral movement, and persistence in preparation for the ultimate goal: data exfiltration, or encryption and extortion.
Once a device is infected, attackers can wield hundreds of system tools. Living-off-the-land trends constantly change, so a "standard" living-off-the-land attack is difficult to define. However, Darktrace has observed broad trends in attack activity across over 5,000 customers.
Microsoft Binaries and Scripts
There are currently over 100 system tools that are vulnerable to misuse and exploitation if they fall into the wrong hands. This list includes tools that allow attackers to create new user accounts, compress or exfiltrate data, gather system information, launch processes on a target device, or even disable security tools. Microsoft’s own documentation of vulnerable preinstalled utilities is a nonexhaustive and growing list, as attackers continue to find new ways to use these tools to meet their ends while blending in and avoiding detection by traditional defenses.
WMI and PowerShell
When it comes to delivering malicious payloads to a target, the command-line tools WMI and PowerShell are the ones attackers use most frequently. Administrators use these utilities to configure security settings and system properties, so they give attackers access to sensitive network and device status information and the ability to transfer and execute files between devices.
Because these tools are a fundamental component of typical digital infrastructure, their misuse for malicious purposes is often lost in the background noise.
The Infamous Mimikatz
Mimikatz is an open source utility that is leveraged by attackers for the dumping of passwords, hashes, PINs, and Kerberos tickets.
Traditional security approaches for detecting the download, installation, and use of Mimikatz are particularly insufficient. Attackers benefit from a wide range of proven, well-documented techniques for obfuscating tooling like Mimikatz, meaning even an unsophisticated attacker can subvert basic string- or hash-based detections.
Stopping Attackers From Living off the Land With AI
You can expect hundreds, thousands, or even millions of credentials, network tools, and processes to be logged each day across a single organization. So how can defenders catch attackers who are blending into this noise using legitimate tools?
Artificial intelligence (AI) technology is critical to identifying and stopping attackers who are trying to live off the land. Rather than looking for known signs of attack, AI can learn the organization's unique digital environment from the ground up, understanding the "patterns of life" of every device and user. This learned sense of "self" enables it to spot subtle deviations in behavior that are indicative of an emerging attack.
In the case of living-off-the-land attacks, AI is able to recognize that although a particular tool might be commonly used, the way in which an attacker is using it reveals the seemingly benign activity to be unmistakably malicious. Making this clever distinction is the sweet spot for AI and its unique understanding of the organization.
As more data points are added, the AI’s understanding of an organization becomes more thorough. AI thrives in the same complexity that enables attackers to live off the land.
In the example covered above, the AI might observe PowerShell user-agents frequently across multiple devices, but it will only report an incident if the user-agent is observed on a device at an unusual time. Activities indicating Mimikatz use, like new credential usage or uncommon SMB traffic, can be subtle, but measured against a learned baseline of normal operations they are not buried in the infrastructure's everyday activity.
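To make the "pattern of life" idea concrete, here is an added example (not Darktrace's code or the article's own) that learns, per device, the hours at which a PowerShell user-agent is normally seen in constructed proxy logs, and alerts only on observations that break that device's pattern or appear on a device that never showed one. The log format, device names and user-agent strings are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines, "<timestamp> <device> <user-agent>": ordinary daytime PowerShell web requests.
BASELINE_LOGS = [
    "2024-03-04T09:12:03 ws-admin-01 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1",
    "2024-03-05T10:40:11 ws-admin-01 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1",
    "2024-03-06T11:02:55 ws-admin-01 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1",
    "2024-03-06T14:07:09 ws-hr-07 Mozilla/5.0 (Windows NT 10.0) Chrome/122.0",
]

def parse(line):
    """Split a log line into (hour of day, device, user-agent)."""
    ts, device, ua = line.split(" ", 2)
    return datetime.fromisoformat(ts).hour, device, ua

def is_powershell(ua):
    # PowerShell's web cmdlets name themselves in the User-Agent header.
    return "powershell" in ua.lower()

def build_baseline(lines):
    """Learn, per device, the hours in which a PowerShell UA is normal."""
    seen = defaultdict(set)
    for line in lines:
        hour, device, ua = parse(line)
        if is_powershell(ua):
            seen[device].add(hour)
    return seen

def unusual_hour(hour, learned, tolerance=1):
    """True when hour is more than `tolerance` hours from every learned hour."""
    return all(abs(hour - h) > tolerance for h in learned)

def flag(baseline, lines):
    """Alert only on PowerShell UAs that break the device's own pattern."""
    alerts = []
    for line in lines:
        hour, device, ua = parse(line)
        if not is_powershell(ua):
            continue  # browser traffic is not the behaviour of interest
        if device not in baseline:
            alerts.append((device, hour, "powershell ua never seen on device"))
        elif unusual_hour(hour, baseline[device]):
            alerts.append((device, hour, "powershell ua at unusual hour"))
    return alerts

# Constructed new observations: one normal, two anomalous, one irrelevant.
NEW_LOGS = [
    "2024-03-11T09:50:00 ws-admin-01 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1",
    "2024-03-11T03:10:00 ws-admin-01 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1",
    "2024-03-11T10:00:00 ws-hr-07 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1",
    "2024-03-11T03:12:00 ws-hr-07 Mozilla/5.0 (Windows NT 10.0) Chrome/122.0",
]
```

Running `flag(build_baseline(BASELINE_LOGS), NEW_LOGS)` returns only the 03:10 request from ws-admin-01 and the first PowerShell request ever seen from ws-hr-07; the 09:50 request matches the learned pattern and the Chrome traffic is ignored.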
Living-off-the-land techniques aren’t going away. In response to this growing threat, security teams are moving away from legacy-based defenses that rely on historical attack data to catch the next attack, and toward AI that relies on an evolving understanding of its surroundings to detect subtle deviations indicative of a threat – even if that threat is using legitimate tools.