Recently, you may have noticed several cybersecurity news sites citing Microsoft’s article on Flax Typhoon’s (threat actors) stealthiness while performing their cyber intrusions. While reading through the article, it contains a lot of valuable information, so we encourage you to check it out. However, we still wanted to share a few things with our readers.
First, let’s look into this Living off the Land technique and why it is an effective intrusion method. Secondly, we will examine how you can defend yourself against such techniques.
What is the Living off the Land technique?
Without googling and citing the various interpretations (as it is keen in the cyber world), let’s simplify it and say: Living off the Land is a technique that threat actors use where they abuse legitimate (native) tools (often) already installed on the target system. The goal of using such a technique is to remain stealthy, unnoticed, as long as possible in the targeted environment.
So, why does Living off the Land enable stealthiness?
We will stay brief here as much as possible. First off, there are probably, from a high-level perspective, three cases that we need to differentiate:
The customer has Endpoint Protection only (aka Anti-Virus, Firewall, etc.), but no visibility and capabilities of detected threats that cannot simply be ‘blocked’/’prevented.’
The customer has Endpoint Protection and visibility into logs and events generated on the endpoint, which are not necessarily ‘prevented’ and/or ‘blocked (aka EDRs, NGFW, etc.).
The customer has no endpoint visibility or protection.
OK, the third case we can skip as any technique would work in such a case without any visibility or protection enabled.
In the first case, it is very easy to remain stealthy, especially by using the Living off the Land technique. We will focus on the second case and explain why it (mostly) works in such cases.
Security monitoring consists of running security tool(s) on a machine capable of monitoring different processes and/or events being run on the machine. While logging these events, good solutions have correlation capabilities where different processes and/or modifications of different properties (files, registries, etc.) stitched together create a suspicious event, which is reported to the front-end user interface off the tool used. This is where security analysts or IT team would look and investigate such reports (or alarms / events / cases, whatever terminology is used by the vendor).
Now, the thing is that a lot of processes/modifications/executions that can be malicious are also completely legitimate. For example, PowerShell is a completely legitimate tool, often used by SW Developers, System Administrators, IT Team, etc. But we all know that it very well can be abused with malicious intent. Such events cannot be reported as potentially malicious, as they would trigger a lot of false positive cases (especially in a company that heavily uses PowerShell for legitimate purposes), which would fatigue the person investigating these. Moreover, there are other native tools that adversaries use to try and remain undetected (the Microsoft article mentioned for example, SCM, WMIC, Sticky Keys, etc.).
Because security products do not trigger alarms or prevent the execution of such native tools to limit false positive cases, using these tools for malicious intent enables such stealthiness.
Where is this technique most often used?
From our experience, to remain undetected is practically the goal of every threat actor – no matter their end goal. However, we do notice that only more skilled and advanced threat actor groups are capable of using such techniques. This is not simply running a ransomware malicious software that does all the tasks. This technique requires adaptiveness on-the-go, which is extremely difficult. Once they successfully penetrate the first line of defense, let’s say by exploiting a public-facing web server, they need to perform at least some basic recon to understand the environment they landed in. And based on the obtained intelligence, craft their next steps to remain undetected – what tools do they have on disposable / installed? What user privileges have they obtained? What persistence method is best applied to remain undetected even after reboots? All of this is very dynamic and often time-pressured, thus requiring skilled hackers.
Since ransomware extortions have been proven to be the best ‘money-grabbing’ technique, and most of the non-APT groups prime motive is indeed to earn money out of their attacks, these groups will probably not use such techniques as often, as it is not even truly required – with ransomware you want to move fast: get in, exfil, encrypt, and get out. The nation-state-sponsored threat actors are most likely to be leveraging such techniques. One of the motives of nation-states is to obtain intelligence about their target via espionage. To do so, their goal is to remain in the environment for a very long time, to keep obtaining the intelligence that requires them to use techniques such as Living off the Land.
How to defend your organization against such a technique
First, let’s start with preventive countermeasures. If we all challenge ourselves a bit here and think of how we could prevent the abuse of legitimate, native tooling from being abused by adversaries. One common answer would be disabling such tooling that can be abused maliciously. And that answer is, in all honesty, completely fair. Unfortunately, it cannot apply to all organizations, as some rely on those tools for their business. But the answer does lie somewhere in between, and we refer to it as ApplicationWhitelisting.
Application whitelisting is the approach of restricting the usage of any tools or applications only to those that are already vetted and approved. You can take it a step further by doing it on a role or user basis because some users may need to use an application while others do not. One obvious downside is the requirement of managing such lists, as they tend to change. Still, application whitelisting is one of the strongest countermeasures against such threats, but also plenty of others, and we encourage organizations to adapt it.
Still, you have some users that have some applications whitelisted, which can be abused in a cyber intrusion. What is left for you now is to focus on detection capabilities.
The key differentiator in detecting these threats could be:
The endpoint security product that is capable of reporting anomalous behavior. Anomaly detection can prove helpful in cases where some legitimate tools are being abused for malicious intent, but the user has never used that tool. This would trigger an anomaly event, and an investigation can take place. This is, of course, not foolproof and can also cause a lot of false positives–depending on the maturity of the organizations that use it.
The analysts investigating the case are probably the best key persons who can detect the abuse of legitimate tooling due to the insights they can gather by correlating all the events that triggered on the targeted system and also applying historical data combined with the intelligence of the company structure (whether it is expected that this machine would do ‘this’).
Targeted Threat Hunting is one method that should be used as part of any Security Program, which could, in this very specific case, focus on detecting persistency commonly abused by Living off the Land techniques.
As you can see, only the first option relies more on tooling – in this case, let’s even say ‘AI-powered’ tooling. However, the robust detection capabilities lie in employing security monitoring capabilities combined with experienced analysts investigating such cases.
To conclude: By combining preventive capabilities such as application whitelisting and detection capabilities, organizations have a much higher chance to detect and prevent intrusion attempts that rely on the Living off the Land technique.