Imagine this. Stranded in a jungle without any of the familiar conveniences of the modern world, all you have to survive are the sticks, stones, ponds and amenities found in the current natural environment. You are off grid. What will you do? You would have to Live off the Land!
In cyber security Living off the Land (LotL) also refers to the use of tools and executable files already present on the target operating system environment. This article will present an example flow of a LotL attack and how a similar concept can be used in security to protect assets.
Living off the Land Attacks
This concept is often primarily used to launch malicious activity which in most cases go largely undetected for months. Activity which may include the use of legitimate system shells to download malicious payloads or stage 2 droppers in the case of multi-stage attack chain. Then hiding data exfiltration activity together with legitimate network traffic. Network traffic often allowed through perimeter controls. The ability to hide in plain sight and use lateral movement is a key advantage that has led to the thriving use of LotL attacks.
Most modern operating systems come with a whole host of tools and executables which although originally meant for legitimate use could be and are indeed frequently used by threat actors for malicious use. These include shells such as Bash found natively in many Linux distributions and PowerShell in Windows.
A typical type of living off the land attack is what has become known as fileless malware. First detected and attributed to possible nation state actors, in recent times it has become a mainstay for all types of threat actors.
For example such an attack could start with a phishing email with a link or a Microsoft Office email attachment with a macro. Once opened, the attack begins with the execution of the Microsoft Office macro. Part of the phishing tactic in the document will likely be to lure the user to enable the running of macros in that particular document. As a security feature, macros are usually disabled by default in new versions of Microsoft Office files. The macro runs and then spawns a native shell program like PowerShell on the victim system.
The spawned shell then continues the rest of the attack by downloading the malicious script and running it directly in memory. Since the rest of the attack occurs in memory, it makes it difficult to detect and stop especially by antivirus scans as no real malicious files are downloaded to the hard disk.
Running attacks in memory is possible because interestingly memory (RAM) can also be used like a hard disk to store files. This is what makes it possible for example to test run many distributions of Linux directly from a CD/DVD or removable storage as Live CDs or Live USBs without installing any operating system files on the Hard disk. The main distinction of RAM from hard disks being that it is not persistent after a reboot.
Lateral Movement - Living off the Land Attacks
One tactic that is almost always prevalent after an initial entry point of an attack is for attackers to then find a foothold on one of the systems as a pivot point and enabling them to subsequently move through the rest of network (on premise or in the cloud) to locate the important systems - Lateral Movement. These important systems could be Database Servers or systems which hold customer data - Crown Jewel Systems.
Lateral Movement is facilitated heavily by Living off the Land (LotL) using such native OS capabilities and tools as SSH on Linux and Unix systems or Remote Desktop Protocol in Windows as well as other remote services tools capable of discovering and executing code remotely. Once these systems have been discovered and compromised the stealing of data out of the network is started - Data Exfiltration.
Data Exfiltration - Living off the Land Attacks
The final stages once the attack has been successful and lateral movement used to locate the important data will be to steal and send the data back to the attacker. Malicious call back communication with the attacker's command and control can also be tunneled through common communication ports like DNS using for example DNS Text records or ICMP packets.
The figure above shows an example of a DNS tunneling tool used to hide data exfiltration. Since protocols like DNS, ICMP and HTTPS are common protocols used on a vast majority of networks, malicious activity that leverage them are normally difficult to detect even more so when obfuscation techniques are employed.
For even more stealth, malicious commands can be encoded from natural language into alphanumeric to obfuscate and avoid easy detection even when using lateral movement to travel through the network. For example base64 encoding may be used to achieve this which is especially true for encoded streams of data where network security devices perform inspection. Using encrypted channels over common ports like HTTPS TCP 443 is also a popular way to hide activity.
The figure shows an example of base64 encoding:
Computers can interpret base64 encoded commands and execute them just as well as normal language syntax commands.
In the case of fileless malware, a reboot of the affected machine clears the memory and terminates the attack but in reality however, most targeted systems are servers which tend to be rarely rebooted.
That not withstanding, to further maintain a long term foothold, threat actors may employ persistence capability that survives a reboot of the system. This also makes it possible for attackers to hide in the network for long periods of time undetected while continuing to carry out malicious activity and utilise lateral movement.
Common techniques used can include Windows task scheduler (at / schtasks) or startup scripts on Linux / Unix systems to guarantee that the malware is run after a reboot of the infected system.
Advantages of Living off the Land (LotL)
LotL offers some important advantages for the attacker. In the case of fileless malware, first and foremost being that the attack is lightweight and does not stand out in terms of normal operating system resources. Also, it makes it harder to detect with disk scans as no malware files are actually run on disk only in memory.
The main advantages can be summarised as follows:
- No custom Kernel Modules
- Use of native OS tools
- Efficient use of system resources on the target host
- No need for large pieces of malware code
- Difficult to detect based on traffic flows
- Attestation of the attack is hard to do
These advantages are primarily why LotL is widely preferred and in most cases widely used at various points during a multi-stage cyber attack.
Living off the Land Security (LotLS) - Zero Trust
Similar to the case of LotL for attacks, the right security tools can also leverage some of the native security protections built into the most popular data center and cloud operating systems as well as even container orchestration platforms like Kubernetes or Open Shift. This is an often simple yet effective leverage in a zero trust architecture.
Windows for example has the Windows Filtering Platform (WFP) and Linux and Unix have IPTables. IPFilters for AIX and Solaris also exist. These stateful firewalls can be orchestrated from a central management system (cloud or on-premise) to control communication to or from workloads directly on the workloads themselves. Then using natural language asset labelling to group them into their relevant locations, environment, applications and roles categories.
The same information can then be used to write, model and test security policy before enforcing any ring fencing or microsegmentation policy irrespective of the network architecture or where the workloads are located. This heavily facilitates zero trust and limits lateral movement.
Some of these operating systems also have builtin IPSec capability which can be used to secure communications between workloads especially for legacy applications that my have no innate data encryption.
Any useful implementation of what is referred to here as Living off the Land Security (LotLS) which facilitates zero trust must first have these basic capabilities:
- Context driven information (metadata and telemetry)
- Mapping and Visualisation capabilities
- Native support for OS security (Stateful Firewalls and IPSec)
- Orchestration of native OS security at scale
Zero Trust with LotLS
All this must also be possible without introducing any additional custom kernel modules into the system. Using the similar LotL techniques as the attackers offers security defenders similar important advantages without reinventing the wheel so to speak. Such as high performance and ability to scale greatly into the hundreds of thousands while still allowing security to follow the protected host or server without requiring changes to the network.
In conclusion, the capabilities described makes it possible to allow for the zero trust micro-segmentation of different environments and application workloads which is of course a crucial tactic to breaking an important part of even the most clandestine attack cycles - preventing lateral movement and thwarting data exfiltration.
Any useful implementation of what I refer to here as Living off the Land Security (LotLS) must first have context driven information, visualisation capabilities and then native support for OS security. [ Michael Adjei ]