Unveiling the Threats of Living Off the Land in Cybersecurity


By Tina Reynolds


Bitdefender’s recent analysis of 700,000 security incidents sheds light on the growing use of “Living Off the Land” (LOTL) techniques by attackers. Martin Zugec, Technical Solutions Director at Bitdefender, explains why understanding these tactics matters, and the findings fed directly into Bitdefender’s GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. Most worrying, 84% of successful attacks in the dataset leveraged LOTL binaries, a figure that should prompt organizations to rethink how they approach defence.

The analysis adds to the evidence that attackers favour common, legitimate system utilities because those utilities blend into normal activity and bypass traditional, signature-based controls. The report’s central message is that defenders need to build their controls from an adversary’s perspective. The underlying data, compiled by Ralitsa A, Business Research Analyst at Bitdefender, covers 90 days of telemetry gathered by the GravityZone platform, and paints a clear picture of how widely these techniques are used and their impact on organizations, including public sector entities, worldwide.

Understanding LOTL Techniques

Attackers increasingly use LOTL tactics to hide within the normal flow of system operations. By leveraging tools that are already part of the operating environment, they avoid dropping recognizable malware and can carry out their activity with far less risk of detection. Martin Zugec points out that Bitdefender’s allow-listing approach was built around the attacker’s own mindset and methodology.

“If we use standard utilities, we won’t be detected… We never drop tools on machines.” – gg, the BlackBasta ransomware group leader

The quote sums up LOTL tactics and marks a shift in what attackers want from their tooling: built-in utilities such as PowerShell, netsh.exe and WMIC are already installed, already trusted, and already generating legitimate noise. To defend against their abuse, organizations first need visibility into which of these utilities are used in their own environment, by whom, and when.

Bitdefender’s telemetry shows PowerShell activity on 73% of endpoints, and legitimate PowerShell use in almost 96% of organizations. That ubiquity makes PowerShell a double-edged sword: it is too widely used to block outright, and malicious use can hide among routine administration. The share of endpoints with PowerShell activity is lower in the Asia-Pacific region, at 53.3%, a gap that invites closer study of regional differences in security practices and awareness.

Prevalence of LOTL Binaries

The findings show that LOTL binaries are heavily used in large-scale attacks. As Shmodee notes in the report’s command-line analysis, netsh.exe was the most commonly abused tool, appearing in a third of the notable incidents. Organizations should therefore review how this and similar utilities are used and monitored in their environment.

WMIC remains a favourite of third-party applications for collecting system information, even though Microsoft has deprecated it and plans to remove it from Windows. That dependence is an ongoing challenge for defenders, who must allow legitimate use while catching abuse by attackers.
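The visibility the earlier section calls for (which utilities are used, by whom, and when) and the netsh.exe and WMIC abuse described here can both be demonstrated by triaging process-creation events. The following Python is an added example, not Bitdefender’s code and not part of PHASR. The event format, the abuse patterns, the hostnames and user names, and the sample log lines are all constructed for illustration, modelled on the fields a Windows Security event 4688 carries when command-line auditing is enabled.

```python
"""Baseline and triage Living Off the Land (LOTL) binary use.

Added example (not Bitdefender's code). Events are constructed JSON lines with
the fields a Windows Security 4688 event carries when command-line auditing is on.
"""
import json
import re
from collections import Counter, defaultdict

# LOTL binaries the report singles out, matched on the image file name.
LOTL_BINARIES = {"powershell.exe", "netsh.exe", "wmic.exe"}

# Command-line patterns that rarely appear in routine administration.
# Constructed list: (binary, regex, description).
ABUSE_PATTERNS = [
    ("netsh.exe", re.compile(r"\bportproxy\b.*\badd\b", re.I), "netsh port forwarding"),
    ("netsh.exe", re.compile(r"\bwlan\b.*\bkey=clear\b", re.I), "netsh Wi-Fi key disclosure"),
    ("netsh.exe", re.compile(r"\badvfirewall\b.*\bstate\s+off\b", re.I), "netsh firewall disable"),
    ("wmic.exe", re.compile(r"\bprocess\b.*\bcall\b.*\bcreate\b", re.I), "wmic process creation"),
    ("wmic.exe", re.compile(r"/node:", re.I), "wmic remote execution"),
    ("powershell.exe", re.compile(r"-(enc|encodedcommand|e)\b", re.I), "PowerShell encoded command"),
    ("powershell.exe", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "PowerShell hidden window"),
    ("powershell.exe", re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b", re.I), "PowerShell download cradle"),
]

# Constructed sample log (hosts, users and paths are invented): jsmith runs a
# scheduled inventory script, svc-backup and netadmin use wmic/netsh routinely,
# then a few later lines look like an intrusion.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-06T09:02:11", "host": "WS-0141", "user": "CORP\\jsmith", "parent": "svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"ts": "2024-05-06T10:15:40", "host": "FS01", "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "wmic logicaldisk get size,freespace"}
{"ts": "2024-05-07T08:30:05", "host": "WS-0007", "user": "CORP\\netadmin", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\netsh.exe", "cmd": "netsh interface show interface"}
{"ts": "2024-05-07T09:01:59", "host": "WS-0141", "user": "CORP\\jsmith", "parent": "svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"ts": "2024-05-08T09:03:12", "host": "WS-0141", "user": "CORP\\jsmith", "parent": "svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"ts": "2024-05-08T14:22:47", "host": "WS-0141", "user": "CORP\\jsmith", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\netsh.exe", "cmd": "netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"}
{"ts": "2024-05-08T14:25:03", "host": "WS-0141", "user": "CORP\\jsmith", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts": "2024-05-09T03:41:19", "host": "WS-0141", "user": "CORP\\rreyes", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "wmic /node:FS01 process call create \"cmd.exe /c whoami\""}
{"ts": "2024-05-09T08:00:00", "host": "WS-0007", "user": "CORP\\netadmin", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\netsh.exe", "cmd": "netsh interface show interface"}
{"ts": "2024-05-09T08:05:30", "host": "FS01", "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "wmic logicaldisk get size,freespace"}
"""


def basename(path):
    """File name of an image path, lower-cased, tolerating either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text):
    """Parse JSON-lines text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def usage_summary(events):
    """Count (user, LOTL binary) pairs: who runs which utility, and how often."""
    counts = Counter()
    for ev in events:
        binary = basename(ev["image"])
        if binary in LOTL_BINARIES:
            counts[(ev["user"], binary)] += 1
    return counts


def build_baseline(events, until):
    """Map each user to the LOTL binaries they ran before `until`.
    ISO 8601 timestamps compare correctly as plain strings."""
    baseline = defaultdict(set)
    for ev in events:
        binary = basename(ev["image"])
        if binary in LOTL_BINARIES and ev["ts"] < until:
            baseline[ev["user"]].add(binary)
    return baseline


def match_abuse(binary, cmd):
    """Descriptions of every abuse pattern the command line matches."""
    return [desc for b, rx, desc in ABUSE_PATTERNS if b == binary and rx.search(cmd)]


def triage(events, baseline, since):
    """Flag LOTL events from `since` on that match an abuse pattern, or that are
    the first time this user has been seen running this binary."""
    findings = []
    for ev in events:
        binary = basename(ev["image"])
        if ev["ts"] < since or binary not in LOTL_BINARIES:
            continue
        reasons = match_abuse(binary, ev["cmd"])
        if binary not in baseline.get(ev["user"], set()):
            reasons.append(f"first use of {binary} by {ev['user']}")
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "binary": binary, "cmd": ev["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for (user, binary), n in sorted(usage_summary(events).items()):
        print(f"{user:18} {binary:16} {n}")
    for f in triage(events, build_baseline(events, "2024-05-08"), "2024-05-08"):
        print(f"{f['ts']} {f['host']} {f['user']}: {'; '.join(f['reasons'])}\n    {f['cmd']}")
```

Run stand-alone, the script prints the per-user usage table and flags three of the later events: a netsh port-proxy that forwards RDP, a hidden-window encoded PowerShell command, and a remote WMIC process creation by a user never seen running WMIC before. The two-day baseline window is for brevity; in production it must be long enough to capture periodic administrative tasks, and the first-use heuristic is a prompt for review rather than a verdict.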

Bitdefender’s PHASR technology is designed to address these challenges. It incorporates hundreds of rules derived from observed attacker playbooks and threat intelligence, and applies them proactively to harden endpoints against LOTL techniques and improve an organization’s overall security posture.

Implications for Cybersecurity Practices

The implications are significant. As the threat landscape changes, organizations need to adapt their security practices to the growing use of LOTL tactics. Because attackers rely on legitimate tools, the emphasis shifts to how defenders track those tools and respond when they are used with malicious intent.

Strong detection for widely used system utilities lets organizations spot suspicious activity even when it is launched under a legitimate user account. In practice that means capturing the evidence first: process-creation auditing with command lines included (Windows Security event 4688) and PowerShell script block logging (event 4104) are prerequisites for telling routine administration from abuse. Training employees to recognize and report the signs of exploitation further strengthens the organization’s security culture.

Finally, as Bitdefender’s findings show, taking the adversary’s perspective leads to better defenses. By identifying trends in data from real attacks, organizations can better predict where attacks will come from and reinforce their security infrastructure accordingly.