
How to protect organisations from common living-off-the-land techniques and malware attacks

Written by Dirk Schrader, Resident CISO (EMEA) and VP of Security Research at Netwrix

Cyber criminals refine their attack methods year on year, so organisations need to recognise the signs of malicious activity throughout their digital environments. Because those environments are increasingly exposed to compromise, monitoring trends in the current threat landscape must be a standing priority.

Like a digital parasite, cyber criminals can “live off the land” (LOL) inside a victim’s infrastructure: rather than dropping custom malware, they abuse the legitimate tools and features already installed there (administration utilities, scripting engines, remote-management services), which lets them blend in with normal activity while they locate and steal essential data assets. Once an attacker has a foothold, they can deploy malware, exfiltrate as much valuable data as possible, and later use it as leverage to extort a ransom from the target. System hardening is one of the most effective measures a corporation can take to reduce the risk of such attacks. A good starting point is to follow the guidelines published by the National Institute of Standards and Technology (NIST), which let organisations take charge of their own security posture.

Common living-off-the-land techniques and malware attacks

Whether the payload is malware or a living-off-the-land tool, extortion attacks follow the same five steps as many other common attack chains. The formula is generic: the threat actor wants to get there, get in, get ready, get more, and get money.

Cyber criminals use various methods to reach a target’s infrastructure and “get there”. For example, an attacker can run targeted phishing campaigns, via malicious ads and look-alike websites, that prompt unwary victims to enter their login credentials. Through that route or others, such as guessing weak credentials or exploiting unpatched vulnerabilities, the attacker then “gets in”. Once inside, the attacker “gets ready” to apply LOL techniques by escalating privileges and avoiding detection, using the native tools already present on the system.

To “get more”, the attackers then move laterally through the infrastructure, harvesting information they can later use for extortion or as leverage against a more valuable target connected to the initial victim. Finally, they “get money” by encrypting the victim’s data, threatening to publish the stolen copies, and demanding a ransom from the organisation.

How to control the attack surface

During any malware attack, cyber criminals probe the target’s security layers for weak points to exploit. Gaps in infrastructure, data protection, or identity and credential management are what attackers need to run their malware. Those gaps widen when an organisation is in the middle of a significant software update, a change to its internal password policy, or any other major change to its security controls. Throughout such changes, organisations must keep full visibility of their files and software before, during, and after the change is made.

To close those gaps, organisations should follow established system hardening guidelines. System hardening is a step-by-step process for reducing the vulnerabilities and risks present in an application, infrastructure, or system; its overarching goal is to counter emerging attack vectors and shrink the attack surface. Only when carried out correctly do these measures give organisations the best chance of defending against malware attacks.

Following NIST guidelines

Among the many resources available online, NIST’s system hardening guidelines are among the most trusted and widely recommended, and they are free of charge. According to NIST, the first steps in breaking the path of a malware attack are to prevent and to detect emerging threats.

The first action towards an effective hardened state is prevention. To achieve it, IT security teams must start by thinking like an attacker and question their conventional approach. That shift in perspective helps them find security gaps that would otherwise be overlooked, improve the overall security strategy, rank risks by severity, and identify the organisation’s most valuable assets. The result is that LOL techniques become harder to execute and the organisation’s overall attack surface shrinks significantly.

The next step is to detect suspicious behaviour as early as possible, before it can escalate. Distinguishing suspicious activity from normal operations in a constantly changing environment is challenging, but it can be done by checking for indicators of compromise (IOCs). Two practical indicators are configuration drift (settings that deviate from the approved baseline) and abnormal or unexpected file changes; both are found by recording a known-good baseline and comparing the live system against it.
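As an added worked example (not code from this article or from Netwrix), the following Python script shows the baseline-and-compare approach in miniature: it hashes every regular file under a directory, then reports files that were added, removed, or modified relative to the recorded baseline. The directory tree and the simulated attacker edits (a weakened sshd_config, a dropped cron job, a deleted backup script) are constructed for the demonstration only; in production the baseline would be stored off-host and the comparison scheduled.

```python
"""Baseline-and-diff file integrity check (constructed example, not Netwrix code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a POSIX-style relative path) to its digest."""
    result: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks: hashing through a link would let an attacker point a
            # monitored path at an unchanged file and hide a real modification.
            if p.is_symlink() or not p.is_file():
                continue
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift as added, removed or modified; lists are sorted for stable reports."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small config tree, then simulate an intruder's edits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "bin").mkdir()
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\ntar czf /backup.tgz /data\n")

        baseline = snapshot(root)  # in practice: store this off-host, signed

        # Simulated drift (all constructed): a weakened SSH setting, a persistence
        # cron job dropped in, and the backup job deleted before encryption.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (root / "bin" / "backup.sh").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

The report from `demo()` flags the cron file as added, the backup script as removed, and sshd_config as modified, while the untouched sudoers file produces no noise. A real deployment would exclude paths that legitimately churn (logs, caches), hash from a read-only or attested copy of the baseline, and raise an alert for any change that does not match an approved change record, which is the configuration-drift check described above.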

Ultimately, IT security teams carry a great responsibility for protecting the organisation’s digital environment, especially during periods of infrequent maintenance and major software events, when it is most exposed. They must therefore routinely test for weaknesses and malicious behaviour, including after the hardening process is complete. Guidelines such as NIST’s can help organisations navigate the difficult hardening journey. With these trusted recommendations and consistent adherence to security best practice, organisations can protect their critical data, their customers’ data, their business operations, and their brand.