Living-off-the-land Attacks: The Challenge and WatchGuard Advanced EPDR
In cybersecurity, "Living-off-the-land" (LotL) attacks have become increasingly difficult to detect. These attacks exploit legitimate system tools like PowerShell, WMI, or Office macros instead of relying on external malware, allowing attackers to move stealthily within a network. Traditional security measures struggle to identify these attacks, as they use trusted, digitally signed tools.
LotL attacks appeal to cybercriminals because they evade detection and reduce the risk of being traced. This low-profile approach increases the chances of a successful breach, as attackers remain hidden for longer periods.
Common Techniques in LotL Attacks
- PowerShell: Exploited to download and run malicious scripts, establish remote connections, or alter system settings without clear traces.
- WMI: Utilized to remotely execute commands, gather system data, or maintain persistence on the system.
- Remote Administration Tools: Tools like PsExec can be repurposed to execute malicious commands remotely.
- Office Macros: Malicious macros embedded in Office documents execute code upon opening, exploiting user trust.
Protecting Against LotL Attacks with WatchGuard Advanced EPDR:
- Application Control: Restrict tools like PowerShell and WMI to specific users and processes.
- Monitoring and Automated Behavior Analysis: Use behavior analytics in the Cloud to detect unusual system activities, rather than relying solely on signatures or endpoint technology.
To successfully implement these strategies, apart from the Zero-Trust Application Service that blocks untrusted applications, allowing their execution only after validating their trustability, and the Threat Hunting Service, WatchGuard Advanced EPDR offers functionalities that enable security analysts to quickly detect and respond to an attacker's presence using LotL techniques.
Analysts can prevent these attacks by denying applications like PowerShell and WMI or automatically detecting typical behaviors used in fileless malware attacks and mapping them to the MITRE ATT&CK framework.
Now, the new version of Advanced EPDR allows analysts to investigate these behaviors by accessing enriched telemetry with threat intelligence from a single console point. Additionally, WatchGuard Advanced EPDR provides valuable information for incident investigations involving malicious applications. It identifies MITRE ATT&CK techniques, the capabilities of malicious activities the program can exhibit, and the external functions it uses. These may include invoking operating system operations or other libraries by natively integrating CAPA, an open-source tool for automatically analyzing application behavior.
- Extension of Investigation and Rapid Response through Remote Shell: The new version of WatchGuard Advanced EPDR includes the ability to open a remote shell to obtain files, inspect processes, and even take direct action on the endpoint, whether it is Windows, Linux, or macOS.
- Do not allow connections if they pose a risk: Limiting communication between different network segments or endpoints using network segmentation can prevent attackers from moving laterally using LotL techniques. The new version of WatchGuard Advanced EPDR enables administrators to deny connections from noncompliant endpoints that pose a risk to protected endpoints, further enhancing organizations' security posture.
- Education and Awareness: Training employees on the risks of macros and the safe use of administrative tools can help prevent the inadvertent execution of malicious scripts.
Conclusion
Living-off-the-land attacks represent a significant challenge in modern cybersecurity. By exploiting legitimate system tools and functionalities, attackers can operate with a low profile, evading many traditional security solutions. Effective detection and prevention of these attacks require a combination of robust technical controls, constant monitoring, and strong security training for users. With the new version of WatchGuard Advanced EPDR, organizations can enhance their ability to detect, prevent, and respond to these advanced threats, ensuring a more secure and resilient environment.
