Here’s a reality check: attackers are hiding in plain sight, using your tools and systems against you. This is the unsettling world of Living off the Land (LotL) attacks, a tactic that evades detection by blending with legitimate operations. Endpoint security solutions alone often struggle to spot these hidden moves, which makes understanding and preparing for these threats essential for cyber resilience. In our latest “CheckITOut” podcast episode, cyber security experts Stephen Moore from Exabeam and The Missing Link's Thomas Naylor dive into why LotL attacks are among today’s most challenging and insidious threats.
What are Living off the Land (LotL) attacks?
Living off the Land (LotL) attacks use legitimate tools and processes within your systems to carry out malicious activities. Rather than introducing foreign malware, LotL attackers exploit authorised software already in your environment, making detection challenging as their actions often mimic standard operations.
These attackers are known for working “low and slow”—keeping a low profile while using common tools like PowerShell and VSS Admin to manipulate file systems, change permissions, and escalate privileges. Often seen as the “Swiss army knife” for attackers, these utilities are typically used by administrators to manage Windows environments. Their extensive permissions allow attackers to persist undetected, blending into regular activities and making traditional defences less effective.
This stealthy approach demands heightened awareness and proactive defences to counteract tactics that conventional detection methods often miss.
Who’s at risk? A look at targeted industries
LotL attacks don’t discriminate. Organisations across various industries have fallen victim to these tactics, from large financial firms to educational institutions. Recent cases show how LotL attacks have impacted sectors such as financial services, healthcare, education, and local government, highlighting a troubling trend: any organisation, regardless of size or industry, can be a target.
Even organisations with advanced cyber security measures aren’t immune. High-security sectors like financial services and healthcare remain vulnerable as these attacks use familiar tools to evade standard protocols and often go undetected. For high-risk sectors, aligning defences with the ASD Essential 8 framework is crucial to building cyber resilience and limiting these attacks. This diversity of victims reveals that no sector is safe from LotL tactics, stressing the need for enhanced defences across all types of organisations.
Why traditional defences fail against LotL
Standard cyber security measures, like antivirus software and signature-based detection, often fall short against LotL attacks. These attacks exploit authorised tools within your environment, allowing attackers to blend into routine activities. Traditional defences, which focus on identifying external threats or malicious code, struggle to distinguish between normal and malicious actions in these cases.
Without a suspicious file or abnormal process to alert security systems, attackers can move undetected through an organisation’s infrastructure. Credential dumping and other persistence tactics allow LotL attackers to harvest legitimate credentials, granting extended access to your network and enabling.
Solutions like Managed Detection and Response (MDR) provide advanced monitoring capabilities to detect subtle, unauthorised activities, while a Security Operations Centre offers round-the-clock surveillance to track LotL tactics in real-time. Network Security solutions add an extra layer of protection, preventing attackers from moving freely within the network.
With LotL attacks becoming more sophisticated, traditional defences alone aren’t enough. To explore how AI and machine learning are transforming detection capabilities for LotL attacks, check out part 2 of this blog series, LotL attacks: AI and Machine Learning as your best defence.
Steps you can take now to mitigate LotL attacks
Mitigating LotL attacks calls for a multi-layered approach. Here are some effective steps to reduce your organisation’s vulnerability:
1. Leverage MITRE ATT&CK principles
The MITRE ATT&CK framework maps out adversarial tactics and identifies weak spots in your defences. With our MITRE ATT&CK Coverage Assessment, you can anticipate and counteract tactics that LotL attackers may use. This framework provides a structured way to align your defences with known adversarial tactics, helping identify and address critical gaps.
2. Implement Security Awareness Training
LotL attacks often rely on human error, such as falling for phishing attempts or unknowingly activating malicious actions. Attackers use social engineering tactics that appeal to curiosity or urgency. One real-world example involved attackers sending emails with “party pics” to lure individuals into clicking, only to expose them to malicious content. Security awareness training equips your team to recognise and avoid these traps. Staying calm and vigilant—qualities that The Missing Link’s Security Awareness Training reinforces—is crucial for preventing these kinds of attacks.
3. Restrict access to system tools and enforce user access controls
Limit access to system tools and enforce strict user access controls to ensure only authorised personnel perform sensitive actions, reducing opportunities for attackers.
4. Conduct regular Penetration Testing
Penetration testing proactively uncovers vulnerabilities that LotL attackers might exploit. Our Penetration Testing service simulates real-world scenarios to strengthen your defences, helping you stay a step ahead of attackers by identifying and addressing potential entry points before they can be exploited.
5. Adopt the ASD Essential 8 Framework
The ASD Essential 8 provides baseline security controls, such as multi-factor authentication and application whitelisting, to mitigate common threats. Implementing this framework enhances cyber resilience and strengthens against LotL attacks. Our ASD Essential 8 as a Service helps you deploy these defences effectively, aligning with government-recommended standards and enhancing your organisation’s resilience.
Building a resilient defence against LotL attacks
Living off the Land (LotL) attacks pose a unique and stealthy threat, exploiting familiar tools within your environment to evade traditional defences. By adopting a proactive, multi-layered approach—leveraging frameworks like MITRE ATT&CK, implementing security awareness, restricting access to system tools, and adhering to foundational standards like the ASD Essential 8—you can build a robust defence against these hidden dangers.
Strong leadership is also critical in managing these incidents. As discussed in the podcast, handling breaches with calm and confidence, much like a pilot navigating turbulence, is key to effective crisis management. With proactive training and resilient organisational culture, your team will be better equipped to face these sophisticated threats head-on.
To gain more insights from cyber security experts Stephen Moore and Thomas Naylor on how LotL attackers operate—and the steps you can take to defend against them—listen to the full podcast episode.
