Why 'living off the land' has become a preferred method of cybercrime

Dive Brief:

"Living off the land" (LotL) style of attacks has made the malicious use of PowerShell a "staple" for cybercrimes, showcased by a 1,000% uptick of blocked malicious PowerShell scripts on the endpoint in 2018, according to Symantec's Internet Security Threat Report.
Nearly half of malicious email attachments are Microsoft Office files. Hacker groups like Mealybug and Necurs leverage macros in Office files to "propagate malicious payloads" and experiment with XML files, according to the report.
Supply chain attacks, where attackers can compromise a company through its use of third-party services, increased nearly 80% in 2018. Attackers exploit developers by hacking third-party libraries "that are integrated into larger software projects," according to Symantec.

Dive Insight:

LotL and supply chain attacks take advantage of trusted applications and partner ecosystems. Preventing these types of attacks demands more sophisticated detection tools.

Pursuing script-based attacks are easier to make and "trivial to modify," Kevin Haley, director at Symantec Security Response, told CIO Dive in an email.

LotL, or using tools already available on computers to carry out attacks, helps bad actors avoid detection because "the execution of a script or system tool looks a lot more innocent than malware being launched," said Haley.

Unlike malware, where attribution is easier to find, LotL attacks are difficult to credit. It's also the method said to have launched Atlanta deep into the throws of its ransomware attack.

SamSam, the group experts attribute to Atlanta's cyberattack, works in a hierarchy of hackers where every tier has a different responsibility.

Hackers on the lowest tier of hierarchy are typically those tasked with scanning random IP ranges on the internet to find potential vulnerabilities. Discovered vulnerabilities are then passed to the next tier, which sifts through them to determine if a vulnerability is worth pursuing.

The process continues until the remaining vulnerabilities are passed to a more mature group where they'll go in, live off the land, exploit the vulnerability and do recon on the afflicted system.

Hijacking software updates through supply chain-style attacks are a preferred method for hackers because they're easier to execute than finding zero-day vulnerabilities to exploit, according to Haley. Compromised software updates are even more effective for hackers when the process is automated.

Keeping software up-to-date "is the best security practice," which makes defending these type of attacks all the more difficult; "in essence, [companies] come to the attackers," said Haley.

Having an air of skepticism and an eye for detail, like noticing a slight modification in software, could help avoid LotL and supply chain attacks. "CISOs need to consider testing updates from suppliers they have concerns about," said Haley, and "behavior-based detection capability in security products [is] essential."