Beyond Malware: ‘Living off the Land’ in Cybersecurity

The phrase “living off the land” is often used when talking about cybersecurity. When I first heard it, I figured this was similar to a bohemian ‘getting off the grid’ technique, but I was very wrong. In cyber, it means that the attacker uses the tools already available on the machine to help minimize detection.

One of the first things you often do after getting access to a system is load software to help you. Usually that software is downloaded to the machine from somewhere else. The advantage is that you can use a tool you are familiar with that does exactly what you need. However, the app you loaded could be out of place and, if seen, an indicator to a security team that something is going on.

The other option is to use the tools already on the machine. The disadvantage is that you have to develop ways to use the system’s own tools to get what you want. However, this approach makes your activities blend in with normal system operations, making it harder for traditional security measures to detect and respond to the attack.

The problem with network defense is that operating systems are built to be versatile, and it is exceptionally difficult to create a 100% secure system that is still usable for today’s dynamic business needs. In short, security teams need to trust systems to an extent. By using trusted tools and features, attackers can bypass many security mechanisms that focus on detecting malicious software or behaviors, because it is very difficult to differentiate between normal activity and malicious activity.

This is not a technique used by the majority of cybercriminals. It is a low-and-slow approach usually associated with Advanced Persistent Threats: the kind of threats that linger in a network for months or even years and are a favorite of nation-state actors. The very scary part is that these threats can be used to stage HUGE attacks across numerous networks at the same time. See this multi-national whitepaper about the People’s Republic of China doing exactly this: CSA_Living_off_the_Land.PDF (defense.gov)

To counter such threats, organizations must implement strong security practices that analyze system logs and employ behavior-based anomaly detection. These systems, likely augmented with AI components, can help surface patterns of abnormal behavior that would not individually raise alarms.
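Added example, not part of the original post: a small Python baseline-and-compare detector over constructed process-creation log lines, illustrating the behavior-based anomaly detection described above. Because built-in tools are trusted, the binary name alone says little; what stands out is a (user, parent, child) combination that the environment has rarely or never produced. The log format, user names, process names and threshold are all constructed assumptions.

```python
"""Toy behaviour-based detector for living-off-the-land activity.

Instead of matching tool names, baseline which (user, parent, child)
process combinations are routine in the environment, then flag events
in new logs whose combination is rare or has never been seen.
"""
from collections import Counter

# Constructed sample process-creation log lines: user|parent|child.
BASELINE_LOG = """\
alice|explorer.exe|outlook.exe
alice|explorer.exe|outlook.exe
alice|explorer.exe|winword.exe
bob|explorer.exe|chrome.exe
svc_backup|services.exe|robocopy.exe
svc_backup|services.exe|robocopy.exe
"""

# Constructed log lines to evaluate against the baseline.
NEW_LOG = """\
alice|explorer.exe|outlook.exe
alice|winword.exe|cmd.exe
bob|explorer.exe|chrome.exe
svc_backup|services.exe|powershell.exe
"""


def parse_log(text):
    """Parse 'user|parent|child' lines into tuples, skipping blank lines."""
    return [tuple(line.split("|")) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Count how many times each (user, parent, child) triple occurred."""
    return Counter(events)


def score_events(baseline, events, min_seen=2):
    """Return (event, baseline_count) for events seen fewer than min_seen
    times in the baseline; a count of 0 means never seen before."""
    return [(ev, baseline.get(ev, 0)) for ev in events if baseline.get(ev, 0) < min_seen]


def detect(baseline_text, new_text, min_seen=2):
    """Build the baseline from one log and score the events of another."""
    return score_events(build_baseline(parse_log(baseline_text)), parse_log(new_text), min_seen)


if __name__ == "__main__":
    for (user, parent, child), seen in detect(BASELINE_LOG, NEW_LOG):
        print(f"rare: user={user} parent={parent} child={child} (seen {seen}x in baseline)")
```

Raising `min_seen` trades fewer missed anomalies for more noise, which is why the threshold is normally tuned per environment rather than fixed.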


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.
