Hackers are reportedly using little or no actual malware to infiltrate their victims' networks, yet much of traditional enterprise security software relies on detecting malicious code. What security controls should enterprises use to detect and defend against these "living off the land" malware-free attacks?
"Living off the land" is when an attacker uses the tools and credentials that already exist on a system to breach the network instead of using malware, hence the term "malware-free" attack. It's important that the credentials or tools used to infiltrate an environment are already in existence on the system; installing new tools or creating new root and administrator accounts could bring attention from security administrators and prompt an investigation, thus putting the attack at higher risk of being detected. The attacker will use legitimate system management tools, either those built into the operating system or an existing third-party system management tool, to access the systems. One of the other security controls attackers frequently bypass is single-factor username/password authentication. The attacker either captures the credential or uses a hash of the credential to then access other systems.
Dell SecureWorks issued a media alert about more attackers "living off the land" to bring more attention to how enterprises need to protect themselves. Detecting and defending against these types of malware-free attacks requires more than just using traditional antimalware tools and firewalls. The company's recommendations are basic cybersecurity hygiene, but can still be difficult to perform on a large scale. Potentially the easiest security control to adopt is Dell SecureWorks' first recommendation: implementing two-factor authentication. This can drastically reduce an attacker's capability to compromise credentials for use in the malware-free attack. A harder security control that can also detect these and many other types of attacks is monitoring endpoint activity, both on the network and on the host. Monitoring the endpoint devices will help security teams detect any suspicious behavior, such as a spike in file downloads, that may indicate a user's credentials have been compromised.
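The download-spike check mentioned above can be sketched as a per-user baseline comparison. This is an added example, not from Dell SecureWorks or the original article; the log format, function names, and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def build_sample_log():
    """Constructed file-access log lines: 'timestamp user action path'."""
    hourly = {"alice": [3, 4, 2, 5, 3, 4, 61],      # last hour is the spike
              "bob": [10, 12, 9, 11, 10, 12, 11]}   # busier, but steady
    return [f"2024-01-08T{9 + hour:02d}:{i % 60:02d}:00 {user} DOWNLOAD /share/doc{i}.pdf"
            for user, counts in hourly.items()
            for hour, n in enumerate(counts)
            for i in range(n)]

def hourly_downloads(lines):
    """Count DOWNLOAD events per user per clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, action, _path = line.split(maxsplit=3)
        if action == "DOWNLOAD":
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
            counts[user][hour] += 1
    return counts

def find_spikes(lines, threshold=6.0, min_history=5):
    """Flag hours whose count is far above that user's own earlier hours.

    Uses a robust z-score (median and MAD), so one earlier outlier does not
    inflate the baseline. threshold and min_history are assumed values.
    """
    alerts = []
    for user, per_hour in hourly_downloads(lines).items():
        hours = sorted(per_hour)
        for idx, hour in enumerate(hours):
            history = [per_hour[h] for h in hours[:idx]]
            if len(history) < min_history:
                continue  # not enough data to form a baseline yet
            med = median(history)
            mad = median(abs(x - med) for x in history) or 1.0
            score = (per_hour[hour] - med) / (1.4826 * mad)
            if score > threshold:
                alerts.append((user, hour.isoformat(), per_hour[hour], round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in find_spikes(build_sample_log()):
        print(alert)
```

Because each user is compared with their own history, the account that normally downloads more files per hour is not flagged, while the quieter account's sudden burst is.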