Living Off The Land (LOTL) attacks are nothing new to cybersecurity. For two decades or more, cybercriminals have been using pre-installed or off-the-shelf tools like PowerShell, PsExec, and Windows Management Instrumentation (WMI) to do all sorts of bad things. Now cybercriminals are applying a similar approach to the cloud.
With Living Off the Cloud (LOTC) attacks, hackers abuse the APIs of trusted cloud services (such as Dropbox, Google Drive, Slack, and Trello) to remotely control botnets and to make malicious traffic look like trusted cloud traffic. The attacks succeed because these applications are trusted by default and their traffic is never inspected, so attackers can hide their activity behind legitimate processes. A zero-trust approach to access could help. Let’s see how.
Why Do Hackers Use LOTC Tactics And How Do They Work?
To understand how attackers execute LOTC attacks, one needs to understand how malware works. Command and control (C&C) is a component of a malware infrastructure. Malware infiltrates the victim’s environment through phishing, stolen credentials, unpatched software, and the like. A malware infrastructure has three components:
- A Telemetry Channel: A communication link from the malware to the C&C server, used by the malware to report what it finds in the victim’s environment to the attackers.
- A Command Channel: A communication link from the C&C server to the malware, used to instruct the malware to execute specific tasks.
- An Exfiltration Channel: A communication channel used by the malware to upload stolen data to a remote file server.
The downside of this traditional C&C setup, from the attacker’s point of view, is that once the C&C server’s IP address appears in community blocklists and the server is taken down, the malware can no longer communicate with its C&C and the attack fails.
With LOTC, hackers can have all three C&C infrastructure components living off the cloud and not on a designated or a hijacked server, thus providing the ultimate invisibility cloak to the attacker. Last year, China-linked adversaries used the Google Command and Control (GC2) service to attack organizations. Their malware is said to have received commands from Google Sheets, while all data was exfiltrated back to Google Drive.
So how do these attacks work off something like Google Drive? Simple. The malware communicates with Google Drive via its APIs. It is programmed to read a folder and fetch a command from it. After executing the command, the malware reports back by writing its findings, or telemetry, to another Google Drive folder. Since Drive is a storage system by design, the malware also performs exfiltration by uploading stolen data to Google Drive folders. Because Drive traffic is trusted by default, security teams fail to detect any of this activity. In this way, Google Drive becomes a convenient host for malware infrastructure. That’s not all. Attacks can be designed to support multiple victims by creating a new root folder on Google Drive for each victim. Just like Google Drive, other cloud applications and their APIs can be harnessed for C&C.
How Can Organizations Protect Themselves Against LOTC Attacks?
Although detecting LOTC attacks is hard, it is not impossible. Here are some recommendations to keep in mind:
Zero Trust Network Access (ZTNA): LOTC attacks succeed because of the inherent, company-wide trust that cloud services enjoy. Adopt a zero-trust strategy instead, in which users and services are granted only the least access required to perform specific tasks. In other words, deploy security policies that allow or restrict specific users, specific applications, specific actions within those applications, and the movement of data in and out of the network.
Sanctioned vs. Unsanctioned Apps: Not everyone in the company needs access to Google Drive, Dropbox or Trello. If companies have some way to control which accounts can or cannot access a specific cloud service, then this can reduce the risk of an attack. The cloud computing industry refers to this as “tenant restriction.”
Granular Cloud Activity Control: There needs to be granular awareness of which cloud service is being accessed, by whom, and what actions are being performed. If files must be uploaded to Google Drive, ensure that only specific people can upload, only specific file types are allowed, and only up to a certain file size. A cloud access security broker (CASB) can help here. Organizations can also deploy API access control so that only authorized users can reach these APIs.
Data Loss Prevention: DLP tools let security teams create policies that restrict cloud-based services from accessing certain types of data. They can inspect uploaded and downloaded files to see whether sensitive data is being exfiltrated. Most DLP systems can be configured to generate an alert and capture an audit log of the data being transferred.
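As an added detection example (not from the original article), the following Python script runs over a constructed sample of proxy/CASB log lines and flags the two patterns the article describes: near-constant polling of one Drive API URL by a single user (the command channel) and uploads by users outside an allow-list or above a per-file cap (the exfiltration channel). The log format, user names, thresholds and the allow-list are assumptions standing in for an organization’s own policy.

```python
import csv, io, statistics
from collections import defaultdict
# Constructed proxy/CASB log sample (not real traffic): epoch seconds, user, method, host+path, bytes sent.
SAMPLE_LOG = """ts,user,method,url,bytes_sent
1700000000,alice@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700000060,alice@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700000120,alice@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700000180,alice@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700000300,alice@corp.example,POST,www.googleapis.com/upload/drive/v3/files,5000000
1700000900,alice@corp.example,POST,www.googleapis.com/upload/drive/v3/files,5000000
1700000010,bob@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700000700,bob@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700003100,bob@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700003200,bob@corp.example,GET,www.googleapis.com/drive/v3/files,200
1700002000,carol@corp.example,POST,www.googleapis.com/upload/drive/v3/files,12000000
"""
SANCTIONED_UPLOADERS = {"carol@corp.example"}  # assumed allow-list standing in for policy
MAX_FILE_BYTES = 10_000_000                    # assumed per-file upload cap from policy

def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"], r["bytes_sent"] = int(r["ts"]), int(r["bytes_sent"])
    return rows

def find_regular_polling(rows, min_events=4, max_cv=0.1):
    # Near-constant GET cadence to one URL: the command-channel polling the article describes, not human use.
    stamps = defaultdict(list)
    for r in rows:
        if r["method"] == "GET":
            stamps[(r["user"], r["url"])].append(r["ts"])
    hits = []
    for (user, url), ts in stamps.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # coefficient of variation of the inter-request gaps <= max_cv means a machine-like beacon
        if len(ts) >= min_events and statistics.pstdev(gaps) <= max_cv * statistics.mean(gaps):
            hits.append((user, url, round(statistics.mean(gaps))))
    return hits

def find_upload_violations(rows, sanctioned=SANCTIONED_UPLOADERS, max_bytes=MAX_FILE_BYTES):
    # Uploads by non-sanctioned users (possible exfiltration channel) or above the per-file cap.
    hits = []
    for r in rows:
        if r["method"] in ("POST", "PUT") and "/upload/" in r["url"]:
            if r["user"] not in sanctioned:
                hits.append((r["user"], "unsanctioned", r["bytes_sent"]))
            elif r["bytes_sent"] > max_bytes:
                hits.append((r["user"], "oversize", r["bytes_sent"]))
    return hits
```

On the sample, alice is flagged for a 60-second polling cadence and for unsanctioned uploads, while bob’s irregular browsing is left alone and carol is flagged only for exceeding the file-size cap.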
Cloud-native Security: Since most security controls are distinct and siloed, it is difficult to connect the dots and paint a full picture of attacker activity. A single-pass cloud security architecture like SASE which converges CASB, DLP, secure web gateway, SD-WAN, firewall as a service, and ZTNA can provide real-time visibility into attacker activity and deliver holistic control over the entire IT environment.
Change Mindset: Unfortunately, people keep blindly trusting any communication to any cloud service. Most organizations still do not perform TLS inspection on cloud-service traffic and do not block high-risk servers, domains, or ports by default. This mindset needs a reboot.
Awareness Training: LOTC attacks are multi-staged, and the first stage (malware deployment) is usually a phishing attack or a compromise resulting from poor passwords or poor software patching. Teach employees to follow security best practices and not to respond to suspicious messages, click suspicious links, or download suspicious attachments.
LOTL and LOTC allow adversaries to exploit built-in and cloud-based tools to conduct malicious activities while evading detection. By taking a ZTNA approach along with the other measures listed here, organizations can gain visibility and control over their IT estate and significantly mitigate these risks.