FullCircle

Invisible Threats - How Hackers Use Your Own Software Against You

You know that feeling when you realise someone's been using your computer while you were away? When you don't know what they've seen or had access to? Well imagine how it would feel if that person had access to every computer in your organisation, and you'll have some idea of what it's like dealing with a living off the land attack.

These increasingly sophisticated attacks have been on the rise over the past few years, and the statistics from recent cybersecurity research make for sobering reading. CrowdStrike's 2023 threat report shows that 62% of detections can now be classified as LOTL attacks, while other research suggests this figure could be as high as 84%. It's now impossible to ignore. Criminals are weaponising the legitimate tools already installed on your systems. The threat might now be coming from the inside.

In a report co-authored with the FBI and NSA, the Australian Signals Directorate (ASD) defined these attacks as the use and "abuse of native tools and processes on systems, especially living off the land binaries, often referred to as LOLBins, to blend in with normal system activities and operate discreetly with a lower likelihood of being detected".

It's like someone breaking into your workshop and using your own hammer and chisel to crack your safe - they look like they belong there because they're using tools that should be there. When your antivirus sees these processes running, it doesn't necessarily know whether it's a legitimate administrative task or someone quietly copying your customer database to a cloud storage service.

Traditional signature-based security is essentially useless because there's no malicious code to detect - the tools themselves are legitimate, and the commands might look perfectly reasonable in isolation. Attackers are able to maintain access for months using nothing but built-in Windows utilities, slowly mapping networks and exfiltrating data without triggering a single alert.

The scale of this problem becomes clear when you look at recent high-profile incidents. The MGM Resorts attack in September 2023 perfectly demonstrates how devastating these techniques can be. Here, attackers gained initial access through a simple phone call to the IT help desk, then used legitimate tools to escalate privileges and deploy ransomware, resulting in $100 million in direct losses. The entire digital infrastructure of 31 resorts went down for over a week, forcing manual operations across their entire empire.

Even more concerning is the strategic use of these techniques by nation-state actors. The Australian Cyber Security Centre has specifically warned about Chinese state-sponsored groups like Volt Typhoon, which has maintained undetected access to critical infrastructure networks for up to five years using LOTL techniques.

So just imagine what attackers can do to Australian SMEs, nearly half of whom spend less than $500 annually on cybersecurity according to the ACSC, making them particularly vulnerable to these sophisticated attack methods that were once the domain of advanced persistent threat groups.

The financial impact on Australian businesses continues climbing, and small businesses are taking the biggest hit. Beyond the average $49,600 loss per incident, there's the broader economic impact. UNSW cybersecurity expert Nigel Phair estimates cybercrime costs Australia's economy about $42 billion annually, with small businesses accounting for a significant portion of these losses.

What's particularly concerning is that the Australian Institute of Criminology found 47% of Australian computer users experienced at least one cybercrime in the 12 months prior to their 2023 survey, suggesting current defences aren't keeping pace with the threat. Many of these incidents could be prevented or quickly contained with proper monitoring and response procedures specifically designed for LOTL scenarios.

Traditional endpoint security often fails against these attacks because it's designed to spot malicious software, not malicious use of legitimate software. The ACSC specifically recommends implementing the Essential Eight mitigation strategies, with particular emphasis on application allowlisting, restricting administrative privileges, and enabling detailed event logging. But beyond these technical controls, organisations need incident response capabilities that understand how LOTL attacks unfold and can quickly identify when legitimate tools are being misused.

If you're concerned about your organisation's vulnerability to these increasingly common attacks, we're here to help. Don't want to end up as an academic case study or a statistic in another government report? Get in touch and we'll make sure you're prepared to defend against these incredibly stealthy and increasingly sophisticated threats.

Stay ahead of the game. Grab our free newsletter!

Newsletter

A monthly newsletter full of security tips, advice from one of Sydney's leading managed service providers, remote work tips and tricks, and tech news updates.