News By Wire

Malware attack architecture: how to defend against living-off-the-land techniques

While the nature of cyber threats continues to evolve and threat actors become increasingly sophisticated, it is of paramount importance that organisations prepare for malicious activities within their digital environments. This task is made more complex as the boundaries of companies online become less tangible – through cloud, hybrid, and third-party integrations – thus becoming more susceptible to malware attacks.

Similar to a parasite residing within its host, cybercriminals can “live-off-the-land” (LOL) of their enterprise victims. This allows them time to pilfer sensitive data and wreak destruction within their victim’s digital infrastructure. Once inside an organisation’s system, threat actors can launch an array of malware, swipe valuable data, and then blackmail the targeted organisation for a ransom towards the return of its data or the active working of its disabled systems. Even if there are backups in place, threat actors can blackmail organisations by threatening to publish the data.

Prevalent living-off-the-land techniques and malware threats

Once a malware attack is initiated against a victim, the LOL techniques and malware processes often share commonalities. The formula to these attacks is ubiquitous and can be defined into five simple stages: get there, get in, get ready, get more, and get money.

Threat actors constantly scrutinise ways to gain access to a target’s infrastructure in order to “get there.” This could take the form of a sophisticated phishing campaign or fraudulent ads. Another option is through the use webpages that trick company employees into giving away their login details. Through such campaigns, ranging from phishing to exploiting script vulnerabilities, attackers can then “get in”. Once a business’s system is compromised, the attackers can “get ready” through installing their LOL techniques within the infrastructure to escalate their privileges and avoid detection.

To “get more,” threat actors pilfer assets that can later be used to blackmail the victimised company. The attackers will then infiltrate throughout the target’s infrastructure, seeking valuable information to gain leverage and extort their victim. Lastly, the attackers will “get money” either through selling compromised credentials on the dark web or encrypting company data and demanding a ransom for its release.

When is the organisation is especially vulnerable?

When launching a malware campaign, threat actors will look to unpick their target’s various security layers, searching to find and exploit any weak points or vulnerabilities. These vulnerabilities are security gaps in the victim’s digital infrastructure, data, or identity credentials through which attackers can launch their malware. Security teams must be aware that their organisations are particularly vulnerable to such attacks when their company is preparing for a significant software update, changes to internal credential policies, or other cybersecurity events. Here, holistic visibility is key throughout all files and software while the business infrastructure is in a state of flux.

Putting the NIST guidelines into practice

One way to minimise the risk of malware and LOL attacks is to implement system hardening processes. The US National Institute of Standards and Technology (NIST) is one of the best guides on the way to cyber resilience. Its security framework is free of cost and provides a comprehensive framework of how organisations can protect themselves in the digital realm.

According to these guidelines, the fundamental and first stage of system hardening lies in prevention. For security teams, this means that they must think as an attacker would and use this perspective to shift from conventional approaches to cybersecurity. This change of perspective helps improve overall security strategy, categorise levels of risk, and determine the most valuable assets that are likely to be a lucrative target for theft.

Keeping the attackers’ perspective in mind, security teams must then remain alert to any suspicious behaviour in their systems before it may escalate into a full-scale attack. A challenging feature of this process is in correctly identifying suspicious activity from that of normal operations. This can be accomplished through checking for indicators of compromise (IOC). IOCs are spotlighted through the identification of configuration drifts and the monitoring for any abnormal or unexpected file changes within the digital infrastructure.

In this era of heightened cyber insecurity, IT pros have the vital remit of protecting their organisation’s digital environment. To meet this challenge, IT security teams must routinely test their systems for weaknesses and malicious behaviour, including after the system hardening process is concluded. Cybersecurity guidelines like those of the NIST can aid enterprises in navigating their way to higher cyber resilience. With the help of these tried-and-true recommendations, and by following cybersecurity best practice, organisations can help ensure the protection of their critical data, the data of their customers, as well as their business operations and integrity of their brand.

Press release information


Image File:


Area / Region:

Topics / Tags:

Media contact

Media contact name:

Netwrix UK

Media contact business / organisation:


Media contact telephone:


Media contact email:

All done!
Thank you for subscribing.

Email Subscription