LOL Attacks Can Now Live off the Cloud: Three Strategies to Reduce LOC Risk


There’s nothing funny about LOL attacks. Living-off-the-Land is a malicious attack variant acting like a tumor, feasting on host environments. Etay Maor, senior director of security strategy for Cato Networks, explains its migration to cloud resources as LOC attacks.

A cyber-attack method increasingly being used by adversaries is known under the highly ironic acronym of LOL. In the so-called Living-off-the-Land (LOL or LOTL) scenario, attackers rely on any set of native tools they can leverage from the victim’s own environment. Hence, living off the land literally means surviving on resources harvested from the target victim.

LOL attacks can be incredibly stealthy. They don’t contain malware or malicious code, making them difficult to detect. Because attackers leverage native in-house applications and commands (such as Windows Command Shell/CMD, Powershell, Windows Management Interface, Schtasks, etc.), they can blend their wicked activities within ordinary traffic, fly under the radar residing in the victim’s environment for months and not leave any trace or artifacts behind. 

The Cloud Is at Increased Risk of LOL Attacks

Not surprisingly, cybercriminals have been increasingly shifting their attention to the cloud, bringing with them LOL techniques targeting cloud infrastructures (a.k.a. Living off the Cloud).Putting things into perspective, Microsoft’s Azure cloud platform detects nearly 1.5 million attacksOpens a new window every day. 

How Do Living Off the Cloud Attacks Work?

Just like traditional LOL attacks where attackers hide their malicious activities using legitimate tools and traffic, adversaries are increasingly leveraging the victim’s own Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) applications to make malicious activity appear like trusted cloud traffic. 

Since millions of users and organizations already trust cloud services and applications, their traffic usually goes unchecked and legitimately passes through firewalls and other defenses. This makes Living off the Cloud (LOC) attacks extremely hard or nearly impossible to detect. Furthermore, many of these tools and cloud services are table stakes for businesses — blocking these services is usually never an option as this can have a big impact on routine business productivity. 

In the current year alone, there have been many reported incidents of LOC attacks:

    • Threat actors leveraged online storage services like DropBox and Google Drive to deliver malware payloads. 
    • Attackers were reportedly retooling and abusing Atlassian’s Trello services for command and control as well as for espionage purposes.
    • Attackers took advantage of Ngrok, a cloud-based service developers use to share code without having to bother with domain hosting, to send malicious payloads to victim devices. 

See More: Cloud Security Learnings from 2022: Onto a Safer Cloud

How to Reduce the Risk of LOC Attacks

It’s not easy to probe for or detect Living off the Cloud attacks. That said, the recommendations below can help reduce its risk to a large extent:

1. Use a holistic system, not siloed tools 

LOC attacks are multi-staged: they infiltrate networks by phishing users or using stolen credentials, then they compromise systems, escalate privileges and move laterally or stay dormant till they find the right opportunity. At every stage, there is an opportunity to block the attacker from moving laterally. 

Most security tools are unfortunately siloed and fragmented, and it is difficult to understand the context or telemetry of these disparate controls. An option to consider is the cloud-native (cloud-delivered) single-pass architecture in secure access software edge or SASE (pronounced “sassy”), which can relay real-time situational awareness of the ecosystem (from endpoints to devices, to users, to clouds, to the network as well as the macro cybersecurity environment), and provides seamless control over the IT environment at any given moment in case of a sudden, unforeseen incident.

2. Limit opportunities for unauthorized access and unauthorized use of applications

Avoid giving blanket access to users, identities, or applications. Just because a user is authenticated does not mean they should be authorized to have access to all business and system resources. Implement zero-trust security, where all access requests are verified based on what is being requested, who is requesting it, and what is the context of the request (time, location, device ID, behavioral patterns or volume of data being sent to cloud services, etc.). 

Configure granular controls on applications. For instance, organizations can only allow corporate instances of Dropbox. If they see any other instance, then users are blocked. Or organizations can allow access to Dropbox openly, but they can restrict files with proprietary or sensitive data like social security numbers, PII or credit card numbers from being uploaded to a cloud entity. 

3. Train staff regularly so they don’t fall prey to phishing 

In the case of LOC attacks and others, phishing is one of the most common vectors of initial access. Train employees regularly so they do not click, visit, download, or reply to anything they’re not supposed to. Explain to them how cloud services can be abused or misused and train them to be vigilant and report anything (or any activity) that looks or appears abnormal.

Gartner says that by 2025, 95%Opens a new window of digital workloads will be deployed on cloud-native platforms, up from just 30% in 2021. If not so already, cloud technology will become mainstream, so it makes sense to pivot one’s cybersecurity architecture, policies and culture to one that is most cloud-centric — because that’s the only way organizations can proactively defend against evolving, pervasive and persistent threats that are increasingly living off the cloud. 

What steps are you taking to make your cybersecurity architecture more cloud-centric and prevent LOC attacks? Tell us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .