Reducing the risk of living-off-the-cloud attacks

LOL attacks have now arrived in the cloud age. We explain how so-called LOC attacks work and how you can minimize the risk of falling victim to this method.

Living-off-the-land scenarios (LOTL; better known by the highly ironic acronym LOL) refer to a cyberattack method in which the attackers make use of native tools that already exist in the victim’s own environment. In other words, the attackers use resources they find on site. In the form of living-off-the-cloud attacks (LOC for short), this method has now also arrived in the cloud.

Since neither malware nor malicious code is used, the attacks are difficult to detect as such. The malicious activities mix with regular data traffic and thus often remain undetected for months.


How LOC attacks work

LOC attackers gain access to the network through phishing or stolen credentials. In the living-off-the-cloud attack that follows, they hide their malicious activities behind the victim’s software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) applications. Their activity then looks like trusted cloud traffic, which is typically not scrutinized closely and can therefore pass through firewalls and other defenses. To make matters worse, cloud services often play a key role in modern enterprises, so blocking these tools can have a devastating impact on business operations.


Reduce the risk of LOC attacks

Action #1: Focus on holistic systems
Security tools are often deployed in fragmented silos, which makes it harder to understand the context or telemetry of these controls. Alternatively, a cloud-native (i.e., delivered directly via the cloud) single-pass architecture can be used in a SASE (Secure Access Service Edge) solution. This provides real-time visibility across the entire ecosystem, allowing organizations to maintain seamless control of their IT environment at all times.

Action #2: Limit access rights
Don’t grant general access rights. Instead, carefully consider who is requesting what and the context of that request (in terms of behavioral patterns, device identifiers, time of day, location, etc.). In addition, configure granular controls for your applications where possible, for example, to allow only business instances or to prevent the upload of confidential data.
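
The sketch below is an added example, not taken from any product: it shows how an instance-aware, context-aware access decision of the kind described in Action #2 could be expressed. The app names, tenant IDs, business hours, field names and sample requests are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed inventory of tenants the organization owns, per SaaS app (constructed).
CORPORATE_INSTANCES = {"filestore": {"acme-corp"}, "chat": {"acme-workspace"}}
BUSINESS_HOURS = range(7, 20)  # assumed working hours, 07:00-19:59 local


@dataclass
class Request:
    user: str
    app: str             # SaaS application name
    instance: str        # tenant/workspace the request targets
    action: str          # "upload", "download", ...
    device_managed: bool
    hour: int            # local hour of day, 0-23
    data_label: str      # DLP label: "public", "internal", "confidential"


def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, step_up or block."""
    # Same app, foreign tenant: the domain looks trusted, the destination is not.
    if req.instance not in CORPORATE_INSTANCES.get(req.app, set()):
        return "block", "non-business instance"
    if req.action == "upload" and req.data_label == "confidential" \
            and not req.device_managed:
        return "block", "confidential upload from unmanaged device"
    # Unusual context does not prove abuse, so ask for re-authentication.
    if not req.device_managed:
        return "step_up", "unmanaged device"
    if req.hour not in BUSINESS_HOURS:
        return "step_up", "outside business hours"
    return "allow", "business instance, expected context"


# Constructed sample requests, as a cloud proxy might log them.
SAMPLES = [
    Request("alice", "filestore", "acme-corp", "upload", True, 10, "confidential"),
    Request("alice", "filestore", "alice-personal", "upload", True, 10, "internal"),
    Request("bob", "filestore", "acme-corp", "upload", False, 11, "confidential"),
    Request("bob", "chat", "acme-workspace", "download", True, 3, "internal"),
    Request("carol", "chat", "acme-workspace", "download", False, 14, "public"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.app, r.instance, r.action, "->", *decide(r))
```

The second sample is the case a domain-based allowlist misses: the application is sanctioned, but the tenant is not a business instance.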

Action #3: Train employees regularly
Make your employees aware of how cloud services can be abused through regular training. Show them what to look out for and when it’s better to call in the IT team.