Introducing runZero’s new ServiceNow Service Graph integration: Get greater data accuracy for your CMDB

Big news: runZero now integrates with ServiceNow Service Graph. The runZero Service Graph integration offers a robust solution for organizations who need to get a comprehensive and up-to-date view of asset data across IT (information technology), OT (operational technology), cloud, and remote environments. This new integration will quickly and easily enrich CMDBs with high-fidelity, contextualized asset details, superseding the existing ETL integration.

The importance of data quality in CMDBs

According to Gartner, nearly one third of CMDB challenges stem from data completeness or quality concerns, which highlights the importance of prioritizing data quality in an organization’s configuration management database (CMDB). This is not just a theoretical concern: Gartner also notes that 99% of organizations using CMDB tooling who do not address configuration item data quality gaps will experience visible business disruption. This makes sense when you consider that IT infrastructure and services are critical components of most modern businesses. Without accurate information about these assets, it becomes difficult to make informed decisions related to security, compliance, risk management, and more.

To deliver better and more complete visibility across your environment, the Service Graph Connector brings your runZero asset inventory into your ServiceNow CMDB. With better data quality in your CMDB, you can ensure your assets get managed in accordance with your organization’s policies. By leveraging runZero’s ServiceNow Service Graph integration, you can improve your CMDB accuracy and reduce the likelihood of costly disruptions caused by inaccurate data. You can be confident that you’re operating on every asset–even the ones your CMDB didn’t know about.

Eliminate data quality gaps and improve IT/IoT/OT asset visibility with runZero’s ServiceNow Service Graph integration

Many organizations are turning to Cyber Asset Management (CAM) solutions to gain better visibility into IT, IoT, and OT assets. These solutions can help proactively identify unmanaged devices and uncover security risks within networks. By using both API data sources and unauthenticated active scanning, runZero is one of the few solutions capable of discovering unmanaged IT, IoT, and OT devices. This approach is especially valuable in OT environments, where visibility may be limited.

runZero’s ServiceNow integration provides you with a powerful tool to improve your asset inventory and cyber asset management. With this integration, you can gain better visibility into IT, IoT, and OT assets, as well as identify and address data quality gaps. This can help you reduce the cost of downtime, improve labor productivity, and get more value from your CMDB investments. In addition, runZero’s active scanner is safe to use in OT environments, ensuring that you can get the most out of your cyber asset management solutions without compromising the safety of your systems. Dozens of organizations are using runZero’s combination of integrations and active discovery, including those in manufacturing, healthcare and utilities, to achieve full asset inventory.

How Capgemini helped their client get better quality data for their CMDB

Let’s take a look at the real-world implications of not having a dedicated cyber asset management solution in place.

Capgemini, a global IT consulting firm, was contracted by a French manufacturer and retailer of luxury products to deploy an asset discovery solution and set up the integration with the new CMDB to store the company’s IT asset inventory. However, they were struggling to get the data they needed using MID Servers–especially for managed assets such as routers and switches. They knew they had to explore other asset discovery options.

One of the primary requirements established for the project was unauthenticated asset discovery. The IT department, part of the holding company, was having a hard time collecting credentials for service accounts for many parts of the business. Without credentials, ServiceNow was struggling to inventory most assets. As Capgemini looked into other solutions, they discovered runZero, which delivered everything their client needed: speed, accuracy, a rich API, and unauthenticated scans. runZero’s asset discovery was fast, efficient, and worked without credentials. With runZero, they found 2.5x as many devices as ServiceNow.

After seeing the results with runZero, Capgemini has other ideas for capitalizing on its capabilities. As they work with clients in future projects, runZero will give them an accurate picture of their client’s asset inventory enabling them to provide precise project plans with known scope, schedule, and cost estimates.

Ready to get better results from your CMDB investments? To get started, sign up for runZero and then get the ServiceNow Service Graph integration on the SNOW marketplace.

Be confident in your CMDB’s data quality

runZero is a cyber asset management solution that delivers full asset inventory–quickly, easily, and safely. The solution enriches CMDBs with detailed asset and network data from a purpose-built unauthenticated active scanner. Discover every asset–even the ones your CMDB didn’t know about. 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero partners with Abira Security

runZero partners with Abira Security, a full service cybersecurity advisor and managed services provider.

runZero is excited to announce our partnership with Abira Security, a market-leading provider of comprehensive cybersecurity solutions. As part of this partnership, Abira will be offering runZero as a solution to solve the challenges of cyber asset management. runZero’s asset inventory and discovery capabilities are the key to delivering a complete security package.

At runZero, we believe network visibility and asset inventory is a foundational part of maintaining a strong security posture. Abira offers a complete portfolio of cybersecurity solutions, paired with exceptional strategy expertise and real-world experience. Partnering with Abira Security allows runZero to expand and reach more organizations that are searching for a complete security strategy that includes deep network visibility and comprehensive asset inventory.

Eric Goldstein, Director of Channel at runZero, says, “We’re thrilled to be partnering with Abira Security to deliver cyber asset management to our joint customers. A comprehensive asset inventory is essential for any security program and is often the very first step in a security assessment. Together with runZero, Abira will help customers achieve their security goals and maximize their security tech stack value.”

“Abira is a pure play cybersecurity services firm and a true VAR. Our quality, flexibility, and cost structure is hard to beat,” says Ray Harrison, Sales Director at Abira Security.

Organizations today face ever-increasing cyber threats that can compromise their sensitive data and operations. The first step in securing any network is developing a complete asset inventory that accounts for all devices: managed or unmanaged; IT, OT, or IoT; cloud, on-prem, or remote. Combining runZero’s asset inventory capabilities and Abira’s cybersecurity expertise, customers have the benefit of an end-to-end solution that helps them identify, secure, and manage all of their assets, no matter where they exist, safely and effectively.

For more information, visit https://abirasecurity.com/.

Strengthen your security posture with cyber asset management

runZero is a cyber asset management solution that delivers full cyber asset inventory–quickly, easily, and safely. The solution enriches existing IT & security infrastructure data–from vuln scanners, EDRs, and cloud service providers–with detailed asset and network data from a purpose-built unauthenticated active scanner. No credentials required. Just deploy an Explorer and start scanning.

Partnership Will Drive Increased Adoption of Portnox’s Cutting-Edge NAC Solution Purpose-Built for Large Distributed Organizations in the Region

LONDON — Portnox, which supplies network access control (NAC), visibility and device risk management to organizations of all sizes, today announced that it has partnered with Distology for the sole distribution and resell of its cloud-delivered NAC-as-a-Service solution in the United Kingdom and Ireland.

“We chose to partner with Distology because of their successful history of IT security solution distribution in the UK and Irish markets,” said Portnox CEO, Ofer Amitai. “We’re confident this collaboration will yield tremendous growth for both parties, as Portnox has a unique value proposition and Distology has the market enablement expertise to effectively evangelize our network security offering.”

“We have a long-established relationship with Portnox and it speaks volumes that the team have decided to choose Distology as their sole UK&I distributor. The technology Portnox brings to the market is incredibly exciting and complements our existing vendor stack effortlessly,” said Stephen Rowlands, Head of Sales for Distology. “We’re especially looking forward to representing and promoting Portnox Clear to our growing partner base, as this brand-new cloud-based technology has potential to completely disrupt the market and we foresee masses of growth potential in this innovative product.”

Portnox introduced its cloud-delivered NAC-as-a-Service solution to the UK & Irish markets less than two years ago. As the first to bring NAC to the cloud, Portnox has quickly gained a foothold in the region, particularly among large distributed enterprises in the retail, construction and utilities industries.

“The adoption of our NAC-as-a-Service product in the UK has been very strong to date,” said VP of Products, Tomer Shemer. “This is a testament to the fact that the UK is one of the markets leading the trend of cloud security adoption. We expect to see continued growth in the coming years in this area of Europe.”

Portnox is set to exhibit at this week’s RSA 2020 Conference (booth #4234) in San Francisco, February 24-28. Additionally, Portnox (booth #G108) and Distology (booth #C40) will both be exhibiting at InfoSec Europe 2020, Europe’s largest event for information and cyber security, in London, June 2-4.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

About Distology
Distology is a Market Enabler and offers true value for the distribution of disruptive IT Security solutions. The vendors we work with represent innovative and exciting technology that continues to excite and inspire their reseller network. Our ethos is based on trust, relationships, energy and drive and offers end to end support in the full sales cycle providing vendor quality technical and commercial resource.

runZero 3.7: Custom integrations and SDK

What’s new with runZero 3.7?

  • Custom integrations and Python SDK
  • ServiceNow Service Graph Connector for runZero
  • Protocol improvements
  • New and improved fingerprints

Custom integrations and Python SDK

runZero Enterprise customers can now import assets from custom sources using the runZero SDK. The new Python SDK supports runZero’s custom integration API functions for ease of automation and use for those familiar with Python. These custom integrations allow for creating and importing asset types not previously supported within runZero, along with assigning the integration a name, description, and custom icon. Once imported, you can manage these custom integration sources from the runZero UI, and remove them from assets if desired. This will allow you to build new integrations and further enrich the asset data within runZero.

ServiceNow Service Graph Connector for runZero

The runZero Service Graph connector is now available in the ServiceNow marketplace. The connector can automatically pull your runZero asset data into your CMDB, merging with your ServiceNow data to improve asset visibility and accuracy. This connector does not replace the ServiceNow IntegrationHub ETL integration; both the connector and integration are available to Enterprise customers.

Protocol improvements

The 3.7 release includes improved support for the Checkmk host agent. Checkmk is an open source host monitoring service and is deployed as part of many solutions and network appliances. Customers with Checkmk in their environment will benefit from improved software inventory and EDR detection for these assets. The accuracy of operating system fingerprinting has also been improved using available Checkmk data. The scanner now supports the Steam In-Home Streaming Discovery Protocol, allowing for identification of devices running the Steam client from Valve Software.

New and improved fingerprints

A number of fingerprints and fingerprint capabilities have been improved in this release. These improvements include fingerprinting of TLS stacks, better coverage of Roku devices based on AirPlay responses, and improved OS fingerprinting of devices speaking the BACnet protocol. New fingerprints were added for products by Abbott, Aruba, Audioscan, Bayer, Canon, Ciena, Cisco, Crestron, FloLogic, GE HealthCare, GE MDS, Google, H3C, Huawei, IBM, Keyence, Meross, Logitech, NetApp, Panduit, Proofpoint, Quantum, Raritan, Roku, Shelly, SonicWall, Tesla, TP-Link, and VMware.

See runZero 3.7 in action

Watch the video to see a preview of some of the newest features in runZero, including the ServiceNow connector, Checkmk protocol parser, and custom integrations leveraging the Python SDK.

Release notes

The runZero 3.7 release includes a rollup of all the 3.6.x updates, which includes all of the following features, improvements, and updates.

New features

  • Customers with an enterprise license can now create custom integrations and import assets from any external asset data source using the runZero Python SDK.
  • Improved performance and reliability of metrics calculations.
  • Improved performance of the vulnerabilities inventory.
  • AWS permission errors are now more detailed to make troubleshooting easier.
  • A bug where the asset ownership tag was not able to be changed successfully has been resolved.
  • A bug where email addresses were case sensitive on sign in has been resolved.
  • A bug where the “Create Organization” button appeared disabled but was still clickable has been resolved.
  • A bug preventing the Asset Ownership goals toggle from being clickable has been resolved.
  • Upgraded npcap to version 1.73
  • Fingerprint updates.

Security fixes

  • A bug that could show cross-tenant Queries and their associated author email addresses was resolved. This issue only applied to a cloud-hosted version of the runZero platform that was live for slightly more than two hours on March 29th, 2023. Any customers affected by this issue received a detailed notice. This affected version 3.6.14.
  • A bug that could allow an organization admin to see the names of other organizations in the tenant, even without explicit access, has been resolved. This affected versions 3.6.0 to 3.6.5.
  • A bug that could expose limited information about an organization to cross-tenant users has been resolved. This issue could have allowed an attacker that guessed the v4 UUID of an organization to view the name, description, and top-level statistics (asset count, service count, task count, etc.) without appropriate authorization. This affected versions 3.6.0 to 3.6.4.

Product improvements

  • Improved quality of errors reported by the CLI Scanner.
  • Improved user experience of user management.
  • Improved user experience of organization management.
  • Packets sent/received are now visible from the tasks preview.
  • Enterprise customers can now scan all ports and up to a /8 at a time using the hosted scan engines.
  • Attribute searches and reports are now faster in large organizations.
  • It is now possible to download the task log for a failed scan.
  • Hosted scans no longer ignore responses from common firewalls.
  • Daily asset expiration now records an assets-expired event with the count.
  • The task-failed event now includes information about the associated Explorer.
  • Scans can now configure specific probes for Subnet and Host pings.
  • Asset queries can now surface overlaps in asset names, IP addresses, and MAC addresses across inventory.
  • Behavior around parent/child organizations has been improved.
  • A change to Chrome which caused web screenshots to fail has been addressed.
  • Alert rules now support software and vulnerability queries.
  • Asset ownership now supports references to runZero users and groups.
  • Vulnerability inventory now includes an Exploit status, indicating whether the vulnerability is known exploitable. The Exploit status will only be populated for vulnerabilities imported after this release.
  • Datagrids across the UI no longer use the incorrect theme.
  • Task WLAN listing functionality has been improved to enforce a timeout if the underlying utility is slow or unresponsive.
  • The maximum time to complete an SNMP walk is now configurable.
  • The default maximum time to complete an SNMP walk has been increased to 5 minutes from 1 minute.
  • The maximum results for an SNMP walk have been increased to 8k from 4k.
  • Assets owned by a runZero user will now be displayed on the user details page.
  • The Reason column in the failed tasks table will now properly persist the hidden state between page loads.
  • Saved queries can now be created for software, vulnerabilities, and screenshots.
  • Attribute reports now group unique values within a single key.
  • The View More link is now accessible for in-progress tasks.
  • Asset owner names now suggest auto-complete options.
  • Accessibility improvements.
  • Client-side timezone updates.
  • Improved performance of the organization details page.

Integration improvements

  • The AWS integration now supports the GovCloud partition for assumed roles.
  • Validation warnings for internal IPs when using LDAP and InsightVM integrations have been improved.
  • Filtering of non-unique MAC addresses has been improved to better support Cisco virtual MAC addresses.
  • Cisco virtual MAC addresses are now handled more consistently.
  • Increased timeouts for the Tenable integration.
  • Improved reliability of CrowdStrike credentials verification.
  • The API response for a PUT request to /org/sites now returns the details of the new site.
  • Improved reliability of the Tenable integration.
  • API requests to apply tags to one or more assets now complete much faster.

Bug fixes

  • A race condition that could occur during self-hosted installation has been resolved.
  • A bug that could cause the Tenable connector to fail intermittently for some customers has been resolved.
  • A bug that could cause task details not to render on the task overview screen has been resolved.
  • A bug that could prevent organization administrators from creating new projects has been resolved.
  • A bug that could prevent some CrowdStrike software from importing successfully has been resolved.
  • A bug that caused misaligned values when exporting assets to CSV has been resolved.
  • A bug that could cause the SSO page to render off screen has been resolved.
  • A bug that could prevent asset modifications triggered by alert rules has been resolved.
  • A bug that could prevent the dashboard from loading successfully has been resolved.
  • A bug that could cause assets to incorrectly merge has been resolved.
  • A bug that could prevent validation of hostname scan targets has been resolved.
  • A bug that could lead to inaccurate asset correlation has been resolved.
  • A bug which could result in runZero attributes being removed from Offline assets has been resolved.
  • A bug that could prevent subnet stats from being exported has been resolved.
  • A bug that could prevent analysis queries from running for directory users and groups has been resolved.
  • A bug that prevented match counts from being displayed on the queries page has been resolved.
  • A bug that could prevent updating assets with a large number of vulnerabilities has been resolved.
  • A bug that prevented access to runZero canned Queries has been resolved.
  • A bug that could lead to the self-hosted installer not removing temporary files has been resolved.
  • A bug that led to slow SNMP scans of specific Cisco switches has been resolved.
  • A bug where recurring tasks that are “Removed” were still shown on the tasks page after the associated site was deleted has been resolved.
  • A bug preventing asset owners from being updated has been resolved.
  • A bug that could result in inaccurate vulnerability counts for assets has been resolved.
  • A bug that could prevent a subset of vulnerabilities from being saved for multi-source assets has been resolved.
  • A bug that caused errors for CrowdStrike integrations with a large number of applications has been resolved.

Using Your Own Tools Against You: The Rise of Living-Off-the-Land (LOTL) Attacks

While some cyber-attacks announce their presence like a blaring siren, others fly quietly under the radar. This presents a significant challenge for network security teams, who are already battling increasingly frequent, sophisticated, and severe attacks.

One cunning technique that has gained considerable traction in recent years is Living-Off-The-Land (LOTL) attacks. Here, threat actors use an organization’s own tools and infrastructure to launch an attack, stealthily moving through the kill chain without the need for bespoke malware.

Alarmingly, these attacks are not only difficult to detect but also highly effective. For example, the Ponemon Institute found that fileless malware attacks (another term for a LOTL attack) are approximately ten times more likely to succeed than file-based attacks.

As LOTL attacks continue to skyrocket in popularity, organizations need to understand how they work and take proactive measures to prevent them. That’s what we’re going to be diving into today.

What Exactly is a Living off the Land (LOTL) Attack?

In a Living off the Land (LOTL) attack, attackers use pre-installed or legitimate tools on the victim’s system, which enables them to blend in with regular user activity and bypass security software.

Despite the term being coined in 2013, recent cybersecurity reports have noted a marked rise in LOTL attacks. But why have cybercriminals suddenly added LOTL attacks to their arsenal? The answer lies in how effectively these attacks bypass traditional security measures.

Instead of using new and sophisticated methods to attack a system, hackers can use tools already installed on a target system, such as PowerShell, Command Prompt, and other admin tools. Since these tools are legitimate and necessary for many everyday computer tasks, it can be difficult for security software to detect malicious activity when these tools are used in a LOTL attack. In other words, LOTL attacks don’t set off warning signals like many other attacks.

One thing that makes LOTL attacks unique is that they don’t leave any files behind. This is why they’re often called fileless malware. With no executable files or malware to detect, many cybersecurity tools simply won’t realize anything suspicious has occurred.

How Do LOTL Attacks Happen?

So, what does a LOTL attack actually look like? LOTL attacks share many of the same hallmarks as other cyberattacks; only they’re far more challenging to detect. Here is an overview of the process:

  1. Initial Access: A hacker gains access to a network through another technique, such as phishing or social engineering. This gives the hacker an initial foothold in the target network.
  2. Reconnaissance: Once inside the network, the hacker begins to gather information about the target systems and network architecture. The goal is to identify vulnerabilities that can be exploited to gain further access and control.
  3. Lateral Movement: The hacker uses the information gathered in the reconnaissance phase to move laterally within the network. The goal is to find and compromise additional systems to establish persistence and gain greater control over the network.
  4. Privilege Escalation: The hacker leverages the compromised systems to escalate privileges and gain access to sensitive data and critical systems.
  5. Malicious Activities: Once the hacker has established a strong foothold in the network, they can carry out a range of malicious activities, including data exfiltration, installing backdoors, creating new tasks on remote machines, identifying configuration settings, and more.
  6. Obfuscation: Throughout the attack, the hacker takes steps to obscure their activity and avoid detection. This can involve using tools like PowerShell or Command Prompt to run malicious code that is obfuscated to evade detection.

The Anatomy of LOTL Attacks

Hackers have a wide range of tools at their disposal to execute a LOTL attack. For example, attackers may use tools such as PowerShell, Windows Management Instrumentation (WMI), and Command Prompt to carry out malicious activities such as reconnaissance, data exfiltration, and lateral movement.

An attacker might use the built-in Windows utility Netsh to create a reverse shell and gain access to a victim’s system. Many other techniques exist: LOTL attacks can also use the Registry Console Tool (reg.exe) to maintain persistence, store settings for malware, and store executables in subkeys. Other commonly used tools in LOTL attacks include Windows Management Instrumentation (WMI), the Service Control Manager Configuration Tool (sc.exe), Scheduled Tasks (AT.EXE Process), and Sysinternals tools such as PsExec.

Notably, LOTL attacks that leverage Remote Desktop Protocol (RDP) connections can be especially tricky for security teams to spot and stop because RDP is a critical service for system administrators.

Identifying which RDP connections are legitimate and which are not is like trying to find a needle in a haystack, especially when administrative credentials are involved. That’s why “known bads” and historical attack data just don’t cut it when it comes to stopping these types of attacks. Instead, a smarter, more comprehensive approach is needed that focuses on detecting anomalous activity in real-time.
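The point above, that “known bads” fall short and anomalous use of legitimate tools is what to look for, is illustrated here with an added Python example (not from the original article or from Portnox). It builds a baseline of which user ran which built-in tool from which parent process, then flags launches that break it. The event fields (`user`, `image`, `parent`), the sample events, and the use of `wmic.exe` to represent WMI are assumptions made for illustration.

```python
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

# Built-in tools named in the article (wmic.exe stands in for WMI: assumption).
LOTL_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "netsh.exe",
              "reg.exe", "sc.exe", "at.exe", "psexec.exe"}

def event_key(event):
    """Reduce a process-creation event to (user, tool, parent), lower-cased."""
    return (event["user"].lower(), basename(event["image"]).lower(),
            basename(event["parent"]).lower())

def build_baseline(history):
    """Count how often each (user, tool, parent) combination was observed."""
    keys = (event_key(e) for e in history)
    return Counter(k for k in keys if k[1] in LOTL_TOOLS)

def find_anomalies(baseline, events, min_seen=2):
    """Return (event, reason) for tool launches that are new or rare."""
    known = {(user, tool) for user, tool, _parent in baseline}
    alerts = []
    for e in events:
        user, tool, parent = event_key(e)
        if tool not in LOTL_TOOLS:
            continue
        if (user, tool) not in known:
            alerts.append((e, f"{user} has never run {tool}"))
        elif baseline[(user, tool, parent)] < min_seen:
            alerts.append((e, f"{tool} started by unusual parent {parent}"))
    return alerts

def ev(user, image, parent):
    """Build one simplified event record (hypothetical field names)."""
    return {"user": user, "image": image, "parent": parent}

SYS, EXPLORER = "C:\\Windows\\System32\\", "C:\\Windows\\explorer.exe"
# Constructed sample data: a baseline period, then one day of new events.
HISTORY = ([ev("CORP\\admin1", SYS + "cmd.exe", EXPLORER)] * 5
           + [ev("CORP\\admin1", SYS + "sc.exe", SYS + "cmd.exe")] * 3
           + [ev("CORP\\jdoe", SYS + "cmd.exe", EXPLORER)] * 4)
TODAY = [
    ev("CORP\\admin1", SYS + "sc.exe", SYS + "cmd.exe"),   # routine admin work
    ev("CORP\\jdoe", SYS + "reg.exe", SYS + "cmd.exe"),    # new tool for user
    ev("CORP\\jdoe", SYS + "cmd.exe", "C:\\Apps\\Office\\winword.exe"),  # odd parent
    ev("CORP\\jdoe", SYS + "notepad.exe", EXPLORER),       # not a tracked tool
]

if __name__ == "__main__":
    for event, reason in find_anomalies(build_baseline(HISTORY), TODAY):
        print(reason, "->", event["image"])
```

Real input would come from process-creation logging such as Windows Security event 4688 or Sysmon event 1, mapped onto these three fields. A baseline captured while an intruder is already active will treat that activity as normal, so the baseline period needs review before it is trusted.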

LOTL Attacks In Action

Many high-profile cyber attacks in recent years have leveraged LOTL techniques and other tactics to devastating success. Here are some real-world examples:

  1. NotPetya: One of the most destructive cyberattacks in history. It spread rapidly across networks in Ukraine and worldwide, causing billions of dollars in damages. The attackers used legitimate tools like PowerShell and PsExec to execute their malicious code, making it difficult to detect.
  2. Olympic Destroyer: The attackers behind the 2018 Olympic Destroyer attack used a combination of spear-phishing and LOTL techniques to gain access to the Pyeongchang Winter Olympics’ network. They used legitimate administrative tools like PowerShell to carry out their attack, which disrupted the opening ceremony and caused widespread disruption.
  3. TrickBot: This banking Trojan is known for its LOTL capabilities. It uses legitimate Windows tools like PowerShell and Windows Management Instrumentation (WMI) to evade detection and remain persistent on infected machines. TrickBot has been used to steal sensitive information and initiate fraudulent transactions.
  4. Emotet: This malware has been used in various attacks targeting government organizations and private companies. It leverages LOTL techniques like using PowerShell to download and execute additional modules. Once installed, Emotet can steal credentials and spread to other machines on the network.

These are just a few examples of LOTL attacks seen in the wild. As these attacks become more sophisticated, organizations need to be aware of the risks and take steps to bolster their network security. That brings us to the next section – how to safeguard your network from LOTL attacks.

How to Protect Against LOTL Attacks

LOTL attacks may be difficult to detect, but that doesn’t mean network security teams are powerless to act. Companies can adopt several techniques and best practices to protect against Living-Off-The-Land attacks. Let’s look at some of the most effective methods.

Zero Trust and Least Privilege Access

Zero trust is a security model that assumes that every user, device, and application on a network is potentially malicious, and therefore, no one should be trusted by default. It does away with traditional perimeter-based security controls like firewalls and instead focuses on securing every asset on the network.

Zero trust can help prevent LOTL attacks in several ways. For example, imagine an attacker gains access to a user’s credentials through a phishing email. With those credentials, the attacker could log in to the victim’s account and move laterally through the network, looking for valuable data to exfiltrate. However, in a zero-trust environment, the attacker would not automatically be granted access to the network’s sensitive resources. Instead, they would need to pass multiple levels of authentication and authorization before being granted access.

In this scenario, the zero trust approach would require the attacker to authenticate themselves every time they attempt to access a resource, even if they had already authenticated once before. This multi-step authentication process makes it more challenging for attackers to gain access to the network and limits their ability to move laterally.

Furthermore, in a zero-trust environment, organizations can enforce granular access controls based on the principle of least privilege. This means that users and devices are only granted the minimum level of access necessary to complete their tasks. A least-privilege approach helps limit the attack surface, making it more difficult for attackers to access sensitive data or resources.

Some other effective ways of limiting LOTL attacks include:

  1. Self-learning AI technology: Using self-learning AI technology, like machine learning algorithms, can help companies detect and prevent LOTL attacks by continuously analyzing network traffic, identifying abnormal behavior, and automatically taking action to stop potential attacks.
  2. Network segmentation: Breaking down a network into smaller, more manageable segments can limit the spread of malware and prevent attackers from moving laterally within the network.
  3. Multi-factor authentication: Multi-factor authentication (MFA) adds an extra layer of security to user login credentials by requiring users to provide multiple forms of identification, such as a password and a fingerprint scan or facial recognition.
  4. Regular security assessments and testing: Regular security assessments and penetration testing can help identify vulnerabilities in a company’s network and applications, enabling proactive mitigation and prevention.

Final Thoughts

With LOTL attacks rising, organizations must proactively strengthen their network security and lock cyber criminals out. This is especially important because while LOTL attacks share many similarities with other cyberattacks, they are far more challenging to detect. As such, a smarter and more comprehensive approach is needed to detect anomalous activity in real-time to prevent these attacks.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.
