LOTL attacks dominate the cyber threat landscape
Something fundamental has changed in cybersecurity, and most companies haven’t caught on yet. The threat no longer walks in using a flashy virus or some custom-built Trojan. It logs in. It uses tools already trusted by your IT teams, operations staff, and environments. This is what’s known as a Living-off-the-Land (LOTL) attack, and right now, it’s driving the majority of real-world intrusions.
LOTL isn’t theoretical anymore. This method is now how modern attackers operate across sectors, especially in finance, where control, uptime, and confidentiality are critical. The game plan is simple: use what’s already inside the system to stay invisible, persist, and exfiltrate data without triggering alarms. These aren’t emergency situations with a red blinking light. These are slow, deliberate actions hidden under the normal operation of your technology stack.
Bitdefender’s research shows that 84% of successful attacks today use LOTL techniques. According to CrowdStrike’s 2025 Global Threat Report, 79% of detections in 2024 were malware-free. That’s almost double from just five years ago. These threat actors don’t waste time on malware when they can do more with basic tools that every enterprise already runs: PowerShell, Remote Desktop Protocol, Windows Management Instrumentation, and others. Used properly, they’re harmless. Used strategically, they’re almost invisible weapons.
IBM’s X-Force report reinforces why this is urgent. Advanced Persistent Threats (APTs), the ones run by national-level actors and specialized cyber groups, don’t crash in and trigger alerts. They hang around for weeks or even months, observing, learning, extracting what matters. Once they disappear, your data is already gone.
Smart leadership doesn’t wait for detection. Smart security assumes compromise. If your systems run standard tools, you’re exposed. Not because your tech is broken. Because it works, and attackers know that.
Critical reliance on trusted tools creates new vulnerabilities
Here’s the part most organizations miss: You can’t turn off the tools attackers use because your business depends on them. PowerShell, RDP, PsExec: your admins use them every day. Your applications rely on them. Disabling these tools would grind your operations to a halt. That’s what makes this threat so effective. It doesn’t come from outside, it comes from what you trust the most.
The reality is companies have built their processes around these tools. Security teams have accepted routine usage without tracking how, where, or when they’re used. So when attackers come in using those same tools, they look like standard activity. Every move they make blends into the system like yesterday’s admin log.
This is the issue Martin Zugec, Technical Solutions Director at Bitdefender, pointed out at RSAC 2025. He said: “You cannot disable them because you will impact the business.” And he’s right. These aren’t exotic utilities; they’re core parts of the daily workflow. Attackers know this. That’s why they keep winning.
Gartner’s research agrees. Their analysis shows attackers increasingly use “bring your own vulnerable driver” (BYOVD) approaches combined with trusted system utilities to kill security agents and slip through detection systems. These are smart moves, made in real time, against organizations not set up to respond.
CrowdStrike also found that 31% of ransomware cases begin with the misuse of legitimate remote access tools. These tools are designed to give your teams access and insight. Naturally, they give attackers the same thing.
Here’s the effect: The IT tools you trust, the ones your teams use daily, are now your attack surface. That doesn’t mean getting rid of them. It means understanding them intimately. Know where they run, how they’re used, and who’s using them.
Today, security isn’t about locking doors. It’s about watching what’s happening inside the building.
Evolution to malware-free, credential-based intrusions challenging traditional defenses
Cyberattacks aren’t loud anymore. They’re deliberately quiet. Legacy methods for detecting threats relied heavily on identifying malicious code patterns, signatures of known attacks. But those days are mostly gone. The fastest-growing threat vector seen today doesn’t use malware. It uses valid credentials and acts like a user with full access. That makes it more dangerous and exponentially harder to detect.
When attackers gain access through credential theft, they don’t need to build exploits. They don’t need to download malicious files. Instead, they operate with legitimate access, using legitimate tools. They’re able to navigate freely, execute commands, disable your monitoring agents, and move laterally, all without raising a single alert.
CrowdStrike’s 2025 Global Threat Report puts this into clear terms: 79% of observed detections last year were malware-free, a huge jump from 40% in 2019. It gets worse: once attackers get inside, the average breakout time, the window between initial access and movement across the network, is just 48 minutes. In some cases, it’s as fast as 51 seconds. That speed undermines slow, reactive security postures. By the time someone reviews logs or investigates an anomaly, the damage might already be done.
This pattern of intrusion (credential-based access, native tool usage, and rapid breakout) renders most traditional detection systems ineffective. Most environments still lean on signature- or behavior-triggered alerts. Attackers know how to bypass those by simply behaving like internal IT.
For business leadership, the key realization here is about visibility. You can’t defend what you don’t see. These attackers aren’t invisible with advanced cloaking; they just appear legitimate. They log in, not break in. They run internal tools, not foreign software. That requires a shift in thinking. You need detection capabilities that go beyond alert systems and focus on context, who’s accessing what and why, and whether it makes sense in that moment.
Necessity for a unified, zero-trust security framework
Disjointed or reactive security no longer holds up. Today’s security architectures must be unified, adaptive, and context-aware, not built around assumptions of static perimeters. Attackers already move inside your environment using trusted access. The most effective response isn’t more layers of alerting, it’s full environment awareness guided by zero trust principles.
Zero trust is about not assuming anything. It forces verification at every point: user identity, device health, access permissions, and behavior. NIST’s Zero Trust Architecture framework (SP 800-207) lays out clear principles: limit privileges aggressively, continuously authenticate users, and segment network zones to control spread if something breaks.
Microsegmentation becomes critical here. If attackers gain access, they shouldn’t be able to move across your organization with ease. Isolating systems, applications, and environments into secure zones limits what an intruder can touch. This dramatically reduces the scale of damage possible, especially in time-sensitive contexts like financial transactions or R&D environments.
Security tools must also interact. Behavioral analytics platforms should communicate with endpoint detection systems (EDR/XDR). Centralized logging should be integrated with access controls, anomaly detection, and real-time response mechanisms. When done right, this setup flags and validates intent, not just activity.
The cost of missing this is high. CrowdStrike estimates the average cost of ransomware-related downtime is $1.7 million per incident for private companies, and $2.5 million in the public sector. Security isn’t a sunk cost, it’s direct risk offset, measurable in capital and continuity.
This has to be cultural. Everyone in the organization must operate with security embedded into how they work. That means training admins, strengthening user access protocols, and wiping out old or unused accounts. This isn’t a one-time reset. It’s continuous iteration based on visibility, accountability, and data-driven policy. Executives who build with this mindset don’t just avoid attacks, they make their environments harder targets by design.
Shifting from reactive to proactive cyber defense
Security teams still spend too much time chasing alerts. Most of these alerts don’t matter. Some are false positives. Others are minor anomalies triggered by automated behavior. Very few pinpoint actual attacks. That’s a problem, because while defenders are chasing what looks unusual, real intrusions are happening through normal processes, using legitimate tools.
Attackers using living-off-the-land (LOTL) techniques hide inside daily operations. They don’t give you obvious indicators. And if you’re relying on outdated models (signature detection, isolated threat intelligence, uncoordinated controls), you’re reacting too late. The faster you can move your security posture from reactive to proactive, the less likely it is you’ll end up reading a postmortem of your own failure.
Proactive defense starts with one thing: knowing what “normal” looks like in your environment. That means understanding which systems talk to each other, what tasks your admins perform routinely, and what traffic patterns actually support business operations. Once that baseline is in place, small deviations become a signal, not just noise.
Martin Zugec, Technical Solutions Director at Bitdefender, put it plainly: “Instead of just chasing something else, figure out how we can take all these capabilities that we have, all these technologies, and make them work together.” His point? Security tools you already have, EDR, SIEM, behavioral analytics, identity management, can become far more effective when integrated and aligned. When they share context, they generate better insight. When they act together, they reduce risk in real time.
Behaviors are more telling than code. Unexplained script executions, remote access at unusual hours, internal tools launched by non-admins, these are the real warning signs. Threat actors aren’t hiding in your firewalls. They’re using endpoints, identity, and native tools to move. You need systems that detect intent through behavior, not just anomalies through thresholds.
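As an added example, not code from the article or from Bitdefender or CrowdStrike, here is the baselining idea from the two passages above in working form: learn per-user tool and working-hour baselines from a history of native-tool executions, then flag exactly the deviations this section lists (an admin tool launched by a non-admin, a user’s first use of a tool, remote access outside their usual hours). The tool list, the admin group, and every event are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# Dual-use native tools the article names; assumed set for this example.
ADMIN_TOOLS = {"powershell.exe", "psexec.exe", "wmic.exe", "mstsc.exe"}
ADMINS = {"alice", "bob"}  # assumed: accounts entitled to run them
Event = namedtuple("Event", "when user host tool logon")  # logon: "local" or "remote"

def build_baseline(events):
    """Learn, per user, which tools they run and the hours they are active."""
    tools, hours = defaultdict(set), defaultdict(set)
    for e in events:
        tools[e.user].add(e.tool)
        hours[e.user].add(e.when.hour)
    return tools, hours

def flag(event, baseline, admins=ADMINS):
    """Return the reasons an event deviates from baseline; an empty list means routine."""
    tools, hours = baseline
    reasons = []
    if event.tool in ADMIN_TOOLS and event.user not in admins:
        reasons.append("admin tool launched by non-admin account")
    if event.tool not in tools[event.user]:
        reasons.append("first recorded use of this tool by this user")
    if event.logon == "remote":
        seen = hours[event.user]
        # one hour of slack around the observed working window; no history at all is itself a deviation
        if not seen or not (min(seen) - 1 <= event.when.hour <= max(seen) + 1):
            reasons.append("remote access outside user's usual hours")
    return reasons

def triage(new_events, history):
    """Pair each deviating event with its reasons; routine events are dropped."""
    baseline = build_baseline(history)
    return [(e, r) for e in new_events if (r := flag(e, baseline))]

# Constructed sample telemetry, not real logs: a routine history, then one new day's events.
HISTORY = [
    Event(datetime(2025, 3, 3, 9, 12), "alice", "fs01", "powershell.exe", "remote"),
    Event(datetime(2025, 3, 3, 14, 40), "alice", "fs01", "psexec.exe", "remote"),
    Event(datetime(2025, 3, 4, 10, 5), "bob", "db02", "wmic.exe", "local"),
    Event(datetime(2025, 3, 5, 8, 55), "carol", "ws17", "excel.exe", "local"),
]
NEW = [
    Event(datetime(2025, 3, 10, 9, 30), "alice", "fs01", "powershell.exe", "remote"),  # routine
    Event(datetime(2025, 3, 10, 3, 17), "alice", "fs01", "powershell.exe", "remote"),  # 03:17 remote
    Event(datetime(2025, 3, 10, 12, 0), "carol", "ws17", "powershell.exe", "local"),   # non-admin
    Event(datetime(2025, 3, 10, 12, 5), "bob", "db02", "psexec.exe", "local"),         # new tool
]
FLAGGED = triage(NEW, HISTORY)  # three of the four new events come back with reasons
```

The routine 09:30 PowerShell session by an admin produces no alert at all, which is the point: the same tool is signal or noise depending only on who ran it, when, and whether that matches their history.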
This also means getting aggressive about testing assumptions. Red team exercises expose blind spots and demonstrate how attackers misuse what you trust. Security isn’t theory, it’s what works under pressure. Proactive teams learn from threat actor playbooks and adapt accordingly.
For executives, the message is simple. Proactive security isn’t about buying more tools. It’s about using the right tools to build an environment where malicious activity is easier to spot, harder to execute, and faster to shut down. That takes leadership alignment, good telemetry, and continuous discipline at every layer of operations. That’s where security becomes a competitive advantage.
Key takeaways for decision-makers
- LOTL attacks dominate modern intrusions: These attacks now account for the majority of breaches, leveraging trusted tools like PowerShell and RDP to silently bypass detection. Leaders should invest in visibility and behavior-based detection to address threats that don’t rely on malware.
- Trusted tools are becoming attack vectors: Core IT utilities used daily by admins are also being exploited by attackers, making traditional blocking approaches unfeasible. Executives should enforce granular controls and logging on these tools without disrupting operations.
- Credential-based threats outpace legacy defenses: With 79% of attacks now malware-free and using valid credentials, signature-based detection is largely ineffective. Security teams must pivot to identity monitoring, real-time behavior analysis, and rapid containment strategies.
- Zero trust and microsegmentation are foundational: Isolated security measures are not enough; integrated, zero-trust architectures reduce exposure and limit attacker movement. Leaders should prioritize least-privilege access, access verification, and secure network zoning.
- Security must be proactive and context-driven: Legacy alert fatigue hides real threats that mimic routine activity. Decision-makers should mandate full environment baselining, tool integration, and frequent red team testing to promote a preventive security posture.