How to protect your business from living off the land attacks
A greater focus on identity management and incident response is key for businesses as attackers adopt this new methodology
Cyber attacks are typically associated with data theft and extortion, but another threat can cause just as much damage. As geopolitical tensions rise across the globe, state-sponsored adversaries are preferring to hide in systems, going unnoticed for months or years after the initial compromise.
To perform these so-called living off the land (LotL) attacks, attackers are weaponizing legitimate software and infrastructure to lie in wait. This trend is seeing tactics shift away from data breaches to more sophisticated espionage and disruptive operations, according to a new report from Cloudflare.
Why are LotL attacks growing right now, and how should firms respond to this threat?
Living off the land attacks: long-term campaigns
Cyber attacks usually take advantage of security weaknesses. However, living off the land attacks are different: They are growing in response to organizations strengthening their overall cybersecurity posture, Tony Fergusson, CISO in residence at Zscaler, tells ITPro. “Organizations have made significant progress in their ability to detect threats and patch systems more effectively. Consequently, adversaries are being forced to be more stealthy to exploit data, and they’re doing this by leveraging legitimate tools and processes.”
With living off the land attacks, attackers deliberately avoid drawing attention to themselves by using existing and trusted tools and websites, rather than exploiting a zero-day flaw or introducing malware, says Fergusson. “They stay under the radar, blending in seamlessly with legitimate user activity, and mimic everyday operations so their presence goes unnoticed.”
Cloudflare’s 2026 threat report describes a shift away from brute force entry towards high-trust exploitation, with adversaries actively targeting legitimate SaaS, IaaS, and PaaS tools such as Google Calendar, Dropbox and GitHub to camouflage malicious actions within normal enterprise activity.
This isn’t surprising, says Razvan Ionescu, head of offensive security services at Pentest-Tools.com. He describes how his team “consistently finds that organizations have invested heavily in signature-based detection and perimeter controls”. Yet the monitoring of legitimate administrative tooling, endpoint management platforms, cloud management consoles and scripting environments “remains thin”.
State-sponsored and highly-targeted
Living off the land attacks suit a certain type of adversary. The technique is especially attractive to “state-sponsored and highly-targeted threat actors”, according to Dana Simberkoff, chief risk, privacy and information security officer at AvePoint.
Rather than seeking immediate financial gain, attackers are aiming for espionage, strategic positioning and in some cases, preparation for future disruption. “Living off the land tactics allow these adversaries to maintain access over long periods without drawing attention,” Simberkoff explains.
Living off the land attacks allow nation states to collect strategic intelligence across diplomatic, military, economic, or technological targets, says Tracey Hannan-Jones, consulting director for information security at UBDS Digital. “By using pre-positioning, attackers gain access to critical systems, so disruption can be triggered during geopolitical tensions.”
Supply chain attacks, in which adversaries compromise vendors to reach downstream targets, are “easy leverage”, warns Hannan-Jones.
Cloudflare’s report tracked four primary nation state adversaries over the past year: Russia, China, North Korea, and Iran. Each group approaches living off the land attacks differently based on its operational goals, Ionescu tells ITPro.
For example, China appears to have shifted from bulk data theft towards targeting legitimate cloud infrastructure for longer-term pre-positioning, with groups such as FrumpyToad using Google Calendar for command-and-control communication.
“The goal is to create a resilient architecture that remains nearly invisible to standard perimeter defences,” says Ionescu. “Rather than trying to exfiltrate data today, these attackers are establishing persistent footholds now to use during a future geopolitical event.”
Living off the land attacks: businesses most at risk
Certain businesses are more at risk from living off the land attacks than others – especially in critical sectors and those holding data valuable to nation state adversaries.
Organizations with complex digital environments are particularly exposed, says Simberkoff. “Cloud-first enterprises, regulated industries, critical infrastructure providers and companies embedded in large supply chains are at risk.”
The more identities, integrations and third party connections an organization has, the more opportunity attackers have to hide, warns Simberkoff. “Risk also increases for organizations that are strategically interesting to nation state actors, whether because of the data they hold or the role they play in a broader ecosystem.”
Government and defense are prime targets for living off the land attacks. “State actors look at pursuing intelligence and influence, accessing and stealing sensitive data, policy insight and information of geopolitical value, so they can use it against them,” says Hannan-Jones.
Stealthy with technology
Rapidly developing technology such as AI is adding to the risk, allowing attackers to perform increasingly stealthy attacks.
The current shift is subtle. AI is making attacks “more refined”, says Simberkoff. “Instead of fully autonomous attacks, we’re seeing AI used to support reconnaissance, targeting and decision making. This helps attackers understand environments faster and choose techniques that look the most legitimate.”
The result is activity that increasingly resembles normal administrative behavior, which makes detection much more difficult, she warns.
Attackers can use AI to rapidly analyze public information such as organization charts, job postings, technical blogs, vendor documentation and leaked credentials, and infer likely tech stacks and access paths, according to Hannan-Jones. “This improves the precision of initial access attempts and reduces the need for noisy trial-and-error.”
How to protect your business from living off the land attacks
Living off the land attacks are a concern, but there are some steps firms can take to boost their security.
Rather than trying to prevent compromise entirely, Simberkoff recommends focusing on “detecting misuse and limiting impact”. She advocates strong identity governance, least privilege access and “detailed logging of administrative activity”.
Ionescu underscores the importance of “understanding your own blast radius”. “Before asking what you’d detect, ask what an attacker with compromised admin credentials to your endpoint management platform, your identity provider or your cloud management console could do,” Ionescu advises. “Most organizations haven’t mapped that explicitly.”
The second priority is closing the gap between “what your monitoring covers” and “where attackers actually operate”, says Ionescu. “Effective reconnaissance from an attacker’s perspective focuses on maintaining OPSEC and blending into normal traffic patterns and avoiding detection at the earliest stages of the kill chain. Your detection logic needs to match that: Anomaly detection on administrative actions, not just signature matching on known bad payloads.”
Robust incident response is also key. Protecting your firm from living off the land attacks requires building operational playbooks for “quiet compromise”, says Hannan-Jones. “Many organizations will have playbooks for ransomware, but very few are prepared for stealthy pre-positioning. Define what ‘suspicious admin activity’ looks like in your environment and create response runbooks for identity compromise, token theft and privileged account misuse.”
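The advice above comes down to one detection pattern: build a baseline of what each administrative identity normally does, then alert on deviations from it rather than on known-bad payloads. The following is an added example, not code from the article or from any of the vendors quoted in it. It builds a per-identity baseline (actions, source networks, active hours) from a window of constructed audit-log events and then scores later events, flagging a new source network, an unusual hour, an action that identity has never performed, and a burst of privileged actions. The event field names, the set of privileged actions and all sample events are assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection for administrative actions.

Added example (not from the article). Builds a per-identity baseline from
constructed audit-log events, then flags later admin actions that deviate
from it. Field names, the privileged-action set and every sample event are
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Assumed: actions that grant or extend access and therefore deserve burst detection.
PRIVILEGED_ACTIONS = {"RoleAssignmentCreated", "TokenIssued", "MfaDisabled"}

# Constructed baseline window: two weeks of ordinary admin activity.
BASELINE_EVENTS = [
    {"ts": "2026-02-02T09:12:00Z", "principal": "alice.admin", "action": "PolicyUpdated", "src_ip": "10.20.5.14"},
    {"ts": "2026-02-03T14:40:00Z", "principal": "alice.admin", "action": "ScriptDeployed", "src_ip": "10.20.5.21"},
    {"ts": "2026-02-05T16:05:00Z", "principal": "alice.admin", "action": "PolicyUpdated", "src_ip": "10.20.5.14"},
    {"ts": "2026-02-09T10:30:00Z", "principal": "alice.admin", "action": "ScriptDeployed", "src_ip": "10.20.5.30"},
    {"ts": "2026-02-02T02:00:00Z", "principal": "svc-endpoint-mgmt", "action": "ScriptDeployed", "src_ip": "10.30.0.7"},
    {"ts": "2026-02-03T02:00:00Z", "principal": "svc-endpoint-mgmt", "action": "ScriptDeployed", "src_ip": "10.30.0.7"},
    {"ts": "2026-02-04T03:00:00Z", "principal": "svc-endpoint-mgmt", "action": "ScriptDeployed", "src_ip": "10.30.0.7"},
]

# Constructed events to score: one normal day for each identity, plus a quiet
# identity-compromise sequence and a management service doing something new.
NEW_EVENTS = [
    {"ts": "2026-02-16T10:15:00Z", "principal": "alice.admin", "action": "PolicyUpdated", "src_ip": "10.20.5.14"},
    {"ts": "2026-02-16T23:41:00Z", "principal": "alice.admin", "action": "TokenIssued", "src_ip": "203.0.113.45"},
    {"ts": "2026-02-16T23:43:00Z", "principal": "alice.admin", "action": "RoleAssignmentCreated", "src_ip": "203.0.113.45"},
    {"ts": "2026-02-16T23:46:00Z", "principal": "alice.admin", "action": "MfaDisabled", "src_ip": "203.0.113.45"},
    {"ts": "2026-02-17T02:00:00Z", "principal": "svc-endpoint-mgmt", "action": "ScriptDeployed", "src_ip": "10.30.0.7"},
    {"ts": "2026-02-17T02:05:00Z", "principal": "svc-endpoint-mgmt", "action": "ScriptDeployed", "src_ip": "10.30.0.7"},
    {"ts": "2026-02-17T02:10:00Z", "principal": "svc-endpoint-mgmt", "action": "PolicyUpdated", "src_ip": "10.30.0.7"},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def network_of(ip: str) -> str:
    """Collapse a source address to its /24 so DHCP churn inside one range is not an anomaly."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per-identity sets of actions, source networks and UTC hours seen in the baseline window."""
    baseline = defaultdict(lambda: {"actions": set(), "networks": set(), "hours": set()})
    for e in events:
        b = baseline[e["principal"]]
        b["actions"].add(e["action"])
        b["networks"].add(network_of(e["src_ip"]))
        b["hours"].add(parse_ts(e["ts"]).hour)
    return baseline


def detect(events, baseline, burst_limit=3, burst_window_s=600):
    """Score events against the baseline; return one alert per deviating event with its reasons."""
    alerts = []
    recent_priv = defaultdict(list)  # principal -> timestamps of recent privileged actions
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        who, ts = e["principal"], parse_ts(e["ts"])
        b = baseline.get(who)
        reasons = []
        if b is None:
            reasons.append("no baseline for identity")
        else:
            if network_of(e["src_ip"]) not in b["networks"]:
                reasons.append("new source network")
            if ts.hour not in b["hours"]:
                reasons.append("unusual hour")
            if e["action"] not in b["actions"]:
                reasons.append("action never seen for identity")
        if e["action"] in PRIVILEGED_ACTIONS:
            # Keep only privileged actions inside the sliding window, then check the count.
            window = [t for t in recent_priv[who] if (ts - t).total_seconds() <= burst_window_s]
            window.append(ts)
            recent_priv[who] = window
            if len(window) >= burst_limit:
                reasons.append("burst of privileged actions")
        if reasons:
            alerts.append({"principal": who, "action": e["action"], "ts": e["ts"], "reasons": reasons})
    return alerts


def run_example():
    """Build the baseline from the constructed window and score the constructed new events."""
    return detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert['ts']} {alert['principal']:<18} {alert['action']:<22} {', '.join(alert['reasons'])}")
```

Run as-is it prints four alerts: the three late-night privileged actions by alice.admin from a network never seen before (the third also trips the burst rule), and a PolicyUpdated by the endpoint-management service account, which is exactly the kind of trusted tooling the article says is rarely monitored. The routine daytime policy change and the nightly script deployments produce nothing, which is the point of baselining per identity rather than matching signatures: the same action is normal for one account and suspicious for another. Each alert's reason list maps directly onto the runbooks Hannan-Jones describes, so "new source network" plus "action never seen" on an admin identity can route to the identity-compromise playbook rather than a generic malware one.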
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.