Sponsored by Bitdefender
Time to Pivot: Shrinking the attack surface in the age of trusted tool abuse
Cybercriminals are increasingly using legitimate tools to evade detection, a tactic known as Living Off the Land (LOTL)

Threat actors are constantly modifying attack techniques to breach organizations while flying under the radar. Today, cybercriminals have shifted away from malware-based attacks to a method that leverages legitimate tools, binaries, and applications already present in the environment to blend with “normal” activities. This is called Living Off the Land (LOTL) and is extremely hard to detect.
This shift is driving a rapid evolution of cybersecurity. If we want to stay ahead of cybercriminals, the industry needs an equally rapid paradigm shift in how it approaches the attack surface.
Then: When attacks were easier to spot
A few years ago, most cyberattacks relied on malware and purpose-built tools introduced into the environment, and these methods were easier to detect. They stood out because they behaved differently from normal activity, triggering alerts in traditional endpoint detection and response (EDR) and extended detection and response (XDR) platforms.
As artificial intelligence (AI) and machine learning (ML) advanced, detection rates improved significantly, delivering strong outcomes for organizations and creating real value for partners offering these technologies. At the time, it was a major leap forward in cyber defence, but attackers evolved.
Now: Modern cyberattacks leveraging legitimate tools
More than 70% of modern cyberattacks now leverage legitimate tools and binaries to blend in with daily activities, according to statistics from Bitdefender and industry research. Leveraging legitimate tools can make it possible for attackers to spend considerable time (weeks or months) in a breached network and remain completely undetected. Often, organizations only discover this has happened after the final stage of the attack has been executed. This tactic is very successful.
The UK Government announced recently in “The Cyber Security Breaches Survey 2025” that approximately 612,000 UK businesses identified a cyber breach or attack in the past year.
So what tools are attackers using today?
Increasingly, cybercriminals are exploiting legitimate administrative tools that are already present in most environments, such as PowerShell. These tools often go unused by the average employee but remain accessible across endpoints and servers.
This creates two key problems: an unnecessarily broad attack surface and a lack of visibility in areas where IT and DevOps teams have grown overly reliant on these tools for automation or management. The result? Attackers can move through environments undetected by blending in with routine activity.
Current approaches are challenged
Regardless of which legitimate tools attackers abuse, the fact that threat actors are doing this so often serves as evidence that current approaches to the problem are being seriously challenged.
For example, “allow” and “block” listings have long been used to limit the attack surface. But in today’s complex environments, maintaining them is an enormous drain on time, and nearly impossible to do well as roles, tools, and employees constantly change.
And while application control tools showed promise for taming the attack surface, that hope has faded. Most of these controls utilize static, blanket policies. The result can be unmanageable: Restrict too much, and you frustrate users while reducing productivity. Restrict too little, and you leave the door open for LOTL attacks that abuse common tools.
There is a silver lining to all of this, however. There is an opportunity to shift the cybersecurity paradigm to meet the moment.
Focus forward: The attack surface and AI
With threat actors moving away from attacks that are more easily detected by traditional EDR/XDR solutions and toward attacks that abuse the more than 200 legitimate binaries present in most environments, there is a new imperative to shrink the attack surface in a new way. This approach is no longer a “nice to have”; it’s a “must do” to help the organizations we serve.
We recently launched GravityZone Proactive Hardening and Attack Surface Reduction (PHASR), the industry’s first endpoint security solution to dynamically tailor hardening for each user. This technology ensures that security configurations align precisely with user-intended privileges and behaviors and continuously adapt to shrink attack surfaces.
Vendors and their partners who embrace this focus will stand out for their ability to greatly reduce LOTL attacks and shrink the possibilities for threat actors who have pivoted in that direction. PHASR restricts access to living-off-the-land binaries (LOLBins) before exploitation, reducing data breach risks, alert fatigue, and security costs.
5 Pivots to make for security’s future
Here are five things to consider around a paradigm shift in security.
It’s time to admit that a “one size fits most” approach to managing the attack surface of any organization leaves gaps that are unacceptably large, or it can disrupt productivity and innovation. By correlating user behaviors with active threat vectors and attacks, PHASR determines the optimal attack surface configuration, unique to each user, enabling organizations to minimize the attack surface without compromising operational efficiency.
We must put AI to work in a new way for defenders, focusing on the creation of tools that proactively harden the security posture of each organization, down to the level of the individual user. AI can help us baseline what’s normal and what’s not when it comes to the actions of legitimate tools. PHASR is built on years of advanced machine learning (ML) applied to users, groups, applications, and endpoints within GravityZone Extended Detection and Response.
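To make the contrast between a blanket policy and a per-user baseline concrete, here is an added illustration (not PHASR’s code or any Bitdefender implementation): it learns which dual-use admin binaries each user has actually run from constructed process-start events, then shows how a static allow-all or block-all rule and a per-user rule decide on new events. The tool list and event data are invented for the example.

```python
from collections import defaultdict

# Dual-use administrative binaries; a constructed short list, not an exhaustive LOLBin catalogue.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe", "mshta.exe"}

# Constructed process-start events (user, image) from a learning period; not real telemetry.
HISTORY = [
    ("alice", "powershell.exe"), ("alice", "powershell.exe"),
    ("bob", "excel.exe"), ("bob", "outlook.exe"),
    ("carol", "powershell.exe"), ("carol", "wmic.exe"),
]

# Constructed events arriving after the baseline was learned.
NEW_EVENTS = [
    ("alice", "powershell.exe"),  # IT admin doing routine work
    ("bob", "powershell.exe"),    # finance user never seen running it before
    ("carol", "certutil.exe"),    # DevOps user, but a tool outside her baseline
    ("bob", "excel.exe"),         # ordinary application, not an admin tool
]

def build_baseline(events):
    """Map each user to the admin tools observed in that user's own history."""
    baseline = defaultdict(set)
    for user, image in events:
        if image in ADMIN_TOOLS:
            baseline[user].add(image)
    return dict(baseline)

def blanket_decision(user, image, allow_admin_tools):
    """Static policy applied identically to everyone: admin tools are all allowed or all blocked."""
    if image not in ADMIN_TOOLS:
        return "allow"
    return "allow" if allow_admin_tools else "block"

def tailored_decision(baseline, user, image):
    """Per-user policy: an admin tool is allowed only for users who already use it;
    first use by anyone else is flagged for review rather than silently permitted."""
    if image not in ADMIN_TOOLS or image in baseline.get(user, set()):
        return "allow"
    return "flag"

def compare_policies(history, new_events):
    """Return each new event's decision under the three policies, keyed by (user, image)."""
    baseline = build_baseline(history)
    return {
        (u, i): {
            "blanket_allow": blanket_decision(u, i, True),
            "blanket_block": blanket_decision(u, i, False),
            "tailored": tailored_decision(baseline, u, i),
        }
        for u, i in new_events
    }

if __name__ == "__main__":
    for key, decisions in compare_policies(HISTORY, NEW_EVENTS).items():
        print(key, decisions)
```

Blocking admin tools for everyone stops Alice’s routine work, allowing them for everyone lets Bob’s first PowerShell launch pass unnoticed, while the per-user rule allows Alice and flags Bob and Carol’s out-of-baseline use for review.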
We need hardening and security configurations that evolve in real time. AI should help them adapt to the specific risk profile of each infrastructure component, each workload, and each business unit, self-adjusting as threat actors pivot while also reflecting how the business actually uses its tools.
It’s time to challenge threat actors, not just by detecting them, but also by reducing the opportunities they have inside each network and limiting exploitation of trusted tools. PHASR tailors defenses to each system, making it harder for attackers to reuse the same techniques across environments.
Vendors and partners that work together in this area have the opportunity, through PHASR, to shift the cybersecurity paradigm and help solve the long-standing cybersecurity problem of an unmanageable attack surface.
Are you ready to pivot to what’s next?
Threat actors regularly pivot, and so do cybersecurity vendors and partners. Let’s pivot again, this time focused squarely on identifying, analyzing, and automatically hardening or removing risky applications and reducing the overall attack surface of those we collectively serve.
Read more about GravityZone PHASR and how it redefines endpoint security here.
James Johnson is the regional director for Northern Europe and Middle East at Bitdefender. With 30 years of experience in cybersecurity and IT services, James has consistently driven growth and value in his roles.