
For years, cybersecurity has followed a familiar model: block malware and thwart attacks. Attackers have since moved on.
Threat actors now use malware less often, preferring what is already present in the environment. This includes abusing trusted tools, native binaries, and legitimate administrative utilities to move laterally, escalate privileges, and persist without raising alarms. Most organizations are unaware of this risk until the damage is done.
To get a picture of this challenge, consider our free Internal Attack Surface Assessment, a guided, low-friction way to see where your trusted tools are being used against you.
Let’s take a look at how this risk plays out within your environment, and at three reasons why attackers prefer to use your own tools against you.
1. Most attacks no longer look like attacks
Threat actors prefer attacks that don’t look like attacks.
A recent analysis of more than 700,000 high-severity incidents shows a clear shift: 84% of attacks used legitimate tools to evade detection. This is the essence of Living off the Land (LOTL).
Instead of dropping payloads that trigger alerts, attackers use built-in tools such as PowerShell, WMIC, and Certutil, the same tools IT teams use every day. Because these actions are part of normal operations, distinguishing legitimate use from malicious intent is very difficult.
The result is a dangerous blind spot. Security teams are no longer just looking for “bad files.” They are trying to interpret behavior, often in real time, under pressure, and without full context.
And by the time it becomes obvious that something is wrong, the attacker has already penetrated deep into the environment.
2. The attack surface is larger than you think, and largely unmanaged
Attackers look for unmanaged tools that are already present.
Consider a clean Windows 11 system.
It ships with hundreds of ready-to-use native binaries, many of which can be abused in LOTL attacks. These tools are trusted by default, built into the OS, and often required for legitimate tasks and application functionality.
This poses some fundamental challenges.
You can’t simply block these binaries without interrupting workflows. They are not easy to monitor without generating noise. And in most cases, you don’t know how widely accessible they are across your organization.
Analysis shows that up to 95% of access to dangerous tools is unnecessary. One factor is uncontrolled access to these tools. The other is that they expose their full functionality, including functions rarely used by IT departments but frequently used by attackers.
Every unnecessary privilege is a potential attack vector. And if the attacker does not need to introduce anything new, the defender is already at a disadvantage.
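One way to answer the question "how widely accessible are these tools?" is to read the execute ACLs on the native binaries themselves. The script below is an added example, not part of the original article or of the Bitdefender assessment; the binary list is assumed from the tools the article names, and the list of principals expected to hold execute rights is an assumed baseline you would adjust to your own environment.

```powershell
# Added example (not from the original article): report which identities hold
# execute rights on native Windows binaries commonly abused in LOTL attacks.
# Paths are assumed from the tools named in the article.
$NativeTools = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wbem\WMIC.exe",
    "$env:SystemRoot\System32\certutil.exe"
)

# Assumed baseline: principals for which execute access is expected.
# Any other identity with execute rights is flagged as broad access.
$ExpectedPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

function Get-NativeToolExposure {
    param([string[]]$Paths, [string[]]$Expected)

    $ExecuteBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

    foreach ($path in $Paths) {
        # WMIC is not present on every Windows 11 build; skip missing binaries.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            # Only Allow entries that include the execute right are relevant here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $ExecuteBit) -eq 0) { continue }

            [PSCustomObject]@{
                Tool      = Split-Path -Leaf $path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Broad     = ($Expected -notcontains $ace.IdentityReference.Value)
            }
        }
    }
}

Get-NativeToolExposure -Paths $NativeTools -Expected $ExpectedPrincipals |
    Sort-Object Tool, Identity |
    Format-Table -AutoSize
```

On a default installation the rows flagged Broad = True typically include BUILTIN\Users, which is exactly the gap the article describes: every standard user can already run these tools.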
3. Detection alone cannot keep up
Detection has become so effective that attackers are looking for ways around it.
EDR and XDR are important and highly effective at detecting malware and threats that stand out from normal activity. However, as threat actors turn legitimate tools to their advantage, detection depends increasingly on interpretation. Is that PowerShell command legitimate? Is that process expected to run?
Now add speed.
Modern attacks, increasingly aided by AI, are faster than teams can investigate. By the time suspicious behavior is observed, lateral movement and persistence may have already been established. Therefore, relying on detection alone is no longer sufficient.
What most teams lack: Visibility into the internal attack surface
If understanding the scope of your internal attack surface sounds like something worth investigating, you’re right. However, most teams lack the time or resources to map it in detail.
Which tools are accessible across your organization? Where is access excessive or unnecessary? How do these access patterns translate into actual attack paths?
Even when the risks are understood conceptually, they are difficult to prove and prioritize. That’s why this problem persists.
From reactive to proactive: start with insight
Bridging this gap doesn’t start with adding another tool. It starts with understanding your true risks.
Bitdefender’s free Internal Attack Surface Assessment gives you a clear, data-driven view of how exposed you are through trusted tools, so you can see the full extent of your internal attack surface. This guided assessment focuses on identifying unnecessary access, surfacing real risks, and providing prioritized recommendations without disrupting users or adding operational overhead.

See your environment like an attacker would
LOTL attacks are becoming the default. This means the most significant risks are the ones that already exist in your environment. The sooner you understand how attackers move through your systems using trusted tools, the sooner you can reduce those vectors and prevent successful attacks.
