Federal government organizations must double down efforts to combat ‘living off the land’ attacks

LotL attacks represent a new frontier in cybersecurity, where adversaries use trusted system tools to carry out malicious activities.

In today’s cybersecurity landscape, a growing threat known as “Living off the Land” (LotL) attacks is increasingly targeting federal organizations. These attacks are particularly dangerous because they exploit legitimate system tools and administrative processes to execute malicious activities, blending seamlessly into the normal operations of an organization. Unlike traditional cyberattacks that deploy custom malware or exploit known software vulnerabilities, LotL attacks are stealthy, relying on trusted, native tools already present within the system.

As federal agencies continue to modernize their IT infrastructures and expand their use of hybrid cloud environments, automation frameworks and other digital transformation strategies, the attack surface for LotL techniques grows. The result is a more complex cybersecurity environment that is harder to monitor and secure.

Federal agencies are a growing target

While any organization is vulnerable to LotL attacks, federal agencies are particularly at risk. Government institutions manage highly sensitive data, control critical infrastructure and support national security initiatives. Adversaries targeting federal agencies understand that it is not practical to disable system tools that are integral to the functioning of government operations. Instead, attackers focus on exploiting these trusted tools to bypass traditional detection systems and gain unauthorized access to critical systems.

Recent examples of advanced persistent threat (APT) actors, such as the Salt Typhoon group, demonstrate how sophisticated adversaries can persist in government networks using nothing more than system-native capabilities. These attackers can operate undetected for months, mimicking the behavior of legitimate administrators and avoiding triggering security alerts. This tactic is particularly troubling because it can lead to prolonged exposure and an increased risk of data breaches, as these adversaries can exfiltrate data while blending in with normal administrative processes.

The use of LotL techniques is not confined to state-sponsored actors. Criminal organizations and other malicious groups have adopted similar tactics to achieve their goals. The increased reliance on hybrid cloud environments further exacerbates the problem, as the number of endpoints, identities and trust relationships increases, providing more opportunities for attackers to exploit.

The challenges of detecting LotL attacks

One of the most significant challenges with LotL attacks is detection. Traditional cybersecurity tools, such as intrusion detection systems (IDS), rely heavily on identifying known malware signatures or patterns of unusual network traffic. However, because LotL attacks use trusted system tools that are already a part of the network’s normal operations, they are difficult to distinguish from legitimate administrative activities. This results in an elevated risk of false positives and the potential for missed signals, particularly in environments with complex IT infrastructures.

In federal organizations, where network environments are often sprawling and include a mix of legacy systems, cloud resources and new technologies, this challenge is even more pronounced. The integration of cloud services, for instance, creates visibility gaps between on-premise and cloud-based resources, giving attackers the opportunity to exploit these gaps before defenders can react.

Moreover, the rise of artificial intelligence-driven tools and large language models further lowers the barrier for attackers. These models enable the rapid generation and modification of automation scripts, which means even less technically skilled adversaries can leverage LotL techniques. As a result, the threat landscape is expanding, and federal agencies must prepare for a broader range of actors who are capable of carrying out these stealthy attacks.

Four strategies agencies can adopt to mitigate LotL attacks

Given the sophisticated nature of LotL attacks and their reliance on legitimate administrative tools, traditional security measures alone are insufficient. Federal agencies must implement a multifaceted approach to protect their systems and networks from these persistent threats. Here are several best practices that can help mitigate the risk of LotL attacks:

  • Harden system tools without disrupting operations

The first step in defending against LotL attacks is to harden the tools that are commonly targeted by attackers. This requires careful management to avoid disrupting essential operations. One effective strategy is to tighten the controls on how and when administrative tools can be executed. This includes enforcing strict access control policies, ensuring scripts are signed and authenticated, and applying the principle of least privilege to limit unnecessary access.

Additionally, disciplined configuration management is crucial. Many successful LotL attacks take advantage of misconfigurations, so regular audits of system settings, administrative permissions, and automation workflows are essential to identifying potential vulnerabilities.

  • Implement continuous behavioral monitoring

Because LotL attacks blend in with normal system activity, continuous behavioral monitoring is vital. Agencies must focus on understanding how and why a tool is being used. For example, a PowerShell command executed by an account at an unusual time could indicate malicious activity, even if it doesn’t raise traditional red flags. Security operations teams should monitor the context of these actions, looking for patterns of behavior that suggest lateral movement, command and control communications, privilege escalation or data exfiltration.

Continuous monitoring should also extend across hybrid environments. Visibility gaps between on-premise systems and cloud resources can provide attackers with the perfect opportunity to move undetected, so consolidated telemetry across all platforms is essential.

  • Empower security operations centers (SOCs) to hunt proactively

Despite strong hardening and monitoring controls, LotL attacks often evade purely reactive defenses. To stay ahead of these attacks, federal agencies should empower their SOC teams to proactively hunt for subtle signals of malicious intent. Effective hunting involves looking for goal-oriented patterns, such as repeated use of credentials across multiple systems or the creation of access paths that facilitate future intrusions.

This proactive approach requires SOC analysts and their detection software to have a deep understanding of the organization’s operational workflows. The ability to differentiate between normal activities and abnormal behaviors is crucial for identifying potential LotL attacks early. An AI SOC or related open source project can be helpful in automating and accelerating these threat hunts, and in some cases may be able to go from a definition of tactics, techniques and procedures (TTPs) from a threat intelligence source to a set of workflows to execute the threat hunt and to present initial results to human analysts.

  • Adopt a zero trust model

In a world increasingly defined by LotL attacks, the traditional perimeter-based security model is no longer sufficient. Instead, federal agencies should adopt a zero trust approach that assumes that adversaries could already be inside the network. Zero trust focuses on verifying every request for access based on the identity, context and behavior associated with it, rather than trusting anyone or any system by default.

Zero trust should extend beyond authentication events and enforcement points to include all systems, tools and network interactions. By focusing on behavior and intent, rather than merely tools or signatures, agencies can better identify and mitigate the risks posed by LotL attacks.

Federal government organizations must stay vigilant

LotL attacks represent a new frontier in cybersecurity, where adversaries use trusted system tools to carry out malicious activities. Federal organizations, with their complex and diverse IT environments, are particularly vulnerable to these stealthy attacks. To effectively defend against LotL techniques, agencies must focus on hardening their native system tools, implementing continuous monitoring with a focus on behavior, and empowering SOC teams to proactively hunt for malicious activity. By adapting to the evolving threat landscape with a zero trust strategy, federal agencies can better protect their critical systems and data from the growing risk of LotL attacks.

In this evolving cybersecurity landscape, the threat posed by LotL attacks requires a shift in how federal agencies approach security. It is no longer enough to trust system tools simply because they are integral to operations. Agencies must continuously monitor these tools, understand their behavior, and act swiftly to address any signs of malicious intent. Only then can they hope to stay one step ahead of the adversaries who seek to exploit these trusted mechanisms.

Evan Powell is CEO of DeepTempo.

Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Telecommunication satellite providing global internet network and high speed data communication above Europe. Satellite in space, low Earth orbit. Worldwide data communication technology.

    Satellites are America’s invisible lifeline. Congress must secure them now.

    Read more
    Getty Images/iStockphoto/gorodenkoffTeam of young professionals doing code programming

    Enough is enough: Let talent dictate technology

    Read more