Why EDR Evasion is the New Threat Standard

Is your endpoint security stopping attacks, or are threat actors simply working around it?

Recent analysis of transnational threat actor patterns suggests a shift in the landscape. Sophisticated groups like Qilin no longer focus on ‘breaking’ security software. Instead, they exploit structural gaps in how that software is managed and monitored.

Emerging data from public sector intrusion trends shows that the primary vulnerability is a lack of custom tuning. Attackers now seek out environments where security is outsourced to third parties. They bet that ‘standard’ configurations will fail to flag legitimate tools used for malicious ends.

By weaponizing the software your IT team uses daily, these actors move across valid user sessions without triggering an alert.

Quick Facts: The Evolved Attack Landscape

  • Standardized Evasion: Roughly 48% of recent ransomware attacks successfully avoided or disabled Endpoint Detection and Response (EDR).
  • The Target: Attackers prioritize outsourced networks where standard configurations create predictable blind spots.
  • Dwell Time: Attackers targeting the public sector favor slow data theft over immediate damage. Their ability to bypass EDR allows them to enjoy longer dwell times inside breached networks.
  • Weaponized Trust: Groups like Qilin and Play abuse legitimate remote management tools and ‘greyware’ (programs that are not always recognizable as malware) to stay under the radar.
  • Invisible Persistence: Actors use Living off the Land (LotL) tactics to maintain access without custom malware.
  • Industrialized Tools: Organized groups now monetize the threat by developing and selling custom EDR bypass tools to other criminals.

Let’s look at this landscape in more detail.

The Security Dilemma: Why do attackers target networks where EDR is managed by a third party?

Outsourcing security operations to a managed provider is often the best choice for smaller organizations. However, contracting out to a third party comes with its own risks. Some service providers lack the resources to tune telemetry to the unique behavior of every client, so every client ends up with the same configuration. This creates a predictable landscape in which attackers operate in known blind spots.

The same analysis of transnational threat actor patterns shows that groups like Qilin exploit this lack of customization to blend in with legitimate traffic. If detection rules are not regularly updated with current telemetry to catch EDR-defeat tools (specialized software or scripts designed to blind, disable, or bypass endpoint security agents), a static defense becomes a roadmap for the adversary, who can expect the same blind spots in every network running the same default configuration.

A well-tuned EDR acts as a custom sensor, using client-specific rules to flag anomalies like quiet process hollowing or benign-looking implants that default settings ignore. The problem compounds when the alerts that do fire are routed to a third party and never reach the victim organization, so the intrusion continues unnoticed. Together, these deficits increase the risk of ‘quiet’ post-exploitation, where attackers maintain a presence without triggering an alarm.
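To make the tuning gap concrete, here is an added example (not Lumu's code, and not a real EDR rule set) that runs the same constructed Sysmon-style events through a ‘standard’ rule set, which only knows known-bad file hashes, and through one tuned with a client-specific baseline: which remote-management binaries the client actually uses, which accounts and hosts may run them, and which kernel drivers were present during a clean baseline window. Host names, account names, hashes and the baseline itself are assumptions made for the illustration.

```python
"""Added example (not Lumu's code): a 'standard' EDR rule set beside one
tuned to a specific client, run over the same constructed telemetry.

Everything here is an assumption made for illustration: the Sysmon-style
events, host and account names, the placeholder hashes (not real file
hashes) and the client baseline."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Event:
    kind: str       # "process" (process creation) or "driver" (driver load)
    host: str
    user: str
    image: str      # full path of the executable or driver
    sha256: str     # placeholder hash, constructed for the example
    parent: str = ""


def image_name(ev: Event) -> str:
    """Basename of the image, lower-cased, for path-independent matching."""
    return ev.image.lower().rsplit("\\", 1)[-1]


# --- "Standard" configuration: only indicators the vendor ships -------------
KNOWN_BAD_HASHES = {"h-known-ransomware-01"}   # constructed; nothing below matches


def generic_rules(ev: Event) -> list[str]:
    """Flags only files already known to be malicious. Legitimate RMM tools
    and signed-but-vulnerable drivers never match."""
    return ["known-bad-hash"] if ev.sha256 in KNOWN_BAD_HASHES else []


# --- Tuned configuration: what is normal for *this* client -------------------
@dataclass
class Baseline:
    rmm_images: set[str]      # remote-management binaries the client uses
    helpdesk_users: set[str]  # accounts allowed to launch them
    jump_hosts: set[str]      # hosts they are allowed to run on
    driver_hashes: set[str]   # every driver seen during a clean baseline window


def tuned_rules(ev: Event, bl: Baseline) -> list[str]:
    """Flags legitimate tools used outside the context the client expects."""
    alerts: list[str] = []
    name = image_name(ev)
    if ev.kind == "process" and name in bl.rmm_images:
        if ev.user not in bl.helpdesk_users:
            alerts.append(f"rmm-unexpected-user:{name}:{ev.user}")
        if ev.host not in bl.jump_hosts:
            alerts.append(f"rmm-unexpected-host:{name}:{ev.host}")
    if ev.kind == "driver" and ev.sha256 not in bl.driver_hashes:
        # A driver this host has never loaded before: the shape of a
        # signed-but-vulnerable driver brought in to disable the agent.
        alerts.append(f"driver-outside-baseline:{name}")
    return alerts


def run(events, rules) -> list[tuple[str, str]]:
    """Applies a rule function to every event; returns (host, alert) pairs."""
    return [(ev.host, a) for ev in events for a in rules(ev)]


# Constructed telemetry: one legitimate helpdesk session, one RMM launch from
# a finance workstation by a non-helpdesk account, one unknown driver load on
# that same workstation, and ordinary user activity.
SAMPLE_EVENTS = [
    Event("process", "HD-JUMP01", "CORP\\helpdesk1",
          r"C:\Program Files\AnyDesk\AnyDesk.exe", "h-anydesk-01", "explorer.exe"),
    Event("process", "FIN-WS17", "CORP\\j.doe",
          r"C:\Users\j.doe\AppData\Local\Temp\AnyDesk.exe", "h-anydesk-01", "cmd.exe"),
    Event("driver", "FIN-WS17", "NT AUTHORITY\\SYSTEM",
          r"C:\Windows\Temp\vendor_util.sys", "h-drv-unknown"),
    Event("process", "FIN-WS17", "CORP\\j.doe",
          r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "h-excel-01", "explorer.exe"),
]

BASELINE = Baseline(
    rmm_images={"anydesk.exe"},
    helpdesk_users={"CORP\\helpdesk1", "CORP\\helpdesk2"},
    jump_hosts={"HD-JUMP01"},
    driver_hashes={"h-drv-disk", "h-drv-net", "h-drv-gpu"},
)


def evaluate(events=SAMPLE_EVENTS, baseline=BASELINE):
    """Returns (alerts from the standard rules, alerts from the tuned rules)."""
    return run(events, generic_rules), run(events, lambda e: tuned_rules(e, baseline))


if __name__ == "__main__":
    generic, tuned = evaluate()
    print("standard rules:", generic)
    print("tuned rules   :", tuned)
```

The standard set returns nothing, because every file involved is a legitimate, signed tool. The tuned set flags the remote-management binary launched by a finance user on a workstation and a driver load that matches nothing in the host's baseline. That is the difference between a deployment that knows what ‘normal’ looks like for this client and one that does not; maintaining that baseline is the work a provider has to budget for per client.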

Dwell Time: Why do attackers stay in public sector networks longer than corporate ones?

Recent data from public sector intrusion trends shows a shift toward Dwell and Extract strategies. In corporate environments, the goal is often immediate encryption for a payout. In the public sector, the data itself (such as sensitive PII or strategic communications) is the primary prize.

Attackers maintain a low profile for months to map networks and identify strategic assets. This patience allows them to establish redundant access points and reach backups before they are detected.

Data from the public sector highlights instances where actors remained hidden for over sixty days, waiting for a specific window, such as a large bill coming due, to commit million-dollar frauds.

Living off the Land: How do threat actors remain undetected while moving through a network?

Threat actors have shifted away from custom malware toward a standardized method of using legitimate administrative tools. This Living off the Land (LotL) approach allows them to blend in with your IT team’s daily operations. By using authorized software, attackers avoid triggering traditional signature-based alerts.

For high-impact groups, this methodology has become a core, repeatable business process rather than a series of one-off tricks. More than a dozen ransomware groups now ship kernel-level EDR-defeat tools alongside their payloads to blind security agents from the inside.

The analysis of transnational threat actor patterns also shows that attackers frequently deploy legitimate remote management software, such as AnyDesk and ScreenConnect, to keep remote access that EDR has no reason to flag, because the tool itself is trusted software.

Groups like Qilin harvest credentials and tokens to move between valid user sessions, sidestepping Multi-Factor Authentication (MFA) by replaying session tokens that were issued after a legitimate user had already completed MFA.

These actors also use the Bring Your Own Vulnerable Driver (BYOVD) technique: they load a legitimately signed but vulnerable driver and use it to disable defense mechanisms at the kernel level. By relying on weak internal security hygiene, such as default admin credentials, they maintain persistence without introducing a single piece of custom malware.
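The token replay described above leaves no failed MFA prompt to alert on, because the attacker never logs in: they reuse a session token that was issued after the real user completed MFA. The following added example (not from the original post; the log format, field names, session ids and RFC 5737 addresses are all constructed) tracks where each MFA-backed session was issued and flags a session id that later reappears from a different source address with a different client, which is what a replayed cookie or bearer token typically looks like in proxy or IdP logs.

```python
"""Added example (not from the original post): flagging a replayed session
token in access logs.

The log lines, field names, session ids and addresses (RFC 5737 ranges) are
constructed for this example; adapt the parser to your proxy or IdP format."""
from __future__ import annotations
import shlex
from datetime import datetime

# Constructed log lines: a.smith logs in with MFA from a Windows browser, then
# the same session id starts arriving from another address with a scripted
# client. b.jones is normal. c.lee presents a session id that no logged login
# ever issued.
LOG_LINES = [
    '2025-03-04T09:00:12Z user=a.smith event=login mfa=ok sid=s-7f3a ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-04T09:05:40Z user=a.smith event=request sid=s-7f3a ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-04T09:41:03Z user=a.smith event=request sid=s-7f3a ip=198.51.100.77 ua="python-requests/2.31.0"',
    '2025-03-04T09:42:10Z user=a.smith event=request sid=s-7f3a ip=198.51.100.77 ua="python-requests/2.31.0"',
    '2025-03-04T10:02:55Z user=b.jones event=login mfa=ok sid=s-19c4 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh)"',
    '2025-03-04T10:10:01Z user=b.jones event=request sid=s-19c4 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh)"',
    '2025-03-04T10:30:00Z user=c.lee event=request sid=s-ffff ip=203.0.113.99 ua="curl/8.4.0"',
]


def parse(line: str) -> dict:
    """A timestamp followed by key=value fields; values may be quoted."""
    ts, *fields = shlex.split(line)
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_replays(lines) -> list[dict]:
    """Records where each MFA-backed session was issued and flags requests that
    present the same session id from a different address and a different
    client. A login-centric MFA rule never sees these: no login occurs."""
    origin: dict[str, dict] = {}    # sid -> the login record that issued it
    reported: set[tuple] = set()    # one alert per new (session, source) pair
    alerts: list[dict] = []
    for rec in map(parse, lines):
        sid = rec["sid"]
        if rec["event"] == "login" and rec.get("mfa") == "ok":
            origin[sid] = rec
            continue
        first = origin.get(sid)
        if first is None:
            reason = "session-without-login"      # never issued by a logged MFA login
        elif rec["ip"] != first["ip"] and rec["ua"] != first["ua"]:
            reason = "token-replay-suspected"
        elif rec["ip"] != first["ip"]:
            reason = "ip-change"                  # weaker: roaming or NAT can cause it
        else:
            continue
        key = (sid, rec["ip"], rec["ua"], reason)
        if key in reported:
            continue
        reported.add(key)
        alerts.append({
            "sid": sid,
            "user": rec["user"],
            "reason": reason,
            "ip": rec["ip"],
            "ua": rec["ua"],
            "minutes_since_login": (
                round((rec["ts"] - first["ts"]).total_seconds() / 60) if first else None
            ),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_replays(LOG_LINES):
        print(alert)
```

Over the constructed lines this produces two alerts: the a.smith session replayed from 198.51.100.77 about 41 minutes after the MFA login, and the c.lee session id that was never issued. If your proxy or IdP also logs a device identifier or TLS fingerprint, add it to the comparison; shorter token lifetimes and binding tokens to the device reduce the replay window, but neither is something a detection rule can provide on its own.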

How can organizations defend against an adversary that mimics their own IT team?

The industrialization of stealth means that simply having security tools is no longer enough. Threat actors have adapted to defeat standard EDR by exploiting management gaps and weaponizing trusted credentials.

Relying on your perimeter defenses provides a false sense of security. True resilience comes from deep visibility into your network, enough to distinguish legitimate admin activity from quiet post-exploitation.

In a landscape where evasion is a commodity, the best defense is an environment that is too well-tuned to hide in.

See how Lumu can help you gain complete visibility into your network 24/7: register for a live demo today.
