## Your EDR Can't Save You From Yourself.

Let's be blunt. The era of chasing malware signatures is over. The joint advisory on 'Volt Typhoon' (AA24-038A) confirmed what many of us have seen in the trenches: our most sophisticated adversaries are no longer breaking in; they're logging in.

The Chinese state-sponsored group persisted within critical infrastructure networks for at least five years. Their primary tactic? 'Living off the land' (LOTL). They used valid credentials and the native tools already present in the IT environment—PowerShell, WMI, netsh—to conduct reconnaissance, move laterally, and maintain their foothold.

This is an evolution in tradecraft that renders many traditional security controls obsolete. When an attacker is using the same tools as your system administrators, how do you tell the difference? It's not about detecting the malicious binary, because there isn't one. It's about detecting malicious behavior.

For the CISO, this means a fundamental shift in investment and strategy. The focus must move from prevention and detection of external threats to an assumption of breach. It requires granular visibility into internal network traffic, rigorous identity and access management, and behavioral analytics that can spot an administrator using a legitimate tool for an illegitimate purpose at 3 AM. Volt Typhoon wasn't just a single campaign; it's the new blueprint for sophisticated attacks.
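As an added example (not code from the advisory or this post), here is the kind of behavioral check the paragraph argues for: a per-user baseline of normal hours and hosts is learned from telemetry, and later executions of native admin tools outside that baseline are flagged rather than any binary being matched. The process names, hostnames and events are constructed.

```python
"""Behavioural detection of living-off-the-land (LOTL) tool use (added example,
not the advisory's or the post's code): learn a per-user baseline of hours and
hosts, then flag native admin tools run outside it."""
from collections import defaultdict
# Native tools named in the post; the process names are an assumption.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe"}
# Constructed sample telemetry: (user, host, hour_of_day, process)
BASELINE = [
    ("admin1", "jump01", 9, "powershell.exe"),
    ("admin1", "jump01", 10, "wmic.exe"),
    ("admin1", "jump01", 14, "netsh.exe"),
]
OBSERVED = [
    ("admin1", "jump01", 11, "powershell.exe"),  # within baseline
    ("admin1", "jump01", 3, "netsh.exe"),        # 3 AM, known host
    ("admin1", "fileserv07", 10, "wmic.exe"),    # new host, normal hour
    ("admin1", "dc01", 3, "powershell.exe"),     # new host and 3 AM
    ("admin1", "dc01", 3, "notepad.exe"),        # not a LOTL tool: ignored
    ("svc_backup", "dc01", 12, "wmic.exe"),      # user never baselined
]

def build_baseline(events):
    """Per-user sets of hours and hosts seen during the learning window."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for user, host, hour, _proc in events:
        profile[user]["hours"].add(hour)
        profile[user]["hosts"].add(host)
    return dict(profile)

def detect(events, profile, hour_slack=1):
    """Return [(event, reasons)] for LOTL executions outside the baseline."""
    alerts = []
    for ev in events:
        user, host, hour, proc = ev
        if proc.lower() not in LOTL_TOOLS:
            continue  # the signal is behaviour, not the binary
        base = profile.get(user)
        reasons = []
        if base is None:
            reasons.append("no baseline for user")
        else:
            if host not in base["hosts"]:
                reasons.append(f"unusual host {host}")
            # circular hour distance so 23:00 and 00:00 count as adjacent
            if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack
                   for h in base["hours"]):
                reasons.append(f"off-hours execution at {hour:02d}:00")
        if reasons:
            alerts.append((ev, reasons))
    return alerts
```

In practice the baseline would come from weeks of endpoint telemetry rather than a handful of tuples, and the hour window would be per-user rather than a fixed slack.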