Modern attackers understand that the most effective way to avoid detection is to act like everyone else. Once they’ve slipped past the front door using a valid credential or hijacked session, they don’t deploy malware or launch loud exploits. They use the tools already available to them—and they use them well.
This tactic, known as "living off the land," has become the hallmark of identity-based attacks. It's how adversaries quietly explore, escalate, and exfiltrate without setting off alarms. And in most environments it works, precisely because it is so hard to detect.
Once authenticated, an attacker typically follows a playbook that includes:
In this mode, the attacker doesn’t look like a threat. They look like a user. A trusted employee. A service account doing its job. That’s a big problem.
EDR excels at catching known indicators of compromise: malicious binaries, code injections, lateral movement using unknown tools. But when everything an attacker does looks legitimate, the signal gets lost in the noise.
An attacker using RDP or accessing cloud storage with a valid token won’t always trigger alerts. Even when anomalies are flagged, they may be deprioritized or ignored without the context of how access was initially gained.
Worse, if the attacker never deploys malware, there's little for traditional detection systems to analyze.
The longer the attacker is in the environment, the more damage they can do:
All of this can happen under the radar, especially if identity systems are blind post-login and endpoint tools are siloed, overburdened, or inducing alert fatigue in security teams.
This is why the gap between identity and endpoint becomes a critical security risk. Identity systems don’t see what’s happening after login. EDR systems don’t always know whether the identity they’re monitoring is legitimate. And unfortunately, cybercriminals have realized this and now prioritize identity-based attacks.
Without shared context, both systems are working with partial information. And attackers thrive in that blind spot.
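What "shared context" looks like in practice, as an added example that is not from the original article: endpoint events that are individually benign (an RDP session, a bulk cloud-storage download with a valid token) are joined back to the identity-provider sign-in that created their session, and their severity is raised when that originating login was itself anomalous or when no sign-in exists for the session at all. The log records, field names and risk scoring are constructed for illustration; real IdP and EDR schemas differ.

```python
"""Correlate identity sign-in context with endpoint activity (added example).
All records, fields and scoring below are constructed, not a vendor schema."""
from datetime import datetime, timedelta

# Constructed IdP sign-ins: one routine login, one that succeeded with a
# valid credential but from an unknown device and an unexpected location.
SIGNINS = [
    {"user": "alice", "session": "s-101", "ts": "2024-05-01T08:02:00",
     "device_known": True, "geo_mismatch": False},
    {"user": "bob", "session": "s-202", "ts": "2024-05-01T08:10:00",
     "device_known": False, "geo_mismatch": True},
]

# Constructed endpoint/cloud events that look legitimate in isolation.
ENDPOINT_EVENTS = [
    {"user": "alice", "session": "s-101", "ts": "2024-05-01T09:00:00",
     "action": "rdp_session", "base_severity": "low"},
    {"user": "bob", "session": "s-202", "ts": "2024-05-01T08:25:00",
     "action": "cloud_storage_download", "base_severity": "low"},
    {"user": "bob", "session": "s-999", "ts": "2024-05-01T17:00:00",
     "action": "rdp_session", "base_severity": "low"},
]

def login_risk(signin):
    """Score how anomalous the originating login was (0 = routine)."""
    return (0 if signin["device_known"] else 1) + (1 if signin["geo_mismatch"] else 0)

def enrich(endpoint_events, signins, window=timedelta(hours=8)):
    """Attach login context to each endpoint event. Raise severity when the
    session's sign-in was anomalous and recent; flag sessions the identity
    system never saw being created (no matching sign-in)."""
    by_session = {s["session"]: s for s in signins}
    out = []
    for ev in endpoint_events:
        s = by_session.get(ev["session"])
        if s is None:
            out.append({**ev, "severity": "high", "reason": "no sign-in for session"})
            continue
        age = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(s["ts"])
        risk = login_risk(s)
        if risk > 0 and age <= window:
            sev, why = "high", f"login risk {risk}, {age} after sign-in"
        else:
            sev, why = ev["base_severity"], "routine login context"
        out.append({**ev, "severity": sev, "reason": why})
    return out

if __name__ == "__main__":
    for row in enrich(ENDPOINT_EVENTS, SIGNINS):
        print(row["user"], row["action"], row["severity"], "-", row["reason"])
```

Run stand-alone, it shows alice's RDP session staying low while both of bob's events are escalated, one because its login was anomalous and one because no sign-in explains the session.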
In the next article, we’ll explore how EDR vendors are adapting by moving up the stack into identity territory. We’ll look at the rise of ITDR (Identity Threat Detection and Response) and why the endpoint market is increasingly incorporating identity context into its detection strategy.
------------
This is the 2nd article in a 5-part series.