A living off the land attack uses YOUR tools against you — and your security software won't even flinch. Dr. Mike Saylor explains all.
In this episode, my co-author Dr. Mike Saylor joins Prasanna and me to break down one of the sneakiest techniques attackers use today: the living off the land attack. I'll be honest — I'd heard the term before, but I didn't fully get it until Mike explained it. And once you understand it, you'll never look at PowerShell or WMI the same way again.

The concept is simple and terrifying. Instead of bringing their own malware into your network — which might trigger your antivirus or get stripped by your spam filter — attackers just use what's already there. Your admin tools. Your scripting environments. Your remote access protocols. To your security systems, it looks like a normal Tuesday. That's exactly why it's so hard to catch.

Mike walks us through how a living off the land attack actually plays out — from the quiet recon phase (which can run 30 to 90 days before anything loud happens) all the way to the moment attackers flip the switch and go fast. We also dig into what organizations can realistically do to defend themselves: removing local admin rights, system hardening, golden images, application whitelisting, and free network discovery tools like Nmap and Wireshark.

There's also a real-world story from Mike about a match.com security engineer who implemented geo IP blocking — and came home to find a wooden casket on their front porch. That's not a metaphor. That actually happened.

If you're responsible for your organization's security, backup, or recovery, this episode is going to give you a lot to think about — and a few concrete things to go do Monday morning.

📖 Our book: Learning Ransomware Response & Recovery (O'Reilly) — order it on Amazon and leave us a review!
🔗 Full show notes and blog post: https://www.backupwrapup.com/living-off-the-land-attack

Chapters:
0:00 - Intro
1:21 - Welcome and Book Announcement
3:28 - What Is a Living Off the Land Attack?
5:38 - Real-World Example: Conti Ransomware and WMI
8:12 - Why Attackers Use Your Tools Instead of Their Own
13:05 - Admin Privileges: Best Practice vs. Reality
17:31 - The Louvre Heist Analogy
20:08 - Recon Phase: Low and Slow
24:16 - What Defenders Can Do
25:55 - RDP and Remote Access
29:48 - The Recon Timeline: 30 to 90 Days
30:48 - PowerShell and System Hardening
34:10 - Network Discovery Tools: Nmap and Wireshark
37:37 - Application Whitelisting and Geo IP Blocking
42:08 - Action Items and Wrap-Up