It’s no stretch to say that most businesses likely feel confident about their cloud strategy today. They have invested heavily in modern platforms, deployed advanced security tools and strengthened identity control.

The environment should look secure, scalable and resilient.

I have seen firsthand where cloud adoption is treated as a modernization milestone and risk reduction strategy. Dashboards turn green, compliance boxes are checked and leadership gets an assurance that the organization is secured since moving to the cloud.

As we move to newer and more modern platforms, the question remains, “How quickly and confidently can your business recover from a cyberattack?”

Cyber recovery in today’s threat landscape determines survival.  The stakes are no longer theoretical. According to IBM’s Cost of Data Breach Report, the global average cost of a data breach is $4.4M globally, and over $10M in the US.

Ransomware has evolved from an IT disruption to a business shutdown event. Industry reports indicate that ransomware is involved in nearly half of the major breaches. According to Sophos’ State of Ransomware report, the average recovery cost now exceeds $2.7 million per incident, excluding reputational damage and lost revenue.

The illusion of a “secure cloud”

Cloud transformation has become synonymous with modernization. Organizations move to the cloud to gain scalability, agility and perceived improvement in security.

Cloud providers invest billions into securing their data infrastructure with capabilities that far exceed what most organizations could build on premises. But here’s where the illusion begins.

Many organizations equate cloud adoption with risk reduction, if migrating workloads inherently makes them more secure. Cloud does not eliminate the cyber risk. It changes its shape and shifts its ownership.

In a cloud environment, many of the risks move up the stack:

• From infrastructure to identity
• From perimeter defense to identity access
• From static system to dynamic API driven architecture

One of the leading causes of cloud breaches is simple misconfiguration. Publicly exposed storage and overly permissive roles continue to create entry points for attackers. These are the failures of implementation and governance.

In a traditional environment, attackers target networks. In the cloud, they target identities. Compromised credentials, privilege escalations and weak access control allow attackers to move laterally across systems.

Once inside, they strategically target backups and recovery systems, ensuring that restorations become difficult or impossible.

The most dangerous aspect of this illusion is the belief that resilience is built in. Cloud platform provides high availability. A system can be highly available but still can have corrupted restore, fail to meet business recovery timelines and reintroduce vulnerabilities during recovery.

Recovery as the KPI

For years, cybersecurity has been built around a single objective, which is prevention. Organizations have invested heavily in firewalls, endpoint protection, identity controls and zero-trust architecture. While these investments remain essential, they are no longer sufficient. The reality is that no organization can prevent every attack.

It’s a fundamental change in thinking:

• From: Can we stop every attack?
• To: How quickly and safely can we recover when an attack succeeds?

When the cyberattack occurs, the initial breach is only the beginning. The real impact unfolds in the hours and days that follow. The system goes offline, operations stall, customers are affected and revenue streams are disrupted. The question is how well the organization is prepared and how quickly they respond when such a scenario occurs.

Speed of recovery is the new competitive advantage. An organization that recovers faster can restore operations with minimal downtime, maintain customer trust and limit financial and reputational damage. Those that don’t face prolonged outages, risk regulator exposures and experience long-term brand erosion. Recovery should be the board-level priority. Traditional technical metrics must be reframed in business terms.

RTO and RPO

Metrics like recovery time objective (RTO) and recovery point objective (RPO) have existed for decades, but at times have been buried in infrastructure discussions. This needs to be changed.

RTO defines how quickly the systems must be restored.

RPO defines how much data loss is acceptable.

Recovery must also be trusted, not just fast

Speed alone is not enough. One of the most overlooked challenges is data integrity. After an attack, organizations must ensure that restored systems are not only operational but clean and uncompromised.

This leads to the question. Can it be restored quickly and safely?

In many incidents, organizations discover that the backups are infected, data was silently corrupted and the recovery process reintroduces vulnerabilities. Data from Veeam shows that when backups were compromised, recovery time increases substantially, often accompanied by higher data loss and extended business outage.

Here is a key insight on attackers increasingly dwelling in the system for weeks and compromising the backup process before triggering ransomware. This leads to backups already containing malicious artifacts and delayed detection and unsafe recovery attempts.

What a modern cyber recovery strategy must include

Building a cyber recovery capability establishes a resilience layer across the organization. At a minimum, this includes:

• Isolated recovery environment: This must be protected from the primary network to prevent lateral movement during an attack. Logical or physical isolation ensures that recovery assets remain intact even when the production system is compromised
• Immutable backups: Data must be protected against deletion or encryption. This ensures that backups cannot be altered, even by privileged users or attackers.
• Clean data validation: Not all backups are safe to restore. Organizations need the ability to scan and validate data before recovery to ensure it is free from malware or corruption
• Orchestrated recovery workflow: The manual recovery process is too slow and error-prone during a crisis. Automated workflow enables faster and more reliable restoration.
• Regular testing and simulation: A recovery plan that hasn’t been tested is a risk. Simulating a cyberattack scenario helps an organization measure readiness, identify gaps and improve response time.

Five questions the business should ask

As cyber threats continue to evolve, businesses should challenge themselves with a new set of questions:

1. Can we recover our most critical systems within a business-defined timeframe after a cyberattack?
2. Do we have an isolated environment to ensure a clean recovery?
3. How do we validate that recovered data is not compromised?
4. When was the last time we tested a full cyber recovery scenario?
5. Who owns cyber recovery as a capability across the organization?

Resilience defines leadership in the cloud era

Cloud has transformed how organizations build, scale and operate technology. It has delivered agility, speed and a new level of architectural resilience. But it has also introduced a more complex and unforgiving risk landscape, where cyber threats are not only inevitable, but increasingly designed to disrupt recovery itself.

Cyber recovery must be treated as a strategic capability, not an operational afterthought.  An organization should not only have a cloud strategy but also a cyber recovery plan.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?

Living off the Land attacks have become one of the most persistent and difficult threats facing enterprise security teams. Unlike traditional intrusions that rely on custom malware or obvious exploits, these attacks weaponize the tools organizations already trust and depend on every day. PowerShell, Windows Management Instrumentation, PsExec, scheduled tasks, bash scripts and other native utilities become part of the attack surface. These attacks succeed not because defenders lack tools, but because defenders still assume that legitimate activity is inherently safe. 

This approach allows adversaries to blend seamlessly into normal operations. Instead of triggering alerts tied to malicious binaries or known signatures, Living off the Land techniques exploit legitimate administrative functionality to move laterally, escalate privileges and quietly exfiltrate data. From the attacker’s perspective, the goal is simple: operate within the environment’s rules rather than break them.

As enterprises expand their use of cloud services, automation frameworks and hybrid architectures, the reliance on native system tools continues to grow. The same capabilities that enable scale, resilience and efficiency also create ideal conditions for stealthy intrusions. Recent threat intelligence reports show that a majority of modern attacks now incorporate Living off the Land techniques, underscoring how quickly this tradecraft has become the norm rather than the exception.

For CIOs, the concern is not just that these attacks are hard to detect. It is that they exploit the very mechanisms used to keep systems running. Whether managing critical communications infrastructure at a federal agency (which one of us did as CIO of the FCC for 4 years) or overseeing enterprise IT operations, the tension remains constant: Administrative tools are simultaneously essential for operations and attractive targets for adversaries. Blocking these tools outright is rarely an option without disrupting critical business functions. The result is increased dwell time, higher remediation costs, reduced visibility into attacker intent and a steady erosion of trust in traditional security controls.

High-profile Advanced Persistent Threat (APT) actors such as Salt Typhoon illustrate how sophisticated adversaries can conduct long-running operations using little more than system native capabilities. With sufficient knowledge of enterprise environments, attackers can persist for months while appearing indistinguishable from legitimate administrators.

Evan recently observed a Living off the Land incident at a major telecommunications provider that highlights this challenge. Security rules initially blocked a set of IP addresses believed to be malicious. Those addresses turned out to be valid customer premise equipment. Disabling them degraded customer performance and created operational risk, while the attacker activity continued elsewhere using legitimate tooling. This kind of misalignment between security signals and business reality is increasingly common because of Living off the Land scenarios.

Organizations most at risk from Living off the Land attacks

Every enterprise is vulnerable to Living off the Land attacks because the techniques rely on standard operating system functionality rather than specialized software. That said, organizations that operate complex, distributed or mission-critical environments face disproportionately higher risk.

Critical infrastructure providers such as utilities, telecommunications networks and transportation systems are especially exposed. These environments often include devices that haven’t been patched or updated in years and can lack even basic controls that we take for granted today. They depend heavily on high-privilege administrative tools to manage uptime, safety and regulatory compliance. The geopolitical implications are significant: Adversaries targeting critical infrastructure increasingly use Living off the Land techniques precisely because they understand that defenders cannot simply disable the tools that keep essential services running. Financial institutions face similar exposure across trading platforms, payments infrastructure and identity systems where automation and remote management are deeply embedded.

Hybrid environments further expand the attack surface by increasing the number of endpoints, identities and trust relationships attackers can exploit. The more administrative paths that exist between systems, the easier it becomes for adversaries to mimic expected behavior while advancing their objectives. The growing use of general-purpose GenAI and jailbroken (WormGPT) large language models by attackers compounds the problem. Automation scripts that once required deep technical expertise can now be generated, modified and adapted quickly. This lowers the barrier to entry and accelerates the spread of Living off the Land techniques across a broader range of threat actors.

Ultimately, any organization that relies heavily on PowerShell, WMI or similar orchestration frameworks must assume that these tools will be targeted. The question is no longer whether Living off the Land techniques will be used, but whether the organization can identify malicious intent before meaningful damage occurs.

Best practices for combatting Living off the Land attacks

Hardening native system tools without breaking operations

The first step in addressing Living off the Land risk is hardening the system tools most commonly abused by attackers. This requires a careful balance. These tools are essential for IT operations, so controls must reduce abuse without undermining legitimate use.

Effective hardening begins with tightening how and when administrative tools can be executed. Constraining scripting environments, enforcing signed scripts, reducing unnecessary functionality and applying least privilege access principles all limit the opportunities available to attackers. Many organizations discover that privileges have accumulated over time in ways that no longer align with current operational needs. Hardening also includes disciplined configuration management. Attackers frequently exploit misconfigurations rather than software vulnerabilities. Regular audits of system settings, administrative permissions and automation workflows can eliminate gaps that quietly expand the attack surface.

However, CIOs should be clear-eyed about the limits of hardening. These measures reduce exposure but do not prove intent. A well-configured PowerShell environment can still be misused by a compromised credential or a malicious insider. Hardening raises the bar for accessing systems. But if a bad actor cracks a login, having advanced controls in place doesn’t really do much to reduce the havoc they can wreak. 

Continuous monitoring that understands behavior

Continuous monitoring is essential for fighting Living off the Land activity. Uncovering context is huge here. What matters in Living off the Land scenarios is understanding how and why a tool is being used. A PowerShell command executed by the right account at the wrong time or in the wrong sequence may be far more significant than an obviously unusual event that lacks context.

SOC teams need consolidated visibility across administrative tools, identities, systems and timing. Is a script being executed outside normal maintenance windows? Is a privileged account accessing systems it rarely touches? Are administrative actions chaining together in ways that suggest lateral movement rather than routine management? Context transforms noise into signal. Without it, security teams are flooded with alerts that reflect operational complexity rather than attacker intent. This leads to alert fatigue and missed opportunities to identify early-stage intrusions.

Continuous monitoring must also account for the reality of hybrid environments. Visibility gaps between cloud services and on-premises systems create blind spots attackers are quick to exploit. Unified telemetry that spans these domains is critical to understanding how activity in one area influences risk in another.

Giving SOC teams the time and mandate to hunt proactively

Even with strong hardening and continuous monitoring, Living off the Land attacks often evade purely reactive defenses. Their subtlety requires proactive hunting by skilled analysts who understand attacker tradecraft and business context. SOC teams are frequently overwhelmed by routine operational alerts, compliance reporting and administrative overhead. When every hour is consumed by triage, there is little capacity left to search for the faint signals that indicate an emerging Living off the Land intrusion.

Effective hunting focuses on intent rather than anomalies. Analysts look for patterns that suggest goal-oriented behavior, such as repeated credential use across systems, subtle privilege escalation or administrative actions that create future access rather than immediate impact. This work requires deep familiarity with how the business actually operates. Analysts must understand which workflows are normal, which are rare and which should never occur. That knowledge cannot be encoded entirely in rules or automated systems.

Overall, the most resilient organizations are those that empower SOC teams to think like adversaries while staying grounded in operational reality. This changes detection from a reactive effort into a form of continuous validation that systems are behaving as intended.

Adapting security strategy to a Living off the Land world

Living off the Land attacks represent a long-term evolution in how adversaries operate. As defenses improve, attackers increasingly choose the path of least resistance by abusing trusted tools rather than introducing foreign code. This shift demands a corresponding evolution in security strategy. Perimeter-centric models are no longer sufficient on their own. Enterprises must assume that some level of compromise is inevitable and focus on reducing dwell time and limiting impact.

Adapting to this reality requires shifting focus from tools to behavior and from individual events to intent over time. Hardening reduces exposure, but it does not explain why actions are occurring or how they connect. What matters is the sequence of events, their timing and the context across identities and environments.

In a Living off the Land world, zero trust must be extended beyond authentication events and enforcement points. The path forward is not chasing every new tool or threat, but understanding how attackers operate, how systems are actually used and how security can align with real business operations. As environments grow more complex, no human analyst can reason about every possible behavior in isolation. Security strategies must evolve to recognize intent at scale, or risk falling behind attacks designed to hide in plain sight.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?

코헤시티는 4월 14일 서울에서 기자간담회를 열고, AI 확산에 따른 데이터 증가와 사이버 위협 대응 전략, 향후 사업 방향을 공개했다. 이날 행사에는 산제이 푸넨(Sanjay Poonen) CEO가 직접 방한해 글로벌 전략과 한국 시장에 대한 비전을 설명했다.

환영사에 나선 이상훈 코헤시티 코리아 지사장은 “최근 한국에서는 통신사, 병원 등 다양한 산업에서 데이터 유출과 랜섬웨어 공격이 증가하고 있고, 과징금 규모도 1,300억원이 넘는 사례가 나올 만큼 과거와 비교할 수 없을 정도로 커지고 있다”며 “이제 데이터 보호는 단순 백업이 아니라 기업 생존과 직결된 문제”라고 강조했다.

이어 “코헤시티는 단순히 데이터를 백업하는 데 그치지 않고, 평상시에도 데이터를 분석하고 활용해 기업 생산성을 높일 수 있도록 지원하는 것이 차별점”이라고 설명했다.

“AI는 기회이자 리스크…핵심은 데이터 보호”

산제이 푸넨 CEO는 AI 시대의 양면성을 강조했다. 그는 “AI는 혁신을 가져오는 동시에 사이버 공격과 데이터 유출 위험도 키운다”며 “불과 같아서 유용하지만 잘못 사용하면 큰 피해를 줄 수 있다”고 비유했다.

코헤시티는 이러한 환경에서 기업이 갖춰야 할 핵심 역량으로 ‘사이버 레질리언스(Cyber Resilience)’를 제시했다. 이는 공격을 막는 것뿐 아니라, 사고 이후에도 빠르게 복구할 수 있는 능력을 의미한다. 푸넨 CEO는 이를 “넘어졌다가 다시 일어나는 힘”이라고 표현했다.

이를 위해 코헤시티는 ▲모든 워크로드 보호 ▲에어갭 기반 데이터 보관 ▲클린룸 복구 ▲데이터 및 AI 보안 관리 등으로 구성된 5단계 프레임워크를 제시했다. 특히 네트워크와 완전히 분리된 ‘데이터 볼트’의 중요성을 강조했다.

이상훈 지사장은 기존 백업 전략의 한계를 짚으며 새로운 관점의 대처 전략이 필요하다고 강조했다. 특히 금융권 등에서 권고하는 ‘3중 백업’도 네트워크에 연결돼 있다면 공격에 취약할 수 있다는 점을 사례로 들었다.

이에 따라 코헤시티는 네트워크에서 완전히 분리된 ‘에어갭(air-gap)’ 기반 백업, 즉 ‘데이터 볼트’ 구조를 강조하고 있다. 평상시에는 접근을 차단하고, 백업 시점에만 연결해 사이버 공격 상황에서도 복구 가능성을 확보하는 방식이다.

이상훈 지사장은 “백업 데이터가 네트워크에 연결돼 있으면 해커 접근을 막기 어렵다”며 “완전히 분리된 환경에 데이터를 보관해야 진정한 레질리언스를 확보할 수 있다”고 말했다

구체적인 솔루션 관점에서 코헤시티 전략은 데이터 보호를 넘어 데이터 활용까지 확장하는 방향에 초점을 두고 있다. 푸넨 CEO는 “우리는 데이터를 보호하고 보안하는 것을 넘어, 궁극적으로 AI를 통해 인사이트를 제공하는 것을 목표로 한다”고 말했다.

이를 위해 코헤시티는 ‘코헤시티 데이터 클라우드(Cohesity Data Cloud)’를 중심으로 데이터 관리 체계를 구축하고, 그 위에 AI 기반 분석 기능을 제공하고 있다. 엔비디아와 협력해 RAG(Retrieval-Augmented Generation) 기반의 데이터 검색·요약·분석 기능도 구현했다.

이 플랫폼 상단에는 ‘가이아(Gaia)’라는 AI 도구가 탑재된다. 가이아는 기업이 보유한 비정형 데이터(PDF, 문서, 이미지 등)를 기반으로 검색, 요약, 분석 기능을 제공한다. 예를 들어 수년간 축적된 계약서를 분석해 주요 조건을 자동으로 정리하는 등, 실질적인 비즈니스 인사이트 도출이 가능하다.

에이전트 레질리언스, 새로운 보안 과제로

SAP, VM웨어, 인포(Infor) 등에서 30년 넘게 업계 경험을 쌓은 푸넨은 최근 AI로 빠르게 변화하는 고객 환경과 이에 대응하기 위한 내부 기술 방향성에 대해 공유했다.

먼저 아시아 시장 전반에 대해서도 긍정적인 전망을 내놨다. 그는 “글로벌 매출의 50% 이상이 미국 외 지역에서 발생하고 있으며, 일본, 한국, 호주·뉴질랜드, 홍콩, 싱가포르, 인도, 중동 등에서 미국과 유사한 성장 궤적을 보이고 있다”라며 “한국을 포함한 아시아 국가들은 AI와 사이버보안 투자에 적극적”이라고 말했다.

코헤시티는 특히 금융권을 중심으로 확보한 레퍼런스를 기반으로 산업 확산을 노리고 있다. 공공, 헬스케어, 제조 등으로 적용 범위를 넓혀간다는 전략이다. 푸넨 CEO는 “코헤시티 전체 매출의 20% 이상이 금융 서비스에서 나온다”며 “금융권은 IT 투자와 보안 지출 비중이 가장 높은 산업으로, 미국 대형 은행 대부분이 코헤시티 플랫폼을 표준으로 채택하고 있다”고 설명했다. 이어 “다른 국가 고객들도 미국 금융권 사례를 가장 먼저 벤치마킹하려 한다”고 덧붙였다.

공공과 헬스케어 분야에서도 글로벌 레퍼런스를 강조했다. 그는 “미국 연방정부와 주요 의료기관에서 확보한 경험을 한국, 싱가포르, 인도, 중동 등 다양한 국가에 확장 적용할 수 있을 것”이라고 말했다.

푸넨은 기술 투자 확대 흐름이 다른 산업으로도 빠르게 확산될 것으로 봤다. 그는 “이제 기술 기업이 아니더라도 모든 기업이 AI 전략을 고민해야 하는 시대”라며 “미국 S&P 500 대기업 중 상당수가 이미 기술 기업이지만, 나머지 기업들도 기술을 핵심 성장 동력으로 삼고 있다”고 강조했다.

이어 “석유·가스 산업은 시추와 유통에 AI를 적용하고 있고, 농업 등 전통 산업에서도 AI 활용이 빠르게 확산되고 있다”며 “이들 기업이 AI에 투자할수록 데이터는 폭발적으로 증가하게 된다”고 설명했다.

AI 확산과 함께 데이터 증가 속도도 주요 변수로 떠오르고 있다. 그는 “중요한 것은 AI의 작동 속도가 아니라, AI가 만들어내는 데이터의 증가 속도”라며 “현재 한국 고객도 페타바이트 단위 데이터를 보호하고 있는데, AI로 인해 10배 이상 늘어날 수 있다”라고 진단했다.

이어 “미국에서는 이미 수백 페타바이트 규모를 보호하고 있어 충분히 대응할 준비가 돼 있다”며 “데이터가 늘어날수록 보호와 활용 측면에서 새로운 기회가 된다”고 덧붙였다.

이와 함께 새로운 보안 영역도 부각되고 있다. 그는 “AI는 더 많은 에이전트를 만들어내고, 이들을 보호하는 ‘에이전트 레질리언스(Agent Resilience)’가 새로운 과제가 되고 있다”며 “코헤시티도 비인간 아이덴티티와 에이전트가 생성·삭제하는 데이터까지 보호하는 기술을 연구 및 투자하고 있다”고 밝혔다.
jihyun.lee@foundryco.com