A newly disclosed attack method called Stryker managed to wipe tens of thousands of devices without using any malware, exploiting legitimate system functions to destructive ends. It's a wake-up call about attacks hiding in plain sight.

This is what sophisticated attacks look like now - no malware to detect, just abuse of legitimate features. Security teams are still focused on finding malicious code when the real threats are using the system exactly as designed. This technique should worry every CISO.

The Stryker attack leveraged built-in device management capabilities that most enterprise systems use for legitimate purposes - remote wiping lost or stolen devices, deploying updates, managing fleets. The attackers didn't inject malware. They just gained access to management credentials and used official features to destroy data.

From a security detection standpoint, this is a nightmare. Traditional security tools look for abnormal behavior - suspicious code, unusual network traffic, malformed requests. Stryker used completely normal, authorized system functions. The commands to wipe devices looked identical to legitimate IT operations.

Tens of thousands of devices were affected before the attack was discovered. That's not because security teams were asleep. It's because the attack was designed to be invisible to conventional defenses. When malicious actions use the same pathways as legitimate administration, telling them apart becomes nearly impossible without human verification.

This attack technique isn't new in concept - it's called "living off the land" in security circles. But Stryker represents a particularly effective implementation at scale. The attackers clearly understood enterprise device management deeply enough to weaponize it.

The response can't be to disable device management features - organizations need those capabilities. The answer is better authentication and authorization around administrative functions, plus better monitoring of who's using those functions and when.

But there's a tension here. The same features that make device management convenient - remote access, automated operations, centralized control - also make it vulnerable. Every administrative shortcut is a potential attack vector. Making systems more secure often means making them less convenient.

Security teams will need to rethink their detection strategies. If you can't detect malicious code because there isn't any, you need to detect malicious intent through behavior patterns. That requires understanding what normal administrative behavior looks like, then flagging deviations.

It also requires accepting that some attacks will look completely normal until they execute. Wiping thousands of devices simultaneously isn't normal, but individual wipe commands are. By the time abnormal patterns emerge, damage is already done.

The Stryker disclosure should prompt organizations to audit who has access to administrative features and how that access is authenticated. Multi-factor authentication, time-limited credentials, and approval workflows add friction - but that friction is the point. It's harder for attackers to maintain persistent access when credentials expire and actions require approval.
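The two controls the commentary points at - behavior-based detection of administrative activity and an approval workflow for destructive actions - can be sketched concretely. The following is an added example written for this page; it is not code from the original piece, from any MDM vendor, or from the Stryker disclosure. It assumes a whitespace-separated audit export with the fields timestamp, actor, action, device and source IP, a constructed approval list, and a burst threshold of five wipe commands in ten minutes; the log lines, actor names, IPs and thresholds are all made up for illustration.

```python
"""Behavior-based detection of device-wipe bursts in an MDM audit export.

Added example, not part of the original commentary. The log format, field
names, approval records and thresholds are assumptions; adapt them to the
audit export of the device-management product you actually run.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    action: str
    device: str
    source_ip: str


# Constructed sample audit export (not real data). Assumed field order:
# timestamp actor action device source_ip
# alice performs two routine, ticketed wipes hours apart; a service account
# then issues six wipes in ten seconds from an address never seen before.
SAMPLE_LOG = """\
2024-05-01T08:00:12Z alice device.wipe dev-0001 10.0.5.21
2024-05-01T09:14:03Z alice device.wipe dev-0002 10.0.5.21
2024-05-01T09:15:00Z bob policy.update dev-0003 10.0.5.22
2024-05-01T22:01:00Z svc-mdm device.wipe dev-0101 203.0.113.7
2024-05-01T22:01:02Z svc-mdm device.wipe dev-0102 203.0.113.7
2024-05-01T22:01:04Z svc-mdm device.wipe dev-0103 203.0.113.7
2024-05-01T22:01:06Z svc-mdm device.wipe dev-0104 203.0.113.7
2024-05-01T22:01:08Z svc-mdm device.wipe dev-0105 203.0.113.7
2024-05-01T22:01:10Z svc-mdm device.wipe dev-0106 203.0.113.7
"""

# Constructed approval records: (actor, device) pairs whose wipe went through
# a lost/stolen ticket. Only alice's two wipes were approved.
APPROVED_WIPES = {("alice", "dev-0001"), ("alice", "dev-0002")}


def parse_log(text):
    """Parse the assumed five-field format into Events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, device, ip = line.split()
        # Accept the trailing 'Z' on older Pythons by rewriting it as +00:00.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, actor, action, device, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag any actor issuing `threshold` or more wipes inside `window`.

    A single wipe is routine; a burst is not. Each actor gets a sliding
    window of wipe timestamps, and one alert is raised when the count
    first reaches the threshold.
    """
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e.action != "device.wipe":
            continue
        q = recent[e.actor]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append({
                "actor": e.actor,
                "start": q[0],
                "end": e.ts,
                "count": len(q),
                "source_ip": e.source_ip,
            })
    return alerts


def detect_unapproved_wipes(events, approved):
    """Flag wipe commands that have no matching approval record.

    Unlike the burst check, this fires on the very first unticketed wipe,
    which is why the approval gate belongs in front of the action rather
    than behind it in the logs.
    """
    return [
        e for e in events
        if e.action == "device.wipe" and (e.actor, e.device) not in approved
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect_wipe_bursts(evts):
        print(f"BURST  {a['actor']} {a['count']} wipes "
              f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S} from {a['source_ip']}")
    for e in detect_unapproved_wipes(evts, APPROVED_WIPES):
        print(f"NOAPPR {e.actor} wiped {e.device} at {e.ts:%H:%M:%S}")
```

Run as a script, the burst check fires once for the service account and the approval check lists all six of its wipes while leaving alice's routine ones alone. The split between the two functions mirrors the commentary's caveat: the burst detector only trips after the fifth device is already gone, whereas the approval check can refuse the first command if it is wired into the management console's execution path instead of run over yesterday's logs.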
