Threat Vector by Palo Alto Networks
Episode: "Inside 750 Breaches with Unit 42"
Date: February 19, 2026
Guests:
- Host: David Moulton
- Guest: Steve Elovitz, Head of Unit 42’s North America Consulting Practice
Episode Overview
This episode delves into the findings of the Unit 42 2026 Incident Response Report, built on insights from over 750 breach investigations conducted in the last year. Host David Moulton sits down with veteran incident responder Steve Elovitz to unpack attack trends, persistent gaps in defense, and practical steps organizations need to take to bolster their cybersecurity posture. From the role of AI in threat actor toolkits to identity and supply chain weaknesses, this conversation targets security professionals eager to extract actionable lessons from front-line breach response.
Key Discussion Points & Insights
Steve Elovitz’s Background in Incident Response
- 15+ years of experience at Mandiant, Booz Allen and PwC; now leading Unit 42’s North America Consulting practice.
- Drawn to incident response for "stepping into chaotic situations and helping bring order" ([01:31]).
The Realities of Breach Response: Human and Technical
- Incident Response Kickoff:
  - Organizations contact Unit 42 via multiple channels; the team is “trained for conversations with people on potentially the worst day of their career” ([02:43]).
  - The process focuses on situational awareness: what’s happened, what’s been done to contain it, and any observables provided (IPs, malware, etc.).
  “This is our every day, we see this, as you say, 750 times plus a year.” — Steve Elovitz ([02:43])
- Teamwork in Triage:
  - Never handle initial calls alone: one person manages the conversation while another dives into threat intelligence for immediate feedback ([03:39]).
- Patterns in Incidents:
  - Breach responses range from mature orgs seeking a ‘second pair of eyes’ to total chaos for first-timers.
- The Human Element & Stress:
  - “It’s really hard to explain until you’ve experienced the level of stress people are under during an incident. ...I’ve had CISOs have medical issues during engagements. We’ve had CISOs have heart attacks. The amount of victim blaming...is really staggering.” – Steve Elovitz ([07:16])
  - Collateral effects often impact non-security employees, especially during public breaches.
- Misconceptions of Speed:
  - Recovery isn't instant; ransomware decryption and business restoration can take days or weeks.
  “Even if ransomware actors...you have to choose to pay them, decryption isn’t instant...the ‘CSI effect’ is not real.” — Steve ([08:40])
Four Major Trends in the 2026 Report
1. AI as a Force Multiplier for Threat Actors
- A Quantitative Shift:
  - Fastest attacks: data exfiltration in just over 1 hour, down from 5 hours last year.
- AI Use Cases:
  - Reconnaissance, social engineering (deepfakes, voice/video mimicry), scripting and automating post-exploitation.
  - Entry-level attackers use AI for guidance and automation; nation-state actors, such as those using 'Lame Hug', use it to scale sophisticated campaigns ([13:50]).
  “Attackers have been faster to start leveraging AI than defenders because they don’t have change control...they can just experiment.” — Steve ([10:37])
  - Real-life example: attackers outsourcing post-exploitation to AI via platforms like Hugging Face.
- Defensive Outlook:
  - Steve believes AI will ultimately aid defenders more, but attackers currently benefit from faster innovation.
- AI as an Attack Surface:
  - Attackers exploit AI systems integrated within organizations; sometimes AI systems themselves facilitate unauthorized access.
2. Identity Remains the Weakest Link
- Prevalence:
  - Identity issues played a material role in 90% of investigations.
  “Identity is the new attack surface...Most organizations, when you see an identity compromised for remote access, [are] still using single factor authentication or phishable MFA.” ([17:30])
  - Tactics: SIM swapping, MFA fatigue attacks, credential phishing, abusing weak push- or PIN-based MFA.
- Structural Weakness:
  - Overprovisioned cloud accounts: 99% of identities analyzed had excessive permissions ([21:00]).
  - Lack of identity segmentation, especially for admins—privileged accounts often cross boundaries they shouldn’t.
  “How many organizations think ‘oh, my domain admins, they should not be able to access user workstations’? ...That’s part of principle of least privilege too.” — Steve ([20:10])
- Machine vs. Human Identities:
  - Both are equally exploitable. Service accounts matter because of their static nature and the difficulty of rotating them at scale ([22:44]).
3. Supply Chain & Trusted Connectivity Risk
- Evolving Risk:
  - Not just vulnerable code, but interconnected SaaS platforms and vendor tools.
  - SaaS data was relevant in 23% of incidents (up from 6% in 2022).
- Key Vulnerabilities:
  - Poor identity federation, SaaS sprawl, and lack of proper source IP restriction.
  - OAuth tokens often overprivileged and left accessible from anywhere ([25:46]).
  “If it sprawls beyond what it needs for its job, you’ve just added risk without adding function.” — Steve ([27:02])
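The two structural gaps above, permissions that sprawl beyond the job (the 99% overprovisioned identities in the identity section) and tokens usable from anywhere (the OAuth and source-IP points here), are both visible in a policy document before an incident. The following is an added example, not Unit 42's tooling or anything from the episode: it audits constructed policy documents in AWS IAM JSON shape (an assumption about format) and reports wildcard actions, wildcard resources, and missing or open `aws:SourceIp` conditions.

```python
"""Audit IAM-style policy documents for overprovisioned permissions and
missing or open source-IP restrictions. Added illustration; the policies
below are constructed samples in AWS IAM JSON shape (an assumption)."""
import ipaddress

# Constructed sample policies keyed by a made-up principal name.
POLICIES = {
    "ci-runner-overprovisioned": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ci-runner-scoped": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-build-artifacts/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        }],
    },
    "saas-connector-any-ip": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:*", "s3:ListBucket"],
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}},
        }],
    },
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(name, policy):
    """Return a list of human-readable findings for one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot overprovision
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{name}: statement {i} grants wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{name}: statement {i} applies to every resource")
        cidrs = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp"))
        if not cidrs:
            findings.append(f"{name}: statement {i} has no aws:SourceIp restriction")
        for cidr in cidrs:
            # A /0 prefix is an IP condition in name only: it matches every address.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{name}: statement {i} allows any source IP ({cidr})")
    return findings


def audit_all(policies):
    """Map each principal name to its findings; an empty list means the policy passed."""
    return {name: audit_policy(name, doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in audit_all(POLICIES).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Only the scoped CI runner passes; the other two produce three findings each. The `0.0.0.0/0` check matters because a policy with an IP condition present can still be reachable from anywhere, which is exactly the token-left-accessible-from-anywhere situation the episode describes.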
4. Nation-State Actors & Stealth
- Tactics and Trends:
  - Increasingly mature, organized operations with shared infrastructure and tools.
  - Where EDR is effective, state actors pivot to edge devices or network infrastructure without endpoint protections ([27:50]).
- Person-Driven Attacks:
  - Nation states (e.g., North Korea) infiltrating organizations via fake employment, sometimes even performing the job to maintain access ([29:39]).
  “Oftentimes they do the job...they received 'exceeds expectations' on their annual evaluation.” — Steve ([29:39])
  - Gaining code repo access, sometimes leading to ransomware and extortion.
Notable Quotes & Memorable Moments
- On the Security Arms Race:
  “There’s a bit of an arms race...Attackers come up with new novel exploits, organizations defend, but the attack surface continues to grow as the business wants to leverage new apps, new software…Some level of risk will always exist.” — Steve ([31:43])
- On Preventable Gaps:
  "In more than 90% of incidents, preventable gaps materially enabled the intrusion." (Read by David, emphasized as a remarkable finding — [30:41])
- Advice for Security Leaders:
  “Let’s reduce that attack surface...define that perimeter, scan and remove what doesn’t need to be there...identity, can we move to phishing-resistant authentication? ...work on identity segmentation...network filtering...but finally, detection and response is a must. We won't prevent everything, so ensure enterprise-wide visibility.” — Steve ([33:01])
- "Can I just say my list of five that I said earlier. Are you going to hold me to one?" — Steve, on action items for CISOs ([37:28])
  (David jokes: "So what you need to do is hit that rewind button...that's fair!")
Timestamps for Key Segments
| Segment | Timestamp |
|---|---|
| Steve’s background & career philosophy | 01:07–02:13 |
| What happens during a breach call | 02:13–05:27 |
| Emotional impact & common misconceptions | 06:48–09:37 |
| AI’s role in accelerating attacks | 09:37–16:26 |
| Identity as primary attack surface | 17:05–22:44 |
| Supply chain/SaaS and OAuth case study | 23:52–27:02 |
| Nation-state tactics & person-driven infiltration | 27:25–31:43 |
| On the prevalence of preventable gaps | 30:41 |
| Five high-ROI security controls | 33:01–36:02 |
| Unit 42's role; advice for CISOs | 36:02–37:28 |
Summary of Actionable Takeaways
Steve’s Five High-ROI Controls for Security Leaders:
- Reduce exposed attack surface (remove unneeded internet-side exposure, regular scanning, shrinking perimeter).
- Strengthen authentication (phishing-resistant methods like FIDO2, not just single factor/MFA).
- Identity segmentation (admin accounts shouldn't touch user/edge devices; "just in time" privileged access).
- Network filtering (servers/services only communicate as needed; strong boundary controls).
- Comprehensive visibility (across network, host, cloud, identity; strong detection & rapid response).
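Controls 3 and 5 meet in one simple detection: identity segmentation says domain admins should never log on to user workstations, and visibility means you can actually see when they do. The following is an added example, not Unit 42's tooling or anything from the episode: it runs that check over constructed logon events in a simplified pipe-delimited form loosely based on the fields of Windows Security event 4624 (event id, account, host, logon type), and it assumes that Tier-0 admin accounts carry a `da-` prefix and that workstation host names start with `WS-`.

```python
"""Flag privileged-tier accounts logging on interactively to user workstations.
Added illustration; the events are constructed and the naming conventions
(da- prefix for admins, WS- prefix for workstations) are assumptions."""
from collections import namedtuple

Event = namedtuple("Event", "ts event_id account host logon_type")

# Constructed sample events: ts|event_id|account|host|logon_type
SAMPLE_LOG = """\
2026-02-19T08:01:10Z|4624|CORP\\jsmith|WS-1042|2
2026-02-19T08:03:55Z|4624|CORP\\da-admin1|SRV-DC01|10
2026-02-19T08:05:02Z|4624|CORP\\da-admin1|WS-1042|10
2026-02-19T08:07:30Z|4624|CORP\\svc-backup|WS-2201|3
2026-02-19T08:09:12Z|4625|CORP\\da-admin2|WS-0917|2
2026-02-19T08:11:45Z|4624|CORP\\da-admin2|WS-0917|2
"""

# Assumed naming conventions; adjust to the environment being monitored.
PRIVILEGED_PREFIXES = ("CORP\\da-",)
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # 2 = Interactive, 10 = RemoteInteractive (RDP)


def parse_events(text):
    """Parse the pipe-delimited sample into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host, logon_type = line.split("|")
        events.append(Event(ts, event_id, account, host, logon_type))
    return events


def is_workstation(host):
    return host.upper().startswith("WS-")


def is_privileged(account):
    return account.startswith(PRIVILEGED_PREFIXES)


def find_tier_violations(events):
    """Successful (4624) interactive logons by privileged accounts onto workstations.
    Failed logons (4625) and network logons (type 3) are not counted as violations."""
    return [e for e in events
            if e.event_id == "4624"
            and e.logon_type in INTERACTIVE_LOGON_TYPES
            and is_privileged(e.account)
            and is_workstation(e.host)]


if __name__ == "__main__":
    for e in find_tier_violations(parse_events(SAMPLE_LOG)):
        print(f"{e.ts} {e.account} logged on to workstation {e.host} (type {e.logon_type})")
```

On the sample, the admin's RDP session to the domain controller and the service account's network logon are left alone; the two interactive admin logons to workstations are the findings. The same rule is the natural candidate for a deny-logon policy rather than only an alert, which is what "just in time" privileged access in control 3 points toward.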
Additional Guidance:
- Focus on realistic privilege/permission needs, cut excess wherever possible.
- Recognize that most breaches exploit old habits, not groundbreaking hacks.
- Accept that no practice is perfect; prioritize agility and visibility over perfection.
Tone:
Conversational, pragmatic, deeply informed by fieldwork, and empathetic toward both technical challenges and the human side of incident response.
Closing Reflections
Steve stresses that even a single listener making a security improvement after this episode is a worthy outcome. The conversation offers a rare window into what really enables modern intrusions and how organizations—despite progress—must constantly adapt as attackers evolve.
“If we even prevent one incident by having this conversation, that’s a good day at work.” — Steve ([38:19])
For more, read the full 2026 Unit 42 Incident Response Report at the Palo Alto Networks website.
