A
You're listening to the Cyberwire Network, powered by N2K.
B
I'm David Moulton and this is Threat Vector.
A
Prevention is ideal, but detection and response is a must.
B
Today I'm speaking with Steve Elovitz about the Unit 42 Incident Response Report for 2026: what more than 750 breach investigations reveal about how attackers are succeeding and the preventable gaps defenders must close. Fair warning, this one does get into the weeds a bit with defense strategy and attacker TTPs. So strap in. Steve, welcome to Threat Vector. Excited to talk to you again about this report.
A
Thanks, David. Great to be here.
B
Talk to me a little bit about your background in incident response. I know you've been doing this for a while, maybe what, 15 years or so. And you've been at places like Mandiant, Booz Allen, PwC, and now you lead Unit 42's North America Consulting practice. I think that's our largest practice. I'm curious, what drew you to your career in incident response?
A
I'd say it started out before that in IT. I somehow landed in doing eDiscovery, discovered I really didn't like doing eDiscovery, but really got my forensics chops up there, moved into malware analysis and some penetration testing, and that all kind of converged towards incident response. I discovered I really enjoyed stepping into the chaotic situations and helping bring order to them and solving the puzzles. And it's really become a mission, right? Helping organizations become more secure and, wherever possible, imposing costs on the threat actors, making their lives harder, making it more difficult for them to achieve their missions.
B
Steve, today we're going to be talking about the Unit 42 Global Incident Response Report and all the things that your team learned and have shared, responding to more than 750 major cybersecurity incidents in the past year. For our listeners who haven't experienced a major breach, help us understand what it's like when an organization calls Unit 42. What does pulling the fire alarm actually look like?
A
We have a 24/7 follow-the-sun team that's available and expecting to receive these phone calls. It happens every day. We're pretty easy to get in touch with. We have an email address, we have a web forum, we have a phone number that's manned 24/7/365. When someone reaches out, our team is trained in expecting to have the conversation with someone who's experiencing potentially one of the worst days in their career. And we're there to really try to apply a process and some rigor to the response, as this is our every day. We see this, as you say, 750-plus times a year. So we've had to build these processes and procedures in order to really normalize this.
B
When you get that call, what are the first questions that you're asking to understand the scope of the problem and, I assume, the containment needs?
A
We need to get situational awareness. What's happened? Tell us the story, tell us the timeline of the attack, what have you observed, what triggered this concern, and tell us what you have seen the attacker do. We ask to try to build a chronology around it. Just as important is what have you done, the victim organization? What steps have you already taken to start containing, eradicating, or just investigating? And with this information, we're able to start really understanding what the next steps would be. We're also going to ask for any observables that the organization may have, IP addresses that they've seen, for example, or pieces of malware. And right there on the call, I would usually tell my team, never take these alone. That way you have one person focusing on the conversation and a second person who's diving into our threat intelligence database with the observables to see if we can immediately provide some attribution and what to expect. Right. We have this massive internal database called Ticker. It's a giant graphing database where every time we see an attacker do something, we model it and we relate it in a cluster to other observables. So if we have an IP address that we have seen recently used by a specific cluster, a specific threat actor, we're then able to provide right back immediately on the call to our customer: look, we've seen this attacker recently. Here's what you could expect. Here's what's typically their mission, here's their typical tools, tactics and procedures that they'll typically follow. And this allows us to really build that playbook to defend against them.
B
So, Steve, do you actually take the calls yourself? Because you have one of the most calming, soothing voices that I could imagine being on the other end of any panicked call.
A
Yeah, I'm told I have both a voice and a face for radio. So I do occasionally take calls myself, yes. As you say, it's often feast or famine; it happens very often Friday night. And I'll absolutely dive in with my team. Yes.
B
When you get those calls, I'm wondering if they follow a similar pattern each time and you start to know it's going to be a type A, type B, type C kind of a problem, or if it's just absolute chaos, completely new every single time because of the nature of the business.
A
No, I mean, you'll definitely find some patterns. There are organizations that have some very mature processes, and I'm finding this more and more as the entire industry progresses. We'll even have customers that have fully scoped the attack and they're just looking for a second pair of eyes. But it goes on a spectrum. We'll also have organizations where this is truly novel to them and they're not sure where to start. But it could be a threat actor we've seen dozens of times and know exactly what to do.
B
Steve, you're talking about these organizations that'll call in, sometimes their first time seeing an attack. Sometimes they're really mature, they know what they're doing, but they're at their most vulnerable at that moment. Right. They've been ransomed or had their data exfiltrated. They're operationally disrupted. What's something about incident response that surprises people who've never been through it?
A
The human element. It's really hard to explain until you've experienced the level of stress people are under during an incident. Unfortunately, I've had CISOs have medical issues during engagements. We've had CISOs have heart attacks. The amount of victim blaming that goes on in this culture when organizations have been attacked is really staggering. I think that's gotten a little bit better over time. But still, we've had recently a public company get attacked, and then their employees who have nothing to do with cybersecurity, sometimes they're driving around in a truck with the logo and it's a public incident and they get flak from the public. It's really unfortunate.
B
Yeah. I think what you're talking about is human emotion gets involved, and sometimes the collateral damage is to people that have nothing to do with the security, and then even the entirety of the company. They're trying their hardest. But this is what happens when criminals or state-backed actors decide to target your company or take advantage of a mistake.
A
And sometimes, as you say, a state-backed actor, it's a nation state, basically a military, targeting a retail organization or a hospitality organization. It's not congruent. I'd say the other thing that people tend to have a misconception on is how long things take. There's the expectation that analysis can be done in minutes and hours, and some analyses maybe, but if it's a long-term intrusion, you may be measuring in days. Enterprise disruptions, even with ransomware actors, for example, if unfortunately sometimes organizations have to choose to pay them, the decryption isn't instant. It still takes days, weeks sometimes, to reconstitute a business and get back up and running. And oftentimes people think all of this stuff should be instant. You know, that CSI effect.
B
Yeah, yeah. Well, as you say, the Hollywood version, where you can click the enhance button over and over and suddenly the picture comes into sharp relief. I think the same thing is expected during a decryption. And it's like, no, that's a lot of processing power, that's a lot of time, and you know, nothing is instant or free. Well, let's shift gears a little bit. The report made four major claims and saw four major trends. And one of the big bold claims was that AI has become a force multiplier for threat actors and that we've got the data to prove it. I think I read in there that in the top quartile, or top 25%, of the fastest intrusions, threat actors were able to exfil data in about one hour, maybe a little more than that. And that's down from just under 5 last year. Can you walk us through what AI is actually doing in these attacks?
A
Sure. You know, first I'd like to make a bit of a, maybe a bold prediction. Attackers have been faster to start leveraging AI than defenders because they don't have change control, they don't have to worry about enterprise-level implementation. Right. They're able to just experiment with much lower cost. I think that AI actually is suited better for the defense use case than the attack use case. And I'm actually quite optimistic on what I'm seeing in the industry, and seeing different security platform vendors as they implement AI into their capabilities. I think it's really going to be more of a boon for defenders than attackers. That said, you're right. Attackers are using it now and it is speeding their attacks up. You know, reconnaissance has really been automated. Even our own offensive security team, we have our own red team that organizations can hire to simulate an offensive attack against their organization. We've automated reconnaissance. Social engineering has largely been automated by AI and it makes things much more believable. We do see occasional things like deepfakes where an attacker is able to easily mimic someone's voice, or even sometimes some video, in order to make their social engineering attempts more believable. This past year we saw scripting automations of the attack that were probably generated by AI. You can tell this from the amount of comments in the code; the way some of the code was written just felt more like an AI generating it. What this has really done is it's provided the ability to automate to a larger array of threat actors. Typically you'll have an access broker. I mean, putting aside nation state, if we're talking about financially motivated threat actors, you typically will have an access broker that gains access to a large swath of organizations, usually specializing in a specific exploit and just trying to mass scan the Internet for it, or a lot of social engineering.
They get access and then they'll sell that access, and then the really time-consuming part of the attack comes, right? If you're following that attack kill chain, they have the initial access to the environment, they've established their foothold, and now it's time consuming to do that lateral movement, to reconnoiter the environment, to establish additional persistence mechanisms, to escalate your privileges and ultimately find the information you're interested in stealing or potentially encrypting to complete the mission. That's time consuming. And we've seen attackers this year automate those steps, and that automation is now more accessible to more threat actors because AI can help them generate it. Very interestingly, there was a nation state actor that we saw leverage a piece of malware dubbed Lame Hug: Lame because LLM, Hug because it reached out to an online AI processing site called Hugging Face. Right. And what this did was it completely outsourced that time-consuming post-exploitation phase of the attack to an AI, providing it the instructions of this is where I am, this is the computer I'm on, understanding the mission, what are the next commands I should be executing to follow the mission. And this provided that actor the ability to scale and move much faster in many more organizations at once, and lowered the attacker's cost. I think we're going to see more of that this year.
B
I just want to interject here because I think I'm hearing two things. First, you've got less skilled threat actors using AI to help them get over the hump and or to automate away sort of the drudge work of an attack.
A
Right?
B
So you've brought up the bottom group and its skill and capability with AI. But then on the other side, the elite attacker, if you will, the military, the APT. And maybe I didn't hear that right, but that's a group that you wouldn't think was just going to go grab an AI to do the work, because they've got access to anything they want. And yet you're seeing evidence that they chose AI to help them with the attack, which suggests that it's some of the very best tooling they could get their hands on. Where, you know, maybe budget, access, skill aren't necessarily the thing that's holding them back.
A
Yeah. I mean, it's hard to assume. I would give the educated guess that it was economics. It would allow them to hit more targets much more quickly.
B
Sure.
A
The third and final point on this is AI is an attack surface. Right. With organizations leveraging AI more and more and giving AI access to data, we've seen attackers ask AI to help them get access to systems inside of a victim's organization, and the AI was very happy to oblige.
B
I know that as I was reading through the report there were a couple of times that I ran across some surprising bits, and then heard some inside stories here about unskilled actors literally going in and asking a chat, what do I say now, what do I do next? And, you know, helping them move to be very believable. And I think that that's helpful now. But I'm interested to see if your prediction that this helps defenders more comes true. Can I put you on the spot and get you to come back next year when we do this report and talk about the wins you're seeing for AI as we go through '26 and into '27?
A
Sure.
B
Perfect. Steve, one of the other big themes that I noticed in the report, and I think our readers will be interested in, was identity as a weakness. Our team saw that identity weaknesses played a material role in 90% of our investigations. Why is identity such a reliable path for attacker success?
A
I mean, "identity is the new attack surface" is the slogan you'll hear repeated. It's true, right? You can compromise an identity, you can gain access to an organization in many cases. Most organizations, and I have to acknowledge a sampling bias on the IR side, but most of the organizations I deal with, when you see an identity compromised for remote access, the organization is using single-factor authentication still in some cases, or SMS for the multi-factor, or a push notification, or a one-time PIN. All of those are phishable. And we have attackers reliably SIM swapping, reliably socially engineering people to get that one-time passcode provided to them. For the push notifications, we've seen attackers just spam it until someone got frustrated and pressed approve. And this gains access to the organization, rather than moving towards something that's phishing resistant. Right. You know, device registration, FIDO2, things like that. Also, aside from just the initial access, identity is the fabric that stitches environments together. Right. You compromise an identity in Active Directory. In organizations using AD Connect, or I think they call it Azure Connect now, we've seen organizations that will sync their domain admins with their Entra global admins, and then you compromise one environment, and because of how they structured that identity, the attackers now compromise both environments and can move laterally between them. And this will be true even as you continue federating identity through other environments. Organizations haven't commonly started to think of identity segmentation as a strategy to understand what should this identity have access to.
B
Are we losing this battle because defenders are still focused on patching vulns and attackers have just moved on to scooping up, stealing identities or credentials and walking in instead of breaking in?
A
I think that might be a bridge too far. I think vulnerabilities are still important, but we have to prioritize them, right? Like a remote code execution external vulnerability, yeah, that needs to be prioritized immediately. An internal vulnerability that's not accessible to the Internet, that's probably a lower priority. And then, you know, you think an attacker gains access, they get a foothold into the environment. The question that we need to be asking ourselves as defenders is what identities could be exposed on that foothold. The two most commonly compromised populations of systems are going to be edge, meaning they're Internet accessible, or user workstations. If you are allowing your administrative accounts to authenticate to either of those, it could be cached, and then an attacker can take it from the cache, and they've compromised one device, but now they have domain administration. Right. A lot of organizations don't think to go both ways on that. Right. When you think about the principle of least privilege, which we've all learned in school, right? The normal user account absolutely does not have access to your domain controllers, right? Never. That would never happen. But how many organizations think, oh, my domain admins, they should not be able to access the user workstations? That's part of the principle of least privilege too.
B
I don't remember that in elementary school personally, but there's a lot that I've forgotten about my early days of education. Steve, Palo Alto did this point-in-time study where we looked at, I think it was nearly 700,000 identities across cloud accounts, and we saw that 99% of them had excessive permissions. Help us understand what excessive permissions means in practice and why that matters to an attacker.
A
That's exactly it. Right. That's what I mean by the principle of least privilege. I think in the study you're referencing, it was a comparison between what a specific identity had capabilities and authorization to do compared to going back as far as the logs were available to see what it was actually used for, and seeing a tremendous delta there, seeing all of these identities that had authorizations, permissions to do activities that they weren't being used for. So it's very much like that example I just gave. The identities should be authorized to only do what they are required to do. And then for those truly break-glass or global administrative level accounts, we should be looking to do as much just-in-time provisioning as possible instead of having that identity be static and always available for someone to steal.
B
Steve, help me understand the difference between a human identity and a machine identity from an attacker's perspective. And why do service accounts matter so much?
A
So the reality is an identity is an identity, right? We have different ways of organizing things, but if an attacker is able to leverage an identity to get access to a system and a certain set of authorizations on those systems, it doesn't matter if that identity was assigned to a human or an application or an AI agent, right? The identity still provides that access and that authorization. Service accounts are complicated because they are very static, right? You configure an application, you tell that application that it's going to be using this specific credential, and you tell it how to authenticate as that credential, and then it goes and performs its job. Now think about, you need to change that credential months later. You now need to go update that application and tell it, okay, this is now how you authenticate, right? We had to change that credential, change that password. When you have hundreds of service accounts, that becomes a very onerous task. And this is where applications like CyberArk come in that really, really help automate that.
B
So the third trend in the report talks about supply chain risk and how it's expanding beyond vulnerable code to what we call trusted connectivity. The SaaS integrations, the vendor tools, and a lot of different dependencies. Data from SaaS applications was relevant in 23% of the cases that your teams investigated last year, and that's up from just 6% back in 2022. What's driving this sharp increase?
A
Yeah, so first off, some organizations aren't federating identity into SaaS in a good way. Ideally, we have limited what IP addresses are allowed to connect into it, or we've set up some kind of SASE layer so that you have to authenticate first before you're even allowed to connect, and we have really everything going through a platform like that. If you're just having local access to SaaS applications, it becomes really hard to defend, as there's so much sprawl. Think about, as you're running your business, how many different business units find a new SaaS application that they want to have access to. And if they're not properly registering it through IT, but they're putting business data up there, it's not getting properly secured. Aside from that, you know, when we're looking at dependencies, like you said, if I have a SaaS application that I've then installed another dependency into, another application into, I might leverage an OAuth token. Right. If that token gets stolen, I've now expanded my attack surface even more, as an attacker is able to leverage that to come in.
B
In the report, you had a case study about a compromised sales platform using OAuth tokens accessing Salesforce. What did the post incident review reveal that scared you?
A
I'd say it's how often these were over-privileged. Right. So we had organizations that had OAuth tokens providing third-party access to leverage this application into the platform. Right. Nothing wrong with that. That's common across many applications. Where a lot of organizations fell down was really twofold. Number one, not limiting what IP addresses this could come from. Right. We should know to a certain extent this OAuth token should be leveraged from this set of IPs, right, instead of allowing the entire global Internet to access my environment through that OAuth token. Right. The second is what that token had access to. I'm back again to the principle of least privilege, to what you learned in the third grade, apparently.
B
Thank you, Mrs. Grass.
A
If it didn't have access to more than it needed, then you would have really limited the impact of that incident. Right. You know, what objects can this OAuth application, what processes can this OAuth token access? And if it sprawls beyond what it needs for its job, you've just added risk without adding function.
B
Yeah. No reward for that extra risk that you've taken on. Steve, I want to zoom out a little bit and talk about nation state actors. That was the focus of the fourth trend, and we're seeing these nation state actors adapting stealth tactics in modern enterprise environments. How are state actors different from the cyber criminals that you observe?
A
I mean, you're absolutely right. The state actors, they have much higher budget, much more organized. We're actually seeing infrastructure and tool sharing amongst different actors within the same nexus of state sponsorship, some of that working together, and it's truly turning into very mature operations. You're 100% right with what you said. Frankly, we as defenders have gotten a lot better. The entire industry has gotten a lot better in the past few years. Detection and response is getting really good at many organizations. Attackers are just choosing not to have to deal with that. Right. If an EDR is difficult to evade, launch your attack on edge devices, on switches, on firewalls that are available, the firewalls anyway being available on the edge, compromising that and then living off at that network layer where there is no EDR. Right. If you're conducting your attack on these network devices, on hypervisor bare metal, you know, you're not authenticating into a system that is supporting an EDR. It's a lot harder to detect for a lot of organizations. And this allows the attackers to remain much more stealthy. The persona-driven infiltration, very similar. Right. If you can simply get hired into an organization and get given credentials or a laptop from the onboarding team, thank you very much, I now have access to the environment.
B
So you're talking about that fake employment. There are nation states literally applying for jobs just to get access.
A
Absolutely. We're seeing North Korea do this a lot. We've seen these IT worker campaigns. Basically they apply for a job, oftentimes using GenAI to help with the interview, and get a laptop shipped somewhere, typically domestically, where it's plugged into a network KVM, and then the attacker comes in over that. And oftentimes they do the job. I've even had clients of mine that have said they did good work; they received "exceeds expectations" on their annual evaluation. And sometimes it's literally just that, it's stealing, frankly, millions of dollars to evade sanctions. But there are also cases where it's used much more nefariously, where the attacker then gets access to source code repositories, the ability to make changes to source code. We have seen cases where this access was then leveraged for ransomware deployment and extortion.
B
I'm just picturing a bizarre world where somebody has faked their way into a job, they get a great review, and then they go back to the nation state and they get a bad review for their work elsewhere. You know, which one counts in their personal employment there? Kind of an oddball situation, I suppose. Probably never happened. So there was a line in the report that stopped me: "In more than 90% of the incidents, preventable gaps materially enabled the intrusion." 90% of incidents, preventable gaps materially enabled the intrusion. I thought that was a surprising line. If most breaches were enabled by exposure rather than sophistication, or HR sending you a laptop, why aren't those gaps being fixed?
A
Well, I mean, they are, right? They absolutely are being fixed. This is what security teams do. At the end of the day, if you're connected to the Internet, there's always going to be risk. Right. And every security team out there has a list of projects they're working on to try to burn down some of the risk and operate in a safer way. More mature security teams will hopefully be having risk registers where they're tracking what risks remain that they're aware of in the environment and have mitigation plans for all of these. But there's a bit of an arms race going on. You know, you're going to see attackers come up with new, novel exploits that organizations then have to defend against. And at the same time, your attack surface tends to continue growing as the business wants to leverage new applications, new systems, new software. And we as security professionals have to provide a way to allow this to be done as securely as possible. But some level of risk will always exist.
B
So for the security leaders that are listening, what are the highest-ROI controls that they should be prioritizing based on what you're seeing right now?
A
Yeah, so I'm going to give the famous answer of "it depends." It's obviously going to be different in each organization. You'll have to understand your own critical assets that you're trying to defend and work your way backwards from those. I'll give you a couple of high-level principles, though, that I think, you know, apply as close to universally as possible. The first being, let's reduce that attack surface. Right. So this is one of five. What's in my perimeter? That includes my on-prem environment, all of my cloud environments, anything that is exposed to the public. And what can I remove from it? Maybe it doesn't need to be exposed at all and I just take it out. A lot of times people misconfigure, and they'll have, like, a management interface of a network device accidentally exposed to the Internet. Pull it off. Right. So let's start by defining that perimeter, regularly scanning that perimeter to see what's in it, and remove it if it doesn't need to be there. If it does need to be there, if external people do need to access it, let's ask the question: does the entire public need to? Or can we limit it to a certain set of people through an IP allow list or a SASE layer so that we have to first authenticate before we can access it? The second is our other perimeter, right. It's identity. How are we authenticating users into the environment? Can we leverage something that's a non-social-engineerable, if I can make up a word, form of authentication? Right. FIDO2, for example. How can we actually deploy that enterprise-wide so that we're less worried about an identity compromise? Right? Because we know that someone would have to have the physical asset in order to authenticate. Number three, I would say, would be to work on identity segmentation: not letting those administrative accounts, especially those enterprise-level administrative accounts, have any access to workstations or edge devices.
You know, set up that just-in-time authentication. Set up privileged access workstations, separate from your user workstations, for your domain admins. Number four would be network filtering. Right. If a server doesn't need access to a certain destination, it shouldn't have access to that destination. All of these four were about prevention. Now, prevention is ideal, but detection and response is a must. We won't prevent everything. So that brings me to number five: ensuring enterprise-wide visibility so that your team can respond when something gets by the goalie. And this is network, host, cloud, identity.
B
Steve, I'd be remiss if I didn't ask you, as the leader of our North America consulting team, where your team fits in when organizations realize that their SOC can't keep pace with an attack and they need help.
A
So really two ways. If there's a specific attack, the obvious one: we're here to help, right? Call us. Hopefully we're on retainer and we have an obligation to get involved within hours, and you get extra hands, and we're there to plug in with your team and immediately start firefighting with you. The other is the more general case: our SOC is having trouble keeping up in general, there's not a specific attacker, how can we improve? Right. And there's everything from playbook improvement to tool improvement to training that we can then offer to help skill up organizations.
B
So if a CISO or security leader reads our report, and we're going to have a link to the report in the show notes if you're listening, what's the one action that you'd advise them to take away this quarter, or as soon as possible, based on what we're seeing after investigating 750-plus incident responses?
A
Can I just say my list of five that I said earlier? Are you going to hold me to one?
B
So what you need to do is hit that rewind button just a few times and you're going to go back to Steve's list. No, that's fair, man. Thanks for this great conversation today. I don't often get to talk to somebody specifically about what they've learned from hundreds of cases, and it's a privilege to be able to bring you on Threat Vector and dig into the report with you. I know in prepping for this, you and I have had a couple of other conversations. I think that you and your team have done an amazing job bringing this report together again. We'll have that listed in the show notes, so if you want to download the report or go read it online, it's available on the Palo Alto Networks website.
A
Can't thank you enough for having me. I sincerely think these conversations are very valuable, and I hope that someone out there listening to this is inspired to make a change in their environment. And if we even prevent one incident by having this conversation, that's a good day at work.
B
That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Benecourt and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for.
Episode: "Inside 750 Breaches with Unit 42"
Date: February 19, 2026
Guests: Steve Elovitz, leader of the Unit 42 North America Consulting practice
This episode delves into the findings of the Unit 42 2026 Incident Response Report, built on insights from over 750 breach investigations conducted in the last year. Host David Moulton sits down with veteran incident responder Steve Elovitz to unpack attack trends, persistent gaps in defense, and practical steps organizations need to take to bolster their cybersecurity posture. From the role of AI in threat actor toolkits to identity and supply chain weaknesses, this conversation targets security professionals eager to extract actionable lessons from front-line breach response.
Incident Response Kickoff:
Organizations contact Unit 42 via multiple channels; team is “trained for conversations with people on potentially the worst day of their career” ([02:43]).
Process focuses on situational awareness: what has happened, what has been done so far to contain it, and any observables the organization can provide (IPs, malware samples, etc.).
“This is our every day, we see this, as you say, 750 times plus a year." — Steve Elovitz ([02:43])
Teamwork in Triage:
Patterns in Incidents:
The Human Element & Stress
Misconceptions of Speed:
“Even if ransomware actors...you have to choose to pay them, decryption isn’t instant...the ‘CSI effect’ is not real.” — Steve ([08:40])
A Quantitative Shift:
AI Use Cases:
“Attackers have been faster to start leveraging AI than defenders because they don’t have change control...they can just experiment.” — Steve ([10:37])
Defensive Outlook:
AI as an Attack Surface:
Prevalence:
“Identity is the new attack surface...Most organizations, when you see an identity compromised for remote access, [are] still using single factor authentication or phishable MFA.” ([17:30])
Structural Weakness:
“How many organizations think ‘oh, my domain admins, they should not be able to access user workstations’? ...That’s part of principle of least privilege too.” — Steve ([20:10])
Machine vs. Human Identities:
“If it sprawls beyond what it needs for its job, you’ve just added risk without adding function.” — Steve ([27:02])
“Oftentimes they do the job...they received 'exceeds expectations' on their annual evaluation.” — Steve ([29:39])
On the Security Arms Race:
“There’s a bit of an arms race...Attackers come up with new novel exploits, organizations defend, but the attack surface continues to grow as the business wants to leverage new apps, new software…Some level of risk will always exist.” — Steve ([31:43])
On Preventable Gaps:
"In more than 90% of incidents, preventable gaps materially enabled the intrusion." (Read by David, emphasized as a remarkable finding — [30:41])
Advice for Security Leaders:
“Let’s reduce that attack surface...define that perimeter, scan and remove what doesn’t need to be there...identity, can we move to phishing-resistant authentication? ...work on identity segmentation...network filtering...but finally, detection and response is a must. We won't prevent everything, so ensure enterprise-wide visibility.” — Steve ([33:01])
"Can I just say my list of five that I said earlier? Are you going to hold me to one?" — Steve, on action items for CISOs ([37:28])
(David jokes: "So what you need to do is hit that rewind button...that's fair!")
| Segment | Timestamp |
|---------|-----------|
| Steve’s background & career philosophy | 01:07–02:13 |
| What happens during a breach call | 02:13–05:27 |
| Emotional impact & common misconceptions | 06:48–09:37 |
| AI’s role in accelerating attacks | 09:37–16:26 |
| Identity as primary attack surface | 17:05–22:44 |
| Supply chain/SaaS and OAuth case study | 23:52–27:02 |
| Nation-state tactics & person-driven infiltration | 27:25–31:43 |
| On the prevalence of preventable gaps | 30:41 |
| Five high-ROI security controls | 33:01–36:02 |
| Unit 42's role; advice for CISOs | 36:02–37:28 |
Steve’s Five High-ROI Controls for Security Leaders (as listed at [33:01]):
1. Reduce the attack surface: define the perimeter, scan it, and remove what doesn’t need to be exposed.
2. Identity: move to phishing-resistant authentication.
3. Identity segmentation.
4. Network filtering.
5. Detection and response: not everything will be prevented, so ensure enterprise-wide visibility.
Additional Guidance:
Conversational, pragmatic, deeply informed by fieldwork, and empathetic toward both technical challenges and the human side of incident response.
Steve stresses that even a single listener making a security improvement after this episode is a worthy outcome. The conversation offers a rare window into what really enables modern intrusions and how organizations—despite progress—must constantly adapt as attackers evolve.
“If we even prevent one incident by having this conversation, that’s a good day at work.” — Steve ([38:19])
For more, read the full 2026 Unit 42 Incident Response Report at the Palo Alto Networks website.