Identity Hijack Response Exercise

Episode 04 | Published July 17, 2025 | 39 minute watch

Summary

Automox's Tom Bowyer and Ryan Braunstein run a live incident response drill with host Landon Miles. The scenario: an attacker logs into the company SSO with reused credentials, impersonates IT in Slack, and pushes employees to install a fake remote support tool. The team treats containment as the fast part: they disable the SSO and Slack accounts, revoke sessions on AWS, GitHub, and the IdP, and burn personal access tokens and API tokens. The real work is weeks of log review to prove how the attacker got in. Bowyer says you should always carry a working theory of the adversary and prove it with data. Braunstein recommends hardware tokens and phishing-resistant MFA over push-notification MFA, which invites MFA fatigue. Attackers don't break in anymore. They log in. Identity does not equal trust.