Threat Vector 4.23.26
Ep 114 | 4.23.26

Breach School

Transcript

Steve Elovitz: There are humans involved on security teams and we have to be empathetic and understand, you know, what they're going through and what they care about. [ Music ]

David Moulton: Today I'm speaking with Steve Elovitz, VP and Managing Partner for Unit 42's North America practice, about his career in the trenches of incident response and how that shapes the way he sees security, leadership, and what it really means to protect an organization. [ Music ] Steve, welcome to "Threat Vector." It's really nice to see you again in person. We recently spoke, but that's always virtual and, you know, it's nice to have somebody in the room for one of these conversations here on "Threat Vector."

Steve Elovitz: Yeah, it's great to be here. Thanks for having me.

David Moulton: Well, let's start with a little bit about your path in this industry and talk to me a little bit about how you got here and, you know, share with the listeners the version of your career from the frontlines to where you are now with Unit 42.

Steve Elovitz: Sure, well I mean I started actually doing IT work originally, everything from building patch cables to patching servers, and then I landed in forensics and eDiscovery with PwC. This was really before cyber was much of a thing. We had a separate security team that sat side-by-side. I got to come on some of their pen tests. Eventually, we found a few real cyber cases there where the teams worked together and that's where I found that I had a passion for things, moved over to Booz Allen to focus on exactly that for a government agency for a number of years, before eventually landing at Mandiant for about a decade, and then eventually made the move over to here to Unit 42.

David Moulton: Yeah. Well, I mean you just mentioned Booz Allen, PwC, what drew you to the work in those early years, you know, and maybe talk about the differences of what you were doing at those organizations, how that shifted with Mandiant and then, you know, take us to a point in time to, you know, today.

Steve Elovitz: Yeah. So, back in-back then, the-I don't want to age myself too much.

David Moulton: Sure.

Steve Elovitz: The work was very different, right, but it was still the adversarial nature that I really enjoyed that really drove me towards it. Doing the more eDiscovery type forensics, traditional forensics, I didn't enjoy quite as much. But then once I got a taste for incident response, for breach response, and you have the adversary out there that is trying to respond to your response, that's trying to stay in an environment while you're trying to kick them out, I found very enjoyable. And it allowed me to kind of merge my interest in security with my interest in forensics together and I found that very interesting.

David Moulton: I'm curious, do you consider yourself a competitive guy?

Steve Elovitz: Yes.

David Moulton: Yeah.

Steve Elovitz: I would say I'm very competitive.

David Moulton: And I know this isn't a videogame, but like as you're describing this like back and forth and outmaneuvering and kicking out and then they're back in and discovering, is it somewhere in that sense of the feel of that excitement that you might get?

Steve Elovitz: Yeah. I would say-I would say so, yeah. It was very different back then though, things were slower.

David Moulton: Okay.

Steve Elovitz: So, this was really pre-EDR, right?

David Moulton: Yeah.

Steve Elovitz: So, yeah a lot of the work was taking forensic images, lots of chains of custody, and then analyzing the forensic image and then, you know, making kind of those organizational-like changes. Remediation plans were put together over days, right, and then you would have a single remediation event where, you know, you have this coordination to kick an attacker out. That doesn't really exist against, you know, some of the more financially motivated attackers today. We really have to start remediation on, you know, hour zero.

David Moulton: Yeah. Is there a specific case or maybe an early moment in your career that clarified for you what this job is really about?

Steve Elovitz: It's hard to name just one case. At PwC there was one bank that we helped that was one of the larger cases we did and I got to actually work closer with some of-some people who I consider mentors even today, where I learned a lot. And that really, I think, codified for me the desire to focus on this for my career.

David Moulton: Yeah. And you and I have had a couple conversations, you were on "Threat Vector" before talking about our IR report, and it seems like you and a lot of folks in this industry are very mission-oriented. What is it about somebody who is a mission-oriented person that looks at this type of work and goes, "Yeah, these things come together." Is there a particular satisfaction that you get out of it? Is it just how you, you know, tell the story of yourself? Talk to me about that.

Steve Elovitz: I mean certainly. You know, I do feel a sense of duty to do this work. You know, when you see children's hospitals for example getting hit by ransomware groups, you know, and you have the talent to be able to assist even in you know whatever way, how can you not?

David Moulton: Um-hmm.

Steve Elovitz: Right? So, the mission of, you know, with joining Mandiant, the mission was fight crime and find the evil. And, you know, that really spoke to me and that was the direction we moved in, right? And that's, you know, we celebrated when we imposed costs to threat actors.

David Moulton: Yeah.

Steve Elovitz: We celebrated when we were able to evict threat actors from environments, right? That's the-was our DNA.

David Moulton: Yeah.

Steve Elovitz: And that really spoke a lot to me.

David Moulton: Yeah, I don't know if our guests can pick this up, maybe on the video feed, but your eyes kind of twinkle thinking about that and I love it. When you were at Mandiant-that was-they had a really great reputation or a particular reputation at that time; what's it like to build your career inside an organization that storied that was known for going in.

Steve Elovitz: Yeah.

David Moulton: And inflicting, you know, friction or cost on a threat actor and working some of the most consequential breaches?

Steve Elovitz: Yeah, well I would-I hope they still have a good reputation.

David Moulton: Yeah, yes they do absolutely.

Steve Elovitz: While we're competitors, we have the same mission, right [multiple speakers]?

David Moulton: Absolutely.

Steve Elovitz: We just have the same email addresses.

David Moulton: Yeah.

Steve Elovitz: The-I'll say joining Mandiant was probably the most humbling experience of my life.

David Moulton: Yeah.

Steve Elovitz: You know, are you familiar with the cognitive bias of the Dunning-Kruger effect?

David Moulton: Sure.

Steve Elovitz: Yeah.

David Moulton: Yeah.

Steve Elovitz: Where it's basically the less you know about something the more you might think [multiple speakers] you know about it.

David Moulton: Yeah.

Steve Elovitz: So, joining that team was pretty humbling for me. I, you know, thought if I, you know, working where I had worked before, I knew a lot. But I realized how much I had to learn. But, you know, it was just such a frankly a busy organization, that you get thrown right into it. But the team around you is so vested in your success that I learned so much so quickly. I just-I think going into there you needed to be able to eat that humble pie and realize that there was a lot for you to learn and dig in and do it.

David Moulton: So, at some point in your career, you went from being the person who was analyzing the breach to the person that would walk into the room with the executive team, with the CEO, with the board, to understand what had happened and then what that group needed to do next. I've talked to some of the forensic analysts and the DFIR folks here about how intimidating and empowering that feels. Talk to me about what you learned from that frontline to sitting at the table with the leadership teams.

Steve Elovitz: So, you know, first off I don't think you can ever truly stop being the person that analyzes the breaches if you want to be effective with the executives, right? You know, these are some of the smartest people in the world. They can see inauthenticity a mile away.

David Moulton: Um-hmm.

Steve Elovitz: So, having the-you know, interest and curiosity, I think remains a requirement. And, you know, whenever I brief even a CISO, let alone a board of directors, I'm still going to want to make sure that I get eyes on the actual data itself, right? And I need to be able to understand the artifacts that went into forming the conclusions, especially on the key points like the initial entry: how did the attacker get into the environment? I'm going to want to understand what was the initial artifact that allowed us to form that conclusion and, you know, make sure it makes sense in the context of the organization and the rest of the incident. Things like espionage, data theft, anything that, you know, really causes enterprise level risk or impact, I need to actually understand; show me the artifacts that allow us to limit our findings to what we're calling an impact, and make sure that I agree from the actual artifact. If you're unable to actually get into that granular level of detail, you know, you're unable to really dig in when you get the eventual follow-ups and.

David Moulton: Yeah.

Steve Elovitz: You become far less effective when you have that inauthenticity.

David Moulton: So, Steve, when you're digging in, you're talking about the forensic data.

Steve Elovitz: Yes.

David Moulton: The attack itself. Is there also a level of understanding the business, the specifics of what their data or their business model is? Why they might be targeted that you have to get into as well?

Steve Elovitz: Absolutely, right? Because the kind of double-edged sword of what I just said is that you could have a tendency to get into the minutia that the organization may not care about, right? It's your responsibility when you're presenting to these executives, you have to understand both what they want to know from you and what they need to know, right, and it's your responsibility to arm them with the data they need to know and you can't do that without understanding the business context.

David Moulton: Yeah. You mentioned presenting to them. Is there a particular communication skill or a technique that you have found is really helpful but maybe it took a while to develop, but now that you have it, you know, you want to share it with the "Threat Vector" audience today?

Steve Elovitz: I think I'm still developing having conversations in front of a camera, how am I doing?

David Moulton: Fantastic!

Steve Elovitz: Fantastic.

David Moulton: Fantastic. Yeah.

Steve Elovitz: Yeah. I think it's one thing that I had to learn was probably having multiple versions of one presentation. You walk into a board meeting, you have no idea how much time you have, or you might be scheduled for an hour and get 15 minutes.

David Moulton: Um-hmm.

Steve Elovitz: You might be scheduled for 5 minutes and you're speaking for an hour.

David Moulton: Um-hmm.

Steve Elovitz: So, coming prepared with the ability to, again, tell the-tell them what they need to know and what they're interested in, in these different segments of time, and being able to make that adjustment is very, very important.

David Moulton: When an organization is in the middle of an active crisis, right, their executives are in the room that are under this, I don't know how to even describe the level of pressure, and it's got to be incredibly, incredibly stressful. What do you know now about managing that dynamic, right, managing that human factor of stress and, you know, how it affects people to take in information? You said "what they need to know and what they want to know" a moment ago. What do you understand now that you wish you would have understood earlier?

Steve Elovitz: So, I think it's a-it's something that you never stop learning and developing, right, because we're talking about empathy really at the end of the day. You know, understanding the position that my customer is in, that the CISO I'm working with is in, all the way down to the members of the team. You know, if it's a public incident, everyone in that organization is feeling substantial pressure.

David Moulton: Um-hmm.

Steve Elovitz: You know, it's they might be thinking about, "Will I have a job tomorrow?" So, it's really understanding the role that they play and trying to do your best to empathize with it. This could include things like, who is my contact, whoever I'm working with right now, who are they reporting to? What do they have to report and when are they reporting it? How can I arm them to communicate up and out better? You know, what's important to them and how can I help them achieve it?

David Moulton: Yeah. Something I've heard recently and I found I keep reflecting on it is, when you go into a room understand who's not in the room.

Steve Elovitz: Yeah.

David Moulton: That is in the room. And it sounds to me like you're talking to the CISO and maybe they have got a boss or an executive that they've got to report to, or there are other folks that.

Steve Elovitz: Sure.

David Moulton: That board's worried about their shareholders; those people are in the room even though they're not in the room.

Steve Elovitz: Yeah.

David Moulton: Yeah, and you've got to consider those things, they're not your boss, but they're definitely influencing the situation that you find yourself in. Alright, so you've been doing this work long enough to understand what attackers are doing and then how they're evolving from one era to the next. When you compare the cases that you were working on back in those early days, PwC, you know, Mandiant, what are the things that you're responding to now that strike you as the biggest changes?

Steve Elovitz: Probably speed to be honest is the biggest change, you know, back in, you know, before I think 2016, give or take, was when you know the SamSam attackers started really doing enterprise ransomware, CryptoLocker, et cetera. Before that, dwell time was measured in hundreds of days, right? You had attackers that would be in environments, I, you know, if I recall the Mandiant M-Trends report in 2014, was like 229 days or something, it was the median dwell time that an attacker was in an enterprise before, you know, they were detected. That's substantially longer than today, you know, when we're talking of attackers completing entire missions in 72 hours.

David Moulton: Um-hmm.

Steve Elovitz: So, you know, everything was quite a lot slower, even post-EDR, right? The response is faster than the forensic image days we were talking about earlier, but the attacks were moving much, much slower. Attackers were generally trying for long-term access to environments, of course that still happens today, but just so much more of the work is that opportunistic financially motivated attacker.

David Moulton: Is there anything from say 15-20 years ago that is now making a return?

Steve Elovitz: I would say the things that worked then that still work today and really never go away, social engineering is a great example of that. You know, it's never really gone away. I'd say, you know, before AI, GenAI really became a thing, attackers finding these external vulnerabilities were able to be more scalable that way for initial access to environments.

David Moulton: Yeah.

Steve Elovitz: And that's still true today, of course, but now we've unfortunately unlocked scalability in social engineering, and we're definitely seeing attackers leverage that more and more, but it was always effective. You know, just today it's more often you're going to hear someone with an accent matching what you would expect being able to speak in, you know, the local colloquialisms that you would expect making him a more believable social engineer.

David Moulton: Yeah.

Steve Elovitz: And that's not even to mention GenAI and deepfakes and things like that. [ Music ]

David Moulton: So, you mentioned a second ago, attacks being compressed to.

Steve Elovitz: Um-hmm.

David Moulton: Seventy-two hours instead of three-quarters of a year, and I think that was a stat that we saw out of the IR report, the Incident Response report that we put out in February. What is the effect of that compression time on defenders who are watching this happen near real-time?

Steve Elovitz: Yeah, I think-I think the stat might have been 72 minutes even for some of the.

David Moulton: Yeah.

Steve Elovitz: Some of the attacks, right? You know, it's very fast. You know, attackers-we've lowered the bar on automation for attackers, right? You know, often times a lot of these opportunistic attack-I mean, obviously your nation states, your highly skilled attackers always had the ability to engineer their own tools and tactics. But for the more opportunistic attackers, often times we would see them leverage, you know, a third-party malware or working with something like a ransomware as a service and a lot of the post-exploitation phase of the attack was after they purchased the initial access before it went to their ransomware as a service. And a lot of that was manual, right, and a hacker moving laterally escalating privileges reconnoitering the environment.

David Moulton: Um-hmm.

Steve Elovitz: And this bar on automation has been lowered through GenAI so that attackers can more and more automate that phase of the attack with just scripts, right? Now we've also started see-to see attackers leverage AI directly to actually outsource that phase of the attack. I think we're going to see more of that. But this really reduces the amount of time that you have to respond, right? Fifteen years ago, a mean time to respond of a day for a SOC was pretty good.

David Moulton: Um-hmm.

Steve Elovitz: And now when we're talking 72 minutes for an entire mission, you know, it doesn't cut it.

David Moulton: Yeah.

Steve Elovitz: Right?

David Moulton: Somebody's got your lunch if you're waiting around an entire day. And forgive me for misspeaking there; it still blows my mind that these attacks are happening, you know, basically in the bound of an hour.

Steve Elovitz: Yeah.

David Moulton: An hour and change. When did you start to feel that speed increase in your career and is there a moment where that speed really caught you off guard?

Steve Elovitz: So, I think it was gradual. I don't think it was overnight. And I would say actually, if I had to name a time it would probably be around the pandemic, and that's even predating, you know, AI right? But it was when we quickly had to-we as kind of, you know, I guess of people had to quickly.

David Moulton: Yeah.

Steve Elovitz: Make the change to remote work and we had much less of that castle-and-moat model, of course VPNs and remote access software existed back then, but they weren't as ubiquitous and a lot of organizations were moving more to the cloud and more to these distributed models without the proper, you know, security controls to implement around them. And, you know, this led to broad-scale attacks. This led to, you know, substantial amounts of vulnerabilities if I recall; in that year we had a lot of zero days for, you know, remote or edge devices.

David Moulton: Yeah.

Steve Elovitz: That allowed attackers to get into an environment and, you know, we had very flat environments back then, so attackers were able to compromise an identity and start causing harm very, very quickly.

David Moulton: Well, you mentioned identity, and I recall in the report that we found identity playing a role in, oh I think it was 90% of.

Steve Elovitz: Eighty-nine percent in.

David Moulton: Yeah, yeah 89% in the investigations. You've been watching this, you said, build for years; this was kind of gradual. When did identity start showing up consistently in the postmortems?

Steve Elovitz: So, as a contributing factor always, right, so you know, Active Directory has existed long before, you know, cybersecurity has as an industry, and it tends towards entropy, right? So, organizations have had these active directories sometimes for, you know, 20-plus years.

David Moulton: Yeah.

Steve Elovitz: You know?

David Moulton: They're older than some of the analysts some might say.

Steve Elovitz: They're active directories.

David Moulton: Right.

Steve Elovitz: And, you know, a lot of organizations don't do a good job of going through and, you know, saying okay why did we create this OU, this organization unit? Why does this?

David Moulton: Yeah.

Steve Elovitz: Group exist? Why does it have this privilege, right, and this entitlement? And let's trim that, let's remove it, or setting up temporary entitlements. A lot of organizations don't do that well and that dates way back to then. And attackers looking at this kind of like a graph and how they can move from system to system, to account to account, has always been a weakness that organizations have faced. I'd say it got way worse around again 2020, when identity really became more of the fabric that stitches different environments together.

David Moulton: Um-hmm.

Steve Elovitz: Yeah.

David Moulton: With all of the focus on identity and I actually think this is a space that's going to only be more important; what's one thing that you're frustrated isn't getting more coverage given the risk that identity poses?

Steve Elovitz: That's a good question. I get one? So, I'd say-I would say probably it's that sprawl, the active directories I was just saying if I had to pick just one.

David Moulton: Um-hmm.

Steve Elovitz: It would probably be that. Just how an attacker can just move laterally, escalate privileges, move laterally. If I get two, I would say probably static privilege; something that doesn't get enough attention, you know, having accounts that, you know, will take domain admin and or Entra Global Admin or something similar and retain that privilege, right, versus being able to temporarily check out that privilege requiring that, you know, modern FIDO2, MFA.

David Moulton: Right.

Steve Elovitz: To check out the privilege and have it temporarily.

David Moulton: Yeah. No, I've actually noticed that as I've joined Palo Alto and I want to escalate my privilege, it's like going to the library, checking it out for a minute, and then it goes away.

Steve Elovitz: And that's for your local account.

David Moulton: Yeah.

Steve Elovitz: Imagine how many organizations where they'll-the keys to the entire kingdom is assigned to a user and that account doesn't change, it's just a normal account that that user sometimes uses and sometimes they use it as their daily driver too.

David Moulton: I understand that it happens, but-and I don't say the word "befuddled" when I hear this, I don't use that word often, but it blows my mind that that is a behavior that here in the world of 2026 that we're still going, you know, yeah we're going to go ahead and give you the keys to everything and in 2016, and here we're a decade on and it's still the same and you're going, "We know that's a terrible idea. Why are we doing this?"

Steve Elovitz: Yeah.

David Moulton: And yet, here we are. Steve, where are organizations underestimating where they need to put their investments?

Steve Elovitz: Sure. So, you know, there's a few different areas I had mentioned. The first is, we need to reduce our perimeter. We need to reduce the scope of where attackers can come in from to take pressure off the team. And then we need to harden the interior of environments to give teams more time to detect and respond, right? You don't want to be in the position where an attack can be conducted on you in 72 hours, right? On the first point, we're talking about attack surface reduction; what's inside your perimeter and what's exposed to the world, right? And then making the decisions to pull more of this inside, or if it has to be on the Internet, let's put a SaaS or something in front of it so that we are enforcing authentication.

David Moulton: Yeah.

Steve Elovitz: Before someone's able to connect. On the authentication front as well, using a more modern type of multifactor authentication, right, SMS is gone, one-time pin is going, should be gone. We should be working on leveraging the more phishing-resistant MFAs, you know, FIDO2 or device-bound, device registration authentication, right, something that someone can't convince you to give them over the phone.

David Moulton: Right.

Steve Elovitz: If you, you know, do that then you're much, much better protected, both your identity and any potential vulnerabilities that could exist in your perimeter. And then once an attacker gets inside, then we have to talk about what privileges are available to them, right? So, separating the privilege accounts away from the commonly compromised assets by setting up a tiering model or doing that just in time authentication-authorization rather, that I mentioned where you check out a credential. Beyond that, putting all of our security visibility into a single platform, I think is really critical. If you have your analyst constantly swivel chairing between platforms, where a minute hacker is using an automated attack, you're never going to keep up.

David Moulton: Yeah.

Steve Elovitz: Right? So, we need to be able to get all of our visibility together and then you're able to create your own automations off of it through something like a SOAR, or more and more organizations are going to start moving towards creating agents to respond to, you know, more varied types of attacks and I think that's going to be really where the future is.

David Moulton: So, let's flip the question a little bit, what looks great on, you know, a budget item or is expected, maybe it's those executive conversations they know that this is coming, but you're like this is not good spend given the rapidly changing environment and in the way attacks are going. You know, it's just aged out at this point.

Steve Elovitz: Gosh. This is a very dangerous question for me to answer given that I think Palo Alto Networks sells one of everything, but I'll say a DLP, a-you know, an organization really needs to understand what they get out of a DLP. A creative human attacker can creatively think of different ways to exfiltrate data. DLP is great at stopping accidental disclosure or, you know, lower skilled potential insider threats, but an advanced attacker, you know, could think of other covert channels to exfiltrate data that a DLP likely won't prevent. But it sounds great, data loss prevention, I want one of those.

David Moulton: Absolutely. You spent your career with other people who are having their maybe worst moment professionally. What has all that taught you about what it means to lead well in security and not just to respond well?

Steve Elovitz: Yeah. So, I think it comes down to empathy and investing in your team, right? Security is 100% a team sport. You can't do it alone. Anyone who tries, even like the most skilled, will eventually burn out, even incident response aside. You know, so you got to build the people around you, have their backs, they'll have your backs.

David Moulton: Yeah.

Steve Elovitz: It also has the benefit of being the right thing to do, so.

David Moulton: Yeah. That doesn't hurt. For somebody who's early in their career or thinking about going into this space, you know, how do you advise them on what they should focus on, you know, where do they put their energy?

Steve Elovitz: That's hard to answer generally versus a specific person. Generally, I would say first identify if you have any fatal flaws, right? If there's anything that, you know, is going to keep you from being able to advance and then take care of your fatal flaws, right? Get those up to acceptable and then invest in your strengths, right? Whatever area that you think that is, you know, a differentiator of yours, invest in it and try to become really the best at it rather than just trying to, you know, be a well-rounded average person across the board.

David Moulton: Absolutely.

Steve Elovitz: Yeah.

David Moulton: Steve, I appreciate you pulling back the curtain on your career a little bit and sharing with me and joining us here on "Threat Vector," sharing with our audience today, you know, some of your ideas, your insights, what you've learned going from that, you know, seat as an investigator going into IR and then sitting side-by-side with some of these teams as they've, you know, these executive teams as they try to navigate, in really stressful and important situations.

Steve Elovitz: I appreciate you having me. But I don't think I can end this without now asking you for a dad joke.

David Moulton: Oh. Well, do you want one that's a security-themed dad joke?

Steve Elovitz: Sure.

David Moulton: Like to really double down? Alright, so my son, he's a drummer and it inspired me the other day when the bank said I needed to change my password. So, I set it to HIAD [assumed spelling]. It didn't work. They said no symbols.

Steve Elovitz: Uh, okay.

David Moulton: Yeah. [ Music ] Alright, well thanks for coming in Steve. That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and your feedback really do help me understand what you want to hear about on this show. You can email me at threatvector@paloaltonetworks.com. I want to thank our Executive Producer Michael Heller, original mix and music by Elliott Peltzman. We'll be back next week. Until then, stay secure. Bye for now. [ Music ]