The Human Cost of Incident Response
Steve Elovitz, who leads Unit 42's North America Consulting practice, opens with a sobering reality often overlooked in breach discussions: the profound human toll on security teams. Drawing from 15 years of incident response experience across Mandiant, Booz Allen, PwC, and now Palo Alto Networks, Elovitz describes walking people at breached organizations through some of the worst days of their careers. His team operates a 24/7 follow-the-sun model, fielding calls from security leaders under extreme stress. The conversation reveals that CISOs have suffered heart attacks during active incidents, and that victim blaming remains a persistent cultural problem. When breaches become public, even employees unrelated to security face harassment. This human dimension underscores why Unit 42's 2026 Global Incident Response Report, based on 750+ investigations, emphasizes not just technical controls but the organizational resilience required to survive modern attacks.
Identity as the Primary Attack Surface
The report's most striking finding is that identity weaknesses played a material role in 90% of investigations—not vulnerabilities, not zero-days, but compromised credentials and excessive permissions. Elovitz explains that most organizations still rely on phishable authentication methods: single-factor authentication, SMS codes, push notifications, or one-time PINs. Attackers reliably defeat these through SIM swapping, social engineering, and notification spam until frustrated users approve access. The problem extends beyond initial access. Identity serves as the fabric stitching environments together, and organizations commonly sync domain admins with Azure global admins, allowing attackers to pivot between on-premises and cloud environments. A Palo Alto Networks study found 99% of nearly 700,000 cloud identities had excessive permissions—authorization to perform actions they never actually used. Service accounts compound the challenge because they're static and difficult to rotate without breaking applications. Elovitz advocates for phishing-resistant authentication like FIDO2, identity segmentation to prevent administrative accounts from accessing workstations or edge devices, and just-in-time provisioning for privileged access.
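The "excessive permissions" finding is measurable in any environment that keeps an activity log: compare what each identity is authorized to do with what it actually did. The script below is an added illustration, not code from Unit 42 or the report; the identities, permissions and log lines are constructed sample data, and the "timestamp identity action" log format is an assumption standing in for a real cloud audit export.

```python
"""Least-privilege gap analysis: granted cloud permissions vs. actions actually used."""
from collections import defaultdict

# Constructed sample data: permissions currently granted to each cloud identity.
GRANTED = {
    "svc-backup": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                   "iam:PassRole", "ec2:TerminateInstances"},
    "alice-admin": {"iam:CreateUser", "iam:AttachUserPolicy",
                    "s3:GetObject", "ec2:DescribeInstances"},
    "ci-deploy": {"ec2:DescribeInstances", "ec2:RunInstances"},
}

# Constructed activity log, one "timestamp identity action" record per line
# (assumed format; a real export would be parsed the same way).
ACTIVITY_LOG = """\
2026-01-02T03:04:05Z svc-backup s3:GetObject
2026-01-02T03:04:06Z svc-backup s3:PutObject
2026-01-03T11:00:00Z alice-admin ec2:DescribeInstances
2026-01-04T09:30:00Z ci-deploy ec2:RunInstances
2026-01-04T09:31:00Z ci-deploy ec2:DescribeInstances
"""

# Heuristic for prioritising removals: identity-plane and destructive actions first.
HIGH_RISK_PREFIX = ("iam:",)
HIGH_RISK_VERBS = ("Delete", "Terminate")

def used_actions(log_text):
    """Map each identity to the set of actions it actually performed."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            used[parts[1]].add(parts[2])
    return used

def permission_gap(granted, used):
    """Return {identity: (never-used actions, share of grants never used)}."""
    report = {}
    for identity, perms in granted.items():
        unused = perms - used.get(identity, set())
        report[identity] = (unused, len(unused) / len(perms) if perms else 0.0)
    return report

def identities_with_excess(report):
    """Identities holding at least one permission they never exercised."""
    return sorted(i for i, (unused, _) in report.items() if unused)

def share_over_permissioned(report):
    """Fraction of identities with excess rights (the report's 99%-style metric)."""
    return len(identities_with_excess(report)) / len(report) if report else 0.0

def high_risk_unused(report):
    """(identity, action) pairs to revoke first: unused and privileged or destructive."""
    return {(i, a) for i, (unused, _) in report.items() for a in unused
            if a.startswith(HIGH_RISK_PREFIX) or any(v in a for v in HIGH_RISK_VERBS)}
```

Run over a real audit export, the same functions turn the 99% statistic into a per-identity removal list, which is the input a just-in-time provisioning or policy-rightsizing process needs.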
AI's Dual Impact on Attack Speed and Defense
Artificial intelligence is reshaping the threat landscape in three distinct ways, according to Unit 42's findings. First, AI accelerates attacker operations—data exfiltration timelines compressed from five hours to one hour as threat actors use AI to automate reconnaissance, lateral movement, and data extraction. Second, AI lowers the skill barrier for attackers. Elovitz describes unskilled actors literally asking chatbots what to say next during social engineering attacks, making them far more believable. Third, AI itself has become an attack surface. Organizations granting AI agents access to sensitive data have seen attackers successfully prompt those systems to help them gain deeper access, with the AI happily obliging. Despite these offensive advantages, Elovitz predicts AI will ultimately benefit defenders more by enabling faster threat detection, automated response, and pattern recognition across massive datasets. The key question for 2026 is whether defensive AI applications can mature quickly enough to offset the acceleration in attacker capabilities.
The Five Highest-ROI Security Controls
When pressed for actionable guidance, Elovitz outlines five controls that consistently prevent the attacks Unit 42 investigates. First, reduce attack surface by regularly scanning internet-exposed perimeters and removing anything that doesn't need public access—management interfaces, misconfigured cloud storage, forgotten test environments. For assets that must be exposed, implement IP allow lists or SASE layers requiring authentication before access. Second, deploy phishing-resistant authentication enterprise-wide, specifically FIDO2, to eliminate the social engineering vulnerabilities that enable 90% of breaches. Third, implement identity segmentation so administrative accounts cannot access workstations or edge devices where they're most likely to be compromised. Fourth, enforce network filtering so servers can only communicate with authorized destinations. Fifth, ensure enterprise-wide visibility across network, host, cloud, and identity layers because prevention will never be perfect. Elovitz frames this as prevention being ideal but detection and response being mandatory. The report's finding that over 90% of breaches were enabled by preventable gaps rather than sophisticated exploits underscores that these fundamentals, properly implemented, would eliminate the majority of successful attacks organizations face today.