BSidesAugusta 2025

Threat Hunting in Your Identity Stack
2025-10-25, Track 3 - Room 2400

This talk will walk through how to structure and execute effective identity-centric hunts. Identity is the new perimeter and a critical component in modern threats, as attackers increasingly exploit tokens, sessions, and human behavior.
We’ll start by discussing how to baseline normal behavior, formulate hunting hypotheses, and identify meaningful deviations in authentication. You’ll learn how to differentiate between false positives and benign true positives, avoid common pitfalls in chasing low-context anomalies, and uncover how seemingly benign events can offer deep insight into user behavior, misconfigurations, and organizational risk.
We will examine patterns observed after account compromise, focusing on how threat actors quietly maintain access, explore systems, and attempt to achieve their objectives. Whether working in Microsoft Entra, Okta, AWS, or GCP, this session will provide a practical approach to identity-focused threat hunting in modern environments.

As a Threat Hunter, Alex works to proactively identify active threats through advanced analysis and data gathering. These efforts span multiple detection domains and target the activity most prevalent in today’s threat landscape. He began his career in banking, emulating attacker techniques to sharpen detection and response, and now focuses on hunting identity-driven and cloud-based threats at scale.