
Incident Response in the Age of Identity-Driven Cyber Attacks 

Published: 19th May 2026

If you want to watch the original discussion in full, you can find the podcast episode on Spotify.

Incident response is no longer an IT function hidden in the background

For a long time, incident response was treated as a technical discipline. Something broke, engineers investigated, systems were restored, and a report was written afterwards. 

That model no longer reflects how cyber incidents unfold. 

Today, a security incident is a business event from the very beginning. It affects operations, customer trust, regulatory exposure and revenue in parallel. In many cases, organisations are not the first to detect a breach. The attacker is the one who signals it. 

That shift changes everything about how incident response needs to work. 

The nature of cyber attacks has changed: access now looks like normal behaviour 

Modern cyber attacks are no longer defined by forced entry or obvious malware execution. Increasingly, they begin with identity. 

Stolen credentials, session tokens and compromised authentication flows have overtaken traditional intrusion methods such as exploiting exposed services as the primary entry point into systems. Multi-factor authentication still plays an important role, but it is no longer a definitive boundary. Attackers have adapted to bypass or intercept authentication sessions: adversary-in-the-middle phishing pages that proxy the real login and capture the session cookie issued after MFA succeeds, infostealer malware that lifts tokens from a browser, or a flood of push prompts that wears the user down until one is approved. Once that session is accepted, the attacker appears fully legitimate. 

From that point onwards, there is very little that looks abnormal in isolation. The attacker is not behaving like a hacker. They are behaving like a user. 

That is the fundamental problem defenders now face. 
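The following Python script is an added example, not code from the podcast or the original post, that shows what "nothing looks abnormal in isolation" means in practice and how correlation still exposes a stolen session. It binds each session token to the client (IP and user agent) that completed MFA, then flags later use of the same token from a different client, concurrent use by both the legitimate and the foreign client, and tokens that appear with no observed sign-in behind them. The log format, field names and addresses are constructed for the example; real identity-provider logs use their own schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sign-in and request events in JSON-lines form. The schema
# (ts, user, session, ip, ua, action) is an assumption for this example;
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts":"2026-05-19T08:00:00Z","user":"alice","session":"S1","ip":"203.0.113.10","ua":"Chrome/124 Windows","action":"signin_mfa_ok"}
{"ts":"2026-05-19T08:03:00Z","user":"alice","session":"S1","ip":"203.0.113.10","ua":"Chrome/124 Windows","action":"mail.read"}
{"ts":"2026-05-19T08:07:00Z","user":"alice","session":"S1","ip":"198.51.100.7","ua":"python-requests/2.31","action":"mail.read"}
{"ts":"2026-05-19T08:09:00Z","user":"alice","session":"S1","ip":"203.0.113.10","ua":"Chrome/124 Windows","action":"files.list"}
{"ts":"2026-05-19T08:10:00Z","user":"bob","session":"S2","ip":"192.0.2.5","ua":"Safari/17 macOS","action":"signin_mfa_ok"}
{"ts":"2026-05-19T08:40:00Z","user":"bob","session":"S2","ip":"192.0.2.77","ua":"Safari/17 macOS","action":"mail.read"}
{"ts":"2026-05-19T08:41:00Z","user":"carol","session":"S9","ip":"198.51.100.7","ua":"python-requests/2.31","action":"files.list"}
"""

# How close together origin-client and foreign-client use must be to count as
# concurrent rather than the user simply switching devices.
CONCURRENT_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse JSON lines into event dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _finding(kind, e):
    return {"kind": kind, "user": e["user"], "session": e["session"],
            "ts": e["ts"].isoformat(), "ip": e["ip"], "ua": e["ua"], "action": e["action"]}


def find_session_anomalies(events):
    """Bind every session to the client that completed MFA and report later
    use of that session that does not fit the binding."""
    origin = {}        # session -> (ip, ua) recorded at the MFA sign-in
    foreign_last = {}  # session -> ts of the most recent use from another client
    unknown_reported = set()
    findings = []
    for e in events:
        sid, client = e["session"], (e["ip"], e["ua"])
        if e["action"] == "signin_mfa_ok":
            origin[sid] = client
            continue
        if sid not in origin:
            # A token in use with no sign-in behind it: a replayed cookie, or a
            # session minted outside the monitored flow. Report once per session.
            if sid not in unknown_reported:
                unknown_reported.add(sid)
                findings.append(_finding("session_without_observed_signin", e))
            continue
        origin_ip, origin_ua = origin[sid]
        if e["ip"] != origin_ip and e["ua"] != origin_ua:
            # Both network location and client software changed. An IP change
            # alone is routine (mobile networks, NAT); both together rarely are.
            foreign_last[sid] = e["ts"]
            findings.append(_finding("token_used_from_new_client", e))
        elif (client == origin[sid] and sid in foreign_last
              and e["ts"] - foreign_last[sid] <= CONCURRENT_WINDOW):
            # The legitimate client is still active while the token is also in
            # use elsewhere, so the user did not simply move to another device.
            findings.append(_finding("concurrent_use_by_origin_and_foreign_client", e))
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(parse_log(SAMPLE_LOG)):
        print(f["kind"], f["user"], f["session"], f["ts"], f["ip"], f["ua"])
```

Run on the sample, the script reports alice's session S1 used from a scripting client at a new address, the legitimate browser still active two minutes later, and carol's session S9 in use without any sign-in on record; bob's address change with the same browser is left alone. Each flagged request is individually a valid, authenticated call, which is exactly why per-event rules miss it.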

Once inside, attackers blend into the system by design

One of the most significant shifts in attacker behaviour is the reliance on what is already available inside the environment. 

Rather than deploying custom malware that can be detected, attackers increasingly use legitimate tools and built-in administrative functions: remote administration shells, scheduled tasks, the cloud provider's own console and command-line tools. This approach is often described as “living off the land,” but in practice it simply means there is no clear technical distinction between attacker activity and normal operations. 

Cloud platforms make this even more effective. Administrative actions, automation scripts and remote access tools are part of everyday operations. The same mechanisms that enable efficiency for businesses also provide cover for attackers. 

Once inside, movement is deliberate but quiet. Systems are explored, privileges are escalated and data is accessed in ways that rarely trigger obvious alarms. 
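When the tooling is legitimate, the remaining signal is that this principal has never done this before. The Python script below is an added example, not code from the podcast or the original post: it learns a per-principal baseline of API actions from an earlier window of audit events, then flags actions a principal has not previously performed, escalates the ones that grant persistence or blind the defender, and treats a burst of first-seen read-only calls as enumeration. The event schema and the action names are assumptions modelled loosely on a cloud provider's API audit trail, and the high-impact list is illustrative rather than any vendor's catalogue.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in JSON-lines form. Field names and action names
# are assumptions for this example, not a specific provider's schema.
BASELINE_LOG = """\
{"ts":"2026-04-20T09:00:00Z","principal":"ops-admin","action":"DescribeInstances"}
{"ts":"2026-04-21T09:05:00Z","principal":"ops-admin","action":"StartInstances"}
{"ts":"2026-04-22T18:00:00Z","principal":"ops-admin","action":"StopInstances"}
{"ts":"2026-04-23T09:00:00Z","principal":"ops-admin","action":"DescribeInstances"}
{"ts":"2026-04-23T10:00:00Z","principal":"ci-deployer","action":"PutObject"}
{"ts":"2026-04-24T10:00:00Z","principal":"ci-deployer","action":"UpdateFunctionCode"}
"""

RECENT_LOG = """\
{"ts":"2026-05-19T09:00:00Z","principal":"ops-admin","action":"DescribeInstances"}
{"ts":"2026-05-19T09:01:00Z","principal":"ops-admin","action":"ListUsers"}
{"ts":"2026-05-19T09:02:00Z","principal":"ops-admin","action":"ListRoles"}
{"ts":"2026-05-19T09:02:30Z","principal":"ops-admin","action":"ListBuckets"}
{"ts":"2026-05-19T09:03:00Z","principal":"ops-admin","action":"GetAccountAuthorizationDetails"}
{"ts":"2026-05-19T09:20:00Z","principal":"ops-admin","action":"CreateAccessKey"}
{"ts":"2026-05-19T09:25:00Z","principal":"ops-admin","action":"DeleteTrail"}
{"ts":"2026-05-19T09:30:00Z","principal":"ci-deployer","action":"PutObject"}
{"ts":"2026-05-19T09:31:00Z","principal":"ci-deployer","action":"UpdateFunctionCode"}
"""

# Actions that create persistence, widen access or switch off logging.
# Illustrative list, not a vendor's catalogue.
HIGH_IMPACT = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
               "PutUserPolicy", "UpdateAssumeRolePolicy", "DeleteTrail",
               "StopLogging", "ModifySnapshotAttribute"}
# Read-only verbs that, in quantity, look like mapping the environment.
ENUM_PREFIXES = ("List", "Describe", "Get")


def parse_log(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-principal set of actions observed during the learning window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["principal"]].add(e["action"])
    return dict(seen)


def detect(baseline, events, burst_threshold=4, burst_window=timedelta(minutes=15)):
    """Report each action a principal has never performed (once), mark the
    high-impact ones, and flag a burst of first-seen enumeration calls."""
    known = {p: set(a) for p, a in baseline.items()}  # copy so the baseline is not mutated
    recon = defaultdict(list)  # principal -> timestamps of recent first-seen enumeration calls
    findings = []
    for e in events:
        p, a = e["principal"], e["action"]
        if a in known.setdefault(p, set()):
            continue  # routine for this principal
        known[p].add(a)  # later repeats of the same action are not re-reported
        kind = "first_seen_high_impact" if a in HIGH_IMPACT else "first_seen_action"
        findings.append({"kind": kind, "principal": p, "action": a, "ts": e["ts"].isoformat()})
        if a.startswith(ENUM_PREFIXES):
            recon[p] = [t for t in recon[p] + [e["ts"]] if e["ts"] - t <= burst_window]
            if len(recon[p]) == burst_threshold:
                findings.append({"kind": "enumeration_burst", "principal": p,
                                 "action": None, "ts": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for f in detect(baseline, parse_log(RECENT_LOG)):
        print(f["kind"], f["principal"], f["action"], f["ts"])
```

On the sample, the deployer's routine calls produce nothing, while the admin account's run of four never-before-seen listing calls in two minutes is reported as enumeration, and the later access-key creation and trail deletion are reported as first-seen high-impact actions. Every one of those calls is something an administrator is allowed to do; the finding rests on history, not on the action itself. A principal with no history alerts on everything, so a learning period and a list of expected new-principal activity are needed before this is useful at scale.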

Detection is no longer about seeing activity, but understanding it

Most organisations today already have significant visibility into their environments. The problem is not a lack of data. It is a lack of clarity. 

Cloud adoption, remote working and distributed infrastructure have created environments where normal activity is complex enough to mask malicious behaviour. Attackers exploit this by blending into expected patterns and adjusting their behaviour when they detect monitoring. 

Artificial intelligence is accelerating this trend. It is improving phishing quality, enabling more convincing impersonation and increasing the speed at which attackers can map environments. In some cases, synthetic voice or video is already being used to reinforce social engineering attempts. 

This means that compromise is often not identified through internal alerts. It is discovered externally, or when attackers begin to apply pressure. 

When incidents occur, organisations lose shared understanding before they lose systems

When a serious incident begins, the first breakdown is rarely technical. It is informational. 

Systems behave inconsistently. Access becomes unreliable. Different teams see different symptoms at the same time. IT teams focus on stability. Security teams focus on scope. Leadership focuses on impact. Legal and communications teams focus on exposure. 

All of these perspectives are valid. None of them are complete. 

The challenge is that decisions still need to be made while no one has a full picture of what is happening. 

This is where incident response either becomes controlled or chaotic. 

Effective incident response is defined by decision structure, not tooling

In most serious incidents, the limiting factor is not technology. It is coordination. 

The organisations that manage incidents effectively are those that establish clarity quickly. A single point of authority. A defined escalation path. And a shared understanding of priorities even when information is incomplete. 

From there, technical teams focus on regaining visibility and understanding attacker behaviour, while operational teams manage dependencies across the business. 

The difficulty lies in containment decisions. Acting too slowly allows attackers to expand access. Acting too quickly risks disrupting services or destroying the evidence investigators need to establish scope: powering off a host loses whatever existed only in memory, and revoking every session at once can erase the one signal that shows which accounts were actually in use. There is rarely a perfect decision, only a timely one made with limited information. 

Preparation is the only reliable difference between organisations under pressure

Across real incidents, the gap between disruption and recovery is rarely caused by the sophistication of the attacker. It is caused by preparation. 

Organisations that perform well have usually rehearsed their response in advance. Not as documentation, but as practice. Tabletop exercises in particular expose weaknesses that only appear under pressure: unclear ownership, missing dependencies and assumptions that fail in real conditions. 

The most effective organisations treat incident response as a capability that must be exercised regularly, not a plan that sits unused. 

Alongside this, certain technical controls consistently reduce impact. Strong identity and access management, including short-lived sessions and least-privilege roles, limits how far a stolen identity can reach. Centralised logging of sign-in and administrative events gives investigators the record they need to establish scope. Network segmentation reduces lateral movement. And immutable backups fundamentally change ransomware dynamics by removing the attacker’s ability to destroy recovery options. 

Incident response is where cyber resilience is proven

Cybersecurity strategies are often built around prevention. But prevention alone is no longer a sufficient measure of resilience. 

Most mature organisations now operate on the assumption that compromise will eventually occur. The differentiator is how quickly it is detected, how effectively it is contained, and how well the organisation continues operating during disruption. 

Incident response is where that assumption is tested in practice. It is not a support function behind the scenes. It is the point at which organisational discipline, coordination and decision-making are exposed under real pressure. 

To hear the full discussion behind these insights, including real incident examples and how organisations are adapting to identity-driven threats, listen to the full podcast episode. 

Watch the full YouTube video