No Vacancy: Evicting Attackers by Rolling Forward

In the modern threat landscape, the most dangerous “squatters“ in your environment aren't using malware, they’re using your organizations identities. By combining both traditional file-based attacks and leaning into identity-centric persistence, attackers are finding permanent residence in corporate environments, often surviving traditional “cleanup“ efforts.

This session pulls back the curtain on the “Malware-Free“ era, exploring how attackers exploit identity state to maintain a foothold long after the initial breach. We will break down why traditional recovery often fails and how businesses can issue an immediate eviction notice by rolling forward. Instead of looking back at compromised backups or trying to “patch“ an attacked environment, you’ll learn how to guarantee a clean recovery and a faster return to operations by navigating through identity state conflicts.

Key Takeaways:

• The Identity Squatter: Understanding how modern attackers bypass EDR by skipping malware and hijacking identity persistence.

• The Persistence Trap: Why “restoring“ often means bringing the attacker back with you.

• The Forward Motion: How to implement a “Roll Forward“ strategy to resolve identity conflicts and ensure a verified, clean environment.