Saturday September 12, 2026 10:30am - 11:30am CDT
Living-off-the-land (LOTL) isn't what it used to be. Blue teams have spent years tuning detections for the classic playbook - LOLBins, malicious macros, WMI abuse, PowerShell, etc. - and endpoint tooling has gotten pretty good at catching it. So, attackers moved.
LOTL is now operating across a second front: the identity and management plane, which spans hundreds (if not thousands) of SaaS apps and authorizations in an enterprise. Stolen session tokens, abused OAuth flows, device code phishing, and browser-native credential harvesting let adversaries operate entirely within sanctioned tools and legitimate traffic. 
Scattered Spider, and more recent evolutions like Scattered Lapsus$ Hunters, operate inside victim environments using legitimate SaaS APIs and identity tooling: SSO, MFA bypass via social engineering and post-auth attacks, and direct access to cloud management planes. In every case, the attackers aren’t hiding from EDR; they’re operating in the browser context where EDR doesn't see.
This “missing middle” is a structural gap: EDR owns the endpoint, and the IdP owns authentication events. But the space in between - the authenticated browser session, the OAuth token, the SaaS API call from a legitimate identity - belongs to no tool and appears on no dashboard. It’s a second front for LOTL, and most blue teams don't have a strategy for it because they don't have visibility into it.
This talk maps the evolution of LOTL techniques from endpoint to identities and SaaS, walks through the attack patterns that define the second front (AitM session hijacking, OAuth abuse, infostealer-to-IAB pipelines, MFA-resilient phishing infrastructure), and describes a practical detection framework that addresses both fronts simultaneously. We'll look at what telemetry sources actually exist for in-browser and identity-plane activity, how to build detection logic when you're pattern-matching against legitimate behavior rather than malicious binaries, and how SOC teams can prioritize coverage across two active fronts without exponentially increasing analyst workload.
Attendees will leave with a mental model for how these two LOTL fronts interact, a framework for evaluating their own detection coverage gaps, and concrete starting points for building detection programs that account for the full attack surface - not just the stuff that shows up in endpoint logs!
Speakers
Mark Orlando

Field CTO, Push Security
Mark is the Field CTO at Push Security, where he advances detection and response for in-browser threats. With 25 years of experience building and leading security operations teams at the White House, the Pentagon, the Department of Energy, and Fortune 500 companies, Mark has investigated...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA