
[EDRM Editor’s Note: This article was first published here on August 5, 2025, and EDRM is grateful to Trusted Partner HaystackID for permission to republish. EDRM is happy to amplify our Trusted Partners news and events. All images included in the article are credited to HaystackID.]
HaystackID Editor’s Note: On July 31, 2025, at HaystackID’s Chicago office, professionals from across cybersecurity, digital forensics, and privacy law gathered for a micro-conference designed not just to inform, but to reset. CTRL ALT Defend, sponsored by HaystackID®, offered what many attendees described as a strategic pause—a rare opportunity to step back from the pace of breach response, regulatory deadlines, and investigative overload, to re-evaluate what actually works in today’s threat landscape. With sessions led by practitioners from CyberCX, the FBI, Cyera, and HaystackID, the event highlighted how rapidly the field has evolved. Where traditional forensics once centered on full-disk imaging and physical access, the focus has now shifted to digital artifact triage, remote investigations, and the rise of tools like HaystackID’s Remote Endpoint Analysis and Data Intelligence (READI™) for Email. The conference wasn’t about adopting the newest buzzwords—it was about pressure-testing real workflows against real-world threats, from MFA-bypassing phishing kits to hybrid espionage attacks. CTRL ALT Defend challenged attendees to reconsider whether their teams, their tooling, and their tactics were keeping up. For those navigating the front lines of data security, digital investigations, and compliance enforcement, it served as a timely reminder: sometimes, the most important action in a crisis is to pause, refocus, and rebuild smarter.
CHICAGO — Chris Pogue, Director of Digital Forensics at CyberCX, didn’t begin his session with a technical briefing. He started with a story. Recounting a conversation with the U.S. Secret Service, he described how not all ransomware operators are willing participants—some, he revealed, are victims of coercion, trapped in criminal operations under threat to their families. “It’s not just crime,” Pogue told the audience. “It’s human trafficking wrapped in extortion.”
That revelation set the tone for CTRL ALT Defend, a micro-conference hosted by HaystackID on July 31 at the company’s Chicago office. Billed as a space where bold ideas meet practical solutions, the event brought together digital forensics experts, red team operators, privacy professionals, and public-sector leaders for a candid reckoning with the rapid changes shaping today’s cyber threat landscape.
Pogue joined John Wilson, Chief Information Security Officer and President of Forensics at HaystackID, and Rene Novoa, HaystackID’s Vice President of Forensics, to present the CyberCX Digital Forensics and Incident Response (DFIR) Threat Report. Their findings painted a picture of accelerating complexity. While financially motivated cyberattacks had an average detection time of just 24 days, espionage-related breaches went undetected for an average of 403 days. Healthcare emerged as the most targeted sector, accounting for 17% of all cases investigated. And the volume of new ransomware groups surged, with 43 new extortion gangs documented in 2024.

Perhaps most concerning was the evolution of business email compromise (BEC). Novoa emphasized that in 75% of BEC cases investigated in 2024, attackers used phishing kits capable of session hijacking, enabling them to bypass multi-factor authentication entirely. That figure represented a dramatic leap from 38.5% just a year earlier. Additionally, about a quarter of organizations that refused to pay ransoms never saw their stolen data published, suggesting that attackers may be bluffing more often, or monetizing data in ways not yet fully understood.
The theme of necessary evolution continued with Robert O’Leary, Senior Solutions Architect at Binalyze, who made a compelling case for digital artifact collection over traditional disk imaging. O’Leary described how forensic investigations often involve sifting through terabytes of irrelevant data, slowing down response times, and overburdening teams. Instead, he advocated for targeted capture of key digital artifacts like system logs and volatile memory, a strategy that underpins HaystackID’s READI Suite. “You’re not trying to collect everything,” O’Leary said. “You’re trying to collect what matters, fast.”
One application of this philosophy was demonstrated in HaystackID’s newly expanded READI for Email offering, which enables forensic triage of email activity across platforms like Microsoft 365 and Google Workspace. For incident response teams racing against lateral movement and data exfiltration, speed and remote precision are no longer luxuries—they’re table stakes.
Naheed Bleecker, Business Information Security Officer at RWE, added another layer by highlighting the importance of soft skills in cybersecurity leadership. Bleecker described the BISO role as a bridge between security operations and executive decision-making. “You don’t need to be the most technical person in the room,” she said. “But you do need to be the most trusted.” Her emphasis on communication and credibility resonated with attendees who often struggle to align cyber risk with business priorities.

Legal strategy took center stage with Richard Halm, Senior Attorney at Clark Hill, who didn’t mince words about industry shortcomings. “We are getting our asses kicked,” he said, pointing to gaps in visibility, inconsistent patching, and failure to maintain reliable backups. Halm urged attendees to focus on fundamentals—understanding their data, hardening infrastructure, and preparing not just for attacks but for breach response and legal notification.
From a financial intelligence angle, Steve Baer, Field Chief Information Security Officer at Digital Asset Redemption, offered insight into the structure of ransomware operations. He described how many ransomware-as-a-service groups now operate like startups—complete with tiered subscriptions, partner programs, and even help desks. Some are financially motivated. Others may be tied to state actors or political movements. Baer described this dynamic as the “freight train effect”: by the time a company knows it’s been compromised, the attackers have already encrypted files, exfiltrated data, and begun a second wave of extortion.
Chris Carlis, Red Team Operator and penetration tester, reminded attendees that the threat isn’t just virtual. Physical intrusions remain a potent risk. Carlis shared firsthand experiences of tailgating into secure offices, planting rogue USB devices, and using drones to map wireless infrastructure. “It’s not enough to defend your firewalls,” he said. “You have to defend your hallways, too.”
Kayla Williams, Chief Data Security and Privacy Officer at Cyera, shifted the focus to cloud investigations and Data Security Posture Management (DSPM). She walked through a case where a compromised identity moved laterally through a cloud environment. Using DSPM, her team was able to pinpoint exposed sensitive data and reconstruct the timeline of access. In another scenario, they traced unauthorized database access to an over-permissioned service account. Both examples showcased how DSPM helps prioritize response and align technical findings with regulatory obligations.

Jay Patel, Assistant Special Agent in Charge at the FBI’s Chicago Field Office, warned that threat attribution is now murkier than ever. Espionage campaigns, financial crimes, and ideological sabotage often blur together, making it harder to determine intent. Patel stressed the importance of collaboration between private organizations and law enforcement, not just for detection, but for meaningful response and long-term disruption of cybercriminal infrastructure.
In the conference’s closing session, Nate Latessa, HaystackID’s Chief Revenue Officer and Executive Vice President of Advisory Services, made a provocative observation: most companies are already doing data classification—they just don’t realize it. Drawing from years of experience managing large-scale litigation and advisory projects, Latessa argued that the manual review processes used during eDiscovery are a goldmine of classification work. Hundreds of attorneys, he explained, routinely tag documents for sensitivity, intellectual property, financials, contracts, and customer data. And then, once the case is closed, that work is discarded.
Latessa proposed reusing this rich metadata to power security workflows like DSPM and data loss prevention (DLP). Instead of reinventing the wheel, organizations could repurpose what they’ve already paid for—and in the process, reduce breach exposure, lower cyber insurance premiums, and better prepare for AI integration. He recounted how one firm deployed Microsoft Copilot without classification safeguards, only to have it surface sensitive internal compensation documents on day one. “Copilot was ripped out that afternoon,” he said. “AI doesn’t care what’s confidential if you haven’t labeled it.”
Latessa’s message resonated with the audience: the gap between legal and security teams isn’t a technical challenge—it’s a communication one. “Your attorneys are sitting on a map of your most sensitive data,” he said. “The security team just needs to know it exists.”
As attendees mingled during the post-event happy hour, the conversations didn’t revolve around tools or trends—they focused on transformation. Whether through artifact-based triage, better cross-team communication, or faster cloud data intelligence, the message was clear: cyber defense must now be built for speed, resilience, and clarity. CTRL ALT Defend wasn’t just a reset—it was a push forward. For the professionals in the room, the challenge wasn’t surviving the next breach. It was outpacing it.
SOURCE: HaystackID
Assisted by GAI and LLM Technologies per EDRM GAI and LLM Policy.