Jamie Tolles

Vice President, Incident Response

IDX

About

Jamie Tolles runs the DFIR practice at IDX, investigating ransomware, BEC, and large-scale breaches for carriers and breach counsel. He has spent his career on the response side of the house, including twelve years at Ernst & Young and building the DFIR team at ZeroFox. He also advises organizations on improving their security posture through tabletop exercises and proactive assessments.

Sessions

No Encryption Required: Why Modern Ransomware Bypasses Everything and What DFIR Finds When It Does

What you will learn:

1. Identify the four MFA bypass and initial access techniques ransomware affiliates actively use (AiTM proxy phishing, session token replay, push fatigue, and social-engineered RMM tool installs) and determine which one was used from post-incident forensic artifacts
2. Recognize BYOVD as a pre-attack setup step, not a novel technique, and detect it through driver load auditing and EDR telemetry gap analysis rather than relying on blocklists
3. Scope exfiltration forensically when encryption-less extortion through legitimate cloud services defeats both DLP and backup strategies and no ransomware binary exists
4. Deploy honeycreds, canary files, and canary API keys as detection controls that generate zero false positives and function independently of endpoint agents, MFA, and network monitoring
5. Map each "comfort blanket" control to the specific deception-based detection that covers its known bypass, with a concrete deployment plan executable within one week

Speaking At