Sacramento InfraGard
Q2 2026
The 10:45 Keynote

Identity Security:
How It Helps Curb Fraud

Bruce Johnson
Bruce Johnson
Sr. Manager, Sales Engineering · Delinea
Member Engagement Meeting
Cal CCIC · Sacramento
What you'll walk away with
Three things.
01
A mental model for how BEC actually works
Not the phishing poster version — the real sequence, with real timestamps, from credential theft to ransomware detonation.
02
Seven controls mapped to the gaps
Each control is tied to a specific day in the attack where it would have changed the outcome. Not a feature list — a causal map.
03
Something to take back Monday
A prioritization lens: which control eliminates the most blast radius for your org, and where to start if budget is the constraint.
What About Bob?
A short story
Meet Bob.

IT Security Lead at Clear Creek County Water District.

11 years on the job. Small team. Tight budget.

FBI InfraGard member — probably sat in this exact room a year ago.

He cares. He's trying.
TREATMENT PLANT IT CLOSET CLEAR CREEK WATER BOB IT SECURITY LEAD · 11 YEARS ON THE JOB ·
Bob's world
What Bob actually protects.

SCADA systems. Treatment plant controls. Chlorine dosing. The billing portal where residents pay their water bills.

340 employees. 27 contractors. An aging VPN from 2017.

180,000 people's drinking water.
TREATMENT SCADA · CHLORINE HQ · OFFICE 340 EMPLOYEES CONTRACTORS 27 · VPN (2017) CITIZEN PORTAL BILL PAY · USAGE 180K RESIDENTS DRINKING WATER · 24 / 7 / 365
What Bob has in place today
Bob thinks he's doing the right things.

And honestly — he mostly is. This list isn't negligent. It's what most shops run.

If you're nodding right now, good. Bob is you. Stay with me.

  • MFA enabled · SMS-BASED
  • Annual phishing training
  • Antivirus on every endpoint
  • Next-gen firewall
  • Password policy · rotates every 90d
  • Backups · TESTED… MOSTLY
Bob is not negligent. Bob is doing what most shops do.
Over the next 40 minutes
Here's what happens to Bob — and what he builds next.
01
Meet Bob
Critical infrastructure
defender · day one
02
90 Days
Day-by-day
what unfolds
03
The Rebuild
Seven specific controls
that change the outcome
Real dates. Specific controls. One story.
Part 2 · The breach
What happened
to Bob.
90 days. Six escalations. One outcome.
DAY 1 · THE EMAIL
An invoice email lands.
Known vendor. Slightly off domain.
"Please update our banking info."
Sarah — the A/P clerk — forwards it to her manager for approval. The manager is on vacation. Nothing happens yet.
INBOX · SARAH (A/P) From: invoicing@pipe-inspect-co.com "Please update our banking info on file." ⬢ IMPERSONATED STEP 2 Forward to manager (Manager is on vacation.) ⟁ DELAYED THE EMAIL SITS IN A QUEUE Bob doesn't know it exists. Day 1 goes by. THE ATTACKER IS PATIENT
DAY 12 · THE LOGIN
Sarah's credentials, on sale for $4.

Password reused from a 2023 retail breach. Sitting in an infostealer marketplace ever since.

Attacker logs in from Vilnius. SMS MFA code intercepted via SIM swap.

No alert fires. The login looks clean.

⬢ INFOSTEALER MARKET sarah.chen@clearck.gov pwd: ••••••••••••• breach: retail-co · 2023 MFA: sms (sim-swappable) $4.00 VILNIUS MICROSOFT 365 sarah.chen@clearck.gov •••••••••••• ✓ SIGNED IN FROM · LITHUANIA THE MFA BYPASS SARAH SIM SWAP 483921 SMS code ATTACKER THE DBIR Majority of breaches start like this.
DAY 28 · THE PATIENT SIT
The attacker just reads.

Two weeks inside Sarah's mailbox. Learning who approves what. Learning how she writes.

Finds a real thread: "Hey, the pipe-inspect folks are changing their bank account next month."

Takes notes. Waits for the moment.

SARAH.CHEN · INBOX · 3,281 MESSAGES Finance Team Re: Q2 budget review — attached spreadsheet Mar 14 Mike (CFO) Approved — please proceed with vendor renewals Mar 18 Pipe Inspect Co. · David H. Heads up — we're switching banks next month Mar 22 HR Reminder: mandatory benefits enrollment ends Friday Mar 28 TARGET ● READING · LEARNING · WAITING · 14 DAYS
DAY 41 · THE DEEPFAKE CALL
Mike gets a Teams call.
On screen: the vendor's CEO and controller. Faces match. Voices match. "Just confirming the bank change for next week's payment — wanted to put a face to it." Mike says yes. The call lasted four minutes. Every face was synthetic.
! MIKE · CFO · CLEAR CREEK WATER LIVE "DAVID H." · CEO ⬢ SYNTHETIC "CONTROLLER" ⬢ SYNTHETIC "A/R MANAGER" ⬢ SYNTHETIC EVERY FACE EXCEPT MIKE'S IS FAKE
Real Incident · Not Bob
Arup Engineering.
$25 million.
One video call.

February 2024. A finance employee at Arup's Hong Kong office joins a video call with the CFO and several colleagues to authorize an urgent transfer.

All of them — the CFO, the colleagues, everyone except him — were AI-generated deepfakes, built from publicly available video and audio.

He wired $25M USD. The real CFO had no idea the call happened.

Arup · Hong Kong · Feb 2024
Reported by Hong Kong Police · BBC · Reuters
Bob's Day 41 is not hypothetical. It has already happened — at scale — to a sophisticated global firm.
BBC Technology 4 Feb 2024
Arup loses £20m in deepfake video call fraud in Hong Kong
An employee at the engineering firm was tricked into paying out more than £20m after criminals used deepfake technology to impersonate the company's CFO and other colleagues on a video call.
By BBC News bbc.com/news/technology
DAY 42 · THE WIRE
$847,000. Gone in 90 minutes.

Wired to "the vendor's new account" in Riga. Through 11 money-mule accounts across three continents.

Recovered: $0.

The money moved. The attacker didn't. Thirty days inside Sarah's mailbox is worth more than one wire. To Bob, Day 42 was Tuesday.

$847,000 OUTBOUND WIRE · MAY 4 CLEAR CREEK OPERATING ACCOUNT MULE · RIGA •••4729 · 18m MULE · DUBAI •••8312 · 31m MULE · HANOI •••2041 · 44m + 8 MORE ACCOUNTS TOTAL RECOVERED $0 90 MINUTES · 11 ACCOUNTS · 3 CONTINENTS
DAY 67 · IT GETS WORSE
A 2019 email with a password in it.

Still in Sarah's mailbox. Rummaging through her archive. Finds a 6-year-old thread from IT: "Deploying new patch agent, here's the creds, please don't change them."

Service account: svc-patch-deploy. Local admin on 40% of Bob's workstations. Nobody walked it back.

ARCHIVE · IT-INTERNAL · MAR 2019 From: it-ops@clearck.gov Subj: New patch deployment agent — creds account: svc-patch-deploy password: Cl3arCreek2019! "please don't change — will break deploy" BOB'S WORKSTATION FLEET · 340 ENDPOINTS · 40% OF FLEET HAS svc-patch-deploy AS LOCAL ADMIN · ⚠ THE ATTACKER NOW HAS LOCAL ADMIN ON ROUGHLY 136 WORKSTATIONS — UNDETECTED
DAY 90 · THE DETONATION
Business network: encrypted.

SCADA is air-gapped. Thank god. Water supply is safe.

But payroll. HR. Billing. The customer portal — all of it encrypts in four hours.

Ransom demand: $2.4M. County supervisors on the evening news by 6 PM.

AIR-GAPPED SCADA TREATMENT · CHLORINE · CONTROLS · WATER SUPPLY SAFE · ENCRYPTED PAYROLL 🔒 HR 🔒 BILLING 🔒 PORTAL 🔒 RANSOM DEMAND $2.4M IN BITCOIN · 72 HOURS LIVE · CHANNEL 13 NEWS · 6 PM "Clear Creek water district hit by cyberattack" County supervisors hold emergency press conference Bob's phone hasn't stopped ringing in 14 hours.
· BOB, AFTER ·
After the breach, Bob said —
"I thought I had MFA. I had the weakest kind."
"I thought I had least privilege. I had decade-old accounts with domain admin."
"I thought the FBI briefings were about other people."
Part 3 · The rebuild
What Bob did next.
Seven controls. Each maps to a day.
CONTROL · 01
Discovery & Visibility
Bob finds what he can't see.
Continuous, automated discovery of every privileged account — including the hidden ones. Local admins. Orphaned accounts. Hard-coded credentials. Service accounts nobody remembers.
→ WOULD HAVE SURFACED svc-patch-deploy ON DAY 1
BOB'S ENVIRONMENT SCANNING... DISCOVERED · 25 HIDDEN · 7 KNOWN
Stops initial access · lateral movement · insider misuse
CONTROL · 02
Credential Protection
Bob vaults it. Rotates it. Never knows it.
Privileged credentials live in a vault — rotated on schedule, injected into sessions, never directly known to humans. A credential the user never sees cannot be phished, infostolen, or pasted into an email.
→ WOULD HAVE MADE DAY 12 IMPOSSIBLE
VAULT CURRENT CREDENTIAL kX9!mR4zL2#qPv SARAH NEVER SEES PASSWORD ROTATED · NEW CREDENTIAL nP7@qT3%vB8$Wy INJECTED INTO SESSION ROTATED ON SCHEDULE
Stops credential theft · BEC · lateral movement
CONTROL · 03
Authentication
Bob upgrades MFA. Privileged first.
SMS codes can be SIM-swapped. Push can be fatigued. Hardware keys and passkeys (FIDO2) cannot. Bob starts with privileged accounts — the ones that can actually do damage — and works outward.
→ WOULD HAVE STOPPED THE SIM SWAP ON DAY 12
SMS CODE · WEAK 483921 SMS · 2 mins ago INTERCEPTED VS HARDWARE KEY · STRONG PHYSICAL POSSESSION CANNOT BE REMOTELY STOLEN FIDO2 · U2F · PASSKEYS
Stops credential stuffing · MFA fatigue · SIM swap · help-desk SE
CONTROL · 04
Access Governance
Bob kills standing privilege.
Access granted at the moment of need. Revoked when the task is done. A stolen credential with no standing privilege at 3 AM is a much smaller problem than domain admin rights forever.
→ REDUCES svc-patch-deploy BLAST RADIUS FROM 40% TO ZERO
STANDING PRIVILEGE { "user": "svc-patch", "role": "administrator", "permissions": [ "read:*", "write:*", "delete:*", "admin:*", "install:*", "users:*" ], "duration": "permanent", "expires": null } ⚠ STANDING JIT JUST-IN-TIME { "user": "svc-patch", "role": "none", "grant_on": [ "patch-window" ], "duration": "15m", "granted": null, "expires": null, "approver": "auto" } ✓ EXPIRES 15m
Stops blast radius of any compromised credential
CONTROL · 05
Detection
Bob watches what identities do.
Even with perfect controls, attackers get in. The login looks clean. The behavior is the tell. Anomaly detection on sessions, commands, and access patterns catches what authentication misses.
→ "SARAH · VILNIUS · 3 AM" WOULD HAVE FIRED ON DAY 12
ACTIVITY LEVEL TIME → BASELINE THRESHOLD ⚠ ANOMALY DETECTED sarah.chen · 3 AM · VILNIUS IP · NORMAL BEHAVIOR · · ANOMALY ·
Stops lateral movement · insider threat · post-compromise activity
CONTROL · 06
Response
Bob acts at machine speed.
Detection without response is just an alarm. Kill the session. Rotate the credential. Lock the account. Alert the SOC. In seconds. The window from compromise to containment is where damage happens.
→ ENDS DAY 55 BEFORE IT BECOMES DAY 67
SARAH.CHEN · ACCESS FREQUENCY OVER 24H THRESHOLD 12 AM 6 AM 12 PM 6 PM 12 AM 3:14 AM · VILNIUS ⚠ ALERT FIRED Behavior anomaly · 3:14 AM SOC + PagerDuty #48221 SESSION KILLED svc-patch-deploy terminated Credential rotated in vault ACCESS DENIED Account locked · pending review Attacker is out. Bob is notified. TIME TO CONTAINMENT 0.3 seconds
Stops ransomware detonation · data exfiltration · containment failure
CONTROL · 07
Decision-point verification
Bob picks up the phone.
At the moment of highest risk — wires, vendor bank changes, admin grants — use a second channel. A pre-agreed callback number. Not the one in the email. The cheapest control on this list.
→ ONE PHONE CALL WOULD HAVE STOPPED DAY 41
INCOMING · TEAMS CALL "David H." Pipe Inspect Co · CEO "confirming bank change..." · CAN'T TRUST THE VIDEO · VERIFIED VENDOR DIRECTORY Pipe Inspect Co. ☎ +1 (916) 555-0182 verified · updated quarterly CALL THIS NUMBER OUTBOUND CALL · 30 SECONDS "We didn't request a bank change." $847,000 · SAVED
Stops BEC · deepfake scams · vendor impersonation
The payoff · Bob's 90 days, mapped
Every beat. What would have stopped it.
Bob's timeline
Control(s) that would have stopped it
DAY 1 The spoofed email
Out-of-band verification
DAY 12 Login + SIM swap
Vaulting · phishing-resistant MFA · behavior analytics
DAY 28 The mailbox sit
Behavior analytics · auto-response
DAY 41 The deepfake call
Out-of-band verification · callback protocols
DAY 42 The $847K wire
Out-of-band verification
DAY 55 svc-patch-deploy
Discovery · JIT access · vaulting
DAY 67 Ransomware
Auto-response · behavior analytics
The mic drop
Bob is fictional.
His 90 days are not.
Every beat has happened — to a real utility, a real hospital, a real school district — in the last 24 months.
The credential is the crime scene.
Invest accordingly.
Questions.
Bruce Johnson · Delinea · bruce-johnson-bio.com
Thank you, Sacramento InfraGard.
01 / 23