The Stryker Wakeup Call: Building an Adaptive Defense for the Age of Destructive Attacks

On March 11, 2026, employees at Stryker Corporation arrived at work to find their laptops, phones, and desktops wiped clean. Login screens displayed the logo of Handala, an Iranian government-linked hacker group. Stryker is a Fortune 500 medical technology company with 56,000 employees, $25 billion in annual revenue, and operations across 61 countries.

This was not ransomware. It was a deliberate wiper attack designed for pure destruction.

According to reporting from KrebsOnSecurity and Cybersecurity Dive, attackers compromised Stryker’s Microsoft Intune environment and used global administrator privileges to issue a mass remote wipe command. At 3:30 a.m. EST, about 200,000 employee devices were factory-reset before anyone could respond. Offices in 79 countries went offline. Manufacturing, electronic ordering, and shipping systems went dark. Leaders in Ireland sent staff home and resorted to WhatsApp for basic coordination. Stryker filed an 8-K with the SEC, and CISA launched a formal investigation.

No traditional malware was deployed. The attackers used Stryker’s own enterprise management tools against it — a textbook living-off-the-land attack executed at devastating scale. As one security expert noted, when an attacker gains global administrator privileges, they can execute absolute destruction in minutes that takes months to repair.

Beyond Frameworks: Building an Adaptive Defense

We operate in an industry reliant on security frameworks like NIST and CIS that reflect traditional program maturity, but not the capability to defend against the shifting tactics of modern adversaries. In an era where nation-state actors move at machine speed, organizations need a defense strategy that adapts to the current threat landscape rather than checking boxes against historical standards. At In Balance IT Solutions, we call this Adaptive Defense.

Here are five tactical areas every organization should evaluate, and how In Balance can help:

1. Intune and Endpoint Management Health Checks. The Stryker attack effectively weaponized a device management platform. In this case, threat actors exploited global administrator roles, a practice Microsoft’s own documentation explicitly warns against for daily Intune management. Best practices — and Microsoft’s recommendations — advocate for least-privilege role assignments, Privileged Identity Management (PIM) for just-in-time elevation, phishing-resistant MFA, and Multi-Admin Approval for high-impact actions like bulk device wipes. These concepts are not new, but they frequently erode as organizations, workforces, and security policies evolve.

Action: In Balance offers Intune Health Check services that audit your configuration against these practices and ensure no single credential can trigger organization-wide destruction.
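To make the Intune point concrete, here is an added example (not code from this article, from Microsoft or from In Balance) that scans a constructed, simplified audit log for the pattern behind the Stryker outage: one account issuing a burst of remote wipes, plus any wipe issued directly under Global Administrator. The event field names are assumptions, not the real Intune audit schema.

```python
"""Flag bursts of remote-wipe actions in Intune-style audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

def _event(minute, second, actor, role, action, device):
    # Constructed, simplified MDM audit record; real Intune audit logs
    # use different field names.
    return {"time": datetime(2026, 3, 11, 3, minute, second), "actor": actor,
            "role": role, "action": action, "device": device}

# Constructed sample: one routine wipe by a scoped helpdesk role, a policy
# edit, then twelve wipes issued by a Global Administrator within one minute.
SAMPLE_EVENTS = [
    _event(5, 0, "helpdesk@corp.example", "Help Desk Operator", "wipe", "LT-0042"),
    _event(12, 0, "intune-ops@corp.example", "Intune Administrator", "policyUpdate", "-"),
] + [
    _event(30, 5 * i, "ga-breakglass@corp.example", "Global Administrator",
           "wipe", f"LT-{1000 + i}")
    for i in range(12)
]

def wipe_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Map each actor whose wipe count reaches `threshold` inside any sliding
    `window` to that peak count. One lost credential issuing many wipes is the
    pattern behind the Stryker outage; a scoped role doing one is not flagged."""
    times_by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "wipe":
            times_by_actor[ev["actor"]].append(ev["time"])
    flagged = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged

def global_admin_wipes(events):
    """Devices wiped under Global Administrator, the role Microsoft advises
    against for day-to-day Intune work; worth review even below the threshold."""
    return [ev["device"] for ev in events
            if ev["action"] == "wipe" and ev["role"] == "Global Administrator"]

if __name__ == "__main__":
    print(wipe_bursts(SAMPLE_EVENTS))  # {'ga-breakglass@corp.example': 12}
    print(len(global_admin_wipes(SAMPLE_EVENTS)))  # 12
```

A Multi-Admin Approval requirement on wipe actions would stop the burst before it starts; this check is the detective control for the case where that preventive control has eroded.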

2. Identity Recovery Solutions. When a wiper attack takes out your environment, the first thing you need to rebuild is identity. Without Active Directory and Entra ID, nothing else comes back online. Users cannot authenticate, applications cannot authorize, and recovery stalls at the starting line. Understanding how long the threat actor has been active in the environment and being able to recover/restore cleanly from a point in time is a crucial but overlooked aspect of identity management and backup/recovery solutions.

Action: Solutions like Rubrik Identity Recovery and Semperis Active Directory Forest Recovery restore your identity infrastructure from known-good, validated backups independent of the compromised environment.

3. Data Resilience and Accelerated Recovery. Stryker’s employees were sent back to pen and paper. Having backups is a necessary component of a recovery strategy, but business continuity is much more nuanced. When you need to rehydrate terabytes or petabytes of data across a global footprint, recovery becomes a physics problem. Organizations need tiered, contingent, and orchestrated recovery and continuity strategies and solutions that accelerate the restoration process to minimize the window between incident and operational recovery.

Action: In Balance offers workshops to illustrate and derive recovery strategies that go beyond restoring technical systems to address business continuity and contingencies. We then help our customers test, validate, and improve these strategies through pen testing, tabletop exercises, and simulations that prepare them for a range of scenarios.

4. Agentic SOC and Integrated Threat Detection. The Stryker attackers used legitimate admin tools through authorized credentials, which means traditional endpoint detection would not have flagged the initial activity. Most organizations have a SIEM, an EDR platform, and an identity provider that operate in silos. With threat actors using modern “living-off-the-land” techniques, organizations need to integrate their detection capabilities to identify threats at the source rather than waiting for alerts to propagate through a pipeline.

Action: Agentic platforms like BlinkOps offer machine-speed security automation that correlates signals across your entire stack and triggers response workflows in seconds.

5. Policies, Governance, and Tabletop Exercises. This is the least glamorous recommendation, and arguably the most important. Is your organization prepared for a scenario where every corporate device is wiped simultaneously? Do your teams know who to call if Teams and email are both down and their phones have been wiped? Have you conducted a tabletop that simulates total endpoint loss, not just ransomware encryption? Stryker was reduced to WhatsApp and personal phones for basic coordination.

Action: In Balance helps organizations build, document, and pressure-test their incident response and business continuity plans so that when the worst comes, the response is rehearsed rather than improvised.

The Threat Landscape Has Changed. Has Your Defense?

The Stryker attack is a signal, not an anomaly. Compliance frameworks tell you where you have been. Adaptive Defense prepares you for where the threat is going and can extend and activate traditional control frameworks to achieve both compliance AND cybersecurity.

If your organization is ready to evaluate its readiness across endpoint management, identity recovery, data resilience, threat detection, and incident response, In Balance IT Solutions is ready to help. Reach out to us today.


Michael Caplan is the Chief Technology Officer for In Balance IT Solutions.

Identity is the New Perimeter: 4 Lessons from the 2026 CrowdStrike Global Threat Report

Hackers used to break in. Now they just log in. That stark warning comes directly from CrowdStrike via the 2026 Global Threat Report, which details a fundamental shift in adversary tradecraft: the defenses most organizations spent the last decade building are becoming obsolete in real time.

For years, the cybersecurity conversation centered on malware: ransomware, Trojan horses, and viruses. In response, we built formidable walls:

  • Advanced antivirus software
  • Endpoint Detection and Response (EDR)
  • Robust email filtering

While these tools remain essential, adversaries have pivoted. Today, 82% of detected security threats are malware-free. Rather than deploying malicious code that’s detected and blocked by modern endpoint protection tools, attackers are using your own employees’ credentials. Valid credentials, trusted authentication methods and approved SaaS integrations allow adversaries to breach and move laterally across your network.

The CISO’s Reality: From the perspective of your monitoring tools, an attacker with a legitimate set of credentials isn’t a threat — they’re just a user finishing their Tuesday to-do list.

These attack methods provide staggering results. The average breakout time — the window between initial access and first lateral movement — has plummeted:

  • 2023: 98 minutes
  • 2024: 48 minutes
  • 2025: 29 minutes

In one example, the adversary began exfiltrating data within four minutes of obtaining initial access. Most security teams can’t even open a ticket in four minutes, let alone contain a live intrusion.

The Evasive Adversary’s Playbook

The speed with which attackers are moving is headline-grabbing, but it is a distraction from the more important story: the method. The fundamental way adversaries enter your network has changed, and it has everything to do with identity.

CrowdStrike refers to 2025 as “the year of the evasive adversary,” where the defining characteristic of an attack is the exploitation of trust. By pivoting away from malware, cybercriminals now move through authorized pathways and trusted systems using valid employee credentials.

This activity blends in perfectly with normal network traffic, which is why modern identity attacks are so difficult to stop:

  • No malware to flag: Attackers don’t need to use malware when they’re able to log directly into your systems.
  • Authorized pathways: Attackers use the same SaaS integrations and VPNs your employees use daily.
  • The “User” Illusion: From the vantage point of your security tools, an attacker with a legitimate set of credentials isn’t a threat — they are the user.

This is the core of the modern identity crisis. When an attack looks identical to a standard login, the traditional security posture of detecting malicious code fails by design. We aren’t just fighting a faster enemy; we’re fighting one that is wearing our own uniform. This shift fundamentally changes the nature of the security mechanisms necessary to identify adversarial activity. We’re no longer relying on our endpoint detection systems to identify malicious software. Instead, we need behavioral analytics capable of identifying anomalous behavior performed by seemingly authorized users.

AI Is Changing the Game — For Attackers

While organizations leverage AI for productivity, cybercriminals are using it to become more efficient and create more sophisticated attack patterns. The number of adversaries utilizing AI in 2025 grew by 89% year-over-year, creating a shift in the threat landscape.

This evolution manifests in three primary ways:

  • The End of the “Obvious” Phish: Social engineering — the phishing emails, vishing calls, and fake IT help desk scenarios used to harvest credentials — is now more personalized and far easier to scale. AI has lowered the skill level necessary to commit cybercrime and provides less sophisticated actors with the tools necessary to execute more convincing campaigns that previously could only be performed by elite attackers.
  • Prompt Injection as an Entry Vector: In 2025, at least 90 organizations were compromised when adversaries injected malicious prompts into legitimate GenAI tools. These “jailbroken” prompts forced corporate AI to generate commands for stealing credentials and cryptocurrency.
  • Infrastructure as an Attack Surface: Beyond just using AI, attackers are targeting the AI development platforms themselves. By exploiting vulnerabilities in these environments, they establish persistent footholds and deploy ransomware, turning the tools your employees use daily into a new, unmonitored attack surface.

The Identity Sprawl Problem

The technology and identity footprint of the modern enterprise continues to sprawl. And given the ease with which an employee can procure a SaaS subscription with a corporate credit card, there is no end in sight.

This sprawl creates massive visibility gaps, turning what should be a unified defense into a fragmented collection of access controls that are easily exploitable. Identity no longer lives in one place; it lives in Active Directory, Entra ID, Okta, and dozens of additional SaaS platforms simultaneously.

As credentials get cached, reused, and shared across these systems, each connection point becomes a seam. In a world of identity-based attacks, these seams are the primary targets. Attackers are experts at finding them, pulling at the threads where one system ends and another begins until the entire fabric of your security posture unravels.

The Core Problem: Credentials Are Not Identity

We’ve now reached the point where the 2026 report provides something deeper than a tactical threat update – it challenges the entire way we think about authentication.

Traditional authentication factors verify credentials, not people.

  • A password proves that someone knew the password.
  • A time-based one-time password (TOTP) proves that someone possessed the device.

But neither proves that the person doing the authenticating is actually the authorized employee — and that distinction is where the entire modern identity attack pattern lives.

An account is not a person. You need to know that the person behind the action is the right person. That principle becomes even more urgent as Agentic AI is introduced into enterprise workflows. The acceleration of these “digital workers” creates additional opportunities for threat actors to exploit poorly managed Agent credentials and over-privileged Agent identities.

When AI Agents can autonomously act on behalf of users, the identity question is further compounded. Who is providing the authorization that is actually driving that action? If we cannot distinguish between a person, a legitimate agent, and an adversary, our security model effectively collapses.

What This Means for Your Organization’s Cyber Defense

The implications of CrowdStrike’s findings are disastrous for many organizations’ existing security strategies. Most identity security strategies rely on SIEM alerts, anomaly detection, and behavioral analytics to detect compromised identities. The problem is that these are all reactive capabilities. Static signatures and isolated endpoint detection systems cannot keep pace with adversaries whose actions mirror normal user activity.

While some are difficult to execute, the takeaways from the report are straightforward:

  • Treat account recovery as a primary attack surface. Password resets, helpdesk verification, and backup MFA methods often represent the weakest links in an otherwise strong identity posture. Review these activities with the same rigor as your primary authentication paths.
  • Stop assuming your detections work. Only cross-domain detection controls can identify the attack chains that move from identity providers to SaaS logs to cloud infrastructure. Because most organizations silo their detection capabilities, adversaries easily operate unnoticed across systems.
  • Start assuming adversaries will use AI against you. Phishing, vishing, and credential harvesting attempts have become more convincing with the assistance of AI. Yesterday’s security awareness training fails to address today’s threats.
  • Get ahead of Agentic AI risk now. Organizations must design authorization models that match the specific risks of AI Agents rather than allowing them to inherit the permissions of the human accounts that provisioned them.
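The second takeaway above says only cross-domain detection sees the chain. This added example (not from the CrowdStrike report or from In Balance) folds three constructed silo logs, identity-provider sign-ins, SaaS OAuth grants, and cloud key creation, with assumed field names, into one stream and flags a user who crosses all three within the 29-minute breakout time the report cites; inside any single silo, every record is routine.

```python
"""Correlate identity-provider, SaaS and cloud events into one attack chain."""
from datetime import datetime, timedelta

BREAKOUT = timedelta(minutes=29)  # 2025 average breakout time cited by the report

def _t(h, m):
    return datetime(2026, 1, 14, h, m)

# Constructed sample logs with assumed field names. Viewed inside its own silo,
# every record below is a routine, successful, authorized action.
IDP_LOGINS = [  # identity provider sign-ins
    {"time": _t(9, 2), "user": "jlee", "result": "success"},
    {"time": _t(14, 40), "user": "jlee", "result": "success"},
    {"time": _t(9, 5), "user": "mpatel", "result": "success"},
]
SAAS_EVENTS = [  # SaaS platform: OAuth grants to third-party integrations
    {"time": _t(14, 47), "user": "jlee", "event": "oauth_grant", "app": "mail-sync-tool"},
    {"time": _t(11, 0), "user": "mpatel", "event": "oauth_grant", "app": "calendar-helper"},
]
CLOUD_EVENTS = [  # cloud control plane: long-lived credential creation
    {"time": _t(15, 3), "user": "jlee", "event": "CreateAccessKey"},
    {"time": _t(16, 30), "user": "mpatel", "event": "CreateAccessKey"},
]

def normalize(idp, saas, cloud):
    """Fold the three silos into one time-ordered stream of
    (time, user, domain, detail) tuples."""
    stream = [(e["time"], e["user"], "idp", "signin") for e in idp
              if e["result"] == "success"]
    stream += [(e["time"], e["user"], "saas", e["event"]) for e in saas]
    stream += [(e["time"], e["user"], "cloud", e["event"]) for e in cloud]
    return sorted(stream)

def cross_domain_chains(stream, window=BREAKOUT):
    """Return chains where one user moves idp -> saas -> cloud within `window`.
    No single record is anomalous; the cross-silo sequence is the signal."""
    by_user = {}
    for rec in stream:
        by_user.setdefault(rec[1], []).append(rec)
    chains = []
    for user, recs in by_user.items():
        for i, (t0, _, domain, _) in enumerate(recs):
            if domain != "idp":
                continue
            later = [r for r in recs[i + 1:] if r[0] - t0 <= window]
            seen = [r[2] for r in later]
            if "saas" in seen and "cloud" in seen[seen.index("saas"):]:
                chains.append({"user": user, "start": t0,
                               "steps": [(t0, "idp")] + [(r[0], r[2]) for r in later]})
    return chains
```

Running cross_domain_chains(normalize(IDP_LOGINS, SAAS_EVENTS, CLOUD_EVENTS)) yields a single chain for jlee starting at the 14:40 sign-in; mpatel performs the same three actions spread over a working day and is not flagged.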

Conclusion

While I strongly urge all cybersecurity professionals to read the full 2026 CrowdStrike Global Threat Report, the most important message is this:

Intrusions now move through trusted identities, SaaS applications, and cloud infrastructure, bypassing traditional detection capabilities by blending in with normal user activity, and thereby reducing an organization’s time to respond.

The window to act is shrinking. The methods being used against you are increasingly invisible. And the assumption that you’ll catch your attackers’ actions after they happen is the one that adversaries are counting on the most.


The CrowdStrike 2026 Global Threat Report is available for download at crowdstrike.com. The report covers threat intelligence and adversary tradecraft observed across CrowdStrike’s global customer base throughout 2025.