
Top Identity Threats Your Organization Faces

Organizations should understand common identity threats and take steps to harden their attack surface and improve their identity security.

Defending against breaches isn’t just about preventing ransomware. One increasingly dangerous type of threat facing organizations of all sizes is the identity-based threat.

There are many types of identity-based threats, but one of the most impactful breaches of 2024 began with a common identity-based threat: compromised credentials. Previously stolen credentials from a global cloud services provider, purchased on the dark web, allowed threat actors to launch infostealer malware against that provider, granting subsequent access to the data of over 160 organizations.

This low-tech access attack tactic is all too common, allowing threat actors to bypass high-tech security systems by mimicking known users, exploiting that access, and launching secondary sophisticated attacks such as ransomware and data exfiltration.

And it all starts with identity.

What Are Identity Threats and Identity-based Attacks?

Identity threats are any cyber threats or exploit techniques in which the threat actor targets a user’s individual credentials, access, or privileges, or even an organization’s identity systems within its IT environment. An identity-based attack is any attack based on a user’s identity attributes or access, or directed against an identity system itself. These include, but are not limited to, credential stuffing, phishing, and password spraying.

An identity-based attack can take place at any part of the attack chain, but most commonly occurs in early stages of an attack, including performing intrusion actions like reconnaissance, privilege escalation, and establishing persistence.

If we look at the example above, the identity threat was the compromised credentials from the dark web. The identity-based attack was the use of those compromised credentials to pose as legitimate users and gain access to victim organizations.

Why Are Identity-Based Attacks Increasing?

The volume of identity-based attacks, and the overall threat of one occurring in an organization’s environment, are increasing for several reasons, including:

  • A dissolution of the traditional enterprise perimeter – in a distributed, cloud-centric era, firewalls and VPNs are less effective. Instead, organizations are turning to identity systems to define and manage their new virtual perimeters
  • An increasing reliance on web applications, cloud-based environments, and remote users – which in turn has multiplied the number of credentials required in an environment
  • A lack of password hygiene, identity monitoring, and security awareness training among organizations which leaves the human element as a vulnerable risk point
  • The rise of data exfiltration during ransomware attacks and the proliferation of leak sites, which has created a treasure trove of credentials on the dark web for threat actors to use in attacks
  • A lack of phishing-resistant multi-factor authentication (MFA) and other access controls that could hinder attacks
  • Misconfigurations and permissive policies within organizations’ identity and access management (IAM) systems that create opportunities for threat actors

For many modern and digital-first organizations, identity is quickly turning into a critical part of the attack surface, and recent data highlights the real risks posed to identities and identity systems within IT environments.

According to the 2025 Arctic Wolf Threat Report, 27% of Arctic Wolf® Incident Response cases were business email compromise (BEC) related, and the leading causes of BEC cases were phishing and compromised credentials. Additionally, 23.9% of intrusion cases – where the threat actor was stopped in the environment before further action was taken – were traced back to human action. The 2024 Arctic Wolf Security Operations report indicated a similar trend, as identity telemetry dominated the top ten indicator of compromise (IOC) telemetry sources within the Arctic Wolf Aurora™ Platform.

It’s clear these threats are prominent, and as such it’s important for organizations to understand exactly what attacks may occur, how, and what defensive actions can be taken to stop them.

Top Types of Identity-Based Attacks

From the more low-tech to the more complex, identity-based attacks take multiple forms in order to gain access, credentials, and even data.

Common identity-based attacks include:

1. Social engineering attack
These attacks, such as phishing or smishing, have moved beyond just targeting individuals for financial benefit (though that is still a tactic) and are now often used to steal credentials and gain initial access to an organization. If a threat actor already has credentials to, say, an email account within a target organization, the threat actor can then use that account to phish another user, causing them to hand over access, assets, or even download sensitive data. According to Verizon’s 2024 Data Breach Investigations Report, phishing and pretexting (another social engineering type) via email accounted for 73% of breaches.


2. Credential compromise attack
This kind of attack originates with credential theft, by way of a credential stuffing attack or previously exposed credentials, but all the tactics have the same outcome: the threat actor obtains valid credentials and the access they grant. Valid credentials equal movement, so an attacker’s activity can fly under the radar of many traditional security tools, buying time to launch a more sophisticated attack. In recent ransomware attacks, threat actors have taken to exfiltrating credentials and other access-related data, knowing it fetches a high price on the dark web and can be used for future attacks by other cybercriminals.

3. Man-in-the-middle attack
Also known as “adversary-in-the-middle” or “manipulator-in-the-middle” attacks, these identity-based attacks involve a threat actor getting between a user and the party to which they’re attempting to send data, assets, or credentials. This attack type can allow the threat actor to see and steal sensitive data, including usernames and passwords, or even gain access without either party – or the victim organization – realizing it occurred.

4. Active Directory attack
Microsoft Active Directory (AD) is a directory tool for system administrators to set and manage network access and permissions for users and assets within an IT environment, making it a top prize for threat actors looking to gain access and impersonate users within a system. Whether through exploiting a vulnerability or through a golden-ticket attack – where a threat actor gains access to an organization’s domain by forging authentication tickets within AD – threat actors who can compromise AD gain a valuable set of digital keys within an environment.

5. Kerberoasting attack
A specific technical method of gaining unauthorized access and identity information from within Active Directory, Kerberoasting is a favorite of many threat actors. The attack targets service accounts and exploits the way in which AD uses the Kerberos protocol to manage access requests, allowing an attacker to potentially obtain and crack the “password hash” or encrypted form of a password for a user account. If successful, this attack allows a threat actor to pose as a legitimate user, bypassing more traditional security measures.

6. Pass-the-hash attack
Another more technical attack, similar to Kerberoasting, a pass-the-hash attack also aims to obtain a password hash. These attacks use tools like Mimikatz, which exploits authentication protocols, to dump credential hashes from memory and impersonate a user.

7. Silver ticket attack
Related to the golden ticket attack mentioned above, a silver ticket attack also seeks to forge authentication tickets, but this time within Windows New Technology LAN Manager (NTLM), an identity authentication tool. In this attack, using local administrator privileges, the threat actor compromises the NTLM hash of a service account and then forges a service ticket, allowing for authentication. This kind of attack is used after initial access has been gained and allows the threat actor to gain privileged access or move laterally within an environment.

8. Password spraying attack
A simpler attack than the other approaches: a threat actor tries a known password against many accounts to see if it works. Because password hygiene varies, it’s possible (though not ideal) that a user has reused a password across multiple accounts, creating an opening for a threat actor to simply log in. Password spraying is considered a subset of brute-force attacks, in which a threat actor attempts to guess credentials; password spraying applies the same mass trial-and-error approach across many accounts rather than many passwords against one account.
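The distinguishing signal of a spray is the shape of the failures: one source, many accounts, few attempts per account, versus a classic brute force of one source, one account, many attempts. The following is an added example of that detection logic, not code from the original post or from Arctic Wolf; it runs over constructed authentication log lines (documentation IP ranges, made-up usernames) and the log format, thresholds, and window size are assumptions you would tune to your own identity provider’s logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One authentication attempt per
# line: UTC timestamp, source address (RFC 5737 documentation ranges), user, outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:04Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T09:00:07Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T09:00:10Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T09:00:13Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T09:00:16Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:02Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:04Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:06Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:08Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:10Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:30:00Z src=192.0.2.77 user=grace result=FAIL
2024-05-01T10:30:05Z src=192.0.2.77 user=grace result=SUCCESS
"""


def parse_line(line):
    """Parse one 'ts src=.. user=.. result=..' line (assumed format) into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "src": kv["src"], "user": kv["user"], "result": kv["result"]}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify_sources(events, window=timedelta(minutes=10), min_users=5,
                     max_per_user=2, brute_min=5):
    """Flag each source as 'password_spray' or 'brute_force' using a sliding
    window over its failed logins. Thresholds are assumptions for illustration.
    Also records whether any success from that source followed the flagged window,
    which is the case an analyst should look at first."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so it spans at most `window` of time.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            per_user = Counter(e["user"] for e in win)
            pattern = None
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                pattern = "password_spray"      # many accounts, few tries each
            elif len(per_user) == 1 and len(win) >= brute_min:
                pattern = "brute_force"         # one account, many tries
            if pattern:
                win_end = win[-1]["ts"]
                success_after = any(e["result"] == "SUCCESS" and e["ts"] >= win_end
                                    for e in evs)
                findings[src] = {"pattern": pattern,
                                 "users": sorted(per_user),
                                 "success_after": success_after}
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, f)
```

The `success_after` flag is the key triage field: a spray that ends in a successful login means a valid password was found, and that account should be treated as compromised until proven otherwise. Grouping by source is a simplification; sprays are often distributed across many addresses, so a production rule would also group by time window alone or by a client fingerprint.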

Identity and Business Email Compromise

While it falls under the broader umbrella of social engineering, business email compromise (BEC) is often considered its own category of cyber attack due to its increased prominence and unique execution – it’s the impersonation of, or takeover of, an email account with the intent of committing financial fraud. Identity is at the core of a BEC attack, as social engineering, credentials, and account access, are often fundamental to its success. Hardening your identity attack surface is crucial to reducing your risk of a BEC incident.


How To Defend Against Identity Threats

Preventing identity-based threats is no small task, because it heavily involves securing users. And users are harder to secure than a firewall, a server, or an endpoint. They are coming and going, gaining access to certain assets and applications at certain times, and are often left responsible for their own password hygiene, ability to spot threats, and personal device security. This makes identity security a difficult, ongoing process for any organization. But it’s certainly not impossible.

As we delve into the various techniques and processes an organization can implement to harden its identity attack surface and reduce identity-based attacks, it’s important to note that one solution won’t fix all problems. Multi-factor authentication (MFA), for example, is vulnerable to MFA fatigue attacks, privileged access management (PAM) doesn’t protect against AD attacks, and any application used to secure identity could contain a vulnerability ripe for exploitation.

Below are several strategies, technologies, and techniques businesses can employ to combat identity threats while improving their security posture and hardening their attack surface.

1. Utilize, and secure, identity and access management (IAM) systems
IAM is the broader technological approach organizations should use to both manage and secure their identity infrastructure. It provides the foundation for sound authentication, authorization, access control, and overall identity management for an organization. IAM systems often follow a zero trust framework and should employ the principle of least privilege (PoLP) to prevent lateral movement or privilege escalation.

However, an IAM system is not impenetrable. Overprivileged access, orphaned accounts, shadow directories, and technical misconfigurations can leave these systems vulnerable to threat actors, so it’s important for organizations to continually evaluate and harden these systems.
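Two of the conditions named above, overprivileged access and orphaned accounts, are easy to check for continuously if you export your account inventory and role bindings. The following is an added example of such an audit, not code from the original post or from any IAM product; the account and role records are constructed and use a generic `service:Action` permission string with `*` as a wildcard, and the 90-day inactivity threshold is an assumption.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 15)          # constructed "today" for the audit
ORPHAN_AFTER = timedelta(days=90)    # assumed inactivity threshold

# Constructed inventory (generic format, not a specific IAM product's export).
ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_login": "2024-05-14", "roles": ["reader"]},
    {"name": "svc-backup", "enabled": True, "last_login": "2024-01-02", "roles": ["backup-operator"]},
    {"name": "contractor-jay", "enabled": True, "last_login": "2023-11-30", "roles": ["admin-all"]},
    {"name": "bob", "enabled": False, "last_login": "2024-04-01", "roles": ["admin-all"]},
]
ROLES = {
    "reader": ["storage:Get", "storage:List"],
    "backup-operator": ["storage:Get", "storage:List", "storage:Put"],
    "admin-all": ["*"],
}


def is_overprivileged(account, roles):
    """True if any role bound to the account grants a wildcard action."""
    for role in account["roles"]:
        for action in roles.get(role, []):
            if action == "*" or action.endswith(":*"):
                return True
    return False


def audit_accounts(accounts=ACCOUNTS, roles=ROLES, now=NOW):
    """Return [{'name': ..., 'issues': [...]}] for accounts that need attention."""
    findings = []
    for acct in accounts:
        issues = []
        idle = now - datetime.strptime(acct["last_login"], "%Y-%m-%d")
        privileged = is_overprivileged(acct, roles)
        if acct["enabled"] and idle > ORPHAN_AFTER:
            issues.append(f"orphaned: no login for {idle.days} days")
        if acct["enabled"] and privileged:
            issues.append("overprivileged: wildcard permission granted")
        if not acct["enabled"] and privileged:
            # A disabled account is one re-enable away from full admin.
            issues.append("disabled account still bound to a privileged role")
        if issues:
            findings.append({"name": acct["name"], "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_accounts():
        print(finding["name"], "->", "; ".join(finding["issues"]))
```

An idle account holding a wildcard role (here `contractor-jay`) is the worst combination: nobody is watching it, and a single compromised credential turns into domain-wide access. Running a check like this on a schedule and feeding the findings to a ticket queue is a cheap way to keep least privilege from decaying over time.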

2. Employ phishing-resistant MFA
A key access control in IAM systems, MFA acts as a safeguard to prevent threat actor access even when they are able to obtain credentials. It’s a simple tool that can go a long way in protecting systems from unauthorized access, simply by requiring a secondary authentication method that an attacker will be unable to complete. If a threat actor is trying a brute-force attack or has obtained stolen credentials, MFA will not only stop that access but, depending on the specific tool, often also alert the user or security teams to the unusual behavior.

3. Deploy 24×7 monitoring of identity sources alongside identity threat detection and response systems
These two tactics – monitoring and threat detection and response – often go together to prevent identity-based attacks from succeeding. While an organization can’t guarantee that every user has the strongest possible password or that credentials have never been compromised, this multifaceted approach can help keep an eye on the environment, watching for unusual moves and suspicious behavior.

Identity threat detection and response (ITDR) includes monitoring and offers broader identity security capabilities, including alerting on suspicious identity-related activity, incident investigation, and swift, comprehensive response to incidents. An example would be alerting on an unusual login or rule change that occurs during off hours. Many managed detection and response (MDR) solutions can now monitor identities in addition to other components across the extended IT environment.
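To make the off-hours example concrete, here is an added illustration of that kind of ITDR rule, not code from the original post or from the Arctic Wolf platform. It evaluates constructed identity audit events (sign-ins and mailbox/account changes) against a per-user baseline of expected countries and an assumed 08:00–18:00 weekday business window, and escalates a high-risk change that follows a suspicious login by the same user. The event fields, action names, and the `ZZ` country code are placeholders.

```python
from datetime import datetime, time, timedelta

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # assumed working hours (UTC)
# Account changes that commonly follow an email account takeover (assumed names).
HIGH_RISK_ACTIONS = {"inbox_rule_created", "forwarding_enabled", "mfa_method_added"}

# Constructed baseline: countries each user has historically signed in from.
BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}}

# Constructed audit events; "ZZ" is a placeholder country code. 2024-05-07 is a
# Tuesday and 2024-05-11 a Saturday.
SAMPLE_EVENTS = [
    {"ts": "2024-05-07T10:02:00Z", "user": "alice", "action": "login", "country": "US"},
    {"ts": "2024-05-07T02:13:00Z", "user": "alice", "action": "login", "country": "ZZ"},
    {"ts": "2024-05-07T02:15:00Z", "user": "alice", "action": "inbox_rule_created"},
    {"ts": "2024-05-11T09:30:00Z", "user": "bob", "action": "login", "country": "CA"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_off_hours(ts):
    """Weekend, or outside the business window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def evaluate_event(event, baseline=BASELINE):
    """Return the list of reasons this single event looks suspicious (empty if none)."""
    ts = parse_ts(event["ts"])
    reasons = []
    if event["action"] == "login":
        if is_off_hours(ts):
            reasons.append("login outside business hours")
        if event.get("country") not in baseline.get(event["user"], set()):
            reasons.append("login from country not in user baseline")
    elif event["action"] in HIGH_RISK_ACTIONS:
        reasons.append("high-risk account change: " + event["action"])
        if is_off_hours(ts):
            reasons.append("change made outside business hours")
    return reasons


def triage(events, baseline=BASELINE, chain_window=timedelta(minutes=30)):
    """Evaluate events in time order and escalate a high-risk change that
    follows a suspicious login by the same user within chain_window."""
    alerts = []
    suspicious_logins = {}  # user -> timestamp of most recent suspicious login
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO strings sort by time
        reasons = evaluate_event(ev, baseline)
        if not reasons:
            continue
        ts = parse_ts(ev["ts"])
        if ev["action"] == "login":
            suspicious_logins[ev["user"]] = ts
        last = suspicious_logins.get(ev["user"])
        if ev["action"] in HIGH_RISK_ACTIONS and last and ts - last <= chain_window:
            reasons.append("follows a suspicious login within %d min"
                           % (chain_window.seconds // 60))
        severity = "high" if len(reasons) >= 2 else "medium"
        alerts.append({"user": ev["user"], "action": ev["action"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["action"], alert["reasons"])
```

Bob’s weekend sign-in from a known country is a medium-severity nudge, while Alice’s 02:13 sign-in from an unseen country followed two minutes later by a new inbox rule is the classic BEC sequence and is rated high on both events. The chaining step is what turns two individually noisy signals into something a responder will act on.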


4. Harden identity infrastructure, including Active Directory
Credentials aren’t the only way threat actors target identities and gain privileged access into environments. Active Directory and other technologies within the identity infrastructure are vulnerable to attack, so taking measures to harden them – including conducting password policy updates, remediating vulnerabilities, enforcing strong encryption, and ensuring software patches are updated promptly – will help prevent attacks from succeeding.

5. Provide comprehensive security awareness training
Identities are always tied back to users, and while technical attacks are a valuable tool in a threat actor’s tool belt, a simple phishing email can often grant access more easily and quickly. A strong security awareness program not only understands the human risk your organization faces, but also offers consistent microlearning content to drive behavior change and achieve the security culture needed to reduce human risk.
