The cybersecurity landscape has seen a substantial shift in threat vectors. Malware and ransomware remain relevant, but a more nuanced class of attacks has gained traction.
Over 80% of breaches now involve compromised credentials or identity-based attacks, underscoring this trend. Authentication-centered attacks prevail: credential stuffing, session hijacking, identity abuse and lateral movement using legitimate IT tools. Stolen identity and privileged-access credentials now account for 61% of all data breaches. Unlike traditional threats, these attacks exploit trust, leveraging the very mechanisms meant to protect access and enable productivity.
Identity abuse has become a favored tactic among threat actors for several reasons. Attackers have refined phishing kits and automation to the point where they harvest credentials and session cookies at scale. Adversary-in-the-middle kits that proxy the real login page capture the session cookie issued after MFA completes, so even a robust multi-factor deployment is bypassed without the second factor ever being broken.
Beyond direct identity abuse, threat actors increasingly gain initial access through third-party relationships and software supply chains. Compromised CI/CD pipelines, exposed tokens in code repositories, and over-permissioned integrations provide a stealthy and often overlooked path into enterprise environments. These indirect access points are difficult to detect when wrapped in trusted vendor relationships or API-driven automation.
At the same time, APIs, particularly those behind mobile applications and login workflows, are exploited because they often lack defenses such as CAPTCHA or rate limiting: the browser login page typically has both, while the API the mobile app calls frequently has neither, which makes it an ideal vector for automated attacks. These authentication endpoints are attractive not only because of their ubiquity but also because they receive relatively little attention in most organizations' detection strategies.
Hiding in Plain Sight
Authentication-based attacks increasingly unfold quietly. Right under our noses, attackers use credentials that are valid, even if stolen, and tools that are legitimate. Rather than deploying malware or tripping alerts with anomalous binaries, adversaries rely on standard utilities such as PowerShell, remote access tools or internal SSO portals to move laterally within networks.
Because attackers can establish persistence and evade detection for extended periods this way, defenders face increasing difficulty distinguishing malicious behavior from authorized user activity.
Trust as a Weapon
Campaigns exploiting identity systems, such as the Scattered Spider intrusions at Hawaiian Airlines and WestJet, show threat actors bypassing MFA through help-desk impersonation (talking support staff into resetting a password or enrolling a new MFA device) and MFA fatigue (flooding a user with push prompts until one is approved). They also show how federated access mechanisms can be turned against an organization when misconfigured.
The blending of attacker TTPs ranging from APT-style tradecraft to the use of commoditized remote access software has made attribution more difficult, especially as attackers frequently use the same infrastructure and tools available to IT administrators and support personnel.
Traditional defenses, designed to match known malware signatures, are ill-equipped for threats that look and act like legitimate users. Even endpoint products with advanced detection can overlook subtle signs of compromise if behavioral context is missing. A successful attack may involve no malware at all, only an uptick in login attempts from an unusual geography or a spike in privilege changes. These signals are minor in isolation and critical when correlated into a broader behavioral pattern.
Security Can No Longer Operate in Isolation
Security operations must become more intelligence-driven and behavior-aware. With frameworks like MITRE ATT&CK freely available as a structured guide to how attackers operate, not taking the time to prepare feels almost negligent. Security teams should use these models to form hypotheses about likely adversary behavior and test them against their environment's telemetry. That proactive stance turns threat intelligence from a static reference into an operational asset that informs detection engineering, alert tuning and incident response.
For example, defenders might build detections around patterns that reflect real adversary behavior: anomalous access to APIs, repeated failed logins followed by a sudden success, or authentication events tied to uncommon device fingerprints. These indicators often live in logs outside the traditional security toolset: API gateway logs, identity provider analytics or OAuth token issuance events. Engaging IT, DevOps and IAM teams is essential to access and interpret that data effectively.
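The detections described above, written out as an added example (not code from the article or from any identity provider or vendor product). It runs over a constructed stream of authentication events and raises signals only on successful logins: a burst of failures, a source IP that failed against several accounts, and a device fingerprint or country the user has never been seen with, then correlates them into one finding per login. The event schema, the per-user baseline, the thresholds and every record are assumptions; real IdP and API gateway logs use their own field names.

```python
"""Identity-layer detections run over constructed auth events.

Added example, not code from the article or from any vendor product. The
event schema, baseline, thresholds and sample records are all assumptions;
real identity-provider and API-gateway logs use their own field names."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed known-good history per user (devices and countries previously
# seen on successful logins). Users absent here have no baseline yet.
BASELINE = {
    "alice": {"devices": {"fp-alice-laptop"}, "countries": {"US"}},
    "bob": {"devices": {"fp-bob-phone"}, "countries": {"US"}},
}

# Constructed sample stream: (timestamp, user, result, source_ip, country, device_fp).
# 198.51.100.7 sprays several accounts, then lands a valid password for alice.
EVENTS = [
    ("2025-07-01T09:00:00", "alice", "success", "203.0.113.5", "US", "fp-alice-laptop"),
    ("2025-07-01T09:01:00", "bob", "success", "203.0.113.9", "US", "fp-bob-phone"),
    ("2025-07-01T21:59:30", "carol", "failure", "198.51.100.7", "NL", "fp-headless-1"),
    ("2025-07-01T21:59:40", "dave", "failure", "198.51.100.7", "NL", "fp-headless-1"),
    ("2025-07-01T22:00:00", "alice", "failure", "198.51.100.7", "NL", "fp-headless-1"),
    ("2025-07-01T22:00:10", "alice", "failure", "198.51.100.7", "NL", "fp-headless-1"),
    ("2025-07-01T22:00:20", "alice", "failure", "198.51.100.7", "NL", "fp-headless-1"),
    ("2025-07-01T22:00:40", "alice", "success", "198.51.100.7", "NL", "fp-headless-1"),
    ("2025-07-01T22:05:00", "bob", "failure", "203.0.113.9", "US", "fp-bob-phone"),
    ("2025-07-01T22:05:30", "bob", "success", "203.0.113.9", "US", "fp-bob-phone"),
]


def analyze(events, baseline, fail_threshold=3, window=timedelta(minutes=5),
            spray_accounts=3):
    """Return one finding per successful login that carries at least one
    signal. Signals are raised only on successes: a burst of failures is
    noise until the attacker gets in, and that login is the one worth paging on."""
    recent_failures = defaultdict(deque)   # user -> timestamps of failures in window
    ip_targets = defaultdict(set)          # source_ip -> distinct accounts it failed on
    profiles = {u: {k: set(v) for k, v in b.items()} for u, b in baseline.items()}
    findings = []
    for ts_s, user, result, ip, country, fp in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        fails = recent_failures[user]
        while fails and ts - fails[0] > window:
            fails.popleft()
        if result != "success":
            fails.append(ts)
            ip_targets[ip].add(user)
            continue
        signals = []
        if len(fails) >= fail_threshold:
            signals.append(f"{len(fails)} failed logins then success within {window}")
        if len(ip_targets[ip]) >= spray_accounts:
            signals.append(f"source {ip} failed against {len(ip_targets[ip])} accounts")
        profile = profiles.get(user)
        if profile is None:
            signals.append("no baseline for user")
        else:
            if fp not in profile["devices"]:
                signals.append(f"unseen device fingerprint {fp}")
            if country not in profile["countries"]:
                signals.append(f"unseen country {country}")
        if signals:
            findings.append({"ts": ts_s, "user": user, "src": ip,
                             "severity": "high" if len(signals) >= 2 else "low",
                             "signals": signals})
        fails.clear()
        # Only a clean success extends the user's baseline; a flagged login
        # must not teach the profile the attacker's device or location.
        if profile is not None and not signals:
            profile["devices"].add(fp)
            profile["countries"].add(country)
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, BASELINE):
        print(f["severity"].upper(), f["ts"], f["user"], f["src"])
        for s in f["signals"]:
            print("   -", s)
```

On the sample stream the only finding is alice's 22:00:40 login, which carries all four signals; bob's single failure followed by a success from his usual phone and country produces nothing, which is the point of correlating rather than alerting on each signal alone.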
Mapping the Blind Spots
Attackers are also increasingly stealing refresh tokens and replaying them, especially in mobile-app and API-centric authentication flows. A stolen refresh token lets its holder mint fresh access tokens without ever presenting a password or a second factor, so it can be reused silently to impersonate the legitimate user and maintain persistent access without triggering alarms.
A more resilient, risk-aligned defense depends on security leaders mapping detection capabilities to frameworks like MITRE ATT&CK and uncovering gaps in telemetry and analytics. Prioritizing high-impact use cases such as credential stuffing, token theft and misuse of remote access tools lets organizations tailor playbooks to the most damaging identity-based attacks.
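The standard countermeasure to the silent replay described above is refresh token rotation with reuse detection, as recommended in the OAuth 2.0 Security Best Current Practice for public (mobile and SPA) clients. The in-memory authorization server below is an added example, not the article's code or any product's implementation: every refresh hands out a new token and retires the old one, all tokens descending from one login share a family, and a retired token showing up again revokes the whole family, so whichever of victim or thief uses the stolen token second exposes the theft and cuts off both. A mismatch between the device fingerprint at login and at refresh is logged as a soft signal rather than a hard failure. The class, field names and fingerprints are illustrative assumptions.

```python
"""Refresh-token rotation with reuse detection, simulated in memory.

Added example, not the article's code or any product's implementation. It
assumes an authorization server that keeps one record per refresh token;
the class, field names and sample fingerprints are illustrative."""
import secrets
from dataclasses import dataclass


class ReuseDetected(Exception):
    """A refresh token that was already rotated out was presented again."""


@dataclass
class TokenRecord:
    family: str          # all tokens descending from one login share a family
    user: str
    device_fp: str       # fingerprint captured when the family was created
    active: bool = True  # False once rotated out or the family is revoked


class AuthServer:
    def __init__(self):
        self.tokens = {}             # refresh_token -> TokenRecord
        self.revoked_families = set()
        self.audit = []              # security-relevant events for the SIEM

    def login(self, user, device_fp):
        family = secrets.token_hex(8)
        rt = secrets.token_urlsafe(32)
        self.tokens[rt] = TokenRecord(family, user, device_fp)
        return rt

    def _revoke_family(self, family, reason):
        for rec in self.tokens.values():
            if rec.family == family:
                rec.active = False
        self.revoked_families.add(family)
        self.audit.append(("family_revoked", family, reason))

    def refresh(self, rt, device_fp):
        rec = self.tokens.get(rt)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family in self.revoked_families:
            raise PermissionError("token family revoked")
        if not rec.active:
            # A rotated-out token is being replayed. The server cannot tell
            # whether the victim's app or the thief is presenting it, so the
            # whole family dies: the real user re-authenticates, the thief is cut off.
            self._revoke_family(rec.family, f"reuse of rotated token from fp={device_fp}")
            raise ReuseDetected(rec.family)
        if device_fp != rec.device_fp:
            # Soft signal only: mobile user agents change legitimately, so log
            # it for correlation instead of failing the refresh outright.
            self.audit.append(("fp_mismatch", rec.family, rec.device_fp, device_fp))
        rec.active = False
        new_rt = secrets.token_urlsafe(32)
        self.tokens[new_rt] = TokenRecord(rec.family, rec.user, rec.device_fp)
        return new_rt


def simulate(attacker_first):
    """Victim and attacker both hold the same refresh token; whichever party
    uses it second is caught, and the family dies either way."""
    srv = AuthServer()
    victim = ("alice-app", "fp-alice-phone")
    attacker = ("attacker", "fp-headless-1")
    rt0 = srv.login("alice", victim[1])             # attacker steals rt0 right after login
    first, second = (attacker, victim) if attacker_first else (victim, attacker)
    rt1 = srv.refresh(rt0, first[1])                # first user of rt0 gets a new token
    result = {"rotated_to": first[0]}
    try:
        srv.refresh(rt0, second[1])                 # replay of the already-rotated rt0
        result["replay"] = "accepted"
    except ReuseDetected:
        result["replay"] = "detected"
    try:
        srv.refresh(rt1, first[1])                  # rt1 was valid a moment ago
        result["rt1_after_replay"] = "accepted"
    except PermissionError:
        result["rt1_after_replay"] = "revoked"
    result["audit"] = [e[0] for e in srv.audit]
    return result


if __name__ == "__main__":
    print("attacker refreshes first:", simulate(True))
    print("victim refreshes first:  ", simulate(False))
```

Note the ordering inside `refresh`: the reuse check runs before the fingerprint check, so a replay is revoked regardless of what device claims to present it, and the fingerprint mismatch is only recorded for refreshes that would otherwise succeed. Without rotation, the thief's copy of `rt0` would keep working for as long as the token lived, with nothing in the log to distinguish it from the victim's own app.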
Regular simulation of real-world adversary behavior also helps teams test their readiness and refine their detections. Equally important is cross-functional collaboration with development and infrastructure teams to find weaknesses in authentication workflows and eliminate common misconfigurations. Finally, expanding visibility into identity systems, including mobile APIs, login behavior and session token activity, ensures that subtle indicators such as abnormal user agents or suspicious token refreshes do not go unnoticed.
Adversary-Informed Advantage
Organizations that follow these strategies can expect improvements in several critical areas. They will detect credential-based attacks and lateral movement earlier in the attack chain, limiting the window for data exfiltration or persistent access. Their response strategies will align more closely with real-world risk, reducing alert fatigue and improving mean time to resolution. Perhaps most importantly, their teams will operate from an understanding rooted in adversary behavior rather than from fear or guesswork.
This evolution is not optional. Attackers have shifted tactics, and defenders must respond in kind. By moving beyond legacy detection and embracing adversary-informed strategies, security teams can reclaim the initiative. Protecting the identity layer is now central to protecting the business, and the organizations that act on this truth will be those best positioned to resist compromise and disruption in the face of increasingly sophisticated threats.
About the Author
Randolph Barr is a seasoned Chief Information Security Officer (CISO) at Cequence Security with over two decades of experience in cybersecurity, IT, and risk management. He has led the development and expansion of security programs across various industries, establishing foundational frameworks that not only address immediate threats but also scale with business growth. Randolph’s expertise has enabled organizations to achieve recognized security certifications and third-party attestations, ensuring security governance and compliance. Committed to fostering a collaborative environment within the security community, he focuses on sharing and learning from experiences to strengthen collective defenses against bad actors. Equally, Randolph emphasizes building transparency within security programs to enhance trust and demonstrate a strong commitment to safeguarding customer interests. His strategic initiatives in offensive security and risk management have significantly reinforced security resilience. Randolph holds a CISSP certification, dual bachelor’s degrees in computer science and business administration, and has completed advanced studies in artificial intelligence (AI) at UC Berkeley. Randy can be reached online on LinkedIn and via the company website: https://www.cequence.ai/