For many years, cybersecurity professionals have relied on Indicators of Compromise (IOCs) such as IP addresses, domain names, and file hashes to defend against a number of cyber threats. While these technical artifacts provide valuable data points, their effectiveness as a primary defense mechanism is waning in the face of increasingly strategic adversaries. Time has shown that adversarial strategies gravitate towards paths of least resistance.
The Limitations of Traditional IOCs
Attackers can easily spoof traffic sources and rapidly change their operational infrastructure, rendering IP address blocking futile. An IP address identified as malicious today might be obsolete tomorrow. Additionally, threat actors can alter a malware file's hash in seconds, bypassing signature-based detection systems. The proliferation of polymorphic malware, which automatically alters its own code, further diminishes the effectiveness of traditional hash-based detection methods.
Cybersecurity teams are often overwhelmed by the sheer volume of data from threat intelligence feeds, much of which quickly becomes irrelevant. These massive “blacklists” of IOCs are often outdated due to the ephemeral nature of attacker infrastructure and the ease of modifying malware signatures. This data overload makes it difficult for security analysts to identify genuine threats and implement effective proactive measures. Furthermore, traditional threat intelligence often lacks the context needed to identify the actor behind an attack, hindering preventative efforts.
The Shift Towards Identity-Centric Security
The reality is that identifying malware before user execution is increasingly challenging. Modern security breaches frequently involve compromised identities, an element that traditional IOC feeds often miss. Verizon’s 2024 Data Breach Investigations Report (DBIR) indicates that stolen credentials have been a factor in nearly one-third (31%) of all breaches over the past decade. Research from Varonis in 2024 reveals that 57% of cyberattacks begin with a compromised identity. Attackers are increasingly choosing to “log in” rather than “hack in,” exploiting either valid username and password combinations or exposed session objects (e.g. cookies) obtained through various means. This approach allows them to bypass security controls by impersonating legitimate users. Multi-Factor Authentication (MFA), while valuable, does not fully mitigate the risks associated with compromised identities, especially when considering session objects exfiltrated through infostealer malware. Traditional defensive strategies and IOC-based defenses are often blind to these incursions, as malicious activity appears to be legitimate user behavior.
This evolving threat landscape necessitates a proactive approach, driving cybersecurity professionals to adopt identity-centric cyber intelligence. This approach shifts the focus from chasing transient technical indicators to monitoring human and non-human entities within digital ecosystems. Instead of solely focusing on blocking malware or IP addresses, cybersecurity teams are now prioritizing questions like “which identities, credentials, sessions, or personal data have been compromised?” This evolved strategy involves correlating various seemingly disparate signals, such as usernames, email addresses, and passwords, across multiple data breaches and leaks to develop a comprehensive understanding of risky identities and the threat actors behind them. The effectiveness of this approach is directly related to the volume and hygiene of the data analyzed; more high-fidelity data leads to richer and more accurate intelligence. For example, identity-centric cyber intelligence can quickly verify whether a user’s email and password have been exposed in recent data breaches and analyze historical data to identify patterns of misuse. Correlating timely and comprehensive data provides a level of contextual awareness that traditional threat intelligence lacks.
The Power of Identity Signals
Identity signals are crucial for distinguishing legitimate users from imposters or synthetic identities. The rise of remote and hybrid work models, cloud services, and VPNs has made it easier for attackers to create synthetic identities or compromise valid user identities. While traditional indicators like source IP addresses are insufficient to determine the legitimacy of a user, an identity-centric approach excels in this area. By analyzing multiple attributes associated with an identity against extensive data stores of breached data and fraudulent identities, organizations can identify risky identities. For instance, an email address with no prior legitimate online presence that suddenly appears in numerous unrelated breach datasets could indicate a synthetic profile.
Advanced threat intelligence platforms utilize entity graphing to visually map and correlate seemingly unrelated signals, revealing hidden connections. These interconnected graphs can expose relationships between threat actors, even when they use obscure data points. This high-fidelity intelligence can identify not just isolated threat artifacts but also the human adversaries orchestrating malicious campaigns. Understanding the identity of the individual behind the keyboard is as critical as understanding their Tactics, Techniques, and Procedures (TTPs).
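The correlation described in the two passages above (linking usernames, emails and passwords across breaches, and entity graphing that reveals connections between personas) can be illustrated with a small graph build over breach records. The following is an added example, not code from the article or from any vendor platform: the records, sources and attribute names are constructed, and the hub-attribute cutoff is an assumption introduced here to stop widely reused password hashes (e.g. the hash of a common password) from falsely linking unrelated people.

```python
"""Entity graphing over constructed breach records (added example).

Nodes are typed attribute values such as ("email", ...), ("phone", ...) and
("pw_hash", ...). Two emails end up in the same cluster when they share a
non-hub attribute directly or through a chain of shared attributes.
"""
from collections import defaultdict

# Constructed sample records from three hypothetical breach sources.
# None of these values are real; they only show how records get correlated.
SAMPLE_RECORDS = [
    {"source": "breach_A", "email": "jdoe@example.com", "phone": "+1-555-0100", "pw_hash": "h1"},
    {"source": "breach_B", "email": "john.d@example.net", "phone": "+1-555-0100", "pw_hash": "h2"},
    {"source": "breach_C", "email": "dev.persona@example.org", "pw_hash": "h2"},
    {"source": "breach_A", "email": "alice@example.com", "pw_hash": "h3"},
    {"source": "breach_B", "email": "bob@example.com", "pw_hash": "common"},
    {"source": "breach_C", "email": "carol@example.com", "pw_hash": "common"},
    {"source": "breach_A", "email": "dan@example.com", "pw_hash": "common"},
]

LINK_KEYS = ("email", "phone", "pw_hash")
# Assumption: an attribute shared by more than HUB_LIMIT distinct emails is a
# "hub" (e.g. the hash of "123456") and must not be used as a link.
HUB_LIMIT = 2


class UnionFind:
    """Disjoint-set forest used to compute connected components."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def hub_attributes(records, limit=HUB_LIMIT):
    """Return typed attributes that co-occur with more than `limit` distinct emails."""
    seen = defaultdict(set)
    for rec in records:
        for key in LINK_KEYS:
            if key != "email" and key in rec:
                seen[(key, rec[key])].add(rec["email"].lower())
    return {attr for attr, emails in seen.items() if len(emails) > limit}


def build_identity_clusters(records):
    """Group emails that are connected through shared non-hub attributes.

    Returns a list of sorted email lists, largest cluster first.
    """
    hubs = hub_attributes(records)
    uf = UnionFind()
    for rec in records:
        anchor = ("email", rec["email"].lower())
        uf.find(anchor)  # register isolated emails as their own component
        for key in LINK_KEYS:
            if key == "email" or key not in rec:
                continue
            attr = (key, rec[key])
            if attr in hubs:
                continue  # skip over-linking attributes
            uf.union(anchor, attr)

    clusters = defaultdict(set)
    for rec in records:
        anchor = ("email", rec["email"].lower())
        clusters[uf.find(anchor)].add(rec["email"].lower())
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def cluster_sources(records, cluster):
    """Breach sources contributing to a cluster: how many unrelated leaks link these personas."""
    members = set(cluster)
    return sorted({r["source"] for r in records if r["email"].lower() in members})


if __name__ == "__main__":
    for cluster in build_identity_clusters(SAMPLE_RECORDS):
        print(cluster, "via", cluster_sources(SAMPLE_RECORDS, cluster))
```

In the constructed data, three personas with unrelated email addresses collapse into one cluster through a shared phone number and a reused password hash, while the three accounts that merely share a common password hash stay separate because that hash is treated as a hub. In production the hub cutoff would be tuned against the data set, and links would carry provenance (which source, when observed) so an analyst can audit why two personas were joined.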
Historical Context: The Power of Signal Analysis
The concept of analyzing signals for threat intelligence is not new. The National Security Agency (NSA) project labeled ThinThread (circa 1990s) aimed to analyze phone and email metadata to identify potential threats. ThinThread demonstrated the potential of analyzing seemingly disparate signals to gain critical insights. The core component of ThinThread, known as MAINWAY, which focused on analyzing communication patterns, was eventually deployed and became a key part of the NSA’s domestic surveillance program. This historical example illustrates the potential of analyzing seemingly disparate signals to gain critical insights into potential threats, a principle that underpins modern identity risk intelligence.
Real-World Example: North Korean Cyber Espionage
Recent events highlight the urgent need for identity-centric intelligence, particularly the numerous cases of North Korean intelligence operatives infiltrating companies by posing as remote IT workers. These highly skilled agents create elaborate fake personas with fabricated online presences, counterfeit resumes, stolen personal data, and AI-generated profile pictures to secure employment. Once employed, they often exfiltrate data. In some cases, they diligently perform their IT work to avoid suspicion. U.S. investigators have corroborated the widespread nature of this tactic, revealing that North Korean nationals have fraudulently obtained employment by presenting themselves as citizens of other countries. These operatives create synthetic identities to pass background checks and interviews, acquiring personal information to appear as proficient software developers or IT specialists. One North Korean hacker even secured a software developer position at a cybersecurity company using a stolen American identity and an AI-generated profile photo, deceiving HR and recruiters. In some instances, these actors exfiltrate sensitive data within days of employment. KnowBe4, a security training firm, discovered a newly hired engineer who was a North Korean operative downloading hacking tools onto the company network. The operative was only apprehended because of the company’s proactive monitoring systems.
This example underscores that traditional security measures, background screenings, and network monitoring may be insufficient to detect these sophisticated threats. Intelligence that can unmask these malicious actors early in the process is crucial, highlighting the value of identity risk intelligence. Proactively incorporating identity risk signals early in the screening process can help organizations identify potential imposters before they gain network access. For example, an identity-centric approach might have flagged the KnowBe4 hire as high-risk before onboarding by uncovering inconsistencies or prior exposure of their personal data.
Identity Risk Intelligence for Disinformation Security
Identity risk intelligence enables several types of disinformation security measures:
- Digital footprint verification: Cybersecurity analysts can investigate a job applicant’s claimed identity by leveraging breach and darknet databases. Discrepancies, such as an email address or name appearing in breach data associated with different individuals, or a supposed U.S.-based engineer’s records tracing back to foreign IP addresses, should raise concerns. In disinformation security, this helps identify fabricated identities used to spread false information or gain unauthorized access. Digital footprint analysis involves thoroughly examining a user’s online presence across platforms to verify their legitimacy. Inconsistencies or a lack of a genuine online presence can indicate a synthetic identity.
- Proof of life / Synthetic identity detection: Advanced platforms can analyze combinations of Personally Identifiable Information (PII) to determine the likelihood of an identity being genuine versus fabricated. Non-existent social media presence or AI-generated profile photos are strong indicators of a synthetic persona. This is crucial for disinformation security, as threat actors often use AI-generated profiles to create believable fake identities. AI algorithms and machine learning techniques are essential for detecting these anomalies within large datasets. Behavioral biometrics, which analyzes unique user interaction patterns, can further aid in distinguishing between genuine and synthetic identities.
- Continuous identity monitoring: Monitoring activity and credentials can expose anomalies even after an individual is hired. For example, an alert could be generated if a contractor’s account appears in a credential dump online. For disinformation security, this allows for the detection of compromised accounts used to spread malicious content or propaganda.
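The three measures in the list above, together with the earlier observation that an email with no prior presence suddenly appearing in many unrelated breach datasets points to a synthetic profile, can be expressed as a small vetting and monitoring routine. The following is an added example, not the article's or any vendor's code: the applicant, the exposure records, the signal names and the thresholds (a 90-day window and three sources for a "burst") are all constructed assumptions, and a real deployment would draw the exposure records from licensed breach and darknet data rather than an inline list.

```python
"""Applicant identity vetting and continuous credential-exposure monitoring (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Applicant:
    name: str
    email: str
    claimed_country: str


@dataclass
class Exposure:
    """One breach/darknet record tied to an email (constructed shape, not a real feed format)."""
    source: str
    email: str
    name: str | None
    observed: date
    ip_country: str | None


@dataclass
class Assessment:
    signals: list[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        if len(self.signals) >= 2:
            return "high"
        return "elevated" if self.signals else "low"


# Assumed thresholds for the "burst exposure" heuristic.
BURST_WINDOW = timedelta(days=90)
BURST_MIN_SOURCES = 3


def vet_applicant(app: Applicant, exposures: list[Exposure]) -> Assessment:
    """Digital footprint verification: compare the claimed identity against breach data."""
    hits = [e for e in exposures if e.email.lower() == app.email.lower()]
    result = Assessment()
    if not hits:
        # No breach footprint at all; weak signal on its own, to be combined with
        # social/professional presence checks before drawing a conclusion.
        result.signals.append("no_breach_footprint")
        return result

    # Same email, different people's names in leaks: identity may be borrowed.
    other_names = {e.name for e in hits if e.name and e.name.lower() != app.name.lower()}
    if other_names:
        result.signals.append("name_mismatch")

    # Records for a supposed US-based applicant tracing back to other countries.
    foreign = {e.ip_country for e in hits if e.ip_country and e.ip_country != app.claimed_country}
    if foreign:
        result.signals.append("geo_inconsistency")

    # Synthetic-identity indicator: many unrelated sources within a short window.
    dates = sorted(e.observed for e in hits)
    sources = {e.source for e in hits}
    if len(sources) >= BURST_MIN_SOURCES and dates[-1] - dates[0] <= BURST_WINDOW:
        result.signals.append("burst_exposure")
    return result


class CredentialDumpMonitor:
    """Continuous identity monitoring: alert once per (source, account) when a watched
    account turns up in a newly ingested credential dump."""

    def __init__(self, watched_emails):
        self.watched = {e.lower() for e in watched_emails}
        self.alerted: set[tuple[str, str]] = set()

    def ingest(self, dump_entries) -> list[str]:
        """dump_entries: iterable of (source, email). Returns only new alerts."""
        alerts = []
        for source, email in dump_entries:
            key = (source, email.lower())
            if key[1] in self.watched and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(f"{email} observed in credential dump {source}")
        return alerts


# Constructed sample data; no real persons, addresses or breaches.
APPLICANT = Applicant("Taylor Reed", "t.reed@example.com", "US")
CLEAN_APPLICANT = Applicant("Sam Colleague", "colleague@example.com", "US")
SAMPLE_EXPOSURES = [
    Exposure("forum_dump_1", "t.reed@example.com", "Taylor Reed", date(2024, 1, 10), "US"),
    Exposure("retail_dump", "t.reed@example.com", "Min-jun Park", date(2024, 2, 3), "CN"),
    Exposure("saas_dump", "t.reed@example.com", None, date(2024, 3, 1), "RU"),
    Exposure("forum_dump_1", "colleague@example.com", "Sam Colleague", date(2020, 5, 5), "US"),
]

if __name__ == "__main__":
    for app in (APPLICANT, CLEAN_APPLICANT):
        a = vet_applicant(app, SAMPLE_EXPOSURES)
        print(app.email, a.risk, a.signals)
    monitor = CredentialDumpMonitor([APPLICANT.email, CLEAN_APPLICANT.email])
    print(monitor.ingest([("new_dump", "colleague@example.com"), ("new_dump", "stranger@example.com")]))
```

The first applicant trips all three signals (another person's name on the same email, records from two other countries, and three sources inside a 51-day window) and is rated high risk before onboarding; the second has a single, consistent, years-old exposure and is rated low. The monitor deduplicates on (source, account) so a dump that is re-ingested does not page the team twice, while the same account appearing in a different dump still raises a fresh alert.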
Sophisticated disinformation campaigns highlight the importance of linking cyber threats to identity risk intelligence. Static IOCs cannot reveal the danger of a seemingly “normal” user account belonging to a hostile actor; nor can they reveal that a “normal” user’s data is actively being used by a nefarious actor. However, identity-centric analysis can provide early warnings by meticulously vetting an individual’s true identity and determining whether their digital persona connects to known threat activity. This is threat attribution in action: prioritizing identity signals makes it possible to attribute suspicious activity to the actual threat actor. The Lazarus Group, for instance, utilizes social engineering tactics on platforms like LinkedIn to distribute malware and steal credentials, highlighting the need for identity-focused monitoring even on professional networks. Similarly, APT29 (Cozy Bear) employs advanced spear-phishing campaigns, underscoring the importance of verifying the legitimacy of individuals and their digital footprints.
About the Author
Andres Andreu serves as both the Chief Operating Officer (COO) and Chief Information Security Officer (CISO) at Constella Intelligence. He is a 4X CISO and distinguished cybersecurity leader with credentials including CISSP, ISSAP, and Boardroom Certified Qualified Technology Expert (QTE). His diverse career spans federal law enforcement—where he earned three U.S. Department of Justice awards for contributions to lawful intercept technology—corporate leadership at Hearst, Ogilvy & Mather and 2U, Inc./edX, and entrepreneurial success as a founding executive at Bayshore Networks (acquired by Opswat in 2021). Recognized as a Top 100 CISO (C100) and a Top 50 Information Security Professional, he balances offensive and defensive cybersecurity strategies with a leadership philosophy that aligns executive and employee objectives. An acclaimed author of The CISO Playbook and Professional Pen Testing Web Applications, he also holds patents in cybersecurity innovations and advises at Forgepoint Capital’s Cybersecurity Advisory Council.
Andres can be reached online at LinkedIn and at our company website https://constella.ai/