Identity-based attacks are becoming an increasingly common way to compromise organizations. Hackers steal IDs, compromise individual accounts and devices, or use other methods to hack into individual accounts so they can infiltrate an organization more deeply.
Identity-based attacks have become so prevalent that one report even states three out of four cyberattacks depend on credentials rather than on malware.
The reason for this is simple. Regardless of how locked down your network is, an authenticated user has free rein inside that network, which is why security leaders must pay attention to this trend.
Credential theft and other ID-based attacks aren’t only a matter of personal risk. They directly apply to an organization’s security posture.
Here’s how ID-based attacks can impact companies.
Many identity-based attacks look like they only risk the individual being targeted. However, the scope of an ID-based attack can quickly escalate to cause an organizational compromise.
For example, credential stuffing and brute-force attacks are common ways that hackers use to infiltrate businesses. Sixty-five percent of people reuse passwords across multiple websites. Cybercriminals not only know this, but they rely on it to successfully compromise high-value targets.
In 2025, credential stuffing led to attacks on Cartier and clothing company The North Face. In 2012, Dropbox was hacked because an employee reused their LinkedIn password, leading to 68 million leaked email addresses. Other corporate victims of credential stuffing include JPMorgan Chase, Gawker, and Yahoo.
2FA and MFA can mitigate these kinds of attacks, but they’re not a silver bullet. “Alert fatigue” can quickly set in: a condition where a user receives so many MFA push notifications that they eventually give in and approve one of the requests. Users will either do this knowingly, in the belief that some error is generating the incessant MFA requests, or unknowingly, such as by mistakenly tapping OK in the confusion of all their other notifications.
MFA fatigue is what allowed hackers to gain access to Uber’s systems in 2022.
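The push-bombing pattern described above leaves a recognizable trace in MFA logs: a burst of denied or unanswered prompts for one user followed by an approval. The following detection logic is an added example, not code from the original post; the log format, the three-rejections threshold and the ten-minute window are assumptions to be tuned to your MFA provider.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs).
# Each line: ISO timestamp, user, outcome of the push (approved/denied/timeout).
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice approved
2024-05-01T22:10:00Z bob timeout
2024-05-01T22:10:40Z bob denied
2024-05-01T22:11:15Z bob timeout
2024-05-01T22:12:02Z bob denied
2024-05-01T22:13:30Z bob approved
2024-05-01T23:00:00Z carol denied
2024-05-01T23:30:00Z carol approved
"""

@dataclass
class PushEvent:
    ts: datetime
    user: str
    outcome: str

def parse_log(text):
    """Parse the constructed log format into PushEvent records."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append(PushEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events

def detect_mfa_fatigue(events, min_rejected=3, window=timedelta(minutes=10)):
    """Return one alert per user who rejected or ignored at least min_rejected
    pushes inside `window` and then approved one: the fatigue-attack signature."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        recent = []  # rejected/timed-out pushes still inside the sliding window
        for e in evs:
            recent = [r for r in recent if e.ts - r.ts <= window]
            if e.outcome in ("denied", "timeout"):
                recent.append(e)
            elif e.outcome == "approved" and len(recent) >= min_rejected:
                alerts.append({"user": user, "rejected_before_approval": len(recent),
                               "approved_at": e.ts.isoformat()})
                recent = []
    return alerts
```

A hit is a reason to contact the user and revoke the session, not proof of compromise; a user who genuinely fumbled several prompts will look the same, which is why number matching or a hardware key is the stronger fix.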
Another ID-based attack vector is the Man-in-the-Middle (MitM) attack. MitM attacks can enable identity-based attacks by intercepting communications to steal credentials or session tokens.
The increase in the use of encryption has made these attacks more challenging to execute, but hackers have likewise increased their level of sophistication.
If employees are using company devices, a MitM attack would effectively give the hacker access to any resource that the devices are authenticated to use.
Attackers are aware that the easiest way to access an organization’s resources is through an individual compromise. The more valuable the target, the more effort an attacker will put into breaching it.
For example, instead of using general phishing campaigns, hackers might use more targeted spear phishing and BEC (business email compromise) campaigns to try to steal credentials. They might try to penetrate an individual’s device directly or an executive’s personal cloud storage account. Such compromises often lead to deeper infiltrations.
Verizon’s latest Data Breach Investigation Report (DBIR), a highly comprehensive cybersecurity report published annually, states that the “human element” is present in about 60% of all data breaches. The human element includes credential theft, breaches from social actions, and human error.
The report also states that engineering errors are present in 23% of all data breaches. But, in all fairness to the cybersecurity industry, the technology and tools for protecting assets are incredibly effective. It’s rare to hear of hacks getting through any properly robust cybersecurity posture. We don’t know of even one recent major attack that didn’t include some form of human error.
Hackers know this, and therefore humans remain their primary target. The more valuable the potential booty, the more targeted the attacks become, such as in spear phishing and BEC attacks.
AI is making it easier to manipulate humans because hackers can now easily create well-worded and compelling emails with only a prompt. They can also generate lifelike images of real people. These tools lower the barrier to entry for hackers and make it more likely that end users will believe a phishing website designed to steal credentials.
The AI problem is made worse if employees aren’t aware of it, which is why it’s essential to educate employees about the risks.
Microsoft Active Directory (AD) is prone to sophisticated ID-based attacks that can give an attacker deep access to your company’s network, potentially leading to an APT (advanced persistent threat).
These types of attacks focus on Kerberos, the authentication protocol used in AD. The Kerberos protocol was developed at MIT in the 1980s and is named after the Greek mythological creature Cerberus, which guarded the gates of the Underworld. The name is a nod to Kerberos’s functionality as the network’s protector.
Unfortunately, the Kerberos protocol can be compromised, notably through three methods:
At a high level, Kerberos functions as a “ticket” system, much like a ticket gives you access to an event. It uses symmetric key cryptography to do the initial authentication, then issues a “ticket” to the authenticated user. Once users have this ticket, they can request additional tickets to access specific services on the network for which they’re authorized.
Kerberoasting exploits the system by first getting access to a low-privileged user’s account, such as through phishing. The hacker then asks the Kerberos system for a service ticket for each service account in the domain. The Kerberos system provides these, even if the user doesn’t actually have access to the service, because access is checked by the service itself, not when the ticket is issued. Part of each ticket is encrypted with a key derived from the service account’s password, so the hacker extracts the tickets and, using an offline tool, brute-forces that password to obtain the credentials of a service account, which frequently has higher privileges.
Yes, it’s technical, but all you really need to know is that the problem exists. The solution is to insist on long, complex passwords so that offline brute-force attacks become impractical. The other solution is to educate users about phishing so they don’t inadvertently give away credentials. Even the credentials of a low-privileged user can open the door to obtaining credentials for users with higher privileges.
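Because the KDC hands out service tickets on request, the defensive signal is in the request pattern itself: Windows logs each one as Security event 4769 with the requesting account, the service name and the ticket encryption type. The following is an added example, not code from the original post, that flags a user account requesting RC4-encrypted tickets for many distinct service accounts in a short window; the event records are constructed, and the five-services threshold and five-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 fields ("A Kerberos service ticket was
# requested"), one dict per event. Encryption type 0x17 is RC4-HMAC,
# 0x12 is AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = [
    {"ts": "2024-05-01T10:00:01", "account": "jdoe", "service": "CIFS-SRV01$", "etype": 0x12, "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:00", "account": "jdoe", "service": "svc_sql", "etype": 0x17, "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:01", "account": "jdoe", "service": "svc_web", "etype": 0x17, "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:02", "account": "jdoe", "service": "svc_backup", "etype": 0x17, "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:03", "account": "jdoe", "service": "svc_sccm", "etype": 0x17, "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:04", "account": "jdoe", "service": "svc_adfs", "etype": 0x17, "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:06:00", "account": "WS07$", "service": "svc_sql", "etype": 0x17, "src": "10.0.0.7"},
    {"ts": "2024-05-01T11:00:00", "account": "asmith", "service": "svc_sql", "etype": 0x12, "src": "10.0.0.9"},
]

RC4_HMAC = 0x17

def detect_kerberoasting(events, min_services=5, window=timedelta(minutes=5)):
    """Flag user accounts that request RC4-encrypted tickets for at least
    min_services distinct service accounts within `window`. Ordinary users
    rarely touch that many services at once, and RC4 is the cheapest type to
    crack offline, so attackers tend to ask for it explicitly."""
    per_account = defaultdict(list)
    for e in events:
        # Skip machine accounts (name ends in $) and the KDC's own account;
        # they are noisy and are not the low-privileged user the text describes.
        if e["account"].endswith("$") or e["account"].lower() == "krbtgt":
            continue
        if e["etype"] != RC4_HMAC or e["service"].endswith("$"):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(in_window) >= min_services:
                alerts.append({"account": account, "services": sorted(in_window),
                               "window_start": start.isoformat()})
                break
    return alerts
```

In a domain that still issues RC4 tickets by default this rule will be noisy, so pair it with enforcing AES on service accounts and with the long-password policy the text recommends.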
The Silver Ticket and Golden Ticket attacks consist of forging a ticket that gives the user access to one service (Silver Ticket) or all services (Golden Ticket) on the network.
All three attacks can lead to an APT, where hackers start to move laterally through an organization, gaining access to deeper levels of information to exfiltrate as they go.
Identity-based attacks are growing in popularity because they’re effective and work across multiple vectors. They can work by compromising an employee’s account directly or one of their devices. They often rely on tried-and-tested methods such as phishing and social engineering.
They can also be highly sophisticated, as in AD-based attacks like Kerberoasting.
ID-based threats are evolving rapidly. Security leaders should therefore create proactive solutions that blend technology, awareness, and policies.
A suggested approach would focus on:
SolCyber can help with all these aspects, lowering the load on your cybersecurity team significantly. To find out more about SolCyber’s outsourced cybersecurity services, check out our website or reach out to us directly for more info.
Photo by Arthur Mazi on Unsplash