
Identity Based Attacks: Tactics, Trends, and Identity Security Best Practices

Published September 24, 2025

Every data breach begins with initial network access, and identity-based attacks are a fast-rising favorite entry point for cyber adversaries. Troublingly, attackers don’t break in, they log in – three out of every four attacks now rely on valid credentials. But identity isn’t only an initial access vector; it’s also a vehicle for attackers to move laterally and escalate privileges while evading detection.  

To understand the evolving identity security landscape, we’ll break down common tactics, emerging trends, and best practices for enhancing identity protection.  

Identity Threats: Understanding Common Tactics  

Adversaries use myriad tactics to carry out identity-based attacks, but they share a common goal: exploit identity security gaps to gain network access that looks authorized, impersonating a legitimate user to move laterally without triggering alerts.

Phishing  

One of the most common identity attack techniques, phishing is a form of social engineering where adversaries pose as trusted entities to trick users into divulging credentials. Verizon’s 2025 Data Breach Investigations Report found that social engineering attacks account for nearly a quarter of external security breaches – 57% of those incidents involve phishing. Emails, text messages, phone calls, and even QR codes can serve as delivery mechanisms for phishing “lures,” which are becoming increasingly convincing as attackers embrace AI.  

Credential Stuffing  

Credential stuffing takes advantage of password reuse, relying on the assumption that most people default to the same password across systems. After extracting credentials, buying them from an access broker, or using automated tools to cycle through databases of stolen credentials, attackers attempt to log in to many accounts in parallel.  

Adversary-in-the-Middle (AiTM) Attacks  

Also called attacker-in-the-middle or man-in-the-middle, these schemes don’t directly trick users into sharing credentials. Instead, they sit between a user and a system, intercepting the data passed between them. This form of digital eavesdropping allows attackers to silently harvest credentials and bypass MFA protections. In a testament to this technique’s effectiveness, AiTM attacks have risen 146% in the last year.

Kerberoasting

In this type of attack, hackers request Kerberos service tickets for service accounts with access to a desired system, then attempt to crack the tickets offline to recover the accounts’ passwords. All too often, service accounts are easy targets, with relatively weak passwords and excessive permissions.

Golden Ticket and Silver Ticket Attacks  

Two forms of pass-the-ticket (PtT) attacks, these techniques exploit weaknesses in the Kerberos authentication protocol, allowing attackers to use stolen or forged tickets to bypass authentication requirements and gain access to sensitive systems. In a golden ticket attack, adversaries obtain a ticket granting ticket (TGT), enabling them to impersonate any user; silver ticket attacks are narrower, targeting specific services.

Password Spraying  

Similar to credential stuffing, password spraying is a brute force technique where attackers attempt to gain entry to many accounts simultaneously by guessing common passwords. After obtaining a list of usernames, attackers repeatedly test a small set of common passwords across all of the accounts, staying below per-account lockout thresholds.

Pass-the-Hash Attacks  

Pass-the-hash (PtH) attacks allow adversaries to use hashed credentials without decrypting them, enabling them to start a new session and move laterally as a legitimate user – no cracking required.

Identity Security Trends: A Shifting Threat Landscape  

From the proliferation of machine identities to the rise of infostealers, the identity threat landscape is shifting. These trends make it easier than ever for attackers to exploit identity security vulnerabilities – and harder than ever for defenders to keep up.  

The Changing Definition of Credential Abuse  

The latest Verizon Data Breach Investigations Report found that the old way of thinking about credentials – as usernames and passwords – has become far too narrow. In reality, a broad range of other credential types can give hackers access to environments; they span categories like:

  • Web application infrastructure 
  • Development and CI/CD secrets  
  • Cloud infrastructure secrets  
  • Database connections  

Many of these credentials are used by system admins and developers, and they will sometimes accidentally make their way into public code repositories, delivering a veritable credential buffet for attackers to peruse. Most commonly, these accidental exposures fall into the web application infrastructure category, with JSON Web Tokens – often used in authentication, session management, and access control – comprising the bulk.  

What’s worse, the report found that the median time to remediate exposed credentials on a GitHub repository is 94 days, leaving a wide window for hackers.  
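Because JSON Web Tokens are the most common accidental exposure, a scanner that recognises their shape and decodes the header and claims lets a team triage a leak (which subject, which algorithm, already expired or still live) before the 94-day median. This is an added example, not code from the report or the original post; the signing key, tokens and file content are constructed, and `make_token` and `scan_text` are hypothetical names.

```python
"""Find JSON Web Tokens in committed text and decode them for triage."""
import base64, hashlib, hmac, json, re

# A JWT is three base64url segments; the header always encodes to "eyJ" because it starts with '{"'
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_decode(segment):
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims, key):
    """Build an HS256 token; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def scan_text(text, now):
    """Return one finding per token-shaped string: line, algorithm, subject,
    whether it is already expired, and a redacted form safe to paste in a ticket."""
    findings = []
    for m in JWT_RE.finditer(text):
        tok = m.group(0)
        try:
            header = json.loads(_b64url_decode(tok.split(".")[0]))
            claims = json.loads(_b64url_decode(tok.split(".")[1]))
        except ValueError:
            continue  # base64-looking noise that is not a JWT
        exp = claims.get("exp")
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "alg": header.get("alg"),
            "sub": claims.get("sub"),
            "expired": exp is not None and exp < now,
            "redacted": tok[:12] + "..." + tok[-6:],
        })
    return findings

# Constructed sample: an env file with one live and one expired token, signed with a made-up key
SAMPLE_KEY = b"constructed-signing-key-not-real"
NOW = 1758700000  # fixed "now" so the result is reproducible
SAMPLE_FILE = (
    "API_URL=https://api.example.invalid\n"
    f"SESSION_TOKEN={make_token({'sub': 'ci-deploy', 'exp': NOW + 3600}, SAMPLE_KEY)}\n"
    f"# old token: {make_token({'sub': 'svc-backup', 'exp': NOW - 86400}, SAMPLE_KEY)}\n"
)
```

Run `scan_text(SAMPLE_FILE, NOW)` to see both tokens reported; only the redacted form should ever leave the scanner, since the finding itself would otherwise become a second copy of the secret.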

Supply Chain Attacks and Vishing Keep Climbing  

As many organizations have embraced detection-centric security strategies, leaning into solutions like EDR and SIEM, attackers are increasingly adopting under-the-radar tactics in identity-based attacks.  

In the first half of 2025, supply chain attacks served as the initial access vector for even more publicly disclosed data breaches than ransomware. One glaring example of this trend is the Snowflake breach, where hackers are thought to have stolen Snowflake customers’ credentials by breaching an MSP; from there, attackers continued the chain by targeting Snowflake cloud storage at organizations like AT&T and TicketMaster. This far-reaching campaign highlights the urgent need to limit third-party vendor and partner access.  

Similarly, vishing (or voice phishing) attacks are on the rise. In these campaigns, attackers call would-be victims and attempt to trick them into downloading malicious payloads, establishing remote support sessions, or simply handing over their credentials via AiTM phishing pages. Between H1 and H2 2024, vishing intrusions increased by 442%.

Machine Identities Outnumber Human Users 

Machine identities like service accounts and API tokens now make up over 70% of networked identities. This is a particularly troubling trend because machine identities are notoriously overprivileged and insecure. For example, only 2.6% of workload identity permissions are actually used, and 51% of workload identities are completely inactive. As further evidence of this growing risk, nearly half of the systems compromised by an infostealer to access corporate login data last year were non-managed devices.

Because legacy systems, service accounts, OT/IoT devices, databases, and other non-SaaS assets often fall outside the bounds of traditional enforcement, large swaths of increasingly complex environments remain vulnerable to identity-based attacks.  

Infostealers and Access Brokers Are Surging 

Infostealers are malware designed to collect valuable data, like credentials, then package the data into “logs” and offer it for sale on online marketplaces. The proliferation of infostealers has given rise to a booming access-as-a-service industry. Advertisements for access brokers increased 50% YoY in 2024. Understanding this trend, it’s easy to see why credential abuse reigns supreme as the most common initial access vector.  

The rise of infostealers and access brokers also likely opens an identity-based entry point for ransomware: last year, 54% of the victims posted to ransomware extortion sites also appeared in infostealer logs.

AI Gives Adversaries an Edge  

Attackers and defenders alike are embracing AI – with mismatched levels of success. Over 70% of security leaders have adopted or are evaluating AI for their security operations, yet just 20% are confident in their ability to secure their own AI models against cyber threats. Meanwhile, 80% of ransomware attacks reviewed in new research from MIT used AI for everything from phishing campaigns and deepfake-driven social engineering to password cracking and more.  

In other words, attackers are effectively leveraging AI to enhance identity-based attacks while security teams struggle to keep up.  

Identity Protection Best Practices: Securing the New Perimeter  

It’s no secret that identity is the new perimeter. But as Chris Boehm, Field CTO, points out: “Most networks were never designed to handle identity as a segmentation boundary.” As identity threats grow more pronounced, organizations need proactive, layered identity controls to turn identity from an all-access pass to another tightly controlled boundary.  

Secure Privileged Access with JIT MFA 

The prevalence of machine identities – and their status as a favorite target for infostealers – on top of increasingly sophisticated social engineering tactics tells us it’s time to stop gambling with privileged access. With network layer MFA, organizations can require just-in-time verification before granting access to admin and service accounts, and secure all privileged ports and protocols by default, including RDP, SSH, WMI, RPC, and WinRM.  

Granularly Segment Identities  

While MFA ensures only the right people gain access to an identity, identity segmentation ensures every user, device, and application has access to only pre-approved assets and logon types. By tracking logon activities, account behavior, and access patterns, security teams can create fine-grained policies that render stolen credentials useless. 

Importantly, segmentation transcends an identity firewall – even with an identity overlay, firewalls are inherently reactive. Instead, identity segmentation rearchitects access itself so every identity – human or machine – automatically operates with true least privilege.  

Build a Zero Trust Architecture  

At its core, Zero Trust security is based on the principle “never trust, always verify.” This means removing implicit trust and requiring continuous verification for every user, device, or application inside the network. To build a Zero Trust architecture, organizations need to enforce comprehensive least privilege across the network, limiting access to what’s needed, for as long as it’s needed – nothing more.  

Automatically Block Lateral Movement with Microsegmentation  

Microsegmentation protects against identity-based attacks by locking down yet another axis for network traffic. By securing every asset inside its own firewall bubble, microsegmentation prevents lateral movement unless it’s explicitly allowed, ensuring hackers hit a dead end regardless of the tactic they use.  
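The three controls above (network-layer MFA on privileged protocols, identity segmentation by logon type, and microsegmentation of flows) are easiest to reason about as ordered checks on a single access attempt. The evaluator below is an added example written for this post, not Zero Networks code; the hosts, identities, policy sets, `Access` type and `evaluate` function are all constructed or hypothetical.

```python
"""Evaluate one access attempt against three layered controls: microsegmentation,
identity segmentation, and just-in-time MFA on privileged protocols."""
from dataclasses import dataclass

# Privileged protocols named in the text, keyed by port; logons over them need fresh MFA
PRIVILEGED_PORTS = {22: "SSH", 135: "RPC endpoint mapper", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
MFA_TTL = 3600  # seconds a just-in-time verification remains valid

# Constructed policy. Microsegmentation: (source host, destination host, port) flows that may exist.
NETWORK_ALLOW = {
    ("ws-42", "files-01", 445),   # workstation to file share
    ("jump-01", "db-01", 3389),   # RDP only from the jump host
    ("app-01", "db-01", 1433),    # application tier to SQL
}
# Identity segmentation: (identity, destination host, logon type) combinations that may succeed.
IDENTITY_ALLOW = {
    ("alice", "files-01", "network"),
    ("alice", "db-01", "local"),          # alice administers db-01 interactively
    ("svc-backup", "files-01", "service"),
}

@dataclass(frozen=True)
class Access:
    identity: str
    src: str
    dst: str
    port: int
    logon_type: str  # "network", "local", "service", ...
    ts: int          # epoch seconds

def evaluate(a, mfa_verified_at=None):
    """Return 'deny', 'mfa-required' or 'allow'. Each layer is checked in order, so
    a stolen credential is stopped by the first layer it violates."""
    if (a.src, a.dst, a.port) not in NETWORK_ALLOW:
        return "deny"  # microsegmentation: the flow itself is not permitted
    if (a.identity, a.dst, a.logon_type) not in IDENTITY_ALLOW:
        return "deny"  # identity segmentation: wrong identity, host, or logon type
    if a.port in PRIVILEGED_PORTS:
        if mfa_verified_at is None or a.ts - mfa_verified_at > MFA_TTL:
            return "mfa-required"  # privileged protocol: demand just-in-time verification
    return "allow"

if __name__ == "__main__":
    # alice's credential used from a workstation straight to the database: blocked at layer one
    print(evaluate(Access("alice", "ws-42", "db-01", 3389, "local", 1000)))          # deny
    print(evaluate(Access("alice", "jump-01", "db-01", 3389, "local", 1000)))        # mfa-required
    print(evaluate(Access("alice", "jump-01", "db-01", 3389, "local", 5000), 4000))  # allow
```

Note that a valid credential for `alice` is still denied when it is presented with the wrong logon type or from a host that has no permitted flow, which is the "stolen credentials rendered useless" outcome the text describes.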

Dynamically Adapt Access Policies  

Cyber adversaries are moving faster than ever – with the help of AI and stealthy techniques, attackers are ready to exploit any temporary weakness in identity security. While granular access policies are key to blocking identity-based attacks, a static approach is too brittle to be effective. Instead, embrace automation to keep policies up to date as network changes occur.  

Proactively Thwart Identity Based Attacks with Zero Networks   

Zero Networks makes proactive identity protection effortless, scalable, and non-disruptive. By combining identity segmentation, automated microsegmentation, and network-layer MFA, Zero creates fine-grained, adaptive access controls based on the identity of users, devices, or applications, automatically blocking lateral movement and applying just-in-time MFA to privileged logons.   

“We microsegment identities themselves — users, service accounts, everything. Even if someone has a stolen credential, they’re blocked unless that identity has access rights. We manage credential policies tightly, and our system enforces them automatically.” 

This multi-layered approach to identity security blocks attackers at every turn, turning identity exploits from feast to famine for hackers. According to Chris Turek, CIO at Evercore, Zero’s combined capabilities create a “new sphere” of security capabilities:

“The combination of Zero’s network and identity segmentation capabilities redefines least privilege architecture, providing a level of protection that the market has never seen before. It allows security teams to control network device segmentation down to the port and protocol level and then layer complete control of user logon access by logon type – network, local, service, etc. As if that wasn’t enough, you can also add multi-factor authentication to any of those controls! You simply can’t do this using any other platform on the market today.”

Take a closer look at how Zero Networks strengthens and simplifies identity protection – request a demo.