Identity Abuse and Credential Misuse as the Primary Initial Access Vector
Recent threat intelligence reporting indicates identity-based attacks (credential theft, social engineering, and misuse of legitimate access) are now the dominant driver of initial compromise, increasingly outpacing exploitation of software vulnerabilities. A Unit 42 report cited by SC Media attributes 65% of initial access to identity techniques versus 22% to vulnerabilities, and notes accelerating attacker tempo—down to 72 minutes from initial access to data exfiltration in the fastest observed cases—alongside growing cross-surface intrusions where 87% of incidents span multiple environments (endpoints, cloud, SaaS, and identity systems). The report also highlights the browser as a key battleground (involved in 48% of attacks) and a sharp rise in SaaS supply-chain abuse (nearly 4x since 2022), including the use of OAuth tokens and API keys for lateral movement.
Separately, Google Threat Intelligence Group commentary on the defense industrial base (DIB) describes adversaries shifting beyond classic espionage toward operations intended to disrupt production capacity and compromise supply chains, with identity increasingly treated as the “new security boundary” across the broader defense ecosystem (from prime contractors to smaller dual-use suppliers). The DIB focus underscores that credential-driven access and downstream supply-chain compromise can have strategic impact beyond data theft, including staging access for future contingencies and enabling ransomware/extortion that indirectly degrades defense supply availability.
Related Stories
Credential-Based Attacks and Identity Threats in Modern Cybersecurity
Credential abuse, phishing, and vulnerability exploitation remain the primary vectors for cyber breaches, with attackers increasingly leveraging automation, AI-driven social engineering, and new evasion techniques. Recent research highlights a 160% surge in leaked credentials, with billions exposed in single incidents, and a significant rise in email-based threats, including a 130% increase in malware delivered via email and a resurgence of ransomware. Attackers exploit overlooked file types and advanced obfuscation tactics to bypass security controls, while compromised credentials and endpoint exploitation are now frequently blended in multi-stage attacks. The rapid proliferation of non-human digital identities, such as AI agents, has dramatically expanded the attack surface, with non-human accounts now outnumbering human users by 82 to 1. This shift has led 90% of business leaders to rank identity attacks as their top concern, and most organizations are reevaluating their identity and access management strategies. The growing complexity and scale of identity-based threats have eroded confidence in rapid recovery, underscoring the need for robust identity resilience and specialized security staff to defend against increasingly sophisticated credential and identity attacks.
3 months ago
Incident Response Reports Highlight Identity and Low-Complexity Initial Access as Dominant Intrusion Drivers
Two 2026 incident-response reports describe threat actors increasingly favoring **fast, low-complexity initial access** over sophisticated exploitation, with **identity compromise** and common remote access paths repeatedly enabling broad downstream impact. Unit 42’s *Global Incident Response Report 2026* data (based on 750+ engagements) indicates attacker activity crossed multiple attack surfaces in **87%** of cases, requiring investigation across endpoints, identity systems, networks, and cloud services; it also attributes a material role to **identity weaknesses** in nearly **90%** of investigations and reports identity-based techniques as the initial access method in **65%** of cases (e.g., phishing, stolen credentials, brute force, insider activity). Phishing and vulnerability exploitation were cited as top initial access vectors (tied at **22%** each), reinforcing that common, repeatable techniques remain highly effective. Arctic Wolf reporting similarly concludes that attackers are prioritizing **accessible entry points**, with **phishing** frequently initiating business email compromise and with ransomware intrusions often beginning via abuse of **remote access services** such as `RDP`, `VPN`, and **remote monitoring and management (RMM)** tooling. Both sources emphasize that weak access controls—such as excessive permissions, non-phishing-resistant MFA, credential reuse/default passwords, IAM misconfigurations, unmanaged OAuth grants, and stale/shared accounts—allow a single foothold to expand laterally across SaaS, cloud, and on-prem environments, increasing blast radius and complicating detection and response.
3 weeks ago
Threat Reports Highlight Identity Abuse and OT Intrusions as Primary Initial Access Vectors
Palo Alto Networks’ **Unit 42** reported that **identity abuse** has become the dominant initial access vector in incident response engagements, with identity-based techniques accounting for **nearly two-thirds** of initial intrusions and an identity-related element present in **nearly 90%** of cases across the attack lifecycle. The report highlights **social engineering** as the leading entry method (about **one-third** of cases), alongside compromised credentials, brute force, overly permissive identity policies, and insider threats; it also notes that growth in **machine identities** and **AI agents** is expanding the identity attack surface and complicating detection because malicious use of valid identities can blend into normal telemetry. Dragos’ 2026 OT/ICS Year in Review described industrial threat actors increasingly moving beyond opportunistic access toward **control-loop mapping**—identifying engineering workstations and collecting configuration/alarm files to understand how processes behave and enable physical impact. Dragos tracked **26** OT-targeting threat groups and identified new groups (**AZURITE, PYROXENE, SYLVANITE**), emphasizing specialization and a division of labor where initial-access activity (including targeting **internet-facing systems**) feeds more OT-capable operators; it also warned that **ransomware** is driving operational disruption and multi-day outages that require OT-specific recovery and is often underestimated as “just IT.”
3 weeks ago
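The detection problem the Unit 42 and Arctic Wolf summaries above describe (a valid identity reused across endpoints, SaaS and cloud, where each event on its own looks ordinary and blends into normal telemetry) is easier to see in code than in percentages. The following is an added example, not code from Unit 42, Arctic Wolf, Dragos or any product named on this page: it takes sign-in, SaaS-audit and cloud-API events already normalised into one stream and applies three rules drawn from the weaknesses listed above (a run of failures followed by a success, an OAuth consent whose app token is then used from an IP the granting user never signed in from, and a long-dormant account that suddenly signs in), then groups findings per identity together with the surfaces that identity touched. The event schema, field names, thresholds and the sample log are constructed assumptions.

```python
"""Cross-surface identity correlation over constructed telemetry (added example, not vendor code).
The event schema (ts, surface, actor, action, ip, optional app/scopes/on_behalf_of),
the rule thresholds and SAMPLE_EVENTS are all constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, surface, actor, action, ip, **extra):
    """Build one normalised event; surface is 'idp', 'saas' or 'cloud'."""
    return {"ts": ts, "surface": surface, "actor": actor, "action": action, "ip": ip, **extra}


# Constructed sample: sign-in, SaaS-audit and cloud-API events merged into one ordered stream.
SAMPLE_EVENTS = [
    # five failures then a success from one IP against m.reyes (brute force / password spray)
    ev("2026-03-02T08:00:01Z", "idp", "m.reyes", "signin_fail", "203.0.113.7"),
    ev("2026-03-02T08:00:05Z", "idp", "m.reyes", "signin_fail", "203.0.113.7"),
    ev("2026-03-02T08:00:09Z", "idp", "m.reyes", "signin_fail", "203.0.113.7"),
    ev("2026-03-02T08:00:14Z", "idp", "m.reyes", "signin_fail", "203.0.113.7"),
    ev("2026-03-02T08:00:20Z", "idp", "m.reyes", "signin_fail", "203.0.113.7"),
    ev("2026-03-02T08:00:31Z", "idp", "m.reyes", "signin_ok", "203.0.113.7"),
    # the new session grants a third-party app broad scopes; the app's token is then used from elsewhere
    ev("2026-03-02T08:03:00Z", "saas", "m.reyes", "oauth_consent", "203.0.113.7",
       app="mail-sync-helper", scopes=["Mail.ReadWrite", "Files.ReadWrite.All"]),
    ev("2026-03-02T08:10:00Z", "cloud", "app:mail-sync-helper", "api_call", "198.51.100.22",
       on_behalf_of="m.reyes"),
    # a service account dormant for months signs in again from the attacker's IP
    ev("2025-10-01T12:00:00Z", "idp", "svc-legacy", "signin_ok", "192.0.2.10"),
    ev("2026-03-02T09:00:00Z", "idp", "svc-legacy", "signin_ok", "203.0.113.7"),
    # ordinary user: one typo then success; none of the rules should fire
    ev("2026-03-02T08:30:00Z", "idp", "a.chen", "signin_fail", "192.0.2.50"),
    ev("2026-03-02T08:30:10Z", "idp", "a.chen", "signin_ok", "192.0.2.50"),
]


def _t(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (actor, ip) pairs with at least `threshold` failures inside `window` followed by a success."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["surface"] == "idp":
            by_pair[(e["actor"], e["ip"])].append(e)
    findings = []
    for (actor, ip), evs in by_pair.items():
        fails = []
        for e in evs:
            fails = [f for f in fails if _t(e) - f <= window]  # forget failures older than the window
            if e["action"] == "signin_fail":
                fails.append(_t(e))
            elif e["action"] == "signin_ok" and len(fails) >= threshold:
                findings.append({"rule": "brute_force_then_success", "actor": actor, "ip": ip,
                                 "failures": len(fails), "ts": e["ts"]})
                fails = []
    return findings


def oauth_app_used_from_new_ip(events):
    """Flag an OAuth consent whose app later calls APIs from an IP the granting user never signed in from."""
    user_ips = defaultdict(set)  # networks each human identity has interactively signed in from
    for e in events:
        if e["surface"] == "idp" and e["action"] == "signin_ok":
            user_ips[e["actor"]].add(e["ip"])
    grants = {e["app"]: e for e in events if e["action"] == "oauth_consent"}
    findings = []
    for e in sorted(events, key=_t):
        if e["action"] != "api_call" or not e["actor"].startswith("app:"):
            continue
        grant = grants.get(e["actor"][len("app:"):])
        if grant and _t(e) > _t(grant) and e["ip"] not in user_ips[grant["actor"]]:
            findings.append({"rule": "oauth_app_used_from_new_ip", "actor": grant["actor"], "app": grant["app"],
                             "scopes": grant["scopes"], "ip": e["ip"], "ts": e["ts"]})
    return findings


def stale_account_reactivated(events, dormant=timedelta(days=90)):
    """Flag a successful sign-in by an account whose previous success was more than `dormant` ago."""
    last_ok, findings = {}, []
    for e in sorted(events, key=_t):
        if e["surface"] == "idp" and e["action"] == "signin_ok":
            prev = last_ok.get(e["actor"])
            if prev is not None and _t(e) - prev > dormant:
                findings.append({"rule": "stale_account_reactivated", "actor": e["actor"], "ip": e["ip"],
                                 "dormant_days": (_t(e) - prev).days, "ts": e["ts"]})
            last_ok[e["actor"]] = _t(e)
    return findings


def correlate(events):
    """Run every rule and group findings per identity with the surfaces that identity touched."""
    surfaces = defaultdict(set)
    for e in events:  # app activity is attributed to the user it acts for, so idp->saas->cloud is one case
        surfaces[e.get("on_behalf_of", e["actor"])].add(e["surface"])
    report = {}
    for f in brute_force_then_success(events) + oauth_app_used_from_new_ip(events) + stale_account_reactivated(events):
        case = report.setdefault(f["actor"], {"rules": [], "surfaces": sorted(surfaces[f["actor"]])})
        case["rules"].append(f["rule"])
    return report


if __name__ == "__main__":
    for actor, case in correlate(SAMPLE_EVENTS).items():
        print(f"{actor}: {case['rules']} across {case['surfaces']}")
```

Run against the constructed sample, `correlate` produces one case for `m.reyes` spanning `idp`, `saas` and `cloud` (brute force followed by an OAuth grant whose token is then used off-network) and one for `svc-legacy` (dormant account reactivated), while `a.chen` produces nothing. The point of grouping by identity rather than emitting three independent alerts is the one the reports make: each event is legitimate-looking on its own surface, and only the cross-surface view shows a single foothold expanding.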