Mallory

Incident Response Reports Highlight Identity and Low-Complexity Initial Access as Dominant Intrusion Drivers

Tags: incident response, insider threat, vulnerability exploitation, identity compromise, stolen credentials, initial access, business email compromise, default passwords, remote access, credential reuse, phishing, ransomware, IAM misconfiguration, on-prem, RDP
Updated February 20, 2026 at 02:01 PM · 3 sources
Two 2026 incident-response reports describe threat actors increasingly favoring fast, low-complexity initial access over sophisticated exploitation, with identity compromise and common remote access paths repeatedly enabling broad downstream impact. Unit 42’s Global Incident Response Report 2026 data (based on 750+ engagements) indicates attacker activity crossed multiple attack surfaces in 87% of cases, requiring investigation across endpoints, identity systems, networks, and cloud services; it also attributes a material role to identity weaknesses in nearly 90% of investigations and reports identity-based techniques as the initial access method in 65% of cases (e.g., phishing, stolen credentials, brute force, insider activity). Phishing and vulnerability exploitation were cited as top initial access vectors (tied at 22% each), reinforcing that common, repeatable techniques remain highly effective.

Arctic Wolf reporting similarly concludes that attackers are prioritizing accessible entry points, with phishing frequently initiating business email compromise and with ransomware intrusions often beginning via abuse of remote access services such as RDP, VPN, and remote monitoring and management (RMM) tooling. Both sources emphasize that weak access controls—such as excessive permissions, non-phishing-resistant MFA, credential reuse/default passwords, IAM misconfigurations, unmanaged OAuth grants, and stale/shared accounts—allow a single foothold to expand laterally across SaaS, cloud, and on-prem environments, increasing blast radius and complicating detection and response.
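The remote-access abuse both reports describe (brute force against RDP and VPN accounts, password spraying that stays under lockout thresholds) is cheap to attempt and, as the summaries note, cheap to detect once the right telemetry is correlated. The following is an added example, written for this page rather than taken from Unit 42 or Arctic Wolf, of two such detections run over constructed Windows Security-log records (event IDs 4625/4624 and logon types are real Windows semantics; the IPs, account names and timings are invented):

```python
"""Detect two low-complexity credential attacks against remote access in
Windows Security event data: brute force followed by a successful logon, and
password spraying across many accounts from one source."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(t, event_id, user, src_ip, logon_type):
    # Minimal parsed Security-log record. 4625 = failed logon, 4624 = successful
    # logon; LogonType 10 = RemoteInteractive (RDP), 3 = network (SMB, WinRM, ...).
    return {"time": t.isoformat(), "event_id": event_id, "user": user,
            "src_ip": src_ip, "logon_type": logon_type}


_BASE = datetime(2026, 2, 10, 3, 10, 0)
# Constructed sample telemetry, not from any real incident.
SAMPLE_EVENTS = (
    # 203.0.113.45 hammers one service account over RDP: 12 failures in ~3 minutes, then success.
    [_ev(_BASE + timedelta(seconds=15 * i), 4625, "svc_backup", "203.0.113.45", 10) for i in range(12)]
    + [_ev(_BASE + timedelta(minutes=3, seconds=10), 4624, "svc_backup", "203.0.113.45", 10)]
    # 198.51.100.7 sprays one guess each at eight different accounts (stays under lockout).
    + [_ev(_BASE + timedelta(minutes=20, seconds=30 * i), 4625, f"user{i:02d}", "198.51.100.7", 3) for i in range(8)]
    # Benign: an admin mistypes twice from the corporate range, then logs in.
    + [_ev(_BASE + timedelta(hours=5, seconds=i), 4625, "jdoe", "10.20.30.40", 10) for i in range(2)]
    + [_ev(_BASE + timedelta(hours=5, minutes=1), 4624, "jdoe", "10.20.30.40", 10)]
)


def detect_bruteforce_then_success(events, fail_threshold=8,
                                   window=timedelta(minutes=10),
                                   remote_logon_types=(3, 10)):
    """Alert on a successful remote logon preceded, within `window`, by at least
    `fail_threshold` failures for the same (account, source IP) pair."""
    failures = defaultdict(list)          # (user, src_ip) -> failure timestamps
    alerts = []
    for e in sorted(events, key=lambda rec: rec["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["user"].lower(), e["src_ip"])
        if e["event_id"] == 4625:
            failures[key].append(t)
        elif e["event_id"] == 4624 and e["logon_type"] in remote_logon_types:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"user": key[0], "src_ip": key[1], "failures": len(recent),
                               "logon_type": e["logon_type"], "success_at": e["time"]})
    return alerts


def detect_password_spray(events, user_threshold=5, window=timedelta(minutes=15)):
    """Alert on a source IP whose failures touch at least `user_threshold` distinct
    accounts inside `window`. Per-account lockout counters never see this pattern,
    because each account receives only one or two guesses."""
    by_ip = defaultdict(list)             # src_ip -> [(time, user)]
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= user_threshold:
                alerts.append({"src_ip": ip, "distinct_users": len(users),
                               "window_start": start.isoformat()})
                break                      # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_then_success(SAMPLE_EVENTS):
        print("brute force then success:", a)
    for a in detect_password_spray(SAMPLE_EVENTS):
        print("password spray:", a)
```

The two detections are deliberately keyed differently: the brute-force rule counts per (account, source) pair and only fires on a success, so a noisy-but-unsuccessful attacker does not page anyone, while the spray rule counts distinct accounts per source and fires on failures alone, because a spray's success against a single weak account looks like an ordinary logon. Thresholds and windows are starting points to tune against your own logon volume.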

Related Stories

Threat Reports Highlight Identity Abuse and OT Intrusions as Primary Initial Access Vectors

Palo Alto Networks’ **Unit 42** reported that **identity abuse** has become the dominant initial access vector in incident response engagements, with identity-based techniques accounting for **nearly two-thirds** of initial intrusions and an identity-related element present in **nearly 90%** of cases across the attack lifecycle. The report highlights **social engineering** as the leading entry method (about **one-third** of cases), alongside compromised credentials, brute force, overly permissive identity policies, and insider threats; it also notes that growth in **machine identities** and **AI agents** is expanding the identity attack surface and complicating detection because malicious use of valid identities can blend into normal telemetry. Dragos’ 2026 OT/ICS Year in Review described industrial threat actors increasingly moving beyond opportunistic access toward **control-loop mapping**—identifying engineering workstations and collecting configuration/alarm files to understand how processes behave and enable physical impact. Dragos tracked **26** OT-targeting threat groups and identified new groups (**AZURITE, PYROXENE, SYLVANITE**), emphasizing specialization and a division of labor where initial-access activity (including targeting **internet-facing systems**) feeds more OT-capable operators; it also warned that **ransomware** is driving operational disruption and multi-day outages that require OT-specific recovery and is often underestimated as “just IT.”

3 weeks ago
Identity Abuse and Credential Misuse as the Primary Initial Access Vector

Recent threat intelligence reporting indicates **identity-based attacks** (credential theft, social engineering, and misuse of legitimate access) are now the dominant driver of initial compromise, increasingly outpacing exploitation of software vulnerabilities. A *Unit 42* report cited by SC Media attributes **65% of initial access** to identity techniques versus **22%** to vulnerabilities, and notes accelerating attacker tempo—down to **72 minutes** from initial access to data exfiltration in the fastest observed cases—alongside growing cross-surface intrusions where **87%** of incidents span multiple environments (endpoints, cloud, SaaS, and identity systems). The report also highlights the **browser** as a key battleground (involved in **48%** of attacks) and a sharp rise in **SaaS supply-chain** abuse (nearly **4x** since 2022), including the use of **OAuth tokens** and **API keys** for lateral movement. Separately, Google Threat Intelligence Group commentary on the **defense industrial base (DIB)** describes adversaries shifting beyond classic espionage toward operations intended to **disrupt production capacity** and **compromise supply chains**, with **identity** increasingly treated as the “new security boundary” across the broader defense ecosystem (from prime contractors to smaller dual-use suppliers). The DIB focus underscores that credential-driven access and downstream supply-chain compromise can have strategic impact beyond data theft, including staging access for future contingencies and enabling ransomware/extortion that indirectly degrades defense supply availability.

3 weeks ago
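The weak access controls listed in the main summary (excessive permissions, non-phishing-resistant MFA, stale and shared accounts) and the OAuth-token and API-key abuse noted in the Unit 42 story above are all findable in an identity inventory before an attacker finds them. The following is an added example, not code from Unit 42, SC Media or any vendor, that audits a constructed inventory for those patterns; the field names, role names, MFA method labels and the Graph-style scope names are this example's own assumptions and would be mapped onto a real IdP or cloud IAM export:

```python
"""Audit an identity inventory for the weak-access-control patterns the reports
describe: stale or shared accounts, non-phishing-resistant or missing MFA,
long-lived API keys, and broad OAuth grants to unverified apps."""
from datetime import datetime, timedelta

NOW = datetime(2026, 2, 20)
PHISHING_RESISTANT_MFA = {"fido2", "webauthn", "passkey", "certificate"}
PRIVILEGED_ROLES = {"global_admin", "domain_admin", "owner"}
# Scope names follow Microsoft Graph naming purely as an illustration; adjust for your IdP.
BROAD_OAUTH_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed inventory, not exported from any real tenant. Field names are this
# example's own; map them onto your IdP / cloud IAM export.
INVENTORY = [
    {"name": "alice", "roles": ["global_admin"], "mfa": "fido2", "shared": False,
     "last_login": NOW - timedelta(days=1), "api_keys": [], "oauth_grants": []},
    {"name": "bob", "roles": ["user"], "mfa": "sms", "shared": False,
     "last_login": NOW - timedelta(days=3),
     "api_keys": [{"id": "k-7f21", "created": NOW - timedelta(days=400)}],
     "oauth_grants": [{"app": "Mail Sync Helper", "verified_publisher": False,
                       "scopes": ["Mail.ReadWrite", "offline_access"]}]},
    {"name": "svc_backup", "roles": ["domain_admin"], "mfa": None, "shared": True,
     "last_login": NOW - timedelta(days=200), "api_keys": [], "oauth_grants": []},
    {"name": "helpdesk-shared", "roles": ["user"], "mfa": "totp", "shared": True,
     "last_login": NOW - timedelta(days=2), "api_keys": [], "oauth_grants": []},
]


def audit_account(acct, now=NOW, stale_after=timedelta(days=90),
                  key_max_age=timedelta(days=365)):
    """Return (severity, reason) findings for one account. The same weakness on a
    privileged account is rated one step higher because its blast radius is larger."""
    privileged = bool(set(acct["roles"]) & PRIVILEGED_ROLES)

    def sev(base):
        return {"medium": "high", "high": "critical"}[base] if privileged else base

    findings = []
    mfa = acct["mfa"]
    if mfa is None:
        findings.append((sev("high"), "no MFA enrolled"))
    elif mfa not in PHISHING_RESISTANT_MFA:
        findings.append((sev("medium"), f"MFA method '{mfa}' is not phishing-resistant"))
    idle = now - acct["last_login"]
    if idle > stale_after:
        findings.append((sev("medium"), f"stale account: no login for {idle.days} days"))
    if acct["shared"]:
        findings.append((sev("medium"), "shared account: no individual accountability"))
    for key in acct["api_keys"]:
        age = now - key["created"]
        if age > key_max_age:
            findings.append((sev("medium"), f"API key {key['id']} unrotated for {age.days} days"))
    for grant in acct["oauth_grants"]:
        broad = BROAD_OAUTH_SCOPES & set(grant["scopes"])
        if broad and not grant["verified_publisher"]:
            findings.append(("high", f"OAuth grant to unverified app '{grant['app']}' "
                                     f"with broad scopes {sorted(broad)}"))
    return findings


def audit_inventory(inventory, **kw):
    """Audit every account and return {name: findings} with the worst accounts first."""
    report = {a["name"]: audit_account(a, **kw) for a in inventory}

    def worst(item):
        return min((SEVERITY_ORDER[s] for s, _ in item[1]), default=99)

    return dict(sorted(report.items(), key=worst))


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "-> clean" if not findings else "")
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

In the constructed data the privileged, MFA-less, shared service account sorts to the top, which matches the reports' point that a single weak identity on a privileged path is what turns a foothold into a tenant-wide incident; the OAuth finding is rated high regardless of the grantee's role because a mail-scoped token on an ordinary mailbox is exactly the BEC staging asset the Arctic Wolf summary describes.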
Reports Highlight Shift Toward Identity-First Attacks and Phishing-Driven Intrusions

Recent reporting and vendor research indicate threat actors are increasingly prioritizing **identity-based intrusion paths**—notably phishing, credential theft, and **Business Email Compromise (BEC)**—over traditional vulnerability exploitation as the most common initial access vector. A Darktrace report cited by SC Media describes identity breaches as the leading entry point, alongside broader trends including accelerated breach tempo, increased automation, and “converging” tactics; it also notes exploitation can occur **before public disclosure** and that overall **CVE volume rose by 20%+ year-over-year**. Email remains a dominant delivery mechanism in these identity-first campaigns. Darktrace telemetry referenced by SC Media reported **32M+ high-confidence phishing emails** across its customer base, with many messages bypassing baseline controls (including **70% passing DMARC**), targeting executives, using **malicious QR codes**, and leveraging newly registered domains. Separately, a SOCRadar analysis frames the U.S. financial sector as a disproportionate target for phishing and dark-web activity, emphasizing AI-enabled crime, persistent BEC, and third-party/supply-chain risk, and citing metrics such as **~48% of global financial phishing activity** and **~23.5% of finance-related dark web threat activity** attributed to the U.S. market.

2 weeks ago
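The figure above that 70% of high-confidence phishing passed DMARC is less surprising than it sounds: DMARC only attests that the message was authorised by whatever domain appears in the From header, so an attacker who registers a lookalike domain and publishes SPF, DKIM and DMARC for it passes cleanly. The following is an added example, not from Darktrace, SC Media or SOCRadar, that parses a constructed Authentication-Results header and then applies the checks DMARC cannot make (domain age, lookalike folding, brand claims in the display name). The protected domain, the registration dates and both messages are invented; the date table stands in for a WHOIS/RDAP lookup:

```python
"""Why 'dmarc=pass' is not a phishing verdict. DMARC binds the message to the
From-header domain; it says nothing about whether that domain is the one the
recipient thinks it is, or how recently it was registered."""
import re
from datetime import date

PROTECTED_DOMAINS = {"examplebank.com"}
# Constructed registration dates standing in for a WHOIS/RDAP lookup (not real records).
DOMAIN_CREATED = {
    "examplebank.com": date(2005, 3, 14),
    "examp1ebank.com": date(2026, 2, 11),
    "partner-invoices.net": date(2021, 8, 2),
}

# Constructed messages (not real captures). The first passes every email-auth check.
PHISH_HEADERS = """From: "ExampleBank Security" <alerts@examp1ebank.com>
To: cfo@victim.example
Subject: Action required: verify your account
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=examp1ebank.com;
 dkim=pass header.d=examp1ebank.com;
 dmarc=pass (p=REJECT) header.from=examp1ebank.com
"""

LEGIT_HEADERS = """From: "Acme Billing" <billing@partner-invoices.net>
To: ap@victim.example
Subject: Invoice 2026-0142
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=partner-invoices.net;
 dkim=pass header.d=partner-invoices.net;
 dmarc=pass (p=QUARANTINE) header.from=partner-invoices.net
"""


def parse_headers(raw):
    """Unfold RFC 5322 continuation lines and return {lowercase name: value}."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    headers = {}
    for line in unfolded.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def auth_results(headers):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    ar = headers.get("authentication-results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", ar)}


def from_parts(headers):
    """Return (display name, sender domain) from the From header."""
    value = headers.get("from", "")
    m = re.search(r"<?([^<>\s@\"]+@([^<>\s@\"]+))>?\s*$", value)
    display = value.split("<")[0].strip().strip('"') if "<" in value else ""
    return display, (m.group(2).lower() if m else "")


def skeleton(label):
    """Fold common digit/letter substitutions so a lookalike collapses onto the brand it copies."""
    for bad, good in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
                      ("rn", "m"), ("vv", "w"), ("-", "")):
        label = label.replace(bad, good)
    return label


def assess(raw, today=date(2026, 2, 20), young_days=30):
    """Combine the DMARC verdict with the checks DMARC does not perform."""
    headers = parse_headers(raw)
    verdicts = auth_results(headers)
    display, domain = from_parts(headers)
    reasons = []
    if verdicts.get("dmarc") != "pass":
        reasons.append("dmarc did not pass")          # the only check a DMARC-only gateway makes
    if domain not in PROTECTED_DOMAINS:
        protected_brands = {skeleton(p.split(".")[0]) for p in PROTECTED_DOMAINS}
        if skeleton(domain.split(".")[0]) in protected_brands:
            reasons.append(f"{domain} is a lookalike of a protected domain")
        if any(b in skeleton(display.lower().replace(" ", "")) for b in protected_brands):
            reasons.append(f"display name '{display}' claims a protected brand")
    created = DOMAIN_CREATED.get(domain)
    if created is not None and (today - created).days < young_days:
        reasons.append(f"{domain} registered {(today - created).days} days ago")
    return {"from_domain": domain, "dmarc": verdicts.get("dmarc"),
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, assess(raw))
```

Both constructed messages carry `dmarc=pass`; only the domain-age, lookalike and display-name checks separate them. The skeleton folding is intentionally crude (a handful of substitutions, no Unicode confusables), which is enough to show the principle; production tooling would add homoglyph tables and a real registration-date source.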

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.