By SC Media Editorial Intelligence, reviewed by Dustin Sachs
Attack Surfaces and Threat Vectors
Password breaches create immediate risk across every enterprise account that reuses the same credentials. Attackers replay previously leaked username and password pairs against corporate login portals in credential stuffing attacks, which require only automated tooling and a leaked credential list. Brute force attacks target weak passwords through automated login attempts against authentication endpoints; password spraying inverts the pattern, trying one or two common passwords against many accounts so that no single account trips a lockout threshold. Account lockout policies blunt per-account brute force (at the cost of handing an attacker a denial-of-service lever, since deliberate failures lock out legitimate users), while impossible travel and other sign-in anomaly monitoring catch the subsequent use of stolen credentials rather than the guessing itself.
Multi-factor authentication bypass techniques defeat the second factor rather than the password. SIM swapping redirects SMS-based second factors to attacker-controlled devices. Push notification fatigue attacks bombard users with MFA prompts until they approve one simply to stop the interruptions. Adversary-in-the-middle phishing sites proxy the real authentication flow, capturing both the password and the one-time code in real time, or just relaying the session cookie the legitimate site issues. FIDO2 hardware tokens (and certificate-based authentication) resist these bypasses because the credential is bound to the origin it was registered for and cannot be replayed by a proxy, but they require hardware distribution and user training.
Directory services attacks exploit Active Directory and cloud identity providers through native protocol weaknesses. Kerberoasting requests service tickets for accounts that carry a service principal name: each ticket is encrypted with the service account's password-derived key, so any authenticated domain user can take the tickets offline and crack them, and attackers typically request RC4-encrypted tickets because they crack far faster than AES. ASREPRoasting targets accounts with "Do not require Kerberos preauthentication" enabled; the KDC returns an AS-REP containing material encrypted under the account's key without the requester ever authenticating, which is likewise crackable offline. Golden ticket attacks use a compromised krbtgt account hash to forge ticket-granting tickets for any principal with arbitrary group membership and lifetime. Rotating service account passwords shortens the window in which a cracked password is useful but may destabilize applications during the rotation window; the krbtgt password must be rotated twice to invalidate forged tickets.
Privileged account abuse escalates access through legitimate administrative functions. Token theft attacks extract OAuth access and refresh tokens from browser memory, cookie stores, or other on-disk storage and replay them without the password or the MFA step. Pass-the-hash techniques authenticate with a captured NTLM hash without knowing the plaintext password, enabling lateral movement across Windows networks. Privileged access management with just-in-time elevation contains these attacks by removing standing administrative access.
Cloud identity provider attacks exploit federated authentication weaknesses across every connected application. SAML assertion manipulation forges or alters identity assertions between the identity provider and service provider, either by exploiting weak signature validation at the service provider or, in the Golden SAML case, by signing assertions with a stolen IdP token-signing certificate. OAuth redirect URI manipulation sends authorization codes to attacker-controlled endpoints when the authorization server matches registered redirect URIs loosely. Because a single sign-on compromise inherits the federation trust, it affects every connected application at once.
Detection Guidance
Identity attack detection requires monitoring authentication events, directory service activity, and privileged account usage across multiple log sources.
Authentication anomaly detection identifies suspicious login patterns through impossible travel scenarios, where one account authenticates from geographically distant locations within a short timeframe (Source: MITRE ATT&CK). Query pattern: source_ip_country != previous_ip_country AND time_diff < 60_minutes. Failed login monitoring should alert after five consecutive failures from the same source IP. That threshold catches brute force against a single account, but not password spraying, which produces one or two failures per account across many accounts and is often distributed across source IPs; spray detection pivots instead on the number of distinct accounts failing within a window, regardless of source. Alert volume rises with distributed attacks, so baseline normal failure rates before tuning thresholds.
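The three rules above run over constructed sign-in records, as an added example (not code from the article). The record fields (ts, user, src_ip, country, success) are an assumed normalised schema, not any product's log format; the sample data is constructed and includes an impossible-travel pair, a single-IP brute force, and a distributed spray that the per-IP failure threshold alone would miss.

```python
"""Sign-in anomaly detection over constructed sample events (added example).

Field names are assumptions about a normalised sign-in schema; the events
below are constructed for this example and are not real data.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # alice: success from US, then success from DE 20 minutes later (impossible travel)
    {"ts": "2024-03-01T09:00:00", "user": "alice", "src_ip": "203.0.113.5", "country": "US", "success": True},
    {"ts": "2024-03-01T09:20:00", "user": "alice", "src_ip": "198.51.100.7", "country": "DE", "success": True},
    # bob: US then FR three hours apart, outside the 60-minute window
    {"ts": "2024-03-01T10:00:00", "user": "bob", "src_ip": "203.0.113.9", "country": "US", "success": True},
    {"ts": "2024-03-01T13:00:00", "user": "bob", "src_ip": "198.51.100.8", "country": "FR", "success": True},
] + [
    # brute force: six consecutive failures against carol from one source IP
    {"ts": f"2024-03-01T11:00:{i:02d}", "user": "carol", "src_ip": "192.0.2.10", "country": "US", "success": False}
    for i in range(6)
] + [
    # distributed password spray: one failure each against 25 accounts, each from a different IP
    {"ts": f"2024-03-01T12:{i:02d}:00", "user": f"user{i:02d}", "src_ip": f"192.0.2.{20 + i}", "country": "US", "success": False}
    for i in range(25)
]


def _parse(events):
    """Return events with parsed timestamps, sorted chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])


def impossible_travel(events, window=timedelta(minutes=60)):
    """(user, from_country, to_country) for successive successful sign-ins of one
    account from different countries less than `window` apart."""
    last, alerts = {}, []
    for e in _parse(events):
        if not e["success"]:
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < window:
            alerts.append((e["user"], prev["country"], e["country"]))
        last[e["user"]] = e
    return alerts


def brute_force(events, threshold=5):
    """Source IPs that reach `threshold` consecutive failures with no success in between."""
    streak, alerts = defaultdict(int), set()
    for e in _parse(events):
        if e["success"]:
            streak[e["src_ip"]] = 0
            continue
        streak[e["src_ip"]] += 1
        if streak[e["src_ip"]] >= threshold:
            alerts.add(e["src_ip"])
    return sorted(alerts)


def password_spray(events, window=timedelta(minutes=60), min_accounts=20, max_per_account=2):
    """Spray pivot: many distinct accounts with only a few failures each inside a
    sliding window, counted across all source IPs. Returns the first window that
    trips, or None."""
    recent, per_user = deque(), Counter()
    for e in _parse(events):
        if e["success"]:
            continue
        recent.append(e)
        per_user[e["user"]] += 1
        while recent and e["ts"] - recent[0]["ts"] > window:   # drop failures older than the window
            old = recent.popleft()
            per_user[old["user"]] -= 1
            if per_user[old["user"]] == 0:
                del per_user[old["user"]]
        sprayed = [u for u, n in per_user.items() if n <= max_per_account]
        if len(sprayed) >= min_accounts:
            return {"window_end": e["ts"], "accounts": len(sprayed),
                    "sources": sorted({x["src_ip"] for x in recent})}
    return None


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
    print("brute force IPs:", brute_force(SAMPLE_EVENTS))
    print("spray:", password_spray(SAMPLE_EVENTS))
```

On the constructed data, brute_force flags only 192.0.2.10 (carol), while the 25 spray attempts, one per IP, never reach the per-IP threshold and are caught only by password_spray's distinct-account pivot.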
Kerberos attack detection focuses on service ticket requests and encryption downgrades, using domain controller security events. Kerberoasting generates distinctive patterns in those logs. Detection rule: event_id=4769 AND service_name!="krbtgt" AND encryption_type="RC4_HMAC" (in the Windows event the field is TicketEncryptionType and RC4-HMAC is 0x17; also exclude machine accounts, whose names end in $, and non-zero result codes, which are the main false-positive sources). ASREPRoasting shows up as TGT requests that succeed without pre-authentication. Query: event_id=4768 AND pre_auth_type="0". The RC4 rule misses an attacker who requests AES-encrypted tickets, so pair it with a volume rule: one account or host requesting tickets for many distinct services within a short window.
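The two rules above, plus the volume pivot, run over constructed 4769 and 4768 records as an added example (not code from the article or any vendor product). The record fields follow the Windows Security event XML names (EventID, ServiceName, TicketEncryptionType, PreAuthType, TargetUserName, IpAddress, Status); the records themselves are constructed.

```python
"""Kerberoasting and AS-REP roasting detection over constructed 4769/4768
records (added example). Encryption type 0x17 is RC4-HMAC, 0x12 is AES256;
PreAuthType 0 means the KDC issued the TGT without pre-authentication.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17

# Constructed sample events, not taken from a real domain controller.
SAMPLE_EVENTS = [
    # Normal AES service-ticket request from a workstation.
    {"ts": "2024-03-01T09:00:00", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "fileserver$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.15"},
    # RC4 ticket for a machine account: a noisy legacy host, excluded by the rule.
    {"ts": "2024-03-01T09:01:00", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "oldprint$",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.16"},
    # Burst of RC4 tickets for three SPN-bearing user accounts from one host: Kerberoasting.
    {"ts": "2024-03-01T09:05:00", "EventID": 4769, "TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
    {"ts": "2024-03-01T09:05:01", "EventID": 4769, "TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
    {"ts": "2024-03-01T09:05:02", "EventID": 4769, "TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
    # Normal TGT request with pre-authentication (type 2 = PA-ENC-TIMESTAMP).
    {"ts": "2024-03-01T09:10:00", "EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.15"},
    # TGT issued without pre-authentication: an AS-REP roastable account.
    {"ts": "2024-03-01T09:11:00", "EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
]


def _is_machine_account(name):
    return name.endswith("$")


def _is_roastable_service(name):
    """Exclude krbtgt (TGS for the KDC itself) and machine accounts (random 120-char passwords)."""
    return not name.lower().startswith("krbtgt") and not _is_machine_account(name)


def rc4_service_ticket_requests(events):
    """The article's rule: successful 4769 for a non-krbtgt, non-machine service
    whose ticket was encrypted with RC4-HMAC. Returns (requester, service) pairs."""
    hits = []
    for e in events:
        if e["EventID"] != 4769 or e.get("Status") != "0x0":
            continue
        if _is_roastable_service(e["ServiceName"]) and int(e["TicketEncryptionType"], 16) == RC4_HMAC:
            hits.append((e["TargetUserName"], e["ServiceName"]))
    return hits


def service_ticket_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Volume pivot: one requester (account + source IP) pulling tickets for
    `min_services` distinct roastable services within `window`, regardless of
    encryption type. Catches Kerberoasting that asks for AES tickets."""
    per_requester = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["EventID"] != 4769 or not _is_roastable_service(e["ServiceName"]):
            continue
        per_requester[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["ts"]), e["ServiceName"]))
    alerts = []
    for (user, ip), reqs in per_requester.items():
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"requester": user, "ip": ip, "services": sorted(services)})
                break
    return alerts


def asrep_without_preauth(events):
    """Successful 4768 with PreAuthType 0: the AS-REP carries data encrypted
    under the account's key and can be cracked offline."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == "0" and e.get("Status") == "0x0"]


if __name__ == "__main__":
    print("RC4 service tickets:", rc4_service_ticket_requests(SAMPLE_EVENTS))
    print("ticket bursts:", service_ticket_bursts(SAMPLE_EVENTS))
    print("no-preauth TGTs:", asrep_without_preauth(SAMPLE_EVENTS))
```

The machine-account and krbtgt exclusions matter in practice: legacy hosts that still negotiate RC4 for their own service tickets are the dominant false positive for the plain RC4 rule.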
Directory service monitoring tracks unusual LDAP queries and group membership changes that indicate reconnaissance or privilege escalation. Excessive LDAP queries from a single source indicate reconnaissance. Detection threshold: more than 100 unique object queries per minute from a single IP (Source: attack.mitre.org). Domain controllers do not log individual LDAP queries by default, so this rule needs LDAP diagnostic logging on the DC or network-level visibility. Group membership modifications outside maintenance windows require investigation (Source: learn.microsoft.com). Baselining query volumes during business hours versus off-hours improves detection accuracy.
Token and session abuse detection monitors authentication artifacts and session behavior for signs of credential theft. OAuth token use from a new IP address should alert for high-privilege accounts. Session duration monitoring identifies tokens that stay active beyond normal working hours or past the expected maximum session age. A user-agent change within an active session indicates that the token may have been exported to a different device or tool, since a genuine browser session does not change its user-agent string mid-session.
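The session checks above, run over constructed session-activity records as an added example (not code from the article). The fields session_id, user, ts, src_ip, user_agent and privileged are an assumed schema, not any product's log format, and the records are constructed: one admin session whose token is replayed from a new IP with a different client, one ordinary session, and one privileged session still active at 02:00 the next day.

```python
"""Session and token anomaly checks over constructed session-activity records
(added example). Schema fields are assumptions; the records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_ACTIVITY = [
    # s1: admin session starts from the corporate range, then the same token is
    # used from an external IP by a non-browser client: token theft pattern.
    {"ts": "2024-03-01T09:00:00", "session_id": "s1", "user": "admin.jane", "privileged": True,
     "src_ip": "10.0.0.21", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"},
    {"ts": "2024-03-01T09:30:00", "session_id": "s1", "user": "admin.jane", "privileged": True,
     "src_ip": "203.0.113.77", "user_agent": "python-requests/2.31"},
    # s2: ordinary user, stable session within working hours.
    {"ts": "2024-03-01T09:05:00", "session_id": "s2", "user": "bob", "privileged": False,
     "src_ip": "10.0.0.30", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"ts": "2024-03-01T17:55:00", "session_id": "s2", "user": "bob", "privileged": False,
     "src_ip": "10.0.0.30", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"},
    # s3: privileged session opened at 08:00 and still active at 02:00 next day.
    {"ts": "2024-03-01T08:00:00", "session_id": "s3", "user": "ops.sam", "privileged": True,
     "src_ip": "10.0.0.40", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/123"},
    {"ts": "2024-03-02T02:00:00", "session_id": "s3", "user": "ops.sam", "privileged": True,
     "src_ip": "10.0.0.40", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/123"},
]


def _sessions(activity):
    """Group records by session_id with parsed timestamps, each group in time order."""
    groups = defaultdict(list)
    for a in activity:
        groups[a["session_id"]].append({**a, "ts": datetime.fromisoformat(a["ts"])})
    return {sid: sorted(evs, key=lambda x: x["ts"]) for sid, evs in groups.items()}


def session_attribute_changes(activity):
    """Sessions whose source IP or User-Agent differs from the first event of the
    session; the privileged flag lets the caller prioritise admin tokens."""
    alerts = []
    for sid, evs in _sessions(activity).items():
        first = evs[0]
        for e in evs[1:]:
            changed = [f for f in ("src_ip", "user_agent") if e[f] != first[f]]
            if changed:
                alerts.append({"session_id": sid, "user": e["user"],
                               "privileged": e["privileged"], "changed": changed})
                break
    return alerts


def privileged_activity_off_hours(activity, start_hour=7, end_hour=19):
    """(session_id, user) for privileged activity outside [start_hour, end_hour)."""
    return sorted({(e["session_id"], e["user"]) for e in activity
                   if e["privileged"] and not (start_hour <= datetime.fromisoformat(e["ts"]).hour < end_hour)})


def overlong_sessions(activity, max_age=timedelta(hours=12)):
    """Sessions whose last observed activity is more than max_age after the first."""
    return sorted(sid for sid, evs in _sessions(activity).items() if evs[-1]["ts"] - evs[0]["ts"] > max_age)


if __name__ == "__main__":
    print("attribute changes:", session_attribute_changes(SAMPLE_ACTIVITY))
    print("off-hours privileged:", privileged_activity_off_hours(SAMPLE_ACTIVITY))
    print("overlong sessions:", overlong_sessions(SAMPLE_ACTIVITY))
```

The working-hours window and the 12-hour maximum age are tuning parameters; pick them from the organisation's own baseline rather than from this example.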
Privileged access monitoring requires real-time alerting on administrative actions to prevent damage from compromised accounts. Administrative group membership changes require immediate notification to security teams. Service account password changes outside scheduled rotations indicate compromise or unauthorized administrative activity. Privileged access management platforms with built-in monitoring provide better visibility than native directory logs alone.
Expert Commentary
"Identity compromise remains one of the most common entry points for enterprise breaches, with attackers targeting credentials, privileged accounts, authentication systems, and identity infrastructure to gain persistent access and move laterally across environments. Common attack methods include password spraying, credential stuffing, phishing, social engineering, token theft, and exploitation of legacy authentication protocols such as NTLM. Privileged accounts, service accounts, and federated authentication systems create particularly high-risk attack surfaces because they often possess broad permissions and weak monitoring controls. Effective defense requires continuous authentication monitoring, anomaly detection, privileged account oversight, and identity infrastructure hardening. Organizations should implement phishing-resistant MFA, least-privilege access, just-in-time administrative privileges, network segmentation, and strong session management controls. Monitoring for unusual login behavior, suspicious Active Directory changes, token anomalies, and interactive service account usage is essential for detecting compromise early. Modern identity defense strategies increasingly align with Zero Trust principles and identity-centric security architectures.
Credential compromise costs enterprises an average of $4.88 million per breach, with identity attacks serving as the initial access vector in 80% of successful intrusions. These attacks succeed by compromising credentials, exploiting weak identity controls, or abusing legitimate identity management features to gain unauthorized access and escalate privileges. Identity attacks target the authentication and authorization systems that control access to enterprise resources." — Dustin Sachs
Mitigation Strategies
Identity attack mitigation requires layered controls addressing authentication, authorization, and account lifecycle management.
Authentication hardening eliminates weak credential practices through protocol restrictions and policy enforcement. Disable NTLM authentication where possible and enforce Kerberos AES encryption to prevent downgrade to RC4; audit NTLM usage first, because application compatibility issues will surface, but the change reduces the attack surface significantly. Password policies should require a 12-character minimum length with complexity requirements (Source: Microsoft Learn); note that NIST SP 800-63B favors length and screening against known-breached passwords over composition rules. Password managers reduce user resistance to strong password policies while improving compliance rates.
Multi-factor authentication deployment must address bypass techniques through phishing-resistant methods. FIDO2 hardware tokens resist phishing and adversary-in-the-middle attacks because the authenticator signs over the origin it was registered with, so a proxy on a look-alike domain cannot obtain a valid assertion. Certificate-based authentication eliminates shared secrets vulnerable to interception during authentication flows. Deployment complexity and user training requirements increase but provide strong attack resistance. Conditional access policies should require MFA for all administrative accounts and external access (Source: Microsoft Learn).
Privileged account controls limit exposure and abuse potential through access restrictions and monitoring. Just-in-time access provides administrative privileges only when needed for specific tasks, reducing standing privilege exposure. Regular service account password rotation prevents long-term compromise but requires coordination with application owners. Automated password rotation tools reduce operational burden compared to manual processes. Administrative account monitoring should include real-time alerting on privilege escalation attempts.
Directory service hardening removes common attack vectors through configuration changes and account management. Disable "Do not require Kerberos preauthentication" on all accounts to prevent ASREPRoasting attacks. Service accounts should use group managed service accounts where possible, which takes password management away from operators and gives each account a long, random, automatically rotated password; for service principal names that must remain on regular user accounts, set long random passwords and restrict the account to AES encryption types so RC4 tickets are never issued for it. Reduced attack surface comes with increased configuration complexity during initial deployment.
Session and token management limits the impact of credential compromise through lifecycle controls. Session timeout policies should terminate idle sessions after 30 minutes for privileged accounts; NIST SP 800-63B requires reauthentication after 30 minutes of inactivity at AAL2 and after 15 minutes at AAL3 (Source: NIST Special Publication 800-63B). Short-lived OAuth access tokens with refresh token rotation prevent long-term abuse of stolen tokens, and revoking a user's refresh tokens invalidates copies an attacker has already exfiltrated; the trade-off is more frequent token renewal, which may affect application performance during rotation periods.
Identity governance programs provide ongoing risk reduction through regular review and automated controls. Regular access reviews identify and remove unnecessary permissions that accumulate over time. Automated provisioning and deprovisioning prevent orphaned accounts from remaining active after employee departures. Administrative overhead increases but reduces attack surface from accumulated privileges and stale accounts.
Sources:
attack.mitre.org