
Identity-Based Attacks: The Evolution from Social Engineering to Zero Trust Attack Vectors

Identity-based attacks have emerged as the dominant threat vector in modern cybersecurity.

Authored by Shawn Chakravarty

Identity-based attacks have emerged as the dominant threat vector in modern cybersecurity, accounting for 60% of cyber incidents in 2024. What began as simple password compromises and social engineering has evolved into sophisticated campaigns targeting the very foundation of organizational security: digital identity.

In the past year alone, 90% of organizations experienced at least one identity-related incident, and 37% of surveyed organizations reported that stolen credentials resulted in a breach, making poorly managed credentials the second-leading cause of breaches in 2024.

This blog examines the intersection of identity attacks with Zero Trust architectures, and the emerging threats that organizations face today. As traditional perimeter-based security models collapse under the weight of cloud adoption and remote work, attackers have adapted their techniques to exploit the new reality: machine identities now outnumber human identities 82:1, with AI projected to be the largest creator of new privileged identities and sensitive access by 2025.

Modern Sophistication: AI and Advanced Persistent Threats

Today's identity-based attacks demonstrate unprecedented sophistication. According to CrowdStrike, 79% of cyber intrusions in 2024 were malware-free, as attackers increasingly leveraged legitimate remote management and monitoring tools to bypass traditional security measures.

The modern threat landscape includes:

  • AI-enhanced social engineering and deepfake attacks
  • Supply chain compromises targeting identity providers
  • Living-off-the-land techniques using legitimate tools
  • Sophisticated persistent access through identity impersonation

2024 also saw an unprecedented rise in infostealers, which played a huge role in attacks on Snowflake customers, where 80% of the accounts were targeted using credentials found in infostealer infections.

Zero Trust as a Response to Identity Vulnerabilities

Zero Trust emerged as a security model based on the principle "never trust, always verify." It recognizes that traditional network security models trust anyone and anything inside the network, while Zero Trust architecture assumes no user, device, or application should be trusted by default.

This model was developed to address the reality that threats can come from anywhere—both outside and inside the network perimeter.

Identity as the New Attack Vector in Zero Trust Environments

Not surprisingly, while Zero Trust was designed to mitigate identity-based risks, it has also created new attack vectors:

Identity-Based Segmentation Vulnerabilities

Identity-based segmentation provides flexible and effective access control, as it is tied directly to the identity of the user or device rather than static network boundaries. However, this creates new opportunities for attackers who successfully compromise identities to move laterally across supposedly segmented environments.

Policy Drift and Configuration Issues

As organizations adapt to changing business needs and well-intentioned exceptions to security policies pile up like digital debt, policy drift occurs. These incremental compromises create vulnerabilities that attackers love to exploit.

Supply Chain Identity Dependencies

Zero Trust implementations often rely on multiple identity providers and cloud services, creating complex webs of trust relationships that attackers can exploit through supply chain attacks.

The Continuous Evolution Challenge

Zero Trust isn't a project with a completion date—it's a continuous cycle. The "never trust, always verify" principle demands constant vigilance because the threats constantly change, technology stacks evolve, and organizations never stop shifting and growing.

This continuous evolution also means that attackers are constantly probing for new weaknesses in identity implementations, making Zero Trust a moving target for both defenders and attackers.

Nation-State Actors Leading Identity Attacks

Several Advanced Persistent Threat (APT) groups have made identity attacks their primary focus:

Chinese State-Sponsored Groups

  • Salt Typhoon: A Chinese state-sponsored APT active since 2020, linked to China's Ministry of State Security.
  • Flax Typhoon (also known as Ethereal Panda, Storm-0919, UNC5007, and Red Juliet): Specializes in cyber espionage and data theft, primarily targeting Taiwanese government, academic, and defense entities.

Russian APT Activity

Russian state-sponsored APT groups have shifted from destructive wiper malware to spear-phishing campaigns. The Ukrainian Computer Emergency Response Team (CERT) responded to over 1,700 phishing attacks in 2023, including malware distribution, credential harvesting, and extortion.

North Korean Operations

North Korea-aligned groups such as DeceptiveDevelopment expanded their financially motivated attacks, significantly broadening their targeting through fake job listings, primarily within the cryptocurrency, blockchain, and finance sectors.

Attack Techniques and Tools

Modern APT groups employ sophisticated techniques:

  • Vishing (Voice Phishing): Vishing surged more than fivefold in 2024, replacing traditional phishing as a primary method of initial access.
  • Help Desk Impersonation: Adversaries pose as IT staff to persuade employees to reset passwords or bypass multi-factor authentication (MFA).
  • Access Broker Operations: Access broker advertisements, where attackers sell stolen credentials, rose 50% throughout 2024.

Emerging AI-Enhanced Threats

Adversaries like FAMOUS CHOLLIMA now use generative AI to supercharge insider threats and social engineering. This represents a fundamental shift in the threat landscape where AI tools democratize sophisticated attack techniques.

The Change Healthcare Breach

The Change Healthcare incident represents one of the most devastating identity-based attacks in healthcare history. The ALPHV/BlackCat ransomware group gained access through compromised credentials, then moved laterally through the network. The attack paralyzed operations for over 67,000 pharmacies and affected more than 100 million individuals.

Key Identity Failures:

  • Insufficient MFA coverage
  • Excessive privileged access allowing lateral movement
  • Inadequate monitoring of identity-based anomalies

The Snowflake Ecosystem Breach

The Snowflake breach exemplifies the new reality of interconnected cloud ecosystems. Threat actors used Lumma Stealer, a credential-stealing malware, to compromise a Snowflake sales engineer's account. This single compromise led to data exposure for major organizations such as Santander Bank and Ticketmaster.

Affected Organizations and Impact:

  • AT&T: Access to subscriber call and text records over six months in 2022
  • Ticketmaster: Exposure of information on more than 500 million customers, including partial credit card data
  • Santander Bank: Customer data breaches in Chile, Spain, and Uruguay
  • Overall Impact: At least 160 organizations were affected through vulnerabilities in how their Snowflake environments were configured and accessed

Root Cause: Security investigations revealed that the attackers accessed customer environments using stolen credentials obtained via infostealer malware, often on accounts lacking MFA protection. This allowed attackers to log in directly to Snowflake instances.

ARUP's $25 Million Deepfake Scam

ARUP's $25 Million Deepfake Scam demonstrated the evolution of identity attacks into the physical realm. Cybercriminals used sophisticated deepfake video calls to impersonate executives and authorize fraudulent financial transactions. This attack highlights how identity verification must now account for AI-generated impersonation.

Multi-Factor Authentication: Evolution and Limitations

MFA remains a critical defense, but its implementation varies significantly in effectiveness:

Traditional MFA Approaches:

  • SMS-based authentication (decreasing in security value)
  • App-based time-based one-time password (TOTP) tokens
  • Hardware security keys
  • Biometric authentication

SMS MFA Vulnerabilities: The cybersecurity community has increasingly recognized the weaknesses in SMS-based MFA. In December 2024, the FBI and CISA advised Americans to avoid SMS codes for MFA. The CISA Mobile Communications Best Practices Guidance states bluntly: "Do not use SMS as a second factor for authentication."

Specific SMS Risks:

  • Messages are unencrypted and can be intercepted
  • Susceptible to SIM swapping attacks where attackers convince phone providers to transfer phone numbers
  • Exploitable SS7 protocol vulnerabilities allowing hackers to intercept and redirect SMS messages
  • Deprecated by the National Institute of Standards and Technology (NIST) since 2016

Recommended Alternatives:

  • Fast Identity Online (FIDO): Uses the strongest form of MFA and is effective against MFA bypass techniques
  • Passkeys: Seamless and highly secure login experience, stored securely on a user's device and synced across trusted ecosystems
  • Authenticator Applications: TOTPs or one-time passcodes (OTPs), which refresh every 30 seconds

Identity Security Posture Management (ISPM): The Emerging Standard

ISPM represents the next evolution in identity security, moving beyond traditional identity and access management (IAM) to continuous monitoring and risk assessment.

ISPM strengthens and maintains the security posture of an organization's identity infrastructure to prevent breaches. It involves monitoring and analyzing identities, access rights, and authentication processes across the entire ecosystem.

The ISPM market is projected to grow from $13.7 billion in 2024 to $33.1 billion by 2029, at a 19.3% Compound Annual Growth Rate (CAGR).

Core ISPM Capabilities:

  • Continuous monitoring and analysis of identity activity for anomalies
  • Identifying vulnerabilities and gaps, preventing accidental and overprivileged access, and ensuring access rights and permissions are properly managed
  • Automatically mapping relationships between identities, resources, and entitlements to detect risks like dormant accounts, shadow admins, and credential-stuffing attacks

Key Components:

  1. Identity Governance and Administration (IGA)
  2. Cloud Infrastructure Entitlement Management (CIEM)
  3. Privileged Access Management (PAM)
  4. Identity Threat Detection and Response (ITDR)

Advanced Identity Protection Technologies

Passwordless Authentication: Organizations are moving toward eliminating passwords entirely through technologies like:

  • Biometrics
  • FIDO2/WebAuthn standards
  • Certificate-based authentication
  • Smart cards and hardware tokens

Behavioral Analytics: Modern identity protection incorporates user and entity behavior analytics (UEBA) to detect anomalous access patterns that may indicate compromise.

Identity Threat Detection and Response (ITDR): Gartner defines ITDR as "a collection of tools and best practices to defend identity systems. ITDR tools can help protect identity systems, detect when they are compromised, and enable efficient remediation."

Common Identity Security Misconfigurations

Common misconfigurations include over-privileging accounts, improper identity lifecycle management, and failing to implement MFA correctly.

Specific Risk Areas:

  • Dormant or orphaned accounts
  • Excessive privileged access
  • Weak password policies
  • Insufficient monitoring of identity activity
  • Poor third-party identity management
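The Core ISPM Capabilities above and the risk areas listed here can be checked directly against an identity inventory. The following is an added example (not a SANS or vendor tool) that runs such checks over a constructed inventory; the role names, the 90-day dormancy threshold, and the rights treated as privilege-equivalent (the "shadow admin" case) are assumptions:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed role model for this illustration
PRIVILEGED = {"GlobalAdmin", "DomainAdmin", "SubscriptionOwner"}
PRIVILEGE_EQUIVALENT = {"PasswordReset", "RoleAssignment"}  # can become admin: shadow admins
DORMANT_DAYS = 90


@dataclass
class Identity:
    name: str
    kind: str                  # "human" or "service"
    owner: Optional[str]       # accountable person; None means orphaned
    roles: frozenset
    mfa: bool
    last_login: Optional[date]  # None means never signed in
    external: bool = False     # third-party or partner account


def assess(identities, today):
    """Return (identity, finding) pairs for the risk areas listed above."""
    findings = []
    for i in identities:
        admin = bool(i.roles & PRIVILEGED)
        shadow = not admin and bool(i.roles & PRIVILEGE_EQUIVALENT)
        if i.owner is None:
            findings.append((i.name, "orphaned"))
        if i.last_login is None or (today - i.last_login).days > DORMANT_DAYS:
            findings.append((i.name, "dormant"))
        if admin and not i.mfa:
            findings.append((i.name, "privileged-without-mfa"))
        if shadow:
            findings.append((i.name, "shadow-admin"))
        if i.kind == "service" and admin:
            findings.append((i.name, "overprivileged-service-account"))
        if i.external and (admin or shadow):
            findings.append((i.name, "third-party-privileged"))
    return findings


# Constructed inventory; names and dates are made up for the example
INVENTORY = [
    Identity("alice", "human", "alice", frozenset({"GlobalAdmin"}), True, date(2025, 3, 1)),
    Identity("bob", "human", None, frozenset({"User"}), True, date(2024, 11, 2)),
    Identity("helpdesk-svc", "service", "it-ops", frozenset({"PasswordReset"}), False, date(2025, 3, 2)),
    Identity("backup-svc", "service", "it-ops", frozenset({"DomainAdmin"}), False, date(2025, 3, 2)),
    Identity("vendor-x", "human", "procurement", frozenset({"RoleAssignment"}), True, None, external=True),
]
TODAY = date(2025, 3, 3)


def run_assessment():
    return assess(INVENTORY, TODAY)


if __name__ == "__main__":
    for name, finding in run_assessment():
        print(f"{name}: {finding}")
```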

Enterprise Implementation Strategy

Visibility First: The identity landscape spans cloud, on-premises, and hybrid environments. It is critical to have identity visibility into all users, accounts (human or service), access rights, and configurations (regardless of where they reside).

Risk-Based Approach: Organizations should prioritize identity protection based on risk assessment, focusing on:

  • High-privileged accounts
  • Critical system access
  • External-facing services
  • Third-party integrations

Continuous Monitoring: Given the dynamic nature of cyber threats and constant changes to IT infrastructures, organizations must continuously monitor and assess their identity security posture.

AI and Machine Learning Integration

The future of identity security will be heavily influenced by AI and machine learning (ML) technologies:

  • Predictive threat modeling based on behavioral patterns
  • Automated detection and response to identity threats
  • AI-enhanced authentication methods
  • Intelligent access governance frameworks

Machine Identity Management

With machine identities now outnumbering human identities 82:1, organizations must prepare for AI scalability challenges by adopting:

  • Automated machine identity lifecycle management
  • Certificate and key management at scale
  • Service-to-service authentication frameworks
  • Identity security for containers and microservices

Zero Trust Evolution

Zero Trust architectures will continue evolving to address identity challenges through:

  • Micro-segmentation based on identity
  • Continuous risk assessment and adaptive access
  • Integration of identity with network security
  • Policy automation and orchestration

Industry Consolidation and Standards

The identity security market is heading toward:

  • Consolidation of point solutions into comprehensive platforms
  • Standardization on FIDO2, WebAuthn, and other open standards
  • Integration with broader security orchestration platforms
  • Enhanced interoperability between identity providers

Recommendations for Modern Organizations

Immediate Actions

  1. Audit Current MFA Implementation: Eliminate SMS-based MFA and migrate to more secure alternatives.
  2. Implement ISPM Capabilities: Deploy tools for continuous identity posture monitoring.
  3. Establish Identity Governance: Create clear policies for identity lifecycle management.
  4. Enable Advanced Logging: Implement comprehensive identity activity monitoring.

Strategic Initiatives

  1. Develop a Zero Trust Identity Strategy: Move beyond perimeter-based security to identity-centric models.
  2. Invest in Employee Training: Focus on social engineering and phishing awareness.
  3. Enhance Third-Party Risk Management: Extend identity security requirements to suppliers and partners.
  4. Plan for Machine Identity Scale: Prepare for the exponential growth in non-human identities.

Long-Term Vision

Organizations should work toward a future state where:

  • Identity becomes a primary security control plane.
  • All access decisions are risk-based and continuously evaluated.
  • ML provides predictive threat detection.
  • Security becomes embedded into the identity experience, not layered on top.

Conclusion

Identity-based attacks have evolved from simple password theft to sophisticated campaigns that exploit the very foundation of digital trust. With 98% of organizations ranking identity protection as a top 10 priority, organizations must recognize that traditional approaches are insufficient for today's threat landscape.

The convergence of AI, cloud computing, and remote work has created both opportunities and challenges. While Zero Trust provides a framework for improvement, it also introduces new attack vectors that adversaries are already exploiting.

Success in this environment requires a fundamental shift from reactive defense to proactive identity security. Organizations must implement comprehensive ISPM strategies, move beyond vulnerable authentication methods like SMS MFA, and prepare for a future dominated by machine identities and AI-enhanced threats.

The cost of inaction is clear: 30 publicly disclosed breaches in 2024 resulted from identity-based initial access vectors, affecting hundreds of millions of customer records. Organizations that invest in modern identity security architecture today will be better positioned to defend against tomorrow's threats.

As we move forward, identity security is not just a technical requirement; it is a business imperative affecting every aspect of digital operations. Organizations that master identity security will not only survive but thrive in the digital age, while those that don't risk becoming the next cautionary tale in cybersecurity history.

As organizations confront the growing challenges of identity-based threats, effective cybersecurity leadership is more essential than ever. Building a resilient, identity-first strategy requires leaders who can align people, process, and technology within a Zero Trust framework. LDR512: Security Leadership Essentials for Managers helps professionals develop the insight and practical skills to lead these efforts—turning identity security from a vulnerability into a strength.