
What is an Identity-Based Attack?

Identity-based attacks abuse legitimate identities, credentials, sessions, or trust relationships rather than exploiting software vulnerabilities. Learn the most common types and how to defend against them.


Definition

An identity-based attack is an attack that abuses identities, credentials, sessions, tokens, or trust relationships to gain access, escalate privilege, move laterally, persist, or destroy data — instead of (or in addition to) exploiting a software vulnerability.

Once an attacker controls a legitimate identity, they often look like a normal user or service to traditional defenses. That's why identity-based attacks have become the dominant pattern in modern breaches.

Several MITRE ATT&CK tactics (Initial Access, Credential Access, Privilege Escalation, Defense Evasion, Persistence, Lateral Movement) are populated largely by identity techniques: valid accounts, credential dumping, ticket and token abuse, and account manipulation.


Why Identity Attacks Dominate Today

  • Cloud and SaaS expanded the identity surface.
  • Phishing, infostealers, and credential dumps fuel an enormous credential market.
  • MFA bypass techniques (push fatigue, AiTM phishing, token theft) have matured.
  • Service accounts, OAuth apps, and AI agents add many more abusable identities.
  • Identity-based actions look "normal" in logs, evading classic detections.

The Verizon DBIR has consistently ranked stolen credentials and social engineering as top initial-access vectors. CISA repeatedly warns about identity abuse in nation-state and ransomware activity.


Major Categories of Identity-Based Attacks

1. Credential Theft

Stealing usernames and passwords (or hashes, tokens, certificates).

Techniques:

  • Phishing
  • Infostealer malware
  • Keylogging
  • Credential dump reuse
  • Password spraying
  • Brute force
  • OS credential dumping (LSASS, SAM, NTDS.dit)
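Two of the techniques above, password spraying and brute force, are distinguishable in authentication logs by their shape: a spray touches many accounts a few times each (staying under lockout thresholds), while brute force hammers one account. The following detector is an added example written for this page, not code from Forestall; the log format, thresholds, IP addresses and account names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real log data): (timestamp, source IP, account, outcome).
BASE = datetime(2024, 5, 1, 9, 0, 0)

def _at(seconds):
    return (BASE + timedelta(seconds=seconds)).isoformat()

SAMPLE_EVENTS = (
    # Spray pattern: one source, six different accounts, one failure each.
    [(_at(i * 20), "203.0.113.7", f"user{i}", "fail") for i in range(6)]
    # Brute-force pattern: one source, one account, twelve failures in under a minute.
    + [(_at(300 + i * 5), "198.51.100.9", "admin", "fail") for i in range(12)]
    # Benign: a user mistypes twice, then signs in.
    + [(_at(10), "192.0.2.5", "alice", "fail"),
       (_at(40), "192.0.2.5", "alice", "fail"),
       (_at(60), "192.0.2.5", "alice", "success")]
)

def detect_credential_attacks(events, window=timedelta(minutes=10),
                              spray_min_accounts=5, spray_max_per_account=3,
                              brute_min_failures=10):
    """Return {finding_key: count} for password-spray and brute-force patterns.

    Finding keys: ("password_spray", ip) -> distinct accounts targeted,
                  ("brute_force", ip, account) -> failures against that account.
    Thresholds are illustrative assumptions; tune them to your environment.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "fail":
            failures_by_ip[ip].append((datetime.fromisoformat(ts), account))

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        # Slide a time window over this source's failures.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in fails[start:end + 1]:
                per_account[account] += 1
            # Spray: many accounts, each touched only a few times (stays under lockout).
            if (len(per_account) >= spray_min_accounts
                    and max(per_account.values()) <= spray_max_per_account):
                key = ("password_spray", ip)
                findings[key] = max(findings.get(key, 0), len(per_account))
            # Brute force: one account hammered repeatedly.
            for account, n in per_account.items():
                if n >= brute_min_failures:
                    key = ("brute_force", ip, account)
                    findings[key] = max(findings.get(key, 0), n)
    return findings

if __name__ == "__main__":
    for key, count in detect_credential_attacks(SAMPLE_EVENTS).items():
        print(key, count)
```

The spray rule deliberately requires a low per-account failure count: a spray that trips the brute-force rule would already be caught by lockout, so the two conditions cover complementary cases.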

2. MFA Bypass

Defeating second factors.

Techniques:

  • MFA fatigue (push bombing)
  • Adversary-in-the-middle (AiTM) phishing kits (e.g., Evilginx)
  • Session/cookie theft
  • SIM swap (SMS MFA)
  • Authenticator seed theft
  • Help desk social engineering for MFA reset
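MFA fatigue leaves a distinctive trace in push-notification logs: a burst of denied or unanswered prompts, sometimes followed by an approval once the user gives in. The sliding-window detector below is an added example for this page (not Forestall's code); the log layout, user names, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 9, 0, 0)

def _at(seconds):
    return BASE + timedelta(seconds=seconds)

# Constructed push-MFA challenge log (not real data): (time, user, result).
SAMPLE_PUSHES = (
    # Six challenges in three minutes that the user denied, then one that was approved.
    [(_at(i * 30), "carol", "denied") for i in range(6)]
    + [(_at(200), "carol", "approved")]
    # Normal usage: occasional approvals, a single denial hours apart.
    + [(_at(0), "dave", "approved"),
       (_at(3600), "dave", "denied"),
       (_at(7200), "dave", "approved")]
)

def detect_mfa_fatigue(pushes, window=timedelta(minutes=10), threshold=5):
    """Return {user: verdict}.

    'fatigue'               -> threshold or more denied/unanswered pushes inside the window.
    'fatigue_then_approved' -> an approval arrived while such a burst was still in the window,
                               the signature of a user giving in to push bombing.
    Window and threshold are illustrative assumptions.
    """
    verdicts = {}
    recent = defaultdict(deque)  # per user: times of denied/unanswered pushes in the window
    for ts, user, result in sorted(pushes):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()           # drop prompts that fell out of the window
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                verdicts.setdefault(user, "fatigue")
        elif result == "approved" and len(q) >= threshold:
            verdicts[user] = "fatigue_then_approved"
    return verdicts

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_PUSHES))
```

The `fatigue_then_approved` verdict is the one worth paging on: the session created by that approval should be revoked and the user contacted out of band.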

3. Token and Session Theft

Stealing live session tokens or OAuth access/refresh tokens to bypass authentication entirely.

Techniques:

  • Browser cookie theft (infostealers)
  • OAuth token interception
  • Cloud session token replay
  • SAML token forging (e.g., Golden SAML)
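A stolen session token is used by a different client than the one that created it, which is the signal a defender can look for: a change of client fingerprint on the same session, and use from two locations too far apart for the elapsed time (impossible travel). The detector below is an added example for this page, not Forestall's code; the event layout, session ids, IPs, user agents and coordinates are constructed assumptions, and the 900 km/h ceiling is an illustrative airline-speed bound.

```python
import math
from datetime import datetime, timedelta

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

BASE = datetime(2024, 5, 1, 9, 0, 0)

# Constructed session-use log (not real data):
# (time, session id, user, client IP, user agent, (lat, lon) from IP geolocation)
SAMPLE_SESSION_EVENTS = [
    (BASE, "sess-A", "erin", "198.51.100.20", "Firefox/125", (48.86, 2.35)),        # Paris
    (BASE + timedelta(minutes=15), "sess-A", "erin", "203.0.113.44",
     "python-requests/2.31", (40.71, -74.01)),                                         # New York
    (BASE, "sess-B", "frank", "192.0.2.10", "Chrome/124", (51.51, -0.13)),            # London
    (BASE + timedelta(hours=2), "sess-B", "frank", "192.0.2.11", "Chrome/124",
     (51.50, -0.12)),                                                                  # London, new IP
]

def detect_session_anomalies(events, max_speed_kmh=900):
    """Return a list of (finding, session id, user) tuples.

    Each use of a session token is compared with the previous use of the same token:
    a changed user agent suggests the token is being replayed by another client, and a
    distance/time ratio above airline speed is 'impossible travel'. An IP change alone
    is reported at low severity, since mobile clients roam between networks.
    """
    last_use = {}
    findings = []
    for ts, sid, user, ip, ua, geo in sorted(events, key=lambda e: e[0]):
        if sid in last_use:
            prev_ts, prev_ip, prev_ua, prev_geo = last_use[sid]
            if ua != prev_ua:
                findings.append(("client_fingerprint_changed", sid, user))
            elif ip != prev_ip:
                findings.append(("ip_changed", sid, user))
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and haversine_km(prev_geo, geo) / hours > max_speed_kmh:
                findings.append(("impossible_travel", sid, user))
        last_use[sid] = (ts, ip, ua, geo)
    return findings

if __name__ == "__main__":
    for finding in detect_session_anomalies(SAMPLE_SESSION_EVENTS):
        print(finding)
```

Note the asymmetry: `sess-B` changes IP within the same city and gets only a low-severity note, while `sess-A` both changes its user agent to a scripting client and crosses an ocean in fifteen minutes, which is the replay pattern worth revoking the session for.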

4. Privilege Escalation

Going from a normal account to a privileged one.

Techniques:

  • Abusing misconfigurations (overprivileged groups, ACL weaknesses)
  • Kerberoasting and AS-REP roasting
  • DCSync
  • AD CS abuse (ESC1–ESC15)
  • Cloud role chaining (AssumeRole, impersonation)
  • Group membership abuse (nested groups, AdminSDHolder bypass)

5. Lateral Movement

Moving across systems using legitimate identity.

Techniques:

  • Pass-the-Hash
  • Pass-the-Ticket
  • Overpass-the-Hash
  • RDP / SSH with stolen credentials
  • WMI / PsExec / WinRM with valid credentials
  • Cloud cross-account role assumption

6. Persistence via Identity

Staying in the environment by planting identity backdoors.

Techniques:

  • Golden / Silver Ticket
  • Skeleton key
  • Adding backdoor users to privileged groups
  • Creating malicious OAuth apps with high scopes
  • Federation trust manipulation
  • Creating long-lived API keys or service accounts

7. OAuth Consent Abuse

Tricking users or admins into granting scopes to attacker-controlled apps.

Techniques:

  • Consent phishing (illicit consent grants)
  • Malicious OAuth apps with Mail.ReadWrite.All, Files.ReadWrite.All
  • Abusing legitimate apps via overly broad scopes
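Consent abuse is best addressed at the policy layer: route any request for high-risk scopes, from an unverified publisher, or on behalf of the whole tenant to an administrator, and periodically review the apps that already hold broad scopes. The policy evaluator and inventory review below are an added example for this page, not Forestall's code and not a vendor API. The `HIGH_RISK_SCOPES` set mixes the two permissions named above with a few other real Microsoft Graph permission names, but which scopes count as high risk is a policy assumption; the app names, grants and idle-day figures are constructed.

```python
from dataclasses import dataclass

# Permissions treated as high risk here: each grants broad read/write access to mail,
# files or the directory. This is an illustrative policy choice, not a complete list.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite.All", "Mail.Read", "Files.ReadWrite.All", "Directory.ReadWrite.All",
}

@dataclass
class ConsentRequest:
    app_name: str
    publisher_verified: bool
    requested_scopes: set
    tenant_wide: bool   # admin consent on behalf of all users vs. one user's own consent

def evaluate_consent(req):
    """Return (decision, reasons).

    Only low-risk scopes, from a verified publisher, for the requesting user alone are
    allowed without an administrator; everything else is blocked for user consent and
    routed to admin approval.
    """
    reasons = []
    risky = req.requested_scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if not req.publisher_verified:
        reasons.append("publisher not verified")
    if req.tenant_wide:
        reasons.append("tenant-wide grant")
    return ("allow", reasons) if not reasons else ("require_admin_approval", reasons)

def review_app_inventory(grants, stale_days=90):
    """grants: iterable of (app_name, scopes, days_since_last_use, owner_or_None).

    Returns the names of apps holding high-risk scopes that have no accountable owner
    or have not been used recently, i.e. the ones to remove or re-scope first.
    """
    flagged = []
    for app, scopes, idle_days, owner in grants:
        if set(scopes) & HIGH_RISK_SCOPES and (owner is None or idle_days > stale_days):
            flagged.append(app)
    return flagged

# Constructed sample requests and an existing-grant inventory (not real tenant data).
PHISHING_STYLE_REQUEST = ConsentRequest(
    "Invoice Viewer", publisher_verified=False,
    requested_scopes={"Mail.ReadWrite.All", "offline_access"}, tenant_wide=False)
BENIGN_REQUEST = ConsentRequest(
    "Team Calendar", publisher_verified=True,
    requested_scopes={"User.Read", "Calendars.Read"}, tenant_wide=False)
SAMPLE_GRANTS = [
    ("Legacy Mailer", ["Mail.ReadWrite.All"], 200, "it-ops"),   # owned, but unused for 200 days
    ("Bulk Export", ["Files.ReadWrite.All"], 3, None),           # in use, nobody owns it
    ("HR Portal", ["User.Read"], 1, None),                       # low-risk scope, no review needed
]

if __name__ == "__main__":
    print(evaluate_consent(PHISHING_STYLE_REQUEST))
    print(evaluate_consent(BENIGN_REQUEST))
    print(review_app_inventory(SAMPLE_GRANTS))
```

The `offline_access` scope in the phishing-style request is the one that makes consent grants durable: it yields a refresh token, so the grant outlives any password change until it is revoked.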

8. Federation and Trust Abuse

Exploiting trust between identity systems.

Techniques:

  • Golden SAML
  • Federation trust modification
  • Cross-tenant trust abuse
  • AD trust relationship exploitation

9. AI Agent and Bot Abuse

Manipulating non-human identities to perform unintended actions.

Techniques:

  • Prompt injection that triggers tool calls
  • Stolen agent credentials
  • Excessive scope abuse
  • Agent impersonation

Real-World Examples

Example 1: MGM Resorts (2023)

Attackers social-engineered a help desk to reset MFA for a privileged user, then escalated to broad domain and cloud access — leading to massive operational disruption.

Example 2: Microsoft Midnight Blizzard (2024)

Russian-state actors (APT29) gained access via password spraying on a legacy account without MFA, then abused OAuth permissions to access executive mailboxes.

Example 3: Okta Support Sessions (2023)

Attackers used stolen session tokens from a third-party support tool to access multiple customer tenants.

Example 4: Snowflake Customer Breaches (2024)

Credentials harvested by infostealers from non-corporate devices were used against customer Snowflake tenants that didn't require MFA.

Example 5: SolarWinds (2020)

Attackers used Golden SAML and federation trust abuse to move from on-premises AD into multiple cloud tenants.

Example 6: Kerberoasting in Practice

An attacker with any domain user account requests service tickets for accounts with SPNs, then cracks the tickets offline to obtain service account passwords — a common precursor to lateral movement and privilege escalation.
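Because every domain user can request service tickets, the defensive signal is not the request itself but its shape: one account asking for RC4-encrypted tickets for many distinct service principals in a short window. The same log stream (event 4768) exposes AS-REP roasting candidates as TGTs issued without pre-authentication. The detector below covers both and is an added example for this page, not Forestall's code; the dictionary field names are simplified stand-ins for Windows Security event fields, and the accounts, service names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; the classic Kerberoasting request
BASE = datetime(2024, 5, 1, 10, 0, 0)

def _at(seconds):
    return BASE + timedelta(seconds=seconds)

# Constructed events with simplified field names modelled on Security log events
# 4769 (service ticket request) and 4768 (TGT request). Not real log data.
SAMPLE_EVENTS = (
    # One user requests RC4 service tickets for six different SPN accounts in twelve seconds.
    [{"id": 4769, "time": _at(i * 2), "account": "jdoe", "service": svc,
      "etype": RC4_HMAC, "client": "10.0.0.23"}
     for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup",
                              "svc_ci", "svc_reports", "svc_print"])]
    # Normal: a workstation gets an AES ticket for another computer account.
    + [{"id": 4769, "time": _at(500), "account": "WS01$", "service": "WS02$",
        "etype": "0x12", "client": "10.0.0.5"}]
    # A TGT issued with pre-authentication disabled (PreAuthType 0): AS-REP roasting candidate.
    + [{"id": 4768, "time": _at(900), "account": "legacy_app", "preauth_type": 0,
        "client": "10.0.0.23"},
       {"id": 4768, "time": _at(905), "account": "jdoe", "preauth_type": 2,
        "client": "10.0.0.23"}]
)

def detect_roasting(events, window=timedelta(minutes=5), min_services=5):
    """Return a list of findings.

    ("kerberoasting", account, distinct_services): one account requested RC4 tickets for
        min_services or more distinct non-computer SPNs inside the window.
    ("asrep_roast_candidate", account, client): a TGT was issued without pre-authentication.
    Thresholds are illustrative assumptions. AES-only ticket requests are ignored here to
    keep the classic signal sharp; baseline them separately if your tooling sees them.
    """
    findings = []
    tgs_requests = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4769:
            # Computer accounts (names ending in $) have long random passwords and krbtgt
            # is never roasted, so neither is a useful target; skip them.
            if (ev["etype"] != RC4_HMAC or ev["service"].endswith("$")
                    or ev["service"].lower() == "krbtgt"):
                continue
            tgs_requests[ev["account"]].append((ev["time"], ev["service"]))
        elif ev["id"] == 4768 and ev.get("preauth_type") == 0:
            findings.append(("asrep_roast_candidate", ev["account"], ev["client"]))

    for account, reqs in tgs_requests.items():
        best, start = 0, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            best = max(best, len({svc for _, svc in reqs[start:end + 1]}))
        if best >= min_services:
            findings.append(("kerberoasting", account, best))
    return findings

if __name__ == "__main__":
    for finding in detect_roasting(SAMPLE_EVENTS):
        print(finding)
```

The complementary preventive control is to give SPN-bearing accounts long random passwords (group managed service accounts where possible) and to enable pre-authentication on every account, which turns both findings into noise.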


Why Identity Attacks Are So Effective

  • They blend in. Legitimate credentials produce legitimate-looking activity.
  • They scale. One IdP compromise can reach many apps.
  • They bypass network controls. Tokens and sessions work from anywhere.
  • They reuse infrastructure. Standard tools (RDP, SSH, kubectl, AWS CLI, M365) become attack tools.
  • They exploit complexity. Hidden privilege paths give many escalation options.

Defenses That Actually Work

Strong, Phishing-Resistant Authentication

  • FIDO2 / passkeys for users and admins.
  • Block legacy protocols.
  • Eliminate SMS-only MFA where possible.

Zero Standing Privilege

  • JIT elevation (PIM/PAM) for admin actions.
  • Tiered admin model.
  • Approval workflows for sensitive actions.
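Zero standing privilege means an admin is eligible for a role but holds it only during a time-boxed activation, with an approval step for the most sensitive tiers. The small broker below models those three bullets together and is an added example for this page, not Forestall's code and not any vendor's PIM/PAM API; the role names, tiers, durations and users are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Role:
    name: str
    tier: int                  # 0 = identity control plane (DCs, IdP); higher = less sensitive
    max_duration: timedelta
    requires_approval: bool

@dataclass
class Grant:
    user: str
    role: str
    expires: datetime

class JitBroker:
    """Eligibility is standing; membership is not. A role is held only while an
    unexpired, approved activation exists."""

    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.eligible = defaultdict(set)   # user -> roles the user may activate
        self.pending = {}                  # (user, role) -> (duration, justification)
        self.active = []
        self.audit = []                    # every request and approval is recorded

    def make_eligible(self, user, role):
        self.eligible[user].add(role)

    def request(self, user, role, duration, now, justification):
        r = self.roles[role]
        if role not in self.eligible[user]:
            raise PermissionError(f"{user} is not eligible for {role}")
        if duration > r.max_duration:
            raise ValueError(f"{role} activations are capped at {r.max_duration}")
        self.audit.append((now, "request", user, role, justification))
        if r.requires_approval:
            self.pending[(user, role)] = (duration, justification)
            return "pending"
        return self._activate(user, role, duration, now)

    def approve(self, approver, user, role, now):
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        duration, _ = self.pending.pop((user, role))
        self.audit.append((now, "approve", approver, role, user))
        return self._activate(user, role, duration, now)

    def _activate(self, user, role, duration, now):
        self.active.append(Grant(user, role, now + duration))
        return "active"

    def has_role(self, user, role, now):
        self.active = [g for g in self.active if g.expires > now]   # expire lazily
        return any(g.user == user and g.role == role for g in self.active)

# Constructed role catalog (assumed names, not from any product).
CATALOG = [
    Role("Helpdesk-Admin", tier=2, max_duration=timedelta(hours=4), requires_approval=False),
    Role("Domain-Admin", tier=0, max_duration=timedelta(hours=1), requires_approval=True),
]

def demo():
    """Constructed walk-through; returns the observations as a dict."""
    t0 = datetime(2024, 5, 1, 9, 0)
    b = JitBroker(CATALOG)
    b.make_eligible("alice", "Helpdesk-Admin")
    b.make_eligible("alice", "Domain-Admin")
    out = {"before": b.has_role("alice", "Helpdesk-Admin", t0)}
    out["helpdesk"] = b.request("alice", "Helpdesk-Admin", timedelta(hours=2), t0, "ticket 123")
    out["helpdesk_1h"] = b.has_role("alice", "Helpdesk-Admin", t0 + timedelta(hours=1))
    out["helpdesk_3h"] = b.has_role("alice", "Helpdesk-Admin", t0 + timedelta(hours=3))
    out["da_request"] = b.request("alice", "Domain-Admin", timedelta(minutes=30), t0, "DC patching")
    out["da_pending"] = b.has_role("alice", "Domain-Admin", t0)
    try:
        b.approve("alice", "alice", "Domain-Admin", t0)
        out["self_approve"] = "allowed"
    except PermissionError:
        out["self_approve"] = "blocked"
    out["da_approved"] = b.approve("bob", "alice", "Domain-Admin", t0 + timedelta(minutes=5))
    out["da_20m"] = b.has_role("alice", "Domain-Admin", t0 + timedelta(minutes=20))
    out["da_1h"] = b.has_role("alice", "Domain-Admin", t0 + timedelta(hours=1))
    try:
        b.request("alice", "Domain-Admin", timedelta(hours=2), t0, "too long")
        out["over_cap"] = "allowed"
    except ValueError:
        out["over_cap"] = "blocked"
    return out

if __name__ == "__main__":
    print(demo())
```

The point of the model is that `has_role` consults only live grants: a compromised admin account with no active elevation carries no privilege, which is what removes the "logon as Domain Admin at 3 a.m." option from an attacker holding stolen credentials.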

Token and Session Hardening

  • Short-lived sessions for sensitive apps.
  • Token binding to device where supported.
  • Continuous re-evaluation (CAEP / continuous access evaluation).
  • Reduce session lifetimes for privileged identities.
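The four controls above combine into a single decision each time a session is presented: is it past its absolute lifetime, past its idle timeout, coming from the device it was bound to, and still unrevoked according to the latest continuous-evaluation signal? The validator below is an added example for this page, not Forestall's code and not a particular IdP's implementation; the lifetimes, idle timeouts, device ids and revocation events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    device_id: str       # device the session was bound to at sign-in
    privileged: bool

# (absolute lifetime, idle timeout): shorter windows for privileged identities. Illustrative values.
POLICY = {
    "standard":   (timedelta(hours=8), timedelta(hours=1)),
    "privileged": (timedelta(hours=1), timedelta(minutes=15)),
}

def evaluate_session(session, now, presented_device_id, revocations):
    """Decide whether a presented session is still valid.

    revocations maps user -> time of the latest 'revoke sessions' signal, the kind of event
    a continuous access evaluation feed delivers (password reset, risky sign-in, disable).
    Returns (accepted, reason); an accepted session has its last_seen refreshed.
    """
    lifetime, idle = POLICY["privileged" if session.privileged else "standard"]
    if now - session.issued_at > lifetime:
        return False, "absolute lifetime exceeded"
    if now - session.last_seen > idle:
        return False, "idle timeout"
    if presented_device_id != session.device_id:
        return False, "device binding mismatch"
    revoked_at = revocations.get(session.user)
    if revoked_at is not None and revoked_at > session.issued_at:
        return False, "revoked by continuous access evaluation"
    session.last_seen = now
    return True, "ok"

T0 = datetime(2024, 5, 1, 9, 0, 0)

def fresh_session(privileged):
    """Constructed session for the user 'grace', issued and last seen at T0 on device dev-1."""
    return Session("grace", T0, T0, "dev-1", privileged)

def demo():
    """Constructed scenarios; returns the decisions in order."""
    ten_min, thirty_min = timedelta(minutes=10), timedelta(minutes=30)
    return [
        evaluate_session(fresh_session(True), T0 + ten_min, "dev-1", {}),
        evaluate_session(fresh_session(True), T0 + thirty_min, "dev-1", {}),     # privileged idle limit
        evaluate_session(fresh_session(False), T0 + thirty_min, "dev-1", {}),    # standard idle limit is longer
        evaluate_session(fresh_session(True), T0 + ten_min, "dev-9", {}),        # token moved to another device
        evaluate_session(fresh_session(True), T0 + ten_min, "dev-1",
                         {"grace": T0 + timedelta(minutes=5)}),                  # revoked after issue
        evaluate_session(fresh_session(False), T0 + ten_min, "dev-1",
                         {"grace": T0 - timedelta(hours=1)}),                    # old revocation, before issue
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The ordering of the checks matters for logging more than for the decision: a lifetime or idle failure is routine, whereas a device-binding mismatch on an otherwise live session is the token-theft case and deserves an alert rather than a silent re-authentication prompt.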

Privilege and Path Reduction

  • Right-size service accounts and roles.
  • Map and break attack paths to Tier 0.
  • Remove standing membership in privileged groups.

Hardening Identity Infrastructure

  • Protect domain controllers and IdPs as Tier 0.
  • Monitor changes to federation trust, AD CS, sync configurations.
  • Rotate KRBTGT regularly; alert on anomalies.

Detection and Response (ITDR)

  • Detect Kerberoasting, DCSync, AS-REP roasting, abnormal Golden Ticket / Silver Ticket use.
  • Alert on impossible travel, MFA fatigue, new device, mass downloads, unusual admin activations.
  • Detect malicious OAuth consent and unusual app token use.
  • Block user consent for high-risk scopes.
  • Require admin approval for tenant-wide grants.
  • Inventory and review enterprise apps.

Service Account and AI Agent Discipline

  • Inventory, ownership, scoping, vaulting, rotation.
  • For AI agents: tight tool scopes, human-in-the-loop, full action logging.

Identity Attack Defense Checklist

  • Phishing-resistant MFA on every identity (including admins, service, break-glass)?
  • Standing privilege eliminated for human admins?
  • Privileged sessions brokered, recorded, and time-bound?
  • Service accounts inventoried and right-sized?
  • Attack paths to Tier 0 mapped and continuously reduced?
  • Identity logs sent to SIEM with high-quality detections?
  • OAuth consent governed and monitored?
  • Federation and AD CS protected and monitored?
  • Continuous access evaluation enabled where supported?
  • AI agents under identity governance?

How Forestall Helps

Identity attacks succeed by chaining small weaknesses into large outcomes. Forestall makes those chains visible before attackers find them:

  • Maps all identity relationships across AD, Entra ID, AWS, GCP, and SaaS.
  • Surfaces privilege paths attackers could exploit (Kerberoast → DCSync, OAuth abuse → mass mailbox read, service account → Domain Admin).
  • Prioritizes choke points — fixes that close many paths at once.
  • Tracks posture improvements over time.

Combined with ITDR for detection, this gives defenders both prevention and response coverage for identity-based attacks.


Frequently Asked Questions

What is the most common identity-based attack?

Phishing for credentials remains #1, followed by MFA fatigue/AiTM phishing and infostealer-driven credential reuse.

Does MFA stop identity attacks?

Phishing-resistant MFA stops most credential-based attacks, but token theft, session replay, and consent abuse can still succeed without additional controls.

Are identity attacks only against humans?

No. Service accounts, OAuth apps, and AI agents are increasingly targeted because they often have broader access and weaker monitoring.

What's the relationship between identity attacks and ransomware?

Most ransomware attacks rely on identity abuse for initial access, lateral movement, and privilege escalation. Strong identity security significantly reduces ransomware impact.

How does attack path analysis help?

It surfaces the chains attackers will use, letting defenders break them in advance instead of discovering them during incident response.


Conclusion

Modern attackers prefer identities over exploits. They are easier to obtain, harder to detect, and more powerful once acquired. Defending against identity-based attacks requires more than MFA: it requires strong authentication, zero standing privilege, careful governance of OAuth and federation, hardened identity infrastructure, identity-focused detections, and continuous attack path reduction.

Organizations that treat identity as their primary attack surface — and defend it accordingly — make themselves dramatically harder targets.
