Full Report
While credential abuse is a primary initial access vector, identity compromise plays a key role in most stages of a cyber attack. Here’s what you need to know — and how Tenable can help.

Identity compromise plays a pivotal role in how attackers move laterally through an organization. Credential abuse is the top initial access vector, implicated in 22% of breaches, according to the 2025 Verizon Data Breach Investigations Report, followed closely by vulnerability exploitation (20%). But identity compromise doesn’t stop after initial access. It plays a key role in five stages of a cyber attack.

Understanding the following stages of an attack helps illuminate where identity becomes a threat vector:

1. Initial access
2. Reconnaissance
3. Lateral movement and privilege escalation
4. Persistence and detection evasion
5. Deployment

Below, we explore actions security teams can take to protect identities in each of these stages. While the guidance we share here is based on protecting on-premises Microsoft Active Directory environments, it’s worth considering how credential compromise can affect Microsoft Entra ID and hybrid identity infrastructure. We also discuss how Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, can be used at each stage to provide security teams with valuable insights to help them proactively reduce their exposure to cyber attacks.

## Stage 1: Initial access

Attackers need a foothold, and credential abuse enables them to get one. To prevent credentials from being abused by attackers, organizations need to proactively make sure their users have a strong password accompanied by two-factor (2FA) or multi-factor authentication (MFA). This is done by enforcing policies for password complexity, length, reuse and change frequency to which an organization’s users have to adhere.
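As an added example (not code from this post or from Tenable), the following PowerShell audits the controls this stage describes: it compares the default domain password policy and any fine-grained policies against minimum thresholds, then lists enabled accounts whose userAccountControl flags exempt them from the policy or store the password with reversible encryption, one way a password ends up effectively in cleartext. The threshold values are assumptions; set them to your own standard.

```powershell
# Added example, not from the Tenable post. Requires the ActiveDirectory RSAT
# module and read access to the domain. Threshold values are assumptions.
Import-Module ActiveDirectory

$MinLength  = 14    # assumed minimum password length
$MinHistory = 24    # assumed password history depth (reuse control)
$MaxAgeDays = 365   # assumed maximum password age (change frequency)

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

if (-not $policy.ComplexityEnabled)               { $findings += 'Complexity is disabled' }
if ($policy.MinPasswordLength -lt $MinLength)     { $findings += "MinPasswordLength $($policy.MinPasswordLength) < $MinLength" }
if ($policy.PasswordHistoryCount -lt $MinHistory) { $findings += "PasswordHistoryCount $($policy.PasswordHistoryCount) < $MinHistory" }
if ($policy.MaxPasswordAge.TotalDays -eq 0 -or $policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
    $findings += "MaxPasswordAge is unset or longer than $MaxAgeDays days"
}
if ($policy.ReversibleEncryptionEnabled)          { $findings += 'Reversible encryption is enabled domain-wide' }

# Fine-grained password policies (PSOs) override the default policy for the
# principals they apply to, so a weak PSO silently undoes the domain setting.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    if ($_.MinPasswordLength -lt $MinLength -or -not $_.ComplexityEnabled -or $_.ReversibleEncryptionEnabled) {
        $findings += "PSO '$($_.Name)' is weaker than the configured thresholds"
    }
}

# Per-account userAccountControl bits that undermine the policy:
#   0x0020  PASSWD_NOTREQD             - no password required at all
#   0x0080  ENCRYPTED_TEXT_PWD_ALLOWED - stored with reversible encryption
#   0x10000 DONT_EXPIRE_PASSWORD       - exempt from the change-frequency policy
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$flags = @{ 'PasswordNotRequired' = 0x20; 'ReversibleEncryption' = 0x80; 'PasswordNeverExpires' = 0x10000 }
foreach ($name in $flags.Keys) {
    $bit  = $flags[$name]
    $hits = Get-ADUser -LDAPFilter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=$bit))" |
            Where-Object { $_.Enabled } | Select-Object -ExpandProperty SamAccountName
    if ($hits) { $findings += "$name set on enabled accounts: $($hits -join ', ')" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else           { Write-Output 'No password policy weaknesses found against the configured thresholds' }
```

Run it from a host with RSAT as a user that can read the domain; accounts with PasswordNeverExpires often turn out to be service accounts that should be reviewed rather than forcibly expired.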
Even so, having full visibility into identities can be challenging for the security teams tasked with enforcing these policies. Tenable Identity Exposure provides the following indicators that security teams can use to gain visibility into areas where weaknesses may exist:

- Password Policy Weakness
- Cleartext Passwords in Use
- Detection of Password Weaknesses

## Stage 2: Reconnaissance

Once attackers have access to an environment, they need to understand what it looks like and how they can exploit configurations and/or vulnerabilities to move on to the next step of lateral movement and privilege escalation. There are a number of legitimate security tools available that attackers can use to gain visibility into the environment. When these are used against an environment maliciously, they give away key secrets that can then be leveraged for movement across the environment.

Tenable Identity Exposure provides indicators of attack to give security teams visibility into behavior that looks like these security tools are being run in your environment, which could be malicious if not expected. These indicators include:

- Massive Computer Enumeration
- Administrative Account Scanning

## Stage 3: Lateral movement and privilege escalation

Once they’ve completed their reconnaissance, attackers will try to use their findings to move between your environment objects to gain access to the privileged assets required to further their attack. How do they do this? Exploitation of relationships. To do so, they may try to access a system that is caching privileged user credentials, or they may try to reset the password on another identity in the environment. To protect against such activity, you need to enforce policies restricting who is allowed to log onto certain system types, prevent password caching where possible and remove unnecessary relationships between objects.
Tenable Identity Exposure provides indicators that can help security teams manage restrictions and spot inconsistencies, including:

- Administrative Logon Restrictions
- Domain Controller Access Inconsistencies

Tenable is also able to provide graphical representations of relationships between identity objects in the attack paths.

## Stage 4: Persistence and evasion

Another key goal of lateral movement is for attackers to get themselves in a position where they can gain persistent access to the environment and avoid being detected. Given the complexity and requirements of identity solutions like Active Directory, there are a number of backdooring techniques that can be utilized. One of the lesser-known of these is the exploitation of the AdminSDHolder container. Once an identity is added to the access control list of this container, which is hidden by default in Active Directory, it will then periodically be granted the same access to highly privileged groups such as domain administrators. This access is granted through the SDProp process that, by default, is scheduled to run every 60 minutes. So even when the access is removed directly from the privileged groups, it is re-granted one hour later through the SDProp process when AdminSDHolder access is granted. Tenable Identity Exposure has the following indicator providing continuous visibility into AdminSDHolder membership:

- Ensure SDProp Consistency

There are a number of security tools on the market that can run point-in-time assessments to show weaknesses that need to be addressed; this data is often provided in a single report with no filterable history. Given the dynamic nature of identities, point-in-time assessments leave gaps in visibility for security teams. Attackers can take advantage of these gaps by making the changes in the environment to facilitate their activities and then undoing them before the next point-in-time assessment is performed, leaving security teams none the wiser.
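As an added example for the AdminSDHolder behaviour described in Stage 4 above (not code from this post or from Tenable), this PowerShell performs the check a defender would run between SDProp cycles: it lists Allow entries on the AdminSDHolder security descriptor that are not among the trustees found in a default domain, and then lists accounts still carrying adminCount=1 that are no longer in any protected group. The expected-trustee list is an assumption for a default domain; extend it with your own approved administrative principals.

```powershell
# Added example, not from the Tenable post. Requires the ActiveDirectory RSAT
# module. The $expected trustee list is an assumption for a default domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$holder  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$netbios = $domain.NetBIOSName

# Trustees that hold rights on AdminSDHolder in a default domain. Any other
# Allow ACE here is copied onto every protected account and group each time
# SDProp runs (every 60 minutes by default), which is why it makes a backdoor.
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\Cert Publishers"
)

$acl = Get-Acl -Path "AD:\$holder"          # AD: drive comes with the ActiveDirectory module
$unexpected = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $expected -notcontains $_.IdentityReference.Value } |
    Select-Object @{ n = 'Trustee'; e = { $_.IdentityReference.Value } }, ActiveDirectoryRights, IsInherited

if ($unexpected) {
    Write-Output 'Unexpected Allow ACEs on AdminSDHolder (SDProp will propagate these):'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'AdminSDHolder DACL contains only the expected trustees'
}

# SDProp sets adminCount=1 on every member of a protected group but never
# clears it. Accounts removed from those groups keep the hardened, non-inheriting
# ACL, so list them for review. krbtgt legitimately carries the flag.
$protectedMembers = foreach ($g in Get-ADGroup -LDAPFilter '(adminCount=1)') {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
}
$orphaned = Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and $protectedMembers -notcontains $_.DistinguishedName }

if ($orphaned) {
    Write-Output 'Accounts flagged adminCount=1 that are no longer in any protected group:'
    $orphaned | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
```

Because SDProp re-applies the template every hour, schedule this to run more often than that and diff its output against the previous run; a one-off report gives exactly the point-in-time gap the post warns about.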
To be most effective, identity configuration monitoring should be continuous and have a filterable and referenceable record of all changes. Tenable Identity Exposure continually monitors Active Directory, and the indicator below provides a trail flow for this very purpose:

- Trail Flow

## Stage 5: Deployment

Finally, we have the deployment of the payload, such as malicious code, malware or ransomware. Chances are an attacker will need to run some sort of script or installer — such as PowerShell scripts — to achieve this. Putting a restriction in place through security policies to prevent these running can dramatically reduce risk. Tenable Identity Exposure provides the following indicator, specifically related to ransomware, to help security teams gain visibility into those places in the environment where the ability to run PowerShell scripts and access AppLocker could be restricted:

- Insufficient Hardening Against Ransomware

## The bigger picture

In summary, we can see how identity is at the heart of each of these five stages of a cyber attack. While the above examples are focused around on-prem Active Directory, hybrid environments are also a target for attackers, such as the 2024 attack by Storm-0501. Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, provides visibility into both Active Directory and Entra ID. Tenable Cloud Security also provides a comprehensive view into identity entitlement within public cloud providers and identity providers (IdPs), such as Ping Identity and Okta.

Identity security is fundamental to a proactive exposure management program. To achieve effective exposure management, organizations need a comprehensive view of their entire attack surface. This means pulling together all available data from across their security tools, including those for identity, applications, cloud, operational technology (OT), endpoint, asset inventories, configuration management databases (CMDBs), threat intelligence feeds and more.
By combining insights from these diverse data sources, security teams can see the bigger picture, connecting the dots between assets, vulnerabilities, misconfigurations and existing compensating controls across multiple environments. The Tenable One Exposure Management Platform gives you a single, prioritized view of risk. By breaking down data silos and integrating insights from multiple security tools, organizations can reduce the likelihood of a breach and minimize risk exposure across the attack surface. Instead of viewing risks in isolation, security teams can connect the dots — understanding how attackers see their environment and taking smarter, more proactive action to reduce exposure.

## Learn more

- 2024 Gartner® Prioritize IAM Hygiene for Robust Identity-First Security Report
- From Managing Vulnerabilities to Managing Exposure: The Critical Shift You Can’t Ignore
- A Unified Approach to Exposure Management: Introducing Tenable One Connectors and Customized Risk Dashboards
Analysis Summary
# Best Practices: Identity and Exposure Management Integration
## Overview
These practices focus on leveraging comprehensive data integration, particularly from identity security sources, to build a robust, proactive Cyber Exposure Management program designed to reduce overall organizational risk and prevent breaches by connecting assets, vulnerabilities, misconfigurations, and existing controls across the entire attack surface.
## Key Recommendations
### Immediate Actions
1. **Inventory Critical Assets:** Establish a baseline inventory of all critical assets across corporate environments (endpoints, cloud, OT/IoT) to serve as the foundation for subsequent risk analysis.
2. **Integrate Identity Data Sources:** Immediately begin integrating existing identity data (e.g., from Identity and Access Management systems) with existing vulnerability management feeds.
3. **Prioritize IAM Hygiene Review:** Based on industry reports (e.g., Gartner recommendations), prioritize an immediate review of Identity and Access Management (IAM) hygiene to identify and remediate obvious, high-risk permission issues or excessive access rights.
### Short-term Improvements (1-3 months)
1. **Establish Unified Data Streams:** Implement technology (like the platform connectors mentioned in the report) to break down security data silos by pulling data from diverse sources including CMDBs, threat intelligence, application security tools, and OT security tools into a central platform.
2. **Develop Cross-Domain Risk Correlation:** Configure the central platform to correlate identity exposures (e.g., over-privileged accounts) with known vulnerabilities and asset criticality to create context-aware risk scores.
3. **Implement Targeted Remediation Streams:** Create and track distinct remediation workflows based on the correlated risk, focusing first on critical assets exposed by excessive identity entitlements or critical vulnerabilities.
### Long-term Strategy (3+ months)
1. **Achieve Attack Surface Visibility:** Strive for a comprehensive, single, prioritized view of cyber risk across the entire attack surface, moving beyond isolated vulnerability scanning to holistic exposure management.
2. **Embed Risk Communication:** Regularly communicate the prioritized cyber risk metrics (derived from integrated data) to business stakeholders to align security investments with business performance objectives.
3. **Refine Proactive Defense:** Utilize the integrated exposure analytics (including GenAI capabilities, if available) to simulate attack paths and proactively adjust identity controls, configurations, and patching priorities to prevent likely attacks, rather than simply reacting to past findings.
## Implementation Guidance
### For Small Organizations
- **Focus on Foundational Tools:** Adopt a unified platform approach (even a scaled-down version) that naturally pulls in configuration and asset data alongside basic vulnerability scanning.
- **Manual Entitlement Audits:** If automated identity integration is cost-prohibitive, mandate short-cycle, manual audits of administrative and service accounts accessing the most critical assets.
### For Medium Organizations
- **Adopt Connectors:** Utilize integration connectors to seamlessly feed data from existing, best-of-breed tools (like existing IAM or CMDB systems) into an exposure management platform.
- **Pilot Identity-Driven Prioritization:** Pilot an initiative where vulnerability remediation is prioritized based on whether the vulnerable asset is accessible by an over-privileged or compromised identity.
### For Large Enterprises
- **Mandate Full Attack Surface Integration:** Require full integration across all security domains (Cloud Security Posture Management (CSPM), Vulnerability Management, OT Security, Identity Exposure Management and Cloud Infrastructure Entitlement Management (CIEM)) into a single exposure management framework.
- **Establish Continuous Exposure Analytics:** Implement continuous monitoring and analytics to track changes in exposure posture and ensure newly configured infrastructure or identity entitlements do not introduce unforeseen risk pathways.
## Configuration Examples
*No specific technical configuration syntax was provided in the context, but the conceptual configuration focus should be:*
- **Data Source Configuration:** Configuring connectors to ingest data streams from IAM systems, CMDBs, Cloud Security tools (CNAPP), and Vulnerability Scanners into a central Exposure Management Platform.
- **Prioritization Rules Example:** Set configuration rules where finding severity is multiplied by an "Identity Risk Factor" if the associated user account has Domain Admin privileges or access to production environment keys, instantly elevating the finding to critical status.
## Compliance Alignment
- **NIST CSF:** Aligns heavily with **Identify (ID)** functions (Asset Management, Risk Assessment) and **Protect (PR)** functions (Identity, Credential, and Access Management).
- **ISO 27001:** Supports controls related to access control (A.9) and asset management (A.8) by providing detailed evidence of exposure risk linked to access rights.
- **Best Practice Alignment:** Closely aligns with modern cybersecurity guidance emphasizing proactive **Exposure Management** over traditional, siloed vulnerability management.
## Common Pitfalls to Avoid
- **Data Silo Entrenchment:** Do not allow vulnerability, cloud, and identity data to remain separate; this prevents accurate risk correlation.
- **Ignoring Identity as the Primary Attack Vector:** Failing to prioritize remediation efforts based on the identity contexts linked to vulnerabilities (e.g., overlooking a low-severity vulnerability if it is directly accessible by a highly privileged "dormant" account).
- **Focusing Only on Known Vulnerabilities:** Moving only from vulnerability scanning to patch management without incorporating misconfigurations and over-permissive identities leaves significant gaps in exposure reduction.
## Resources
- **Gartner Report:** Refer to the "2024 Gartner® Prioritize IAM Hygiene for Robust Identity-First Security Report" for detailed IAM security guidance.
- **Framework Documentation:** Review **Exposure Management** principles as a shift from traditional vulnerability management methodologies.
- **Platform Documentation:** Consult documentation for solutions emphasizing integrated **Exposure Management Platforms** to understand required data integration steps.