Full Report
Palo Alto Networks' incident response firm said identity-based attacks are exploding as poor security controls stretch across a widening mosaic of integrated tools and systems. The post Unit 42: Nearly two-thirds of breaches now start with identity abuse appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Identity Abuse & Social Engineering
## Overview
Identity abuse has become the primary vector for initial network access, characterized by the exploitation of compromised credentials and human vulnerabilities to bypass traditional security perimeters. According to Unit 42, these techniques account for nearly two-thirds of all initial intrusions and play a role in 90% of the entire attack lifecycle.
## Technical Details
- **Type**: Technique / Initial Access Vector
- **Platform**: Multi-platform (Cloud, SaaS, On-premise, Legacy systems)
- **Capabilities**: Credential harvesting, multi-factor authentication (MFA) bypass, lateral movement across integrated systems, and privilege escalation via over-permissioned accounts.
- **First Seen**: Persistent; highlighted as the dominant 2024-2025 trend.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing]
  - [T1078 - Valid Accounts]
  - [T1110 - Brute Force]
- **[TA0003 - Persistence]**
  - [T1136 - Create Account]
- **[TA0004 - Privilege Escalation]**
  - [T1078.004 - Valid Accounts: Cloud Accounts]
- **[TA0008 - Lateral Movement]**
  - [T1213.003 - Data from Information Repositories: SaaS]
## Functionality
### Core Capabilities
- **Social Engineering:** Manipulating human targets into divulging credentials or executing malicious actions (the leading initial-access cause, at 33% of cases).
- **Credential Reuse:** Using leaked or purchased passwords across disparate integrated systems.
- **Exploitation of Over-Permissioning:** Leveraging identity policies that grant "God-mode" or excessive administrative rights by default.
- **API/SaaS Integration Abuse:** Hopping between interconnected third-party tools (e.g., Salesloft Drift) to reach secondary targets.
### Advanced Features
- **Machine Identity/AI Agent Exploitation:** Targeting non-human identities and automated bots that possess high privileges.
- **Cross-Surface Pivoting:** Transitioning fluidly from successful endpoint compromises to cloud-based service environments.
- **Blast Radius Extension:** Moving from branch or secondary offices to corporate headquarters by exploiting weak internal segmentation.
## Indicators of Compromise
*Note: Identity-based attacks are difficult to detect via traditional IOCs because they use "legitimate" credentials; the indicators below are behavioral rather than atomic.*
- **Behavioral Indicators:**
  - Logins from atypical geographic locations or at unusual hours.
  - Multiple MFA push denials in a short window (MFA fatigue/bombing).
  - Rapid "hopping" between unrelated SaaS applications.
  - Sudden creation of new administrative accounts or API keys.
  - Legitimate users accessing systems they are permitted to reach but have no business need for (a weak signal that is hard to separate from noise on its own).
## Associated Threat Actors
- **Financially Motivated Actors:** Responsible for the majority of incidents investigated, often leading to ransomware/exfiltration.
- **Supply Chain Actors:** Groups targeting SaaS integrations to move laterally across diverse customer bases.
- **State-Sponsored Hackers:** Using AI-augmented social engineering to enhance credential harvesting.
## Detection Methods
- **Behavioral Detection:** Implementing User and Entity Behavior Analytics (UEBA) to identify deviations from normal authenticated activity.
- **Anomaly Detection:** Monitoring for high-volume API requests or unusual SaaS-to-SaaS data transfers.
- **Identity Provider (IdP) Logging:** Correlating IdP logs with endpoint activity to detect session hijacking or unauthorized token usage.
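The behavioral indicators and detection methods above can be turned into concrete rules over identity-provider sign-in logs. The following is an added example written for this page, not code from Unit 42, Palo Alto Networks or CyberScoop. The event field names (`ts`, `user`, `action`, `result`, `country`, `app`), the per-user country baseline and the thresholds are assumptions, and the events themselves are constructed. It checks four independent signals (MFA push bombing, atypical login country, rapid SaaS hopping, new admin account creation) and then correlates them per user, so that a single weak indicator stays noise while several together rise above it.

```python
"""Identity-abuse detection over IdP sign-in events (added example, not from
the Unit 42 report). Log shape, baseline and thresholds are assumptions;
the sample events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider sign-in / audit events.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T02:01:00", "user": "alice", "action": "mfa_push", "result": "denied", "country": "US", "app": "vpn"},
    {"ts": "2025-01-10T02:01:30", "user": "alice", "action": "mfa_push", "result": "denied", "country": "US", "app": "vpn"},
    {"ts": "2025-01-10T02:02:05", "user": "alice", "action": "mfa_push", "result": "denied", "country": "US", "app": "vpn"},
    {"ts": "2025-01-10T02:02:40", "user": "alice", "action": "mfa_push", "result": "approved", "country": "US", "app": "vpn"},
    {"ts": "2025-01-10T09:00:00", "user": "bob", "action": "login", "result": "success", "country": "US", "app": "mail"},
    {"ts": "2025-01-10T09:20:00", "user": "bob", "action": "login", "result": "success", "country": "BR", "app": "crm"},
    {"ts": "2025-01-10T09:21:00", "user": "bob", "action": "login", "result": "success", "country": "BR", "app": "hr"},
    {"ts": "2025-01-10T09:22:00", "user": "bob", "action": "login", "result": "success", "country": "BR", "app": "billing"},
    {"ts": "2025-01-10T09:23:00", "user": "bob", "action": "create_admin", "result": "success", "country": "BR", "app": "idp"},
    {"ts": "2025-01-10T10:00:00", "user": "carol", "action": "login", "result": "success", "country": "US", "app": "mail"},
]

# Assumed per-user baseline: countries normally seen for each account.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def _t(e):
    return datetime.fromisoformat(e["ts"])


def mfa_fatigue(events, denials=3, window=timedelta(minutes=5)):
    """Users with >= `denials` MFA push denials inside `window` that end in an
    approval: the push-bombing pattern where the victim eventually taps 'yes'."""
    hits = set()
    by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["action"] == "mfa_push":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            recent = [x for x in evs[:i] if x["result"] == "denied" and _t(e) - _t(x) <= window]
            if len(recent) >= denials:
                hits.add(user)
    return hits


def atypical_location(events, baseline):
    """Users with a successful login from a country outside their baseline."""
    return {e["user"] for e in events
            if e["action"] == "login" and e["result"] == "success"
            and e["country"] not in baseline.get(e["user"], set())}


def saas_hopping(events, min_apps=3, window=timedelta(minutes=10)):
    """Users that authenticate to >= `min_apps` distinct applications within
    `window` (rapid hopping between unrelated SaaS apps)."""
    hits = set()
    by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["action"] == "login" and e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            apps = {x["app"] for x in evs[i:] if _t(x) - _t(e) <= window}
            if len(apps) >= min_apps:
                hits.add(user)
                break
    return hits


def new_admin_accounts(events):
    """Users that created an administrative account or API key."""
    return {e["user"] for e in events if e["action"] in ("create_admin", "create_api_key")}


def correlate(events, baseline):
    """Per-user list of the independent signals that fired, so analysts can
    rank by signal count instead of chasing each weak indicator alone."""
    signals = {
        "mfa_fatigue": mfa_fatigue(events),
        "atypical_location": atypical_location(events, baseline),
        "saas_hopping": saas_hopping(events),
        "new_admin": new_admin_accounts(events),
    }
    scores = defaultdict(list)
    for name, users in signals.items():
        for u in users:
            scores[u].append(name)
    return {u: sorted(names) for u, names in scores.items()}


if __name__ == "__main__":
    for user, names in correlate(SAMPLE_EVENTS, BASELINE_COUNTRIES).items():
        print(f"{user}: {len(names)} signal(s) -> {', '.join(names)}")
```

On the constructed sample, `alice` fires only the MFA-fatigue rule, while `bob` fires three independent signals (atypical country, SaaS hopping, new admin account), which is the kind of stacking that separates identity abuse from ordinary noisy logins. In a real deployment the baseline would come from weeks of IdP history, and the same correlation step is where endpoint telemetry would be joined in.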
## Mitigation Strategies
- **Least Privilege Access:** Auditing and stripping excessive permissions; implementing Zero Trust Network Access (ZTNA).
- **Hardening Identity Controls:** Moving beyond basic MFA to phishing-resistant hardware keys.
- **Network Segmentation:** Enforcing strict boundaries between branch offices, data centers, and cloud environments to limit the blast radius.
- **SaaS Governance:** Regularly reviewing third-party integrations and API access keys.
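The least-privilege and SaaS-governance items above both reduce to a periodic review: find principals whose policies grant wildcard or identity-management rights, find integration keys that have gone idle, and revoke first where the two overlap. The following is an added example written for this page, not code from Unit 42 or any product. The policy shape is a generic JSON-style allow-list, the key records are constructed, and the field names and the 90-day idle threshold are assumptions.

```python
"""Least-privilege and integration-key audit (added example; not from the
Unit 42 report). Policy shape, key records, field names and thresholds are
assumptions; all data below is constructed."""
from datetime import date

# Constructed identity policies: each principal gets a list of statements.
POLICIES = {
    "ci-deployer": [{"effect": "allow", "actions": ["deploy:push", "deploy:rollback"], "resources": ["app/web"]}],
    "legacy-admin": [{"effect": "allow", "actions": ["*"], "resources": ["*"]}],
    "marketing-sync": [{"effect": "allow", "actions": ["crm:read", "crm:write", "iam:createuser"], "resources": ["*"]}],
}

# Constructed third-party integration keys (input for a SaaS governance review).
API_KEYS = [
    {"id": "key-1", "owner": "ci-deployer", "created": "2024-12-01", "last_used": "2025-01-09", "scopes": ["deploy"]},
    {"id": "key-2", "owner": "marketing-sync", "created": "2024-03-15", "last_used": "2024-05-02", "scopes": ["crm", "iam"]},
    {"id": "key-3", "owner": "legacy-admin", "created": "2023-01-01", "last_used": None, "scopes": ["*"]},
]

# Action prefixes that amount to administrative control (assumed naming).
PRIVILEGED_PREFIXES = ("iam:", "admin:")


def over_permissioned(policies):
    """Return {principal: [reasons]} for policies granting wildcard actions,
    wildcard resources, or identity-management rights: the 'God-mode'
    defaults that let a single stolen credential reach everything."""
    findings = {}
    for principal, statements in policies.items():
        reasons = []
        for s in statements:
            if s["effect"] != "allow":
                continue
            if "*" in s["actions"]:
                reasons.append("wildcard action")
            if "*" in s["resources"]:
                reasons.append("wildcard resource")
            for a in s["actions"]:
                if a.startswith(PRIVILEGED_PREFIXES) or a.endswith(":*"):
                    reasons.append(f"privileged action {a}")
        if reasons:
            findings[principal] = sorted(set(reasons))
    return findings


def stale_keys(keys, today, max_idle_days=90):
    """Return ids of integration keys idle for more than `max_idle_days`.
    A key that was never used is measured from its creation date."""
    out = []
    for k in keys:
        anchor = k["last_used"] or k["created"]
        idle = (today - date.fromisoformat(anchor)).days
        if idle > max_idle_days:
            out.append(k["id"])
    return out


def revoke_first(policies, keys, today, max_idle_days=90):
    """Stale keys whose owner is also over-permissioned: the cheapest
    blast-radius reduction, since nothing legitimate still depends on them."""
    flagged = over_permissioned(policies)
    stale = set(stale_keys(keys, today, max_idle_days))
    return sorted(k["id"] for k in keys if k["id"] in stale and k["owner"] in flagged)


if __name__ == "__main__":
    today = date(2025, 1, 10)  # constructed review date
    print("over-permissioned:", over_permissioned(POLICIES))
    print("stale keys:", stale_keys(API_KEYS, today))
    print("revoke first:", revoke_first(POLICIES, API_KEYS, today))
```

Run against real policy exports, the `over_permissioned` output is the audit list for stripping excess rights, and `stale_keys` is the input to the integration review; the overlap is where a review should start, because a dormant key on an over-permissioned principal is exactly the kind of forgotten access the report describes being hopped through.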
## Related Tools/Techniques
- **MFA Fatigue/Push Bombing**
- **SaaS-to-SaaS Attacks**
- **Token Theft / Session Hijacking**
- **Brute-Force Attack Tools**