
When attackers infiltrate your environment, the first signs are rarely glaring red alarms — they’re whispers in the noise. A stale account springs to life. A privileged session lasts a little longer than usual or begins at a strange time of the day. A machine identity with excessive permissions is created out of band with no clear owner. 

These subtle shifts may be the early warning signs an attacker has begun carrying out their mission in your environment — and if you’re not looking in the right places, you won’t catch them until it’s too late. 

Continuous Identity Security is Not Optional  

More than 80% of breaches now involve some form of identity compromise. Threat actors are shifting tactics and simply logging in. They’re exploiting the very trust fabric that organizations rely on to operate: identities. 

In 2023 and 2024, several of the most critical CVEs analyzed by Hydden’s Threat Research Team, including CVE-2023-34362 and CVE-2024-29973, showed that even when the initial foothold comes from exploiting a software vulnerability, attackers quickly pivot to compromising identities. In those cases, exploitation led directly to account creation, credential dumping, or impersonation of trusted identities (for example, mimicking the KRBTGT account), which let the attacker operate below the radar for days or weeks.  

The Earliest Signs You Might Be Compromised 

Here are the earliest red flag signals — which are often invisible to your existing IAM and PAM tools — that may indicate identity compromise: 

  • Anomalous Account Creation or Role Changes: Threat actors often create new accounts to establish persistence, or modify an existing account and grant it higher privileges in one or more systems.
    🚩 Unexpected creation of new accounts, or rapid group-membership or role changes on existing accounts.
  • Dormant Accounts Springing to Life: An identity that suddenly accesses a resource after a long period of inactivity is a high-risk event that security teams easily overlook. It often means the credentials were compromised, for example bought by a threat actor on a dark-web marketplace. 
    🚩 A user account that hasn’t logged in for 90+ days suddenly accesses sensitive systems or resources. 
  • Bypassed or Failed MFA Attempts: Multiple failed MFA prompts, MFA bombing (push fatigue), downgrades to weaker MFA types, or repeated use of a fallback MFA method by the same identity can indicate that credentials have been stolen or that a phishing campaign is under way.
    🚩 A valid user identity triggering unusual or repeated MFA challenges; new devices being registered for MFA on an account; or an account’s MFA method being changed to a less secure type such as SMS or email. 
  • Misuse of Machine Identities: With 50-80x more machine identities than human ones, attackers exploit the poor visibility and governance that surround them. Tokens, service accounts, and certificates often go unmonitored.
    🚩 A machine identity being used in ways inconsistent with its role (e.g., attempts to access other systems, or unexpected role or privilege changes). 
  • Privileged Access Without Audit Trails: Privileged sessions with no recorded evidence, or originating from unusual devices or locations, should be treated with extreme suspicion.
    🚩 A session to your PAM vault that isn’t tied to a ticket, a just-in-time access grant, or a privileged approval workflow. 
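As an added example (not Hydden’s code or product logic), the following Python turns four of the red flags above into detection rules and replays them over a handful of constructed identity events. The event schema, the thresholds, and the account and group names are assumptions made for illustration.

```python
"""Rule-based identity early-warning checks (added example, not Hydden's code).

Assumptions: events are dicts with an ISO 8601 'ts', a 'type', the 'actor'
performing the action, the 'target' account or resource, and a 'detail' dict.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 90                          # the 90+ day threshold from the article
WEAK_MFA = {"sms", "email"}                # fallback methods treated as a downgrade
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumed list
RAPID_GRANT_WINDOW = timedelta(hours=1)    # privilege this soon after creation is suspect

# Constructed sample telemetry (not real logs). A stale account wakes at 02:41,
# creates a service account with no change ticket, downgrades its own MFA and
# puts the new account into Domain Admins; asmith's activity is routine.
EVENTS = [
    {"ts": "2024-01-05T09:12:00", "type": "login", "actor": "jdoe", "target": "vpn", "detail": {}},
    {"ts": "2024-05-02T02:41:00", "type": "login", "actor": "jdoe", "target": "finance-db", "detail": {}},
    {"ts": "2024-05-02T02:45:00", "type": "account_created", "actor": "jdoe", "target": "svc-backup2",
     "detail": {"ticket": None}},
    {"ts": "2024-05-02T02:50:00", "type": "mfa_method_changed", "actor": "jdoe", "target": "jdoe",
     "detail": {"old": "authenticator_app", "new": "sms"}},
    {"ts": "2024-05-02T03:00:00", "type": "group_added", "actor": "jdoe", "target": "svc-backup2",
     "detail": {"group": "Domain Admins", "ticket": None}},
    {"ts": "2024-05-02T08:00:00", "type": "login", "actor": "asmith", "target": "vpn", "detail": {}},
    {"ts": "2024-05-02T08:10:00", "type": "account_created", "actor": "asmith", "target": "contractor-77",
     "detail": {"ticket": "CHG-1234"}},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Replay events in time order and return (rule, actor, target, ts) findings."""
    findings = []
    last_login = {}   # actor -> datetime of the previous login
    created_at = {}   # account -> datetime it was created
    for ev in sorted(events, key=_ts):
        ts = _ts(ev)
        kind, actor, target, d = ev["type"], ev["actor"], ev["target"], ev["detail"]

        # Dormant account springing to life: a login after DORMANT_DAYS of silence.
        if kind == "login":
            prev = last_login.get(actor)
            if prev is not None and ts - prev >= timedelta(days=DORMANT_DAYS):
                findings.append(("dormant_reactivated", actor, target, ev["ts"]))
            last_login[actor] = ts
            continue

        # Anomalous account creation / role change: no change ticket behind it.
        if kind == "account_created":
            created_at[target] = ts
        if kind in ("account_created", "group_added") and not d.get("ticket"):
            findings.append(("out_of_band_change", actor, target, ev["ts"]))

        # Privileged group granted within an hour of the account being created.
        if kind == "group_added" and d.get("group") in PRIVILEGED_GROUPS:
            born = created_at.get(target)
            if born is not None and ts - born <= RAPID_GRANT_WINDOW:
                findings.append(("rapid_privilege_grant", actor, target, ev["ts"]))

        # MFA downgrade: a strong method replaced by a weak fallback.
        if kind == "mfa_method_changed" and d.get("new") in WEAK_MFA and d.get("old") not in WEAK_MFA:
            findings.append(("mfa_downgrade", actor, target, ev["ts"]))
    return findings


if __name__ == "__main__":
    for rule, actor, target, ts in detect(EVENTS):
        print(f"{ts} {rule:<22} actor={actor} target={target}")
```

One caveat worth noting: the dormant-account rule can only fire for identities with at least one earlier login in the telemetry window. An account with no observed history at all is exactly the kind of shadow account discussed further down, so a first-seen identity deserves its own rule rather than silence.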

The Invisible Epidemic: Shadow Accounts and Credential Sprawl 

What makes these signs hard to detect? Identity visibility gaps. Legacy IAM systems, static PAM discovery jobs, and siloed IGA deployments create an illusion of control: the dashboards look complete while many identities remain undiscovered and unmanaged.  

Identity blind spots, such as cloud admin accounts outside governance, API tokens committed to GitHub repositories, and local system accounts, are now prime targets. Attackers opportunistically favor systems with weak monitoring or defensive controls, because a foothold there stays undetected and persists longer within your organization. 

Controversial but Critical: Rethinking Identity “Ownership” 

Here’s the uncomfortable truth: You probably don’t know who owns all your identities. 

Many organizations rely on HR systems or Active Directory as their “source of truth”, but attackers exploit identities that those systems do not closely monitor or manage. They create accounts that don’t link back to any employee, or escalate the privileges of existing accounts whose ownership is murky or whose activity is hard to monitor. You need to track identity usage, not just existence. Identity ownership should be continuously re-evaluated, especially in complex environments where multiple sources of truth (several HR and identity systems) coexist.  
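Added example, not Hydden’s code: a reconciliation pass in Python that joins accounts discovered across several systems to an HR roster and to the set of accounts a PAM or IGA tool already manages, then ranks the results by whether an ownerless or orphaned account is still being used. The HR roster, the discovered accounts, the “governed” set, the reference date and the 30-day recency window are all constructed assumptions.

```python
"""Identity ownership reconciliation (added example, not Hydden's code)."""
from datetime import date, timedelta

RECENT_DAYS = 30                     # assumed window for "still in use"
REFERENCE_DATE = date(2024, 5, 3)    # assumed "today" for the sample data

HR = {  # constructed HR roster: employee id -> record
    "E100": {"name": "Jane Doe", "status": "active"},
    "E101": {"name": "Ali Smith", "status": "terminated"},
}

# Constructed discovery results from several systems; owner is an HR id or None.
DISCOVERED = [
    {"system": "ad",        "account": "jdoe",       "owner": "E100", "last_used": "2024-05-01"},
    {"system": "ad",        "account": "asmith",     "owner": "E101", "last_used": "2024-04-30"},
    {"system": "aws",       "account": "admin-temp", "owner": None,   "last_used": "2024-05-02"},
    {"system": "aws",       "account": "ci-deploy",  "owner": "E100", "last_used": "2024-05-02"},
    {"system": "host:db01", "account": "root2",      "owner": None,   "last_used": None},
]

# Accounts the IGA/PAM tooling already knows about (constructed).
GOVERNED = {("ad", "jdoe"), ("ad", "asmith"), ("aws", "ci-deploy")}


def ownership(acct, hr):
    """'owned' links to an active person; 'orphan' links to nobody active; 'unowned' links to no one."""
    if acct["owner"] is None:
        return "unowned"
    person = hr.get(acct["owner"])
    if person is None or person["status"] != "active":
        return "orphan"
    return "owned"


def triage(discovered, hr, governed, today):
    """Annotate each account and sort so the riskiest come first."""
    cutoff = today - timedelta(days=RECENT_DAYS)
    results = []
    for acct in discovered:
        status = ownership(acct, hr)
        shadow = (acct["system"], acct["account"]) not in governed
        used = acct["last_used"] is not None and date.fromisoformat(acct["last_used"]) >= cutoff
        if status != "owned" and used:
            severity = "critical"   # someone is actively using an account nobody owns
        elif status != "owned":
            severity = "high"       # ownerless and idle: remove it
        elif shadow:
            severity = "medium"     # owned but outside PAM/IGA: bring under management
        else:
            severity = "ok"
        results.append({**acct, "ownership": status, "shadow": shadow,
                        "recently_used": used, "severity": severity})
    rank = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    return sorted(results, key=lambda r: rank[r["severity"]])


def triage_sample():
    return triage(DISCOVERED, HR, GOVERNED, REFERENCE_DATE)


if __name__ == "__main__":
    for r in triage_sample():
        print(f"{r['severity']:<8} {r['system']}/{r['account']} ownership={r['ownership']} "
              f"shadow={r['shadow']} recently_used={r['recently_used']}")
```

The point of the ranking is the one the text makes: existence alone says little, but an orphaned or ownerless account that is still logging in is the combination an attacker relies on, so usage telemetry has to be joined to the ownership data before anyone reviews the list.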

What Real-World Threat Actors Teach Us 

Threat groups such as LAPSUS$, UNC3944, and APT29 have perfected identity-focused attacks: 

  • LAPSUS$ paid insiders for credentials and used SIM swapping to intercept SMS-based MFA codes and take over accounts.
  • UNC3944 continues to rely on a wide range of identity-oriented techniques, including social engineering of help desks, to infiltrate organizations.
  • APT29 used authentication bypass techniques and forged SAML tokens to infiltrate sensitive environments.

Across these attacks the initial vector differs, but identity compromise features in every one of them, and in the majority of cyberattacks overall. 

Recommendations: Building a Real-Time Identity Early Warning System 

  1. Implement Continuous Discovery: Point-in-time scans are not sufficient. Quarterly access reviews, often mandated for regulatory compliance, tend to create a false sense of security. Use platforms like Hydden to continuously identify human and machine identities, monitor their activity, and detect anomalies.
  2. Integrate Identity and Vulnerability Insights: Exploited systems often lead to identity risk. Correlate CVE information with the identities and privileges present on the affected systems, so that your vulnerability management and identity teams work from the same picture. 
  3. Establish Behavior-Based Identity Monitoring: Move beyond static role-based models to behavior-based analytics. Monitor each identity’s behavior over time, including frequency, time of access, and resource usage, to build baselines and detect drift. 
  4. Enforce Strong MFA Everywhere: Especially on local accounts and legacy systems. Use adaptive authentication and avoid SMS-based MFA and other weak “fallback” MFA types. 
  5. Audit for Shadow and Orphan Accounts: Combine discovery with event-driven telemetry to remove accounts that are no longer needed and to identify accounts that should be brought under PAM or IGA management. 
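Added example for recommendation 3, not Hydden’s code: a minimal behavior baseline in Python that learns, per identity, the hours of day, the resources and the busiest day’s login count seen in a history window, then scores new events for drift on those three dimensions. All events are constructed; the one-hour slack and the “no baseline” handling for never-seen identities are assumptions.

```python
"""Behavior-baseline drift scoring (added example, not Hydden's code)."""
from collections import defaultdict
from datetime import datetime

HOUR_SLACK = 1   # assumed: an hour within +/-1 of any baseline hour counts as normal

# Constructed history: (identity, ISO timestamp, resource).
HISTORY = [
    ("jdoe", "2024-04-15T08:05:00", "vpn"),   ("jdoe", "2024-04-15T09:30:00", "wiki"),
    ("jdoe", "2024-04-16T08:12:00", "vpn"),   ("jdoe", "2024-04-17T10:02:00", "wiki"),
    ("jdoe", "2024-04-18T08:40:00", "vpn"),   ("jdoe", "2024-04-19T09:15:00", "vpn"),
    ("asmith", "2024-04-15T13:00:00", "vpn"), ("asmith", "2024-04-16T14:20:00", "vpn"),
]

# Constructed new events to score against the baselines.
NEW_EVENTS = [
    ("jdoe", "2024-05-02T02:41:00", "finance-db"),
    ("jdoe", "2024-05-02T02:50:00", "vpn"),
    ("jdoe", "2024-05-02T02:55:00", "wiki"),
    ("asmith", "2024-05-02T13:30:00", "vpn"),
    ("svc-new", "2024-05-02T03:00:00", "vpn"),
]


def build_baselines(history):
    """Per identity: hours of day seen, resources used, and the busiest day's login count."""
    profiles = defaultdict(lambda: {"hours": set(), "resources": set(), "max_per_day": 0})
    per_day = defaultdict(int)
    for user, ts, resource in history:
        t = datetime.fromisoformat(ts)
        profiles[user]["hours"].add(t.hour)
        profiles[user]["resources"].add(resource)
        per_day[(user, t.date())] += 1
    for (user, _), n in per_day.items():
        profiles[user]["max_per_day"] = max(profiles[user]["max_per_day"], n)
    return dict(profiles)


def _hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)   # clock arithmetic, so 23:00 and 01:00 are two hours apart


def score_stream(profiles, events):
    """Return (user, ts, resource, reasons) per event; an empty reasons list means no drift."""
    per_day = defaultdict(int)
    scored = []
    for user, ts, resource in events:
        t = datetime.fromisoformat(ts)
        reasons = []
        p = profiles.get(user)
        if p is None:
            reasons.append("no_baseline")   # never seen before: a candidate shadow account
        else:
            if min(_hour_distance(t.hour, h) for h in p["hours"]) > HOUR_SLACK:
                reasons.append("unusual_hour")
            if resource not in p["resources"]:
                reasons.append("new_resource")
            per_day[(user, t.date())] += 1
            if per_day[(user, t.date())] > p["max_per_day"]:
                reasons.append("frequency_spike")
        scored.append((user, ts, resource, reasons))
    return scored


if __name__ == "__main__":
    for user, ts, resource, reasons in score_stream(build_baselines(HISTORY), NEW_EVENTS):
        print(ts, user, resource, ",".join(reasons) or "baseline")
```

In production the baseline window should be long enough to cover legitimate variation (on-call shifts, month-end jobs), and an identity with no baseline at all should be routed to the discovery and ownership process rather than silently skipped, since a brand-new actor with no history is itself one of the signals described earlier.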

Key Takeaway

Threat actors are opportunistic and increasingly compromise organizations by exploiting neglected identity hygiene. These attacks often start with a successful login, yet many of them can be prevented. 

If you’re serious about defending your identity perimeter, the real question isn’t “Are we under attack?” It’s: How fast can we detect and respond when it starts? 

Author Hydden