Introduction: From Account Creation to Data Exfiltration
As organizations scale across hybrid and multi-cloud environments, each new identity—whether human, machine, or API—represents a potential attack vector. While many cybersecurity professionals have historically focused on network intrusions or endpoint threats, identity-based attacks have quietly, yet decisively, emerged as the #1 initial access vector leveraged by threat actors.
Drawing upon recent threat analysis from Hydden and public case studies, we’ll dissect the lifecycle of a typical identity attack and identify common Tactics, Techniques, and Procedures (TTPs).
The Stages of an Identity-Based Attack: A Common Blueprint
While specific TTPs vary, most identity-driven attacks follow a discernible pattern. Understanding these stages is crucial for effective prevention and detection.
Stage 1: Initial Access – The Front Door
Attackers gain their initial entry by exploiting weaknesses in how identities are managed or secured. These are the top identity-oriented methods we observe actors leveraging to gain initial access:
- Compromised Credentials: This remains a leading cause. Attackers leverage credentials stolen in previous breaches (available on dark web marketplaces), conduct credential stuffing attacks (testing stolen passwords across multiple services), or use brute-force techniques against weak passwords. Prevalence: “Valid account abuse was responsible for 35% of cloud-related incidents, reflecting attackers’ growing focus on identity compromise as a gateway to broader enterprise environments” – CrowdStrike 2025 Global Threat Report.
- Phishing & Social Engineering: Tricking users into divulging credentials or executing malicious code. One successful method convinces victims to reset their password by navigating to a fake, attacker-controlled SSO portal, where their credentials are captured and later replayed by the attackers against the organization’s legitimate SSO portal. We frequently observe spear-phishing campaigns that are either broad in scope or narrowly aimed at specific individuals within an organization. Example: Scattered Spider and other threat actor groups lean heavily on exploiting people and abusing employees’ trust, through voice phishing and by downgrading the MFA type available on existing accounts.
- Exploitation of Vulnerabilities: Targeting unpatched software or misconfigurations in public-facing applications that lead directly to account creation events used for lateral movement, or that enable identity enumeration and credential theft. Example: CVE-2025-29824 – Threat actors linked to Play ransomware leveraged a public-facing Cisco Adaptive Security Appliance (ASA) to gain initial access through an undetermined method and then moved to another Windows machine on the target network. They then exploited CVE-2025-29824 and began creating accounts and adding them to privileged groups for malicious use.
- Misconfigured Cloud Services: Publicly exposed S3 buckets, unsecured APIs, or default credentials in cloud environments can offer an easy entry point.
Stage 2: Establishing Foothold – Getting Situated
Once inside, actors test access, map the organization’s network, and in some cases install tools to support their mission. This often involves:
- Basic Reconnaissance: Identifying the local system, user privileges, and immediate network environment. Attackers aim to understand group memberships, administrative roles, service account dependencies, and trust relationships between systems.
- Discovering Identity Stores: Locating and querying Active Directory, Entra ID (Azure AD), LDAP, or other identity repositories.
- Tool Installation: Actors may begin installing additional tools to support their operations. In many cases, we’ve observed legitimate remote access tools being installed and the use of living-off-the-land binaries (LOLBins).
Stage 3: Privilege Escalation & Lateral Movement – Expanding Control
The initial compromised identity often has limited privileges. The attacker’s next goal is to escalate these privileges and move laterally across the network to access more valuable assets or identities. Key TTPs include:
- Identifying Key Assets & Privileged Accounts: Pinpointing domain controllers, database servers, critical application owners, domain admin accounts, cloud IAM roles with broad permissions, and unmonitored privileged accounts.
- Technique: Attackers often parse AD for group memberships (e.g., “Domain Admins,” “Enterprise Admins”) or search for service accounts with names indicating high privilege (e.g., “sql_admin,” “backup_svc”).
- Technique: Attackers often target privileged access management (PAM) systems to widen their foothold and access.
- Technique: There have been many documented instances where actors pivot from on-premises to cloud resources, or vice versa, during the lateral movement stage to further expand their reach.
- Credential Dumping: Validating other stolen credentials and attempting to dump or acquire additional credentials to enable lateral movement and privilege escalation, compromising more systems and applications in the target environment.
- Exploiting Over-Permissioned Accounts: Finding and compromising service accounts, user accounts, or machine identities with excessive or unnecessary privileges.
- Exploiting Misconfigurations: Leveraging misconfigured identity providers or exploiting vulnerabilities in internal systems.
- Pass-the-Hash/Ticket: Using stolen NTLM hashes or Kerberos tickets to authenticate to other systems without needing the plaintext password.
- Insight: While this is more relevant to organizations with Microsoft infrastructure, we mention it because we observe it at a high prevalence.
Stage 4: Establishing Persistence & Maintaining Presence – Ensuring Long-Term Access
To ensure they can regain access even if their initial entry point is discovered, attackers establish persistence mechanisms:
- Creating Backdoor Accounts: Adding new user accounts (often disguised as legitimate service accounts) or modifying existing ones.
- Deploying Malware/Webshells: Installing persistent malware or webshells on compromised servers.
- OAuth Token Abuse & Application Impersonation: Injecting malicious OAuth applications or stealing refresh tokens in cloud environments to maintain access to SaaS applications or APIs.
- Modifying System Configurations: Creating scheduled tasks, modifying startup scripts, or altering security configurations.
Stage 5: Objective Achievement – Data Access, Exfiltration, or Impact
This is the culmination of the attack, where the adversary achieves their ultimate goal:
- Data Access & Staging: Accessing sensitive data from databases, file shares (SharePoint, S3 buckets), email systems, or CRM platforms. Data is often aggregated in a staging area before exfiltration.
- Data Exfiltration: Transferring stolen data to attacker-controlled infrastructure. This can be done slowly to avoid detection or in large bursts.
- Ransomware Deployment: Encrypting critical systems and demanding a ransom, often after exfiltrating data for double extortion.
- Disruption/Sabotage: Causing operational disruption, deleting data, or sabotaging systems.
Controversial Truths for Modern Identity Security
Understanding the lifecycle is one thing; internalizing its implications for your security strategy is another.
- Controversial Truth: Your IAM solution, meticulously configured and passing all audits, might still be a ‘paper shield.’ Traditional identity tools are designed to manage known identities and enforce policies based on assumed states. They often lack the deep, continuous discovery and contextual awareness to see the full picture. Attackers thrive in these blind spots: the shadow admin accounts created by a rogue script, the misconfigured service principal in a forgotten dev environment, the toxic combination of seemingly innocuous permissions that grants god-mode access. Without IASM’s ability to see the entire identity battlefield and its actual state, IAM policies risk being well-intentioned guesses applied to an incomplete map.
- Controversial Truth: Machine identities are the rapidly expanding, poorly understood soft underbelly of enterprise security. While user behavior analytics and human identity hygiene get significant attention, the proliferation of machine identities (service accounts, API keys, CI/CD pipeline tokens, IoT device credentials) often outpaces governance. These identities frequently have high privileges, long-lived credentials, and operate outside traditional user-centric security controls. Attackers increasingly target these to compromise DevOps pipelines, abuse cloud APIs, and move laterally with stealth. IASM is critical for bringing these non-human identities out of the shadows.
- Controversial Truth: Zero Trust architecture is an aspiration, not a reality, without incorporating Identity Attack Surface Management. The core principle of Zero Trust is “never trust, always verify.” But how can you verify what you can’t see or don’t know exists? Organizations investing heavily in Zero Trust frameworks (network segmentation, micro-perimeters, strong authentication) while lacking real-time, comprehensive visibility into their entire identity attack surface are operating under a potentially false sense of security. Identity is a core pillar of Zero Trust, so make sure your organization has holistic visibility into it. IASM provides the foundational identity intelligence and continuous risk assessment crucial for making Zero Trust principles truly effective.
Recommendations for Proactive Defense
For CISOs & Identity Leaders:
- Mandate Continuous, Universal Identity Discovery: Shift from periodic manual audits (which are outdated by the time they’re complete) to tools like Hydden that provide real-time, comprehensive insight into all identity types across all environments (on-prem, hybrid, multi-cloud, SaaS).
- Champion an Identity Data Unification Strategy: Break down the silos between IAM, PAM, IGA, SIEM, and other security tools. An IASM platform can serve as a common identity data layer, enriching other systems with crucial context.
- Scrutinize Account Creation & Lifecycle Anomalies: Implement robust monitoring for all account creation pathways, privilege changes, and deletion patterns. Anomalous identity lifecycle events are often the earliest indicators of compromise.
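To make the lifecycle monitoring above concrete, here is an added example (not Hydden’s code or any product’s logic) that correlates constructed Windows-style account-creation and group-membership events and flags the create-then-elevate pattern described in the CVE-2025-29824 case and the backdoor-account persistence stage. The event IDs 4720, 4728, 4732 and 4756 are real Windows Security event IDs; the hosts, account names and timestamps are invented sample data.

```python
"""Flag identity-lifecycle anomalies: an account that is created and then added
to a privileged group within a short window, plus off-hours account creations."""
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log IDs
# 4720 (user account created) and 4728 (member added to a global group).
# All names, hosts and timestamps below are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T02:14:07", "id": 4720, "subject": "svc_backup", "target": "sql_admin2", "host": "DC01"},
    {"ts": "2025-05-01T02:15:31", "id": 4728, "subject": "svc_backup", "target": "sql_admin2", "group": "Domain Admins", "host": "DC01"},
    {"ts": "2025-05-01T09:02:10", "id": 4720, "subject": "jdoe", "target": "mlee", "host": "DC01"},
    {"ts": "2025-05-03T11:40:00", "id": 4728, "subject": "jdoe", "target": "mlee", "group": "Domain Admins", "host": "DC01"},
    {"ts": "2025-05-01T10:00:00", "id": 4728, "subject": "jdoe", "target": "rsmith", "group": "Sales", "host": "DC01"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
MEMBER_ADDED_IDS = {4728, 4732, 4756}  # global, local and universal group member added

def find_fast_privileged_accounts(events, window=timedelta(hours=24)):
    """Return (target, group, seconds_since_creation) for every account that was
    created and then added to a privileged group within `window`.
    Events may arrive unsorted; they are ordered by timestamp first."""
    created = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4720:
            created[ev["target"]] = when
        elif ev["id"] in MEMBER_ADDED_IDS and ev.get("group") in PRIVILEGED_GROUPS:
            born = created.get(ev["target"])
            if born is not None and timedelta(0) <= when - born <= window:
                hits.append((ev["target"], ev["group"], int((when - born).total_seconds())))
    return hits

def off_hours_creations(events, start_hour=7, end_hour=19):
    """Account creations outside business hours: a weaker signal that needs
    the organisation's own context (maintenance windows, time zones) to triage."""
    return [ev["target"] for ev in events if ev["id"] == 4720
            and not start_hour <= datetime.fromisoformat(ev["ts"]).hour < end_hour]

if __name__ == "__main__":
    for target, group, secs in find_fast_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {target} added to {group} {secs}s after creation")
    print("Off-hours creations:", off_hours_creations(SAMPLE_EVENTS))
```

In a real deployment the same correlation would run over SIEM-normalised events from every account creation pathway (AD, Entra ID, cloud IAM), with the window and group list tuned to the environment.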
For Security Practitioners:
- Correlate Identity Telemetry with Vulnerability Data: Don’t treat vulnerabilities and identity attacks as separate problems. Many exploits directly lead to credential theft or account creation. Integrate insights to see the full attack path.
- Prioritize Protection for Non-Human Identities: Implement strict credential rotation, vaulting, Just-in-Time (JIT) access, and least-privilege principles for all service accounts, API keys, and machine identities.
- Conduct Regular Identity-Focused Attack Simulations: Red-team your identity infrastructure. Test for common identity attack paths, MFA bypass techniques, and privilege escalation routes, not just network vulnerabilities.
Conclusion
Identity-based attacks are no longer a niche threat; they are the new frontline of cyber warfare. As attackers increasingly exploit mismanaged, misconfigured, or simply unknown identities as their primary access vector, security teams must evolve from reactive identity governance to proactive identity threat detection and response. Understanding the full lifecycle of an identity attack—from the subtle initial compromise to the devastating final impact—is the first critical step. With a robust Identity Attack Surface Management strategy, you don’t just manage identities; you actively secure them, transforming your identity infrastructure from your biggest liability into your strongest defense.