The “retro” way
“The thing about the old days is… they are the old days” – Slim Charles, The Wire
Protecting a specified network perimeter was the main focus of enterprise security strategy for several decades. Businesses made significant investments in firewalls, intrusion detection systems, endpoint security and segmentation controls, all of which were built on the premise that an organization would stay safe if attackers were prevented from accessing the network.
In a time when users, infrastructure and applications were mostly confined within well-defined borders, that assumption made sense, but in today's world that environment no longer exists.
The proliferation of cloud computing, SaaS usage, hybrid work practices, microservices and API-driven connections have fundamentally transformed the structure of enterprise IT. Critical systems are now located outside conventional data centers and employees now authenticate outside trusted networks in BYOD scenarios. Vendors also integrate directly into internal systems, which means that identity is the most important control plane in modern settings.
Modern threat actors are no longer primarily burrowing through hidden technical flaws or circumventing perimeter measures in dramatic fashion; those were the old days. In recent times, they log in with stolen credentials, replayed session tokens or misused access grants. The ensuing breach may resemble legitimate user behavior because, from a system perspective, that is exactly what it is – “a legitimate user trying to sign in to carry out legitimate activities”.
This modern reality necessitates a rethinking of how cybersecurity leaders perceive risk.
The dissolution of the perimeter
As organizational workloads moved to the cloud, authentication became the key to accessing practically everything important: financial systems, collaboration platforms, customer data, intellectual property and administrative controls. Access is mediated less by network location than by identity assertions and authorization regulations, particularly in highly federated contexts. If an attacker successfully impersonates a trusted identity, many traditional safeguards offer minimal resistance with single sign-on systems that span several authentication planes.
Security programs that continue to prioritize perimeter resilience without making equal investments in identity integrity are effectively defending yesterday’s threat model and will get left behind. This is because there has been a shift from asking questions about if threat actors can reach a network to asking if they can steal, manipulate or abuse identities that the system typically trusts.
What modern day breaches actually exploit
Consistent themes emerge from an examination of contemporary breach patterns. Initial access often results from credential stuffing attacks that reuse previously exposed passwords, OAuth consent phishing that obtains application-level permissions, adversary-in-the-middle frameworks that intercept authentication flows, or phishing efforts that harvest credentials. In many cases these methods involve neither zero-day exploits nor sophisticated malware; they exploit weaknesses in how identities are verified and how sessions are managed.
Once in the environment, attackers use poorly monitored service accounts, excessive privileges or incorrectly configured role assignments to move laterally after authentication. Service accounts with broad permissions but little oversight create opportunities for persistence, and sessions can be replayed because session tokens are often not bound to device context.
Here, breaches occur as a result of manipulation of trust relationships ingrained in identity systems.
MFA limitations
An essential and significant advancement in enterprise security was made with the broad use of multi-factor authentication. The idea that multi-factor authentication (MFA) has definitively resolved identity compromise, however, is more a reflection of overconfidence than of reality.
In reality, the protection offered and the strength of authentication depend heavily on the MFA type and its implementation details. Push-based MFA can be manipulated through MFA fatigue tactics, in which repeated prompts pressure users into approving malicious requests. Adversary-in-the-middle kits proxy authentication flows in real time and capture session cookies after successful MFA validation; some recent phishing kits, such as Starkiller, serve live proxied pages rather than the static clones that are easily detected.
OAuth-based phishing circumvents password-centric safeguards altogether by convincing users to authorize an attacker-controlled application, and users can be socially engineered into granting that consent.
Privilege as the multiplier of damage
Initial access does not always result in disastrous consequences; what the compromised identity is permitted to do determines how serious a breach is. Regrettably, many businesses carry a large permission debt built up over years of convenience-driven choices. Some practices are typical in IT environments: broadly assigned privileged roles that are infrequently reviewed, temporary access granted for operational expediency that is never revoked, and service accounts that retain expansive rights without adequate monitoring, as mentioned above.
These practices create environments in which a single compromised credential can expose sensitive data, disrupt operations or enable financial fraud.
The principle of least privilege (POLP) is widely endorsed across the industry, yet it remains unevenly implemented in practice. Establishing just-in-time access models, enforcing approval-based privilege elevation and conducting continuous access reviews demand sustained coordination between security teams, IT operations and business stakeholders, which can be operationally complex and “politically” sensitive. However, without this discipline, a single compromised identity can carry far greater impact than necessary. Identity security therefore extends well beyond authentication mechanics and must be treated as a governance issue rooted in deliberate, consistently enforced privilege management.
Elevating identity monitoring to a core security function
With Extended Detection and Response (XDR) solutions, many companies have advanced their endpoint detection and network monitoring capabilities; yet identity-related telemetry frequently receives relatively less attention, and this disparity is becoming more and more difficult to defend.
Anomalous login behavior, impossible or atypical travel patterns, suspicious mailbox rules, unusual OAuth grants and rapid privilege escalations frequently provide early indicators of compromise. Understandably, organizations are focused on ransomware attacks, data exfiltration and leakages; however, these identity-based signals must be collected, correlated and acted upon with the same seriousness and deftness as malware detections. If thresholds are misconfigured or alerts are treated as secondary noise, identity-based attacks can persist undetected while appearing operationally normal.
Given that valid credentials are now central to many breach scenarios, identity logs should be treated as primary forensic evidence rather than supplementary context. Security operations centers that elevate identity monitoring to a strategic priority are better positioned to detect and contain misuse before it escalates.
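The signals listed above can be triaged from identity logs with fairly simple logic. The following is an added example, not code from the article or any vendor: it runs over a constructed set of sign-in and audit events (the field names and the scope and role strings are assumptions, not a real product schema) and flags impossible travel, a sensitive OAuth grant, and a privileged role assignment that follows a sign-in too quickly.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events (not real telemetry). "alice" shows the pattern the
# article describes: a sign-in from a second continent 40 minutes after the first,
# then a mail-access OAuth grant and an admin role assignment within minutes.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "type": "signin", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-05-01T08:40:00", "user": "alice", "type": "signin", "lat": 40.70, "lon": -74.00},
    {"ts": "2024-05-01T08:45:00", "user": "alice", "type": "oauth_grant",
     "app": "mail-sync", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-01T08:50:00", "user": "alice", "type": "role_assign", "role": "Global Administrator"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "type": "signin", "lat": 48.85, "lon": 2.35},
    {"ts": "2024-05-01T12:00:00", "user": "bob", "type": "signin", "lat": 50.85, "lon": 4.35},
]

MAX_KMH = 1000                      # faster than airline travel between two sign-ins is implausible
PRIV_ROLES = {"Global Administrator"}
SENSITIVE_SCOPES = {"Mail.ReadWrite", "offline_access"}
ESCALATION_WINDOW = timedelta(minutes=30)  # role grant this soon after a sign-in is worth a look

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def triage(events):
    """Return (user, finding) tuples for the identity signals worth escalating."""
    findings, last_signin = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "signin":
            prev = last_signin.get(user)
            if prev:
                hours = (ts - prev[0]).total_seconds() / 3600
                km = haversine_km(prev[1], (e["lat"], e["lon"]))
                if hours > 0 and km / hours > MAX_KMH:
                    findings.append((user, "impossible_travel"))
            last_signin[user] = (ts, (e["lat"], e["lon"]))
        elif e["type"] == "oauth_grant" and SENSITIVE_SCOPES & set(e["scopes"]):
            findings.append((user, "sensitive_oauth_grant"))
        elif e["type"] == "role_assign" and e["role"] in PRIV_ROLES:
            prev = last_signin.get(user)
            if prev and ts - prev[0] <= ESCALATION_WINDOW:
                findings.append((user, "rapid_privilege_escalation"))
    return findings

if __name__ == "__main__":
    for user, finding in triage(EVENTS):
        print(f"{user}: {finding}")
```

Correlating the three findings on one account within a short window is the point: individually each is noise-prone, together they are the identity-side footprint of a session or consent compromise.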
Realigning security investment around identity risk
The allocation of resources and executive supervision are affected when identity is identified as the main attack surface. Since they constitute the fundamental defensive architecture of a cloud-first enterprise, investments in more robust authentication techniques, hardware-backed credentials, conditional access policies that take contextual risk signals into account, and strict privilege management frameworks should not be seen as incremental enhancements.
The alignment of business procedures and security controls is equally significant. Identity compromise must be treated as a possibility in financial workflows, administrative approvals and vendor integrations. Processes designed with enforced verification, separation of duties and anomaly detection in mind further reduce the possibility that a single credential will cause disproportionate harm.
Conclusion
To conclude, where risk lies has been subtly reshaped by the development of enterprise IT and the use of cloud and hybrid environments. Decisions about authorization and authentication now have to be taken on a daily basis to safeguard the most important assets. When those choices are subject to manipulation or abuse, the repercussions affect not just individual accounts but spill over across the enterprise.
As discussed above, modern breaches more commonly exploit the trust that businesses have built into identity systems than rely on dramatic technical intrusions. Operationally, identity must be treated as the main attack surface, and companies that acknowledge this reality and design their environments accordingly will be better equipped to handle the current threat landscape, rather than the one they originally set out to protect against.
This article is published as part of the Foundry Expert Contributor Network.