Single Compromised Credential: The Domino Effect on Enterprise Security
Identity-Based Attacks: A Growing Concern in Modern Intrusions
A single compromised credential can be all an attacker needs to gain a foothold in an organization’s systems, move laterally, and exploit further weaknesses from the inside. This pattern recurs across the more than 750 incident response engagements analyzed in a recent report.
Identity-Based Techniques: The Leading Attack Vector
The report highlights the dominant role of identity-based attacks in modern intrusions. In nearly 90% of cases, identity weaknesses played a material role in the investigation, with initial access often gained through phishing, stolen credentials, brute force attempts, or insider activity. Identity-based techniques were used in 65% of cases to gain initial access, making it the leading attack vector.
Sam Rubin, a senior security expert, notes that attackers are exploiting a range of identity security weaknesses, including excessive permissions, missing multi-factor authentication (MFA), and default or reused passwords. He also points out that identity and access management (IAM) misconfigurations, unmanaged OAuth grants, and unmonitored local identities are common weaknesses that attackers target.
Top Initial Access Vectors
Phishing and vulnerability exploitation were tied as the top initial access vectors, each accounting for 22% of cases. Credential misuse and brute force attempts remained significant, with previously compromised credentials used in 13% of cases and brute force attempts used in 8%. Social engineering tactics beyond phishing continued to grow, reaching 11% of cases.
The Changing Nature of Enterprise Environments
The increasing dominance of identity attacks reflects the changing nature of enterprise environments, which have become more complex and sprawling. The rapid expansion of software-as-a-service (SaaS) adoption, cloud infrastructure, and machine identities has created new opportunities for attackers to gain access through legitimate pathways such as valid credentials and sanctioned integrations, rather than through an exploit.
According to Rubin, the growing use of SaaS applications and cloud infrastructure has created a “massive, unmanaged shadow estate” of identities that are not being properly monitored or managed. This has led to a situation where 99% of cloud users, roles, and services have excessive permissions, creating predictable escalation paths for attackers.
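The "excessive permissions" finding above is something a practitioner can measure rather than estimate. The following is an added example, not code from the report or the article: a least-privilege gap analysis that compares what a policy grants against the actions an identity was actually observed using, with AWS-style `service:Action` names. The policy, the activity sample and the role name are constructed; the list of escalation actions is a short, illustrative subset. The same approach applies to any policy language that uses wildcard action patterns.

```python
"""
Added example, not code from the report or the article: find excessive IAM
permissions by comparing granted action patterns against observed activity.
All inputs below are constructed sample data.
"""
from fnmatch import fnmatchcase

# Constructed policy for a hypothetical CI deployment role. The two wildcard
# grants are the "excessive permissions" pattern the report describes.
GRANTED = ["s3:GetObject", "s3:*", "iam:*", "ec2:DescribeInstances"]

# Constructed activity over an observation window, normalised to the same
# "service:Action" form (in AWS this would be derived from CloudTrail's
# eventSource and eventName fields). Repeats are deliberate: real logs have many.
OBSERVED = [
    "s3:GetObject", "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:DescribeInstances",
]

# Illustrative subset of actions that let an identity grant itself more access.
# Any pattern covering one of these is an escalation path whether or not it was used.
ESCALATION_ACTIONS = [
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole", "iam:CreateAccessKey",
]


def covers(pattern, action):
    """True if a granted pattern matches an action.

    The comparison is case-insensitive so that casing differences between
    logged names and policy text do not produce false 'unused' findings;
    '*' matches any run of characters, including the service separator."""
    return fnmatchcase(action.lower(), pattern.lower())


def usage_by_grant(granted, observed):
    """Map each granted pattern to the set of distinct observed actions it covered."""
    return {p: {a for a in observed if covers(p, a)} for p in granted}


def tighten(granted, observed):
    """Return (unused_patterns, minimal_actions).

    Patterns that matched nothing are candidates for removal. Patterns that
    did match are replaced by the exact actions seen, so 's3:*' becomes the
    three S3 calls the role really made during the window."""
    usage = usage_by_grant(granted, observed)
    unused = sorted(p for p, seen in usage.items() if not seen)
    minimal = sorted({a for seen in usage.values() for a in seen})
    return unused, minimal


def escalation_paths(granted):
    """Granted patterns that cover at least one permission-changing action."""
    return sorted({p for p in granted if any(covers(p, a) for a in ESCALATION_ACTIONS)})


if __name__ == "__main__":
    unused, minimal = tighten(GRANTED, OBSERVED)
    print("remove (never used):", unused)
    print("replace wildcards with:", minimal)
    print("escalation paths to cut regardless of use:", escalation_paths(GRANTED))
```

Two cautions when running this against real logs: the observation window has to be long enough to cover infrequent jobs (a quarterly batch job looks "unused" in a 30-day window), and the escalation check is deliberately independent of usage, because an unused `iam:*` is still the predictable escalation path the report warns about.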
Browser-Based Activity and AI-Enabled Attacks
Browser-based activity played a significant role in 48% of investigations, with many attacks beginning with users visiting malicious websites or clicking on spoofed links. In some cases, attackers used search engine optimization (SEO) poisoning to redirect users to malicious sites.
The report also notes that attackers are using artificial intelligence (AI) to accelerate intrusion timelines: to speed up reconnaissance, write social engineering messages, and generate scripts used during ransomware deployment. The result is a shrinking window for defenders. In the fastest 25% of intrusions, attackers reached data exfiltration within 72 minutes.
Supply Chain Risk and Open Source Dependency Sprawl
Supply chain risk continues to be a significant concern, with SaaS integrations, remote management tools, and vendor platforms providing paths for downstream compromise. OAuth apps and API integrations often hold broad permissions that remain active even after employees leave or workflows change, creating hidden access paths that many organizations fail to monitor.
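The "unmanaged OAuth grants" Rubin mentions and the grants that outlive their owner described here are both found with the same audit. The following is an added example, not code from the report or the article: it triages a grant inventory by owner status, scope breadth and idle time, and turns the result into a revocation plan. The grants, the user directory, the scope list and the field names are constructed and hypothetical; in practice the inventory comes from the identity provider's consent or token listing API.

```python
"""
Added example, not code from the report or the article: audit OAuth grants
for inactive owners, broad scopes and long idle periods. All data below is
constructed sample data with hypothetical field names.
"""
from datetime import date

# Constructed OAuth grant inventory (one entry per app/user consent).
GRANTS = [
    {"app": "Calendar Sync",  "user": "alice", "scopes": ["calendar.readonly"],              "last_used": "2025-01-10"},
    {"app": "Sales Exporter", "user": "bob",   "scopes": ["drive.readwrite", "mail.readonly"], "last_used": "2024-03-02"},
    {"app": "Ticket Bot",     "user": "carol", "scopes": ["mail.readwrite", "offline_access"], "last_used": "2025-01-12"},
    {"app": "Old Backup",     "user": "dave",  "scopes": ["drive.readwrite"],                 "last_used": "2023-11-20"},
    {"app": "Legacy Report",  "user": "erin",  "scopes": ["calendar.readonly"],              "last_used": "2024-06-01"},
]

# Constructed directory snapshot: account status at audit time.
USERS = {"alice": "active", "bob": "deactivated", "carol": "active",
         "dave": "deactivated", "erin": "active"}

# Scopes treated as broad: read/write over mail or files, or a refresh-token
# scope that keeps the grant alive without the user present. Tune per provider.
BROAD_SCOPES = {"drive.readwrite", "mail.readonly", "mail.readwrite",
                "offline_access", "directory.readwrite"}


def audit_grants(grants, users, today, stale_days=90):
    """Score every grant and return the risky ones, highest score first.

    today is an ISO date string so the audit is reproducible. Scoring:
    inactive or unknown owner 10, each broad scope 3, idle beyond
    stale_days 2. A grant with no findings is omitted."""
    as_of = date.fromisoformat(today)
    findings = []
    for g in grants:
        owner_inactive = users.get(g["user"]) != "active"
        broad = [s for s in g["scopes"] if s in BROAD_SCOPES]
        idle_days = (as_of - date.fromisoformat(g["last_used"])).days
        reasons, score = [], 0
        if owner_inactive:
            reasons.append("owner deactivated or unknown")
            score += 10
        for s in broad:
            reasons.append(f"broad scope: {s}")
            score += 3
        if idle_days > stale_days:
            reasons.append(f"unused for {idle_days} days")
            score += 2
        if reasons:
            findings.append({"app": g["app"], "user": g["user"], "score": score,
                             "owner_inactive": owner_inactive, "broad": broad,
                             "idle_days": idle_days, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["app"]))
    return findings


def revocation_plan(findings):
    """Group findings by the action an admin should take.

    revoke: the owner is gone, so nobody is accountable for the access.
    narrow: the owner is active but the app holds more scope than it needs.
    review: only idle; confirm with the owner before removing."""
    plan = {"revoke": [], "narrow": [], "review": []}
    for f in findings:
        if f["owner_inactive"]:
            plan["revoke"].append(f["app"])
        elif f["broad"]:
            plan["narrow"].append(f["app"])
        else:
            plan["review"].append(f["app"])
    return plan


if __name__ == "__main__":
    report = audit_grants(GRANTS, USERS, "2025-02-01")
    for f in report:
        print(f"{f['score']:>3}  {f['app']:<15} {f['user']:<6} " + "; ".join(f["reasons"]))
    print(revocation_plan(report))
```

The point of splitting the plan three ways is that an offboarded user's grant needs no discussion, while a live integration with `offline_access` and write scopes needs the workflow owner to confirm what it actually requires; treating both as the same ticket is how these reviews stall.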
The report also notes that open source dependency sprawl continues to increase risk in build pipelines, with more than 60% of vulnerabilities in cloud-native applications residing in transitive dependencies. Attackers have also injected malicious code into upstream packages so that it executes during installation (for example through a package's install-time scripts), giving them code execution in build environments before anything is deployed.
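Both risks in the paragraph above, transitive dependencies and install-time code, can be surfaced from the lockfile before anything is installed. The following is an added example, not code from the report or the article: it reads an npm `package-lock.json` (lockfile v2/v3), lists every package that runs scripts at install time, separates direct from transitive dependencies, and reports the dependency chain that pulled each one in. The lockfile and the package names in it are constructed and hypothetical; `hasInstallScript` is the real field npm writes for packages with preinstall, install or postinstall scripts.

```python
"""
Added example, not code from the report or the article: scan an npm
package-lock.json for install-time scripts in transitive dependencies.
SAMPLE_LOCK is constructed; its package names are hypothetical.
"""
import json

SAMPLE_LOCK = json.loads(r'''
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app",
         "dependencies": {"web-framework": "^2.0.0"},
         "devDependencies": {"build-helper": "^1.0.0"}},
    "node_modules/web-framework": {"version": "2.1.0",
         "dependencies": {"fast-parser": "^1.0.0", "tiny-util": "^2.0.0"}},
    "node_modules/web-framework/node_modules/tiny-util": {"version": "2.9.0"},
    "node_modules/fast-parser": {"version": "1.4.2", "hasInstallScript": true,
         "dependencies": {"native-bindings": "^0.3.0"}},
    "node_modules/native-bindings": {"version": "0.3.1", "hasInstallScript": true},
    "node_modules/tiny-util": {"version": "3.0.0"},
    "node_modules/build-helper": {"version": "1.0.0", "dev": true,
         "hasInstallScript": true, "dependencies": {"tiny-util": "^3.0.0"}}
  }
}
''')


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their scope)."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve(lock, from_path, name):
    """Mimic Node's lookup: try from_path's own node_modules, then each
    ancestor's, ending at the project root. Returns the lockfile path or None."""
    base = from_path
    while True:
        candidate = (base + "/" if base else "") + "node_modules/" + name
        if candidate in lock["packages"]:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_chains(lock):
    """For every installed package path, the chain of names from the root
    that first pulled it in (breadth-first, like `npm explain`)."""
    pkgs = lock["packages"]
    chains = {"": [pkgs[""].get("name", "")]}
    queue = [""]
    while queue:
        path = queue.pop(0)
        entry = pkgs[path]
        deps = dict(entry.get("dependencies", {}))
        if path == "":
            deps.update(entry.get("devDependencies", {}))
        for name in deps:
            target = resolve(lock, path, name)
            if target is not None and target not in chains:
                chains[target] = chains[path] + [name]
                queue.append(target)
    return chains


def find_install_scripts(lock):
    """Packages that run code at install time, with how they got there."""
    pkgs = lock["packages"]
    direct = set(pkgs[""].get("dependencies", {})) | set(pkgs[""].get("devDependencies", {}))
    chains = dependency_chains(lock)
    findings = []
    for path, entry in pkgs.items():
        if path and entry.get("hasInstallScript"):
            name = package_name(path)
            findings.append({"name": name, "version": entry.get("version"), "path": path,
                             "direct": name in direct, "dev": bool(entry.get("dev")),
                             "chain": chains.get(path, [])})
    return sorted(findings, key=lambda f: f["name"])


def summarize(lock):
    """Headline counts: how much of the tree is transitive, and how much of
    the install-time code comes from packages nobody chose directly."""
    pkgs = lock["packages"]
    direct = set(pkgs[""].get("dependencies", {})) | set(pkgs[""].get("devDependencies", {}))
    installed = [p for p in pkgs if p]
    transitive = [p for p in installed if package_name(p) not in direct]
    scripted = find_install_scripts(lock)
    return {"packages": len(installed), "direct": len(installed) - len(transitive),
            "transitive": len(transitive), "with_install_script": len(scripted),
            "transitive_with_install_script": sum(1 for f in scripted if not f["direct"])}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOCK))
    for f in find_install_scripts(SAMPLE_LOCK):
        print(f"{f['name']}@{f['version']}  via " + " > ".join(f["chain"]))
```

A scan like this only tells you where install-time code can run; the control that stops it from running in CI is `npm ci --ignore-scripts`, with any genuinely needed native builds enabled explicitly for the named package. The Python equivalent is to install from wheels only (`pip install --only-binary :all:`), since a source distribution's `setup.py` executes at install time in the same way.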
Extortion Tactics and Ransom Demands
Extortion tactics are shifting. Encryption appeared in 78% of extortion incidents, down from more than 90% in prior years, while data theft held steady, appearing in more than half of cases year over year. Median ransom demands rose from $1.25 million to $1.5 million, and median payments rose from $267,500 to $500,000. Organizations that negotiated achieved a median reduction of 61% between the initial demand and the final payment.
