Your Identity May Be Weaker Than You Think

Recently, Unit 42, the threat intelligence and incident response arm of Palo Alto Networks, released a report detailing an investigation of approximately 750 breaches between 2024 and 2025.

Their findings indicate that "identity weaknesses" were present in about 89% of investigated cases. Additionally, in 65% of these cases, attackers gained initial access with compromised credentials rather than through other means such as exploiting software weaknesses.

Another striking aspect of the report's findings is that attackers are moving quicker than ever, often with AI assistance. Unfortunately, AI can compress the attack lifecycle in several ways. In many cases, attackers were able to progress from deployment to meaningful impact in a matter of hours. The fastest 25% of breaches in 2025 reached exfiltration in about 72 minutes, down from 285 minutes in the previous year.

(Figure: Source: Palo Alto Networks)

The findings in this report indicate that modern intrusions are built around speed, automation, and authentication: they take advantage of weak identity controls, misconfigured privileges, or trusted relationships already present in an environment instead of relying on avenues like zero-day exploits or sophisticated malware.

If "identity weakness" plays a role in the majority of recent cyberattacks, then it is important to understand exactly what this weakness entails.

We can begin with a very common pattern indicating an identity weakness: stolen credentials. As mentioned above, 65% of the cases in Unit 42's report began with stolen credentials. This is a desirable position for an attacker, since logging in to a system with valid credentials bypasses other potentially laborious or noisy techniques. Phishing and MFA bypass are two common starting points for compromising credentials. We can see in the chart below that many of the cases investigated for this report involved the use of valid accounts.

(Figure: Source: Palo Alto Networks)

Another aspect of identity management worth looking into is over-permissioned accounts. That is to say, users and even admins sometimes have more access than they require. Unit 42 found that 99% of cloud users, roles, and services had excessive permissions. Gaining access to over-permissioned accounts could allow attackers to move deeper into systems. Machine-linked accounts, like API keys or other types of service accounts, can be poorly monitored relative to other accounts, which means that attackers who gain access to them could potentially have quieter, longer-term access to resources.

Lastly, it is also important to monitor for old accounts, like those that might belong to former employees, and otherwise inactive accounts, such as those belonging to dormant third-party vendors.

Ultimately, exploiting any kind of identity weakness allows attackers to enter and spread throughout an environment without the need for malware or unpatched exploits.

Perhaps the primary takeaway from Unit 42's findings is that "identity" is becoming the primary attack surface, particularly in enterprise environments. In a certain sense, a compromised identity hands the keys to an infrastructure over to an attacker. Even though this report shows that most breaches now stem from compromised or mismanaged identities, traditional security strategies remain focused on patching vulnerabilities and detecting malware.

With all of this in mind, it is important to prioritize identity hygiene as a core security practice. That is to say, it could be useful to re-evaluate legacy authentication methods and incorporate modern techniques like phishing-resistant authentication, such as hardware-backed MFA or FIDO2. Of course, moving to this sort of implementation comes with its own set of problems, like determining which systems may or may not support this kind of authentication, or dealing with the impracticality of deploying it to a large number of users at once.

It is also important to perform regular privilege reviews on user accounts and to ensure that machine identities are held to the same standards as any other account.
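As an added illustration (not from the Unit 42 report or this article), the identity hygiene checks discussed above can be expressed as a small review over an account inventory: former-employee accounts still enabled, dormant accounts, granted-but-unused permissions, service accounts with no owner, and human accounts without phishing-resistant MFA. The record fields, thresholds, and sample accounts are assumptions constructed for the example.

```python
from datetime import date, timedelta

REVIEW_DATE = date(2025, 10, 1)        # assumed date on which the review runs
DORMANT_AFTER = timedelta(days=90)     # assumed inactivity threshold
PHISHING_RESISTANT = {"fido2", "piv"}  # MFA methods treated as phishing-resistant

# Constructed sample inventory (not real accounts or permissions).
ACCOUNTS = [
    {"id": "alice", "kind": "human", "enabled": True, "employed": True,
     "owner": "alice", "last_login": date(2025, 9, 30), "mfa": "fido2",
     "granted": {"s3:Read", "s3:Write"}, "used": {"s3:Read", "s3:Write"}},
    {"id": "bob", "kind": "human", "enabled": True, "employed": False,
     "owner": "bob", "last_login": date(2025, 6, 1), "mfa": "sms",
     "granted": {"iam:ListUsers", "iam:CreateUser"}, "used": {"iam:ListUsers"}},
    {"id": "vendor-svc", "kind": "service", "enabled": True, "employed": None,
     "owner": None, "last_login": date(2025, 3, 15), "mfa": None,
     "granted": {"ec2:Describe", "s3:Read"}, "used": set()},
    {"id": "ci-deploy", "kind": "service", "enabled": True, "employed": None,
     "owner": "platform-team", "last_login": date(2025, 9, 29), "mfa": None,
     "granted": {"ecr:Push", "ecs:Update", "iam:PassRole"},
     "used": {"ecr:Push", "ecs:Update"}},
]


def review_account(acct, today=REVIEW_DATE):
    """Return the finding codes for one account record (empty list if clean)."""
    findings = []
    if acct["kind"] == "human" and acct["employed"] is False and acct["enabled"]:
        findings.append("former-employee-still-enabled")
    if acct["enabled"] and today - acct["last_login"] > DORMANT_AFTER:
        findings.append("dormant")
    # Granted-but-unused permissions are the excess the article describes.
    unused = acct["granted"] - acct["used"]
    if unused:
        findings.append("excess-permissions:" + ",".join(sorted(unused)))
    # Machine identities held to the same standard: every one needs an owner.
    if acct["kind"] == "service" and not acct["owner"]:
        findings.append("service-account-without-owner")
    if acct["kind"] == "human" and acct["mfa"] not in PHISHING_RESISTANT:
        findings.append("mfa-not-phishing-resistant")
    return findings


def review_inventory(accounts=ACCOUNTS, today=REVIEW_DATE):
    """Map account id -> findings, omitting accounts with no findings."""
    report = {}
    for acct in accounts:
        found = review_account(acct, today)
        if found:
            report[acct["id"]] = found
    return report
```

Running `review_inventory()` on the constructed inventory flags bob, vendor-svc and ci-deploy while alice is clean; in practice the inventory would be exported from the identity provider and cloud IAM, and "used" permissions from access logs.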


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


