Identifying and Remediating Identity Exploit Vectors: How Attackers Work Their Way Toward Your Information—And How to Stop Their Pursuit

Vic Tapia

June 3, 2025

Key Takeaways

  • Identity exploit vectors (IEVs) are common escalation pathways enabled by systemic issues and hidden weaknesses in organizations’ identity fabrics that allow attackers to routinely and consistently execute effective attacks.
  • IEVs frequently involve weak security controls on human or non-human identities, overprivileged accounts, system misconfigurations, and/or software vulnerabilities that grant access to attackers and make it possible for bad actors to move deeper into systems while avoiding detection.
  • Keys to remediating IEVs include comprehensive identity mapping, stricter access provisioning practices, and the development and application of appropriate privileged access management controls for all human and non-human privileged accounts.
  • Treating identity protection as a one-time project is one of the biggest mistakes companies make when trying to shut down IEVs. Defenses must be ongoing and continuously evolving to keep pace with the threat landscape.

The role of IEVs in the digital black market:

How bad actors get where they are going.

Identity exploit vectors are the escalation pathways bad actors use to gain unauthorized access to systems or data. According to IBM’s 2024 Cost of a Data Breach report, stolen or compromised credentials were the most common initial attack vector. Once attackers obtain a set of credentials (human or otherwise) through phishing, man-in-the-middle attacks, session hijacking, or some other method, they search for the gaps in the target’s identity ecosystem that let them use those credentials: weak authentication controls, federation misconfigurations, or other flaws that turn a stolen password into a working session.

At this point, attackers accelerate their efforts, looking for additional weaknesses and vulnerabilities that let them move deeper into systems. This is where companies pay a high price for lax security practices such as weak authentication controls, skipped patching and updates, and over-permissioning, all of which aid the bad actors already inside their environments. Unfortunately, the criminals often have plenty of time to find the weak points and move through undetected: the IBM report shows that breaches involving compromised credentials are not only the most common, they also last the longest, taking an average of 292 days (close to 10 months) to identify and contain.

Understanding Common IEVs:

Know the paths most traveled.

In most cases, IEVs are not one-off vulnerabilities within a specific company. Instead, they represent common systemic issues and hidden weaknesses in organizations’ identity fabric that attackers can routinely and consistently exploit across organizations. As a result, security attacks are more common—and more repeated—than many organizations realize.

Below are examples of some of the most common IEVs attackers are using today.  

Compromised Human Credentials:

In these scenarios, a criminal obtains login credentials through social engineering (phishing or similar means) and uses them to gain remote access to a company’s systems. If the company lacks dynamic access controls or authentication processes that react to anomalous behavior, such as a user logging in from an unknown location, from an unrecognized device, or at an odd time, the bad actor can simply walk in with a valid password. Depending on the permissions the particular account happens to have, the bad actor can then move around undetected, stealing customer or employee data or intellectual property that can be sold or ransomed. Attackers may even be able to reach operational technology systems and disrupt a company’s daily business operations.
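Detection logic of the kind described above, as an added example that is not part of the original article: a risk scorer over constructed sign-in events that flags an unknown location, an unrecognized device, an odd hour and a quick country change, then maps the score to allow, step-up MFA, or block. The user baseline, sample events, weights and thresholds are all constructed assumptions.

```python
"""Risk-based sign-in evaluation over constructed authentication events.

Added example, not code from the original article. Baseline, events,
weights and thresholds are assumptions; tune them against real history.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class UserProfile:
    """Baseline learned from prior successful sign-ins (constructed)."""
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    work_hours: tuple = (7, 20)   # [start, end) hour in UTC, assumption
    last_seen: tuple = None       # (country, datetime) of the last success


@dataclass
class SignIn:
    user: str
    country: str
    device_id: str
    at: datetime
    mfa_completed: bool = False


# Weights and thresholds are assumptions.
W_LOCATION, W_DEVICE, W_HOUR, W_TRAVEL = 40, 30, 20, 50
STEP_UP_AT, BLOCK_AT = 30, 70


def score_signin(profile, ev):
    """Return (risk score, reasons) for one sign-in against the baseline."""
    score, reasons = 0, []
    if ev.country not in profile.known_countries:
        score += W_LOCATION
        reasons.append(f"unknown location {ev.country}")
    if ev.device_id not in profile.known_devices:
        score += W_DEVICE
        reasons.append(f"unrecognized device {ev.device_id}")
    start, end = profile.work_hours
    if not start <= ev.at.hour < end:
        score += W_HOUR
        reasons.append(f"odd hour {ev.at:%H:%M} UTC")
    if profile.last_seen:
        prev_country, prev_at = profile.last_seen
        if prev_country != ev.country and ev.at - prev_at < timedelta(hours=2):
            score += W_TRAVEL
            reasons.append(f"{prev_country}->{ev.country} within 2h of last sign-in")
    return score, reasons


def decide(profile, ev):
    """Map the score to a decision. A valid password alone never unlocks a
    high-risk sign-in; a completed MFA challenge only clears medium risk."""
    score, _ = score_signin(profile, ev)
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT and not ev.mfa_completed:
        return "step_up_mfa"
    return "allow"


def evaluate(profile, events):
    return [decide(profile, ev) for ev in events]


# Constructed sample: one user, four sign-ins on 2025-06-03.
PROFILE = UserProfile(
    known_countries={"US"},
    known_devices={"laptop-7f3a"},
    last_seen=("US", datetime(2025, 6, 3, 14, 0, tzinfo=UTC)),
)
EVENTS = [
    SignIn("alice", "US", "laptop-7f3a", datetime(2025, 6, 3, 15, 0, tzinfo=UTC)),
    SignIn("alice", "US", "phone-0c2e", datetime(2025, 6, 3, 15, 30, tzinfo=UTC)),
    SignIn("alice", "RO", "win-4c1d", datetime(2025, 6, 3, 15, 10, tzinfo=UTC)),
    SignIn("alice", "US", "phone-0c2e", datetime(2025, 6, 3, 15, 30, tzinfo=UTC),
           mfa_completed=True),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.country, ev.device_id, score_signin(PROFILE, ev), decide(PROFILE, ev))
```

The third event is the shape of the VPN compromise the text goes on to describe: a correct password presented from a place, device and time the account has never used. With a static control it succeeds; with even this crude scoring it is blocked before any MFA prompt is issued.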

The Colonial Pipeline ransomware attack of 2021 provides a case in point. In this event, the DarkSide cybercriminal group exploited a compromised password for an inactive VPN account that lacked multi-factor authentication. The attackers gained access to the pipeline company’s business network, including billing systems and internal business files. Even though the attackers did not directly breach the operational systems controlling the flow of fuel, Colonial Pipeline paid the approximately $4.4 million ransom within hours of the attack. The company also elected to halt operations to contain the breach, leading to a six-day shutdown and widespread fuel shortages in the Eastern U.S. that disrupted air travel, incited panic buying, and prompted an emergency declaration from the Biden administration.

More recently, Change Healthcare, a subsidiary of UnitedHealth Group, fell victim to a ransomware group that used stolen credentials to access a portal that lacked multi-factor authentication. The 2024 breach compromised sensitive information, including health insurance member IDs, medical records, billing data, and personal identifiers like Social Security numbers, and it caused widespread disruption to healthcare billing and prescription systems across the U.S.

Exploited Non-Human Identities:

All companies maintain service accounts and API tokens that enable integrations between systems. These machine-to-machine non-human identities each have their own credentials and permissions. In the age of agentic AI, the number of non-human identities in any organization’s environment has grown sharply: it is becoming common for several separate AI agents to share work that one system administrator used to do. Each of these agents has an identity with underlying access, multiplying the number of vectors waiting to be exploited.

Criminals are well aware of the situation. They also know that companies often fail to protect non-human identities the way they safeguard human credentials. In many cases these identities, agentic AI identities in particular, carry privileged permissions, making them even more alluring to bad actors. Non-human credentials can also often be obtained through third parties, which may have weaker security practices than the target company.

For example, imagine a bad actor gains access to the credentials of an employee of a third-party cloud services provider. If this employee happens to be the admin of a system with a service account attached to it, and the service account has privileged permission to the target company’s cloud environment, then the criminal can easily gain access to the sensitive data and systems stored in the cloud without ever having to tap into the target company’s systems directly.

The 2021 Microsoft Exchange ProxyShell attacks offer a related real-world example, with one caveat: the entry point was a software vulnerability, not a stolen secret. Attackers chained three flaws (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) to bypass authentication, elevate privileges through the Exchange PowerShell backend, and execute code remotely. The chain let an unauthenticated attacker reach Exchange’s privileged backend services and act with their authority rather than with any human user’s, which is what ties it to non-human identity. Microsoft had patched the bugs in April and May 2021, but once the technique was presented publicly in August 2021, threat actors quickly began scanning for and exploiting servers that had not been updated. Many organizations were caught off guard, pointing to the critical need for timely patching and better Exchange server hygiene.

In another incident involving non-human identities, the October 2024 Cisco DevHub incident, a threat actor exploited a misconfiguration in Cisco’s public-facing DevHub portal that left sensitive files publicly downloadable. The leak reportedly totaled approximately 4.5 GB of data, including internal source code, API tokens, certificates, Docker images, cloud storage links, and documentation. Cisco promptly disabled the portal, investigated, and confirmed its internal systems were not compromised, but the exposed tokens and certificates still had to be treated as burned.

Federation Misconfigurations:

Anyone who has ever logged into a website, application, or service using their Google or Microsoft account has benefited from federated identity capabilities. The practice makes life much easier for users by linking identity across multiple systems or organizations, allowing for the use of a single set of credentials for access to all the linked systems.

However, federated identity also concentrates risk, especially between organizations that do not share the same security standards. Common misconfigurations, such as improper token validation (accepting a token without checking its signature, issuer, audience or expiry), overly broad trust relationships, or poor integration with SSO providers, can let attackers bypass login flows and/or elevate privileges to quickly gain unauthorized access to sensitive systems and information.
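The token-validation checks a relying party must perform, as an added example that is not code from the article or from any SSO vendor: a minimal HS256 JWT built with the Python standard library, the insecure “decode and trust” path beside a verify function that pins the algorithm and checks the signature, issuer, audience and expiry. The shared secret, issuer and audience strings and the fixed clock are assumptions; production SSO normally uses asymmetric signatures with IdP keys fetched from a JWKS endpoint, but the checks are the same.

```python
"""Federated token validation: 'decode' is not 'verify'.

Added example, not code from the original article or any IdP. HS256 with a
shared secret is used so the example runs offline; the secret, issuer,
audience and clock value are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"assumed-shared-secret-with-idp"   # assumption
EXPECTED_ISS = "https://idp.example.com"     # assumption
EXPECTED_AUD = "supplier-portal"             # assumption


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Build a token. alg='none' models a forged, unsigned token."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """The misconfiguration: read the claims and trust them as-is."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify(token: str, now: float = None) -> dict:
    """Hardened path: pinned alg, signature, issuer, audience, expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never let the token pick the alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:      # only the trusted IdP
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud:                # a token for app A is not valid at app B
        raise ValueError("token issued for a different audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("missing or past expiry")
    return claims


def check(token: str, now: float = None) -> str:
    """'accepted' or 'rejected: <reason>' for the hardened path."""
    try:
        verify(token, now)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"


NOW = 1_750_000_000  # fixed clock for reproducible results, assumption
BASE = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "supplier-42", "exp": NOW + 600}
GOOD = mint(BASE)
FORGED = mint({**BASE, "sub": "admin"}, alg="none")        # unsigned, claims admin
OTHER_APP = mint({**BASE, "aud": "hr-portal"})             # valid elsewhere, not here
STALE = mint({**BASE, "exp": NOW - 1})
_good_header, _, _good_sig = GOOD.split(".")
TAMPERED = f"{_good_header}.{FORGED.split('.')[1]}.{_good_sig}"  # admin claims, wrong sig

if __name__ == "__main__":
    print("unverified decode of forged token trusts sub =", decode_unverified(FORGED)["sub"])
    for name, tok in [("GOOD", GOOD), ("FORGED", FORGED), ("TAMPERED", TAMPERED),
                      ("OTHER_APP", OTHER_APP), ("STALE", STALE)]:
        print(name, check(tok, NOW))
```

`decode_unverified` is the bug behind “improper token validation”: it happily returns `sub = admin` from a token nobody signed. The audience check is the one most often skipped in overly broad trust setups, where any token the IdP ever issued, for any application, is accepted everywhere.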

In the case of Toyota’s Global Supplier Preparation Information Management System (GSPIMS), a misconfigured federated authentication integration allowed unauthorized access based solely on an email address, without requiring a password or multi-factor authentication. A security researcher discovered the issue and was able to impersonate any Toyota employee or supplier, including administrative accounts, by crafting a simple HTTP request. Once inside, the researcher could read and modify sensitive supplier and project data, including the names and contact details of thousands of users. Toyota addressed the issue by securing the API endpoints and tightening authentication, but the finding underscores the importance of configuring federated authentication correctly from the start and proactively considering every path to unauthorized access.

Secrets Vault Breaches:

Secrets vaults, such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and CyberArk, to name a few, hold the keys to the castle, including database usernames and passwords, API keys and access tokens, encryption keys, and certificates. Across organizations, various applications, scripts, and DevOps pipelines interact with the information stored in these vaults every day to authenticate with other systems or cloud services.

While secrets vaults are designed with security top of mind, the weak points are usually in how they are used rather than in the vault software itself. The most frequent issues are secrets hardcoded in source or configuration (bypassing the vault altogether), overly broad access policies, credentials that are never rotated, and poor audit logging. Attackers who find any of these gaps can reach the information they need to open the gates to nearly everything stored within an organization’s systems.
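Three of the issues above made checkable, as an added example that is not code from the article or from any vault vendor: a scan of constructed source lines for literal secrets that bypass the vault, and an audit of constructed vault metadata for entries past their rotation age and policies that reach them by wildcard. The regexes, field names, sample paths, the `vault.read` call in the sample and the 90-day window are assumptions.

```python
"""Secrets hygiene audit: hardcoded secrets, stale rotation, wildcard grants.

Added example, not code from the original article or any vault product.
Sample source, vault metadata, policies, patterns and thresholds are
constructed assumptions.
"""
import fnmatch
import re
from datetime import date

# Constructed source lines: two hardcoded secrets, one proper vault lookup.
SOURCE = """\
db_host = "db.internal"
db_password = "S3cr3t-Pr0d-Passw0rd!"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_token = vault.read("secret/billing/api-token")
""".splitlines()

# Illustrative patterns; real scanners carry many more plus an entropy check.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("secret_literal", re.compile(
        r"(?i)\b\w*(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]


def find_hardcoded(lines):
    """Return (line number, pattern name) for each line holding a literal secret."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name, rx in PATTERNS:
            if rx.search(line):
                hits.append((lineno, name))
                break
    return hits


# Constructed vault metadata and policies (HashiCorp-style paths, assumption).
VAULT_ENTRIES = [
    {"path": "secret/billing/db", "rotated": "2025-05-20"},
    {"path": "secret/billing/api-token", "rotated": "2025-04-01"},
    {"path": "secret/ci/deploy-key", "rotated": "2023-01-10"},
]
POLICIES = {
    "billing-app": ["secret/billing/db", "secret/billing/api-token"],
    "ci-runner": ["secret/*"],   # wildcard: one leaked CI token reaches every secret
}


def audit_vault(entries, policies, today, max_age_days=90):
    """Flag entries past rotation age and policies that reach them by wildcard."""
    findings = []
    for entry in entries:
        age = (today - date.fromisoformat(entry["rotated"])).days
        if age > max_age_days:
            findings.append((entry["path"], f"not rotated for {age} days"))
        for name, globs in policies.items():
            for g in globs:
                # fnmatch '*' crosses '/' so 'secret/*' covers the whole tree
                if "*" in g and fnmatch.fnmatchcase(entry["path"], g):
                    findings.append((entry["path"], f"reachable via wildcard in policy {name}"))
    return findings


TODAY = date(2025, 6, 3)   # fixed date for reproducible output, assumption

if __name__ == "__main__":
    for lineno, name in find_hardcoded(SOURCE):
        print(f"line {lineno}: {name}: {SOURCE[lineno - 1]}")
    for path, msg in audit_vault(VAULT_ENTRIES, POLICIES, TODAY):
        print(f"{path}: {msg}")
```

The source scan and the vault audit answer different questions: the first finds material that never reached the vault, the second finds vault entries that are effectively unprotected because any holder of the `ci-runner` policy can read them and because one of them has not changed in over two years.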

The 2022 LastPass breach is the perfect example of what can go wrong around a secrets vault. Attackers exploited a vulnerability in a third-party media software package on a DevOps engineer’s home computer to install keylogger malware, captured the engineer’s master password, and with it gained access to the engineer’s corporate LastPass vault. From there they exported sensitive data, including decryption keys for cloud storage, which they used to access and exfiltrate backups of encrypted customer vault data. Encrypted vault fields remain protected only by each customer’s master password, and unencrypted fields such as website URLs were exposed outright, so the breach could aid future phishing and offline password-cracking attempts. In the aftermath, in addition to enhancing its own security measures, LastPass advised users to change their master passwords and evaluate the strength of their stored passwords.

IEV remediation strategies:

Put up roadblocks with identity best practices.

In many ways, identity exploit vectors are simpler today than they have ever been and thus easier for bad actors to exploit. In large part, this is because legitimate users expect to be able to access resources from anywhere, and most of us don’t like our work being slowed down by added security measures. As a result, attackers with limited expertise and know-how can (and do) successfully traverse IEVs and walk away with valuable data and assets virtually every day, leaving companies scrambling to recover.

Paradoxically, wherever identity is exploited as a vulnerability, better and consistent identity practices are also the best solution. Organizations can start with these three key best practices that will help close entry points and make it more difficult to access sensitive information and systems.

  1. Conduct identity mapping. First, organizations need to get a handle on all the types of identities that exist within their environment. While most organizations can fairly easily map human identities, non-human identities are trickier and take some discovery work. Human or non-human, every identity must ultimately be mapped back to a living and breathing owner. For each identity, best practice includes documenting the person who initially deployed the identity, the identity’s purpose, and the responsible (human) party. Mapping identities and keeping the map up to date helps organizations find and eliminate orphaned or shadow identities and gives them a clearer picture of exactly who and what can access their systems and data.
  2. Employ least privileged model and dynamic vs. static access. Once an organization has an accurate map of identities, it’s time to check the permissions for each identity. Ideally, companies will routinely limit permissions to only those exact permissions needed for the person or non-human agent to do its job, for only the necessary amount of time. As job roles evolve, permissions can be dynamically added through a structured request and approval process. In the same way, permissions should be removed once the need for access expires, eliminating ongoing static access and helping to limit the potential for expansion and damage should a breach occur. Implementing stricter provisioning processes when setting up new identities and intermittently evaluating and cleaning up access for existing identities are relatively simple steps organizations can take to dramatically improve security. The goal is always to strike the ideal balance between enabling legitimate work and preventing potentially devastating breaches.
  3. Classify and protect identities with appropriate controls. The identity mapping and access provisioning processes allow companies to easily group identities into different classifications and distinguish regular access from privileged access accounts. Again, non-human identities are a common weak link for companies in this area. AI agents in particular often have privileged permissions, but companies may not yet be thinking about them in this way. Categorizing all accounts—human and non-human—allows companies to establish and enforce the appropriate control sets and safeguards, based on assigned classifications, to all identities. Organizations that already have a mature security posture and robust controls for their privileged human accounts simply need to define processes for applying those same controls to their non-human identities. Other organizations may have some additional upfront work to develop appropriate privileged access management controls for all their privileged access accounts.
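The three practices above run as one review over a constructed identity inventory, as an added example that is not the article’s code: each identity is checked for a responsible owner, for expired or stale access, and for privileged permissions held without PAM controls or without an expiry. Field names, permission strings, the privileged-permission set and the 90-day staleness window are assumptions.

```python
"""Identity inventory review: ownership, time-bound access, privileged controls.

Added example, not code from the original article. Inventory fields,
permission strings, the privileged set and thresholds are assumptions.
"""
from datetime import date

# Permissions that make an identity 'privileged' (assumption).
PRIVILEGED_PERMS = {"admin", "iam:*", "secrets:read:*"}

# Constructed inventory: humans, service accounts and an AI agent.
INVENTORY = [
    {"id": "alice", "kind": "human", "owner": "alice", "perms": {"repo:read"},
     "expires": None, "pam": False, "last_used": "2025-06-01"},
    {"id": "svc-billing", "kind": "service", "owner": "bob", "perms": {"db:read:billing"},
     "expires": "2025-12-31", "pam": False, "last_used": "2025-06-02"},
    {"id": "svc-legacy-sync", "kind": "service", "owner": None, "perms": {"admin"},
     "expires": None, "pam": False, "last_used": "2024-02-11"},
    {"id": "agent-ops-1", "kind": "ai_agent", "owner": "carol", "perms": {"iam:*"},
     "expires": "2025-06-30", "pam": False, "last_used": "2025-06-03"},
    {"id": "contractor-dan", "kind": "human", "owner": "erin", "perms": {"repo:write"},
     "expires": "2025-03-31", "pam": False, "last_used": "2025-05-30"},
]


def classify(identity):
    """Step 3: privileged if any permission is in the privileged set."""
    return "privileged" if identity["perms"] & PRIVILEGED_PERMS else "standard"


def review(inventory, today, stale_days=90):
    """Return (identity id, finding) pairs for the three practices."""
    findings = []
    for ident in inventory:
        tier = classify(ident)
        # Step 1: every identity maps back to a responsible human.
        if ident["owner"] is None:
            findings.append((ident["id"], "orphaned: no responsible owner"))
        # Step 2: access is time-bound and actually used.
        if ident["expires"] and date.fromisoformat(ident["expires"]) < today:
            findings.append((ident["id"], "access expired but still active"))
        if (today - date.fromisoformat(ident["last_used"])).days > stale_days:
            findings.append((ident["id"], f"unused for more than {stale_days} days"))
        # Step 3: privileged identities, human or not, get PAM controls and an expiry.
        if tier == "privileged":
            if not ident["pam"]:
                findings.append((ident["id"], f"privileged {ident['kind']} without PAM controls"))
            if ident["expires"] is None:
                findings.append((ident["id"], "standing privileged access; make it time-bound"))
    return findings


def worst_first(inventory, today):
    """Identity ids ordered by number of findings, most findings first."""
    counts = {}
    for ident_id, _ in review(inventory, today):
        counts[ident_id] = counts.get(ident_id, 0) + 1
    return sorted(counts, key=lambda k: (-counts[k], k))


TODAY = date(2025, 6, 3)   # fixed date for reproducible output, assumption

if __name__ == "__main__":
    for ident_id, msg in review(INVENTORY, TODAY):
        print(f"{ident_id}: {msg}")
    print("triage order:", worst_first(INVENTORY, TODAY))
```

The orphaned, unused, standing-admin service account is the archetypal non-human IEV: nobody owns it, nobody would notice it being used, and it has no expiry. The AI agent surfaces for the reason the text gives: it already holds privileged permissions but has not been brought under the same PAM controls as a human administrator.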

The importance of a dynamic and comprehensive approach:

Identity security and access management are never one-and-done endeavors.

One of the biggest mistakes companies can make when working to improve identity protection and remediate identity exploit vectors is to believe the work is a one-time effort and thus adopt a static approach to a dynamic problem. Bad actors are always reinventing attack styles and finding new ways through defenses and into systems and databases. Companies must remain vigilant about continuously monitoring and auditing the threat landscape, and at the same time continuously improve their own security posture and strategies. By taking a comprehensive approach in which multiple identity strategies work together to cover more ground and reduce the number and size of holes in the net, companies can stay proactive about securing their environments and assets, and consistently put up their best defense against the ever-evolving reality of identity credential theft.

Ready to Unlock the Full Promise of Identity?

Few cybersecurity firms are wholly focused on identity, providing strategic advisory, implementation, and 24x7 monitoring and support. Discover the difference with BeyondID — your success story starts here.
