From Hacking

to Infiltration

Identity and Access Management (IAM) gets critical for cyber security



Download IAM Guidelines


IAMs crucial stand against escalating identity-based attacks

In the dynamic realm of cybersecurity, criminals constantly shift their focus to ensure more efficient attacks. This perpetual evolution underscores the urgent need for a comprehensive, multi-layered security strategy. In today’s defense paradigm, Identity and access management (IAM) is one of the critical aspects that rapidly moves into the spotlight.

IAM forms the cornerstone of digital interactions within the organization as well as with customers and partners by defining digital experiences, facilitating seamless interaction, transactions, and navigation in the online realm.

At the same time, IAM’s security role is to safeguard that only authorized persons are granted access to relevant resources in strict accordance with the specified eligibility requirements, purposes, devices and context. From device logins to financial transactions, the secure management of identities is paramount for both individual users and entire organizations in mitigating cyber threats. Regrettably, malicious actors are also well aware of this fact.





The trend

Cyber criminals are shifting their focus from hacking to legitimately logging into accounts

In its 2024 X-Force Threat Intelligence Index, IBM reports a 71% spike in cyberattacks resulting from identity fraud. "Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimize the tactic." says Charles Henderson, Global Managing Partner, IBM Consulting, and Head of IBM X-Force. In 2023, cybercriminals found their ways into corporate networks more often by logging into valid accounts than with traditional hacking methods, IBM reports.
Over the past year, IBM furthermore observed a 266% surge in infostealing malware designed to grab personal details like logins and banking information. These stolen credentials, readily available on darknet, provide attackers with pre-authorized access, making breaches harder to detect and more expensive to resolve. This vulnerability poses a huge challenge to IAM, as detecting unauthorized access via legitimate accounts proves more intricate and costs security teams about 200% more resources, as per IBM.
On a positive note, organizations seem to have already recognized identity theft as an escalating attack vector. According to a Gartner report, more and more companies are prioritizing IAM and adopting an “identity-first” approach to strengthen their defenses. However, to ensure IAM capabilities are best positioned to support the breadth of the overall security program, Gartner recommends reinforcing fundamental security practices while leveraging advanced identity threat detection and response.


Download DIGITALLs "Guidelines for building a resilient IAM"

This step-by-step guide, developed by our Cyber Security experts, outlines how to build a robust and resilient Identity Access Management (IAM) strategy designed to safeguard against identity-based attacks.

Download IAM Guidelines

THE mechanics

How cybercriminals use stolen identities to navigate corporate infrastructure


With the escalation of identity-based attacks, security managers face the need to re-evaluate their IAM strategy and strengthen access policies and protection mechanisms. Understanding how hackers exploit stolen identities to infiltrate organizations is therefore crucial for building a resilient IAM. The following section details the modus operandi and typical pathways used by attackers.
  1. Credential theft, often via phishing: The heist begins most often with phishing campaigns. Hackers craft emails or messages mimicking legitimate sources, implanting harmful links and attachments or tricking users into entering login details on fake websites. Malware like keyloggers might also be deployed to steal credentials directly from user devices. With these stolen logins, attackers circumvent security protocols and gain unauthorized access to enter company systems, pilfer sensitive data, or execute additional attacks.

  2. Elevated access and control of further accounts: Once initial access is gained, hackers escalate their privileges. This might involve exploiting vulnerabilities, using stolen credentials to access other accounts (due to password reuse), executing commands, or tricking users into granting them more access (social engineering). The goal is to reach administrative accounts or servers for broader control. A strong IAM strategy on privilege access is essential at this point.

  3. Lateral movement within the network: Upon gaining heightened access, the hackers move laterally within the network, seeking more valuable data or systems that grant them greater control over IT infrastructure. They exploit trust relationships between systems to access other machines, steal additional credentials, or manipulate network protocols such as SMB or RDP for remote control. This allows them to spread unnoticed, expand their reach and gradually capture critical resources.

  4. Supplier networks compromise (Supply Chain Attack) through trusted channels: Attackers may target less secure networks of vendors that are part of the supply chain. By compromising vulnerable vendors, attackers leverage their trusted status to circumvent security measures implemented by larger targets. Using shared access points, vendor credentials or software dependencies, they penetrate more fortified networks, such as those of larger corporations, critical infrastructure or government entities. Thus, they open the gateway for injecting malicious codes, extracting information, causing infrastructure damage and disturbances and destroying the reputation and trustworthiness of the partner. IAM is therefore one of the critical elements in vendor security assessments.

Typical malicious activities of hackers inside the network


Data exfiltration

Data is one of the most valuable assets of an organisation. Attackers often go after sensitive data such as intellectual property, customer information, or employee data, which can be sold on the black market, used for further attacks, or in ransomware schemes.

Deployment of malware or ransomware

Hackers might deploy malware to maintain persistence within the network, allowing continued access. Ransomware can be used to encrypt data and systems, demanding payment for the decryption key.

Establishing backdoors

Installing backdoors allows criminals to re-enter the network at a later moment, even if the original security holes are patched.

Internal reconnaissance

Further reconnaissance within the compromised network may be conducted to identify additional targets or to understand the network topology for broader attacks.

Privilege escalation

Even with elevated access, attackers will seek to expand their privileges further, often aiming for domain admin rights which allow unrestricted access to all systems.

Destruction of logs

To cover their tracks, attackers often delete or tamper with logs that could reveal their activities, making it more difficult for cybersecurity personnel to track and understand the breach.

Creation of insider threat

In some cases, attackers may create new accounts with high privileges for themselves, essentially becoming an “insider” and making it very difficult to distinguish between legitimate and malicious user activity.

Escalating attacks on partners or clients

Finally, with the access and data obtained, they might target further clients or partners connected to the compromised network and repeat the infiltration cycle again with new victims.

Understanding the fraudulent tactics of credentials theft and pathways within the company is crucial for devising effective IAM and defense strategies against identity-based cyber threats. A robust IAM strategy, however, goes beyond simply preventing and reacting to breaches. Effectively countering the multi-layered infiltration attempts requires a comprehensive IAM strategy that encompasses a number of activities and technologies to proactively safeguard the organization.

Download our "Guidelines for building a resilient IAM"

Download PDF


Want to meet up or ask a question? 

Write us to set up a free consultation meeting, a demo presentation, a tender or a question. 


Contact us