From Hacking to Infiltration
Identity and Access Management (IAM) gets critical for cyber security
IAM's crucial stand against escalating identity-based attacks
In the dynamic realm of cybersecurity, criminals constantly shift their focus to make their attacks more efficient. This perpetual evolution underscores the urgent need for a comprehensive, multi-layered security strategy. In today's defense paradigm, Identity and Access Management (IAM) is one of the critical aspects rapidly moving into the spotlight.
IAM forms the cornerstone of digital interactions within the organization as well as with customers and partners by defining digital experiences, facilitating seamless interaction, transactions, and navigation in the online realm.
At the same time, IAM’s security role is to safeguard that only authorized persons are granted access to relevant resources in strict accordance with the specified eligibility requirements, purposes, devices and context. From device logins to financial transactions, the secure management of identities is paramount for both individual users and entire organizations in mitigating cyber threats. Regrettably, malicious actors are also well aware of this fact.
The trend
Cyber criminals are shifting their focus from hacking to legitimately logging into accounts
Download DIGITALL's "Guidelines for building a resilient IAM"
This step-by-step guide, developed by our Cyber Security experts, outlines how to build a robust and resilient Identity Access Management (IAM) strategy designed to safeguard against identity-based attacks.
The mechanics
How cybercriminals use stolen identities to navigate corporate infrastructure
- Credential theft, often via phishing: The heist most often begins with phishing campaigns. Attackers craft emails or messages mimicking legitimate sources, implanting harmful links and attachments or tricking users into entering login details on fake websites. Malware such as keyloggers may also be deployed to steal credentials directly from user devices. With these stolen logins, attackers circumvent security controls and gain unauthorized access to company systems, pilfer sensitive data, or execute additional attacks.
- Elevated access and control of further accounts: Once initial access is gained, attackers escalate their privileges. This might involve exploiting vulnerabilities, using stolen credentials to access other accounts (due to password reuse), executing commands, or tricking users into granting them more access (social engineering). The goal is to reach administrative accounts or servers for broader control. A strong IAM strategy for privileged access is essential at this point.
- Lateral movement within the network: Upon gaining heightened access, the hackers move laterally within the network, seeking more valuable data or systems that grant them greater control over IT infrastructure. They exploit trust relationships between systems to access other machines, steal additional credentials, or manipulate network protocols such as SMB or RDP for remote control. This allows them to spread unnoticed, expand their reach and gradually capture critical resources.
- Supplier network compromise (supply chain attack) through trusted channels: Attackers may target the less secure networks of vendors that are part of the supply chain. By compromising vulnerable vendors, attackers leverage their trusted status to circumvent the security measures implemented by larger targets. Using shared access points, vendor credentials or software dependencies, they penetrate more fortified networks, such as those of larger corporations, critical infrastructure or government entities. This opens the gateway for injecting malicious code, extracting information, causing infrastructure damage and disruption, and destroying the reputation and trustworthiness of the partner. IAM is therefore one of the critical elements in vendor security assessments.
Typical malicious activities of hackers inside the network
Data exfiltration
Data is one of the most valuable assets of an organization. Attackers often go after sensitive data such as intellectual property, customer information, or employee data, which can be sold on the black market, used for further attacks, or leveraged in ransomware schemes.
Deployment of malware or ransomware
Hackers might deploy malware to maintain persistence within the network, allowing continued access. Ransomware can be used to encrypt data and systems, demanding payment for the decryption key.
Establishing backdoors
Installing backdoors allows criminals to re-enter the network at a later time, even if the original security holes have been patched.
Internal reconnaissance
Further reconnaissance within the compromised network may be conducted to identify additional targets or to understand the network topology for broader attacks.
Privilege escalation
Even with elevated access, attackers will seek to expand their privileges further, often aiming for domain admin rights which allow unrestricted access to all systems.
Destruction of logs
To cover their tracks, attackers often delete or tamper with logs that could reveal their activities, making it more difficult for cybersecurity personnel to track and understand the breach.
Creation of insider threat
In some cases, attackers may create new accounts with high privileges for themselves, essentially becoming an “insider” and making it very difficult to distinguish between legitimate and malicious user activity.
Escalating attacks on partners or clients
Finally, with the access and data obtained, they might target further clients or partners connected to the compromised network and repeat the infiltration cycle with new victims.
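The stages above (password reuse across accounts, creation of a privileged "insider" account, and log destruction) each leave a trace in IAM and audit logs. The following is an added example, not code from DIGITALL's guide, of simple detection logic over a constructed, hypothetical normalised event format; the event names, accounts and addresses are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). The field layout is a
# hypothetical SIEM normalisation: t (ISO time), action, actor, src, target, group.
EVENTS = [
    {"t": "2024-05-01T08:00:00", "action": "login_fail", "actor": "alice", "src": "203.0.113.7"},
    {"t": "2024-05-01T08:00:05", "action": "login_fail", "actor": "bob", "src": "203.0.113.7"},
    {"t": "2024-05-01T08:00:09", "action": "login_fail", "actor": "carol", "src": "203.0.113.7"},
    {"t": "2024-05-01T08:00:14", "action": "login_ok", "actor": "dave", "src": "203.0.113.7"},
    {"t": "2024-05-01T08:30:00", "action": "user_create", "actor": "dave", "target": "svc-backup", "src": "10.0.0.5"},
    {"t": "2024-05-01T08:31:00", "action": "group_add", "actor": "dave", "target": "svc-backup",
     "group": "Domain Admins", "src": "10.0.0.5"},
    {"t": "2024-05-01T09:00:00", "action": "audit_log_cleared", "actor": "svc-backup", "src": "10.0.0.5"},
    {"t": "2024-05-01T09:05:00", "action": "login_ok", "actor": "erin", "src": "198.51.100.2"},
]

def ts(e):
    return datetime.fromisoformat(e["t"])

def spray_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """One source trying many distinct accounts in a short window: the
    password-reuse / credential-stuffing pattern behind 'elevated access'."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"].startswith("login"):
            by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=ts)
        for i, first in enumerate(evs):
            accounts = {x["actor"] for x in evs[i:] if ts(x) - ts(first) <= window}
            if len(accounts) >= min_accounts:
                hits.append(src)
                break
    return hits

def rogue_admins(events, window=timedelta(hours=1), privileged=("Domain Admins",)):
    """A freshly created account placed in a privileged group within the
    window: the 'creation of insider threat' step."""
    created = {e["target"]: ts(e) for e in events if e["action"] == "user_create"}
    return [e["target"] for e in events
            if e["action"] == "group_add" and e.get("group") in privileged
            and e["target"] in created and ts(e) - created[e["target"]] <= window]

def log_tampering(events):
    """Audit log clearing: who did it, so it can be correlated with other alerts."""
    return [e["actor"] for e in events if e["action"] == "audit_log_cleared"]
```

Run against the sample, the three functions flag the spraying source, the new account that was immediately made a domain admin, and that same account clearing the audit log, which is the correlation an IAM-aware SOC would want to see as one incident.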
Understanding the tactics of credential theft and the attackers' pathways within the company is crucial for devising effective IAM and defense strategies against identity-based cyber threats. A robust IAM strategy, however, goes beyond simply preventing and reacting to breaches. Effectively countering these multi-layered infiltration attempts requires a comprehensive IAM strategy that encompasses a number of activities and technologies to proactively safeguard the organization.