Thursday, August 28th, 2025

Why Identity Management Is Now Core to Cyber Security

Identity is now the core of cyber defence — the frontline between attackers and enterprise resilience.

In the evolving world of cyber security, identity has become the new battleground. Attackers are no longer breaking in; they are logging in. That shift makes identity itself a critical part of the attack surface organisations must manage. With cloud-first infrastructure, hybrid working, and increasingly sophisticated attack methods, digital identity is now both the greatest vulnerability and the foundation of resilience.

Recently, Smarttech247 hosted a webinar with Edward Scrabba, Global Director of Threat Intelligence at Smarttech247, and Alex Bachik, Systems Engineer at CrowdStrike. Together, they explored why identity is now central to cyber defence, the challenges organisations face, and the practical steps required to build resilience.

“Security isn’t a product, it’s a process.”
– Edward Scrabba, Global Director of Threat Intelligence at Smarttech247

This article distils and expands on those insights, providing a comprehensive guide to the current identity threat landscape.

What Exactly Is Digital Identity?

At its core, identity is the digital representation of an entity in cyberspace. That entity could be a user, a device, a group of users, an application, or a service. These identities are used to authenticate who you are and authorise what you are allowed to do.

Over time, identity has evolved from basic usernames and passwords to more complex models involving multi-factor authentication (MFA), certificates, tokens, and single sign-on (SSO). However, this very complexity has also created new weaknesses. Although these systems are designed to protect us, in practice, misconfigurations, poor user behaviour, and legacy infrastructure often open fresh doors for attackers.

Why Identities Are Prime Targets

Both Smarttech247 and CrowdStrike see the same trend: attackers are increasingly targeting identity because it is both easier and more effective than traditional intrusion methods. One metric highlights the urgency: breakout time.

CrowdStrike defines breakout time as the interval between an attacker's initial access and the start of lateral movement inside the network. In 2023 the average was 62 minutes; in 2024 it fell to 48 minutes, and the fastest recorded breakout was under a minute. Valid credentials shorten it further: an attacker holding a working login skips vulnerability exploitation altogether and simply signs in through the front door.

This is further fuelled by the rise of access brokers. These criminals harvest and sell stolen identities on underground markets. Sometimes these are standard user accounts, but often they are privileged logins. Access to critical infrastructure or regulated industries commands a higher price. The end result is that any organisation, from a small supplier to a major enterprise, can have its accounts available for purchase without even knowing it.

Common Weaknesses in Identity Management

The speakers highlighted a series of recurring weaknesses that organisations should urgently address.

1. Password Reuse and Weak Patterns

One of the most persistent identity weaknesses is password misuse. Employees often recycle the same credentials across corporate systems and third-party platforms. Even when required to create “complex” passwords, users tend to follow predictable patterns — for example, simply updating Company2024! to Company2025!. Attackers know this behaviour well and use automated dictionaries to crack these variations. Penetration testers report they can compromise 70–80% of supposedly complex enterprise passwords, showing just how ineffective these practices are.
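To make the mangling concrete, here is an added example in Python (not code from the webinar or from Smarttech247). It builds a small hashcat-style rule set, runs it against a constructed hash dump in which SHA-256 stands in for the NTLM hashes a real Active Directory dump would contain, and then turns the same rules around into a defender-side check that rejects a new password whose base word is a banned seed or is the same base as the previous password. The seeds, users and passwords are all constructed.

```python
"""Rule-based password mangling (the way a cracking rule set works) and the
defender-side check that follows from it. Added example; all data is constructed."""
import hashlib
import itertools
import re

YEARS = [str(y) for y in range(2020, 2027)]
SUFFIXES = ["", "!", "1", "123", "!!", "?"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})
TRAILING = re.compile(r"[0-9!?@#$%^&*.]+$")  # the year/symbol tail users bolt on


def mangle(seed):
    """Yield the variants of a seed word that a small hashcat-style rule set
    would try: case toggles, leetspeak, appended year and/or symbol."""
    bases = {seed.lower(), seed.capitalize(), seed.upper(),
             seed.lower().translate(LEET), seed.capitalize().translate(LEET)}
    for base in bases:
        for year, suffix in itertools.product([""] + YEARS, SUFFIXES):
            yield f"{base}{year}{suffix}"
            if year:
                yield f"{base}{suffix}{year}"


def crack(hash_dump, seeds):
    """Offline attack on {user: hexdigest}. SHA-256 stands in for the unsalted
    NTLM hashes a real AD dump would hold; the rules are what matter here."""
    lookup = {digest: user for user, digest in hash_dump.items()}
    found = {}
    for seed in seeds:
        for candidate in mangle(seed):
            digest = hashlib.sha256(candidate.encode()).hexdigest()
            if digest in lookup:
                found[lookup[digest]] = candidate
    return found


def base_of(password):
    """Strip the predictable tail and leetspeak to recover the underlying word."""
    return TRAILING.sub("", password).translate(UNLEET).lower()


def reject_reason(new_password, previous_password, banned_seeds):
    """Policy check at password change. Returns None if acceptable, else why not.
    Catches Company2024! -> Company2025! and C0mpany2025! -> company."""
    base = base_of(new_password)
    if base in {s.lower() for s in banned_seeds}:
        return "derived from a banned word"
    if previous_password and base == base_of(previous_password):
        return "trivial variation of the previous password"
    return None


# Constructed demo data: seeds an attacker would guess for this organisation,
# and a hash dump for three users.
SEEDS = ["company", "welcome", "summer"]
DUMP = {
    "alice": hashlib.sha256(b"Company2025!").hexdigest(),
    "bob": hashlib.sha256(b"Welcome123").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

if __name__ == "__main__":
    print("cracked:", crack(DUMP, SEEDS))
    for new, old in [("Company2025!", "Company2024!"), ("Winter2025!", "Winter2024!"),
                     ("correct horse battery staple", "Winter2024!")]:
        print(f"{new!r}: {reject_reason(new, old, SEEDS) or 'accepted'}")
```

Only alice and bob fall to three seed words and a few hundred rules; carol's passphrase has no predictable tail to strip. The same normalisation is cheap enough to run on every password change, where it blocks the yearly increment before it reaches the directory.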

2. Over-Reliance on MFA

While multi-factor authentication (MFA) is a vital control, it is far from unbreakable. Attackers have a range of bypass techniques: MFA bombing, also called push fatigue (sending prompts until the user approves one), SIM swapping to intercept SMS codes, and real-time phishing proxies that relay the login and capture the code or the resulting session. Even convenience features such as "remember this device" can backfire, because a stolen session token or cookie lets an attacker in without triggering MFA at all. Relying on MFA without these weaknesses in mind creates a dangerous false sense of security.

3. Privilege Misuse

Excessive use of privileged accounts is another widespread issue. Domain administrator credentials should be used sparingly and only for directory management. In practice, however, many IT admins use these powerful accounts for daily tasks. In one case, a multifunction printer was configured with domain admin credentials to scan to a network share — a single misconfiguration that allowed a complete Active Directory compromise in less than a day. When privileged accounts are misused, attackers gain an express route to full control of the environment.

4. Third-Party and Federated Identity Risks

Modern organisations rely on partners, vendors, and contractors, but this introduces additional risk through third-party and federated identities. Access provided to external parties often becomes a weak link, especially if managed outside the organisation’s security controls. In one incident, a managed service provider used personal email-linked accounts to access a client’s AWS environment, creating a backdoor that attackers could exploit. These cases show how federated and third-party access must be tightly monitored and controlled.

Real-World Attack Tactics

The panel shared several examples that highlight how attackers exploit identity in practice.

In one case a threat actor created persistent privileged accounts in AWS regions the client never used, and therefore never monitored. In another, attackers chained a VPN vulnerability with weaknesses in a cloud identity provider and ultimately reached the control plane of a SaaS environment. Not every exploit is sophisticated, though: the printer credential case above showed that attackers rarely need advanced malware when an everyday misconfiguration will do.

Beyond these direct exploits, leaked credentials remain a constant problem. Threat intelligence teams see hundreds of databases advertised daily. Many are fake, stitched together from older leaks or padded with fabricated data, but an attacker only needs one valid credential to gain a foothold.

The Noise Problem – Why Detection Is Hard

A major challenge is distinguishing legitimate user behaviour from malicious activity. Smaller organisations in particular worry that advanced monitoring will overwhelm them with alerts.

There will always be noise. Ignoring the problem, however, simply creates blind spots that attackers are quick to exploit.

The best response is layered detection. This involves several complementary steps:

  • Establish a single source of truth for identity so there is no fragmented view of which accounts and devices exist.
  • Apply behavioural baselining that learns what normal activity looks like for each user and device, then flags deviations.
  • Use user and entity behaviour analytics (UEBA) to surface unusual logins, privilege escalations, or first-time use of tools such as RDP.
  • Correlate signals across endpoints, cloud, and identity platforms, with automation (and AI where it helps) filtering the noise and surfacing the genuine risks.
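The following added Python example (not from the page or from either vendor) runs the detections in the list above over a constructed identity log: an MFA push-fatigue detector for the MFA bombing described in the weaknesses section, a per-user behavioural baseline that flags a first-time source country or first-time tool such as RDP, and a triage step that correlates the signals per account. Field names, the three-prompt threshold and the ten-minute window are assumptions; real inputs would be IdP sign-in logs, the MFA provider's push log and Windows logon events.

```python
"""Layered identity detection over a constructed identity log (added example).
Detectors: MFA push fatigue, per-user behavioural baseline, per-account triage."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Field names are assumptions; real sources would be
# IdP sign-in logs, the MFA provider's push log and Windows 4624 logon events.
EVENTS = [
    {"ts": "2025-08-04T08:55:00", "user": "alice", "kind": "logon", "result": "ok", "country": "IE", "tool": "browser"},
    {"ts": "2025-08-05T08:50:00", "user": "alice", "kind": "logon", "result": "ok", "country": "IE", "tool": "vpn"},
    {"ts": "2025-08-06T09:10:00", "user": "bob", "kind": "logon", "result": "ok", "country": "IE", "tool": "browser"},
    {"ts": "2025-08-07T09:01:00", "user": "bob", "kind": "logon", "result": "ok", "country": "IE", "tool": "browser"},
    # the day under investigation
    {"ts": "2025-08-20T09:00:00", "user": "alice", "kind": "mfa_push", "result": "denied"},
    {"ts": "2025-08-20T09:02:00", "user": "alice", "kind": "mfa_push", "result": "timeout"},
    {"ts": "2025-08-20T09:04:00", "user": "alice", "kind": "mfa_push", "result": "denied"},
    {"ts": "2025-08-20T09:05:00", "user": "alice", "kind": "mfa_push", "result": "approved"},
    {"ts": "2025-08-20T09:06:00", "user": "alice", "kind": "logon", "result": "ok", "country": "NG", "tool": "rdp"},
    {"ts": "2025-08-20T09:30:00", "user": "bob", "kind": "logon", "result": "ok", "country": "IE", "tool": "browser"},
    {"ts": "2025-08-20T10:00:00", "user": "svc_print", "kind": "logon", "result": "ok", "country": "IE", "tool": "rdp"},
]
CUTOFF = datetime(2025, 8, 20)  # events before this build the baseline; later ones are scored


def parse(raw):
    """Convert timestamps and sort chronologically."""
    events = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(events, key=lambda e: e["ts"])


def mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a user who rejects/ignores >= threshold pushes inside one window and
    record whether a push was approved in that window (the attacker got in)."""
    rejected, approved = defaultdict(list), defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push":
            bucket = approved if e["result"] == "approved" else rejected
            bucket[e["user"]].append(e["ts"])
    alerts = []
    for user, times in rejected.items():
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                got_in = any(start <= t <= start + window for t in approved[user])
                alerts.append({"user": user, "ts": start, "prompts": len(burst), "approved_after": got_in})
                break  # one alert per user is enough for triage
    return alerts


def build_baseline(events, cutoff=CUTOFF):
    """What each user normally does: countries seen and tools used before cutoff."""
    profile = defaultdict(lambda: {"country": set(), "tool": set()})
    for e in events:
        if e["kind"] == "logon" and e["result"] == "ok" and e["ts"] < cutoff:
            profile[e["user"]]["country"].add(e["country"])
            profile[e["user"]]["tool"].add(e["tool"])
    return profile


def baseline_anomalies(events, baseline, cutoff=CUTOFF):
    """First-time country or first-time tool after cutoff, plus accounts with no history."""
    alerts = []
    for e in events:
        if e["kind"] != "logon" or e["ts"] < cutoff:
            continue
        if e["user"] not in baseline:
            alerts.append((e["user"], e["ts"], "account never seen in baseline"))
            continue
        prof = baseline[e["user"]]
        if e["country"] not in prof["country"]:
            alerts.append((e["user"], e["ts"], f"first logon from {e['country']}"))
        if e["tool"] not in prof["tool"]:
            alerts.append((e["user"], e["ts"], f"first use of {e['tool']}"))
    return alerts


def triage(raw=EVENTS, cutoff=CUTOFF):
    """Correlate every signal per account and rank accounts by how many they have."""
    events = parse(raw)
    signals = defaultdict(list)
    for a in mfa_fatigue(events):
        text = f"{a['prompts']} rejected MFA prompts within 10 minutes"
        signals[a["user"]].append(text + (", then one approved" if a["approved_after"] else ""))
    baseline = build_baseline(events, cutoff)
    for user, _ts, reason in baseline_anomalies(events, baseline, cutoff):
        signals[user].append(reason)
    return dict(sorted(signals.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for user, reasons in triage().items():
        print(user, "->", "; ".join(reasons))
```

Run on its own, the triage puts alice at the top with three correlated signals (a push-bombing burst that ended in an approval, then a first logon from a new country over RDP), lists the never-before-seen service account as a single low-confidence signal, and says nothing about bob. None of the individual detectors is decisive; the correlation is what separates the one genuine incident from the noise.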

Building Identity Resilience – Best Practices

The experts recommended a layered approach to identity resilience.

1. Adopt Stronger Authentication

Organisations should move beyond simple passwords and basic MFA to FIDO2-compliant hardware keys, certificate-based methods, and biometrics. These approaches provide cryptographic proof of identity bound to the legitimate site, making them far harder to phish or bypass. At the same time, fallback mechanisms such as email resets or SMS codes should be removed, or at least restricted to an identity-verified helpdesk process, because they reintroduce the weaknesses the stronger factor was meant to close. Token lifetimes should also be shortened to hours or days, limiting the window of opportunity if a token is stolen.
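Two of the mechanisms above, shown in an added Python example that is not code from the page: the relying-party checks on a FIDO2/WebAuthn clientDataJSON that make a phishing proxy fail (the browser records the origin the user actually visited, and the authenticator's signature covers a hash of that data), and a bearer-token verifier that enforces a maximum lifetime. The HS256 JWT, the shared secret, the origins and the challenge are all constructed; a production relying party would additionally verify the authenticator signature and signature counter, which this example omits.

```python
"""Two relying-party checks behind the recommendations above (added example):
(1) WebAuthn/FIDO2 clientDataJSON validation, which is where a phishing proxy
    fails because the browser records the origin the user really visited;
(2) a bearer-token verifier that caps token lifetime. All keys, origins and
    challenges are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import time


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_client_data(client_data_json, expected_challenge, expected_origin):
    """Checks the RP must do on an assertion's clientDataJSON before verifying
    the signature (which covers authenticatorData || SHA-256(clientDataJSON))."""
    try:
        data = json.loads(client_data_json)
        if not isinstance(data, dict):
            raise ValueError("not an object")
        challenge = b64url_decode(data.get("challenge", ""))
    except (ValueError, binascii.Error):
        return False, "clientDataJSON is malformed"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected type {data.get('type')!r}"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge does not match the one issued for this session"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not {expected_origin!r}: possible phishing proxy"
    return True, "ok"


def issue_token(claims, secret):
    """Mint an HS256 JWT (constructed shared-secret setup for the demo)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token, secret, max_lifetime_s=8 * 3600, now=None):
    """Returns (claims, 'ok') or (None, reason). Rejects wrong algorithm, bad
    signature, missing iat/exp, lifetime beyond policy, and expired tokens."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not an object")
    except (ValueError, binascii.Error):
        return None, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None, f"algorithm {header.get('alg')!r} not allowed"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if not isinstance(claims.get("iat"), int) or not isinstance(claims.get("exp"), int):
        return None, "token must carry integer iat and exp"
    if claims["exp"] - claims["iat"] > max_lifetime_s:
        return None, "lifetime exceeds policy"
    if now >= claims["exp"]:
        return None, "expired"
    return claims, "ok"


# Constructed inputs for a quick run.
RP_ORIGIN = "https://login.example.com"
CHALLENGE = bytes(range(16))
SECRET = b"constructed-demo-secret"
NOW = 1_756_000_000


def client_data(origin, challenge=CHALLENGE):
    """Build the clientDataJSON a browser would produce for the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


if __name__ == "__main__":
    print(verify_client_data(client_data(RP_ORIGIN), CHALLENGE, RP_ORIGIN))
    print(verify_client_data(client_data("https://login-example.com"), CHALLENGE, RP_ORIGIN))
    short = issue_token({"sub": "alice", "iat": NOW, "exp": NOW + 3600}, SECRET)
    month = issue_token({"sub": "alice", "iat": NOW, "exp": NOW + 30 * 86400}, SECRET)
    print(verify_token(short, SECRET, now=NOW + 60)[1], "/", verify_token(month, SECRET, now=NOW + 60)[1])
```

The origin check is the whole point of FIDO2 against proxy phishing: a user tricked onto login-example.com produces clientDataJSON naming that origin, and the authenticator signs over its hash, so the relying party sees the mismatch regardless of how faithfully the proxy relayed everything else. The token verifier rejects the thirty-day token by policy even though its signature is valid, which is the "shorten token lifetimes" recommendation enforced on the server rather than left to the issuer.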

2. Enforce the Principle of Least Privilege

Not every user needs wide-ranging access. By applying the principle of least privilege, accounts are limited to the exact resources necessary for their role and nothing more. This reduces the blast radius if an account is compromised. Privileged accounts, in particular, should be closely monitored and used only for their intended purpose, not for everyday tasks.
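An added Python example (not from the page) that audits AWS IAM policy documents for the patterns that break least privilege: wildcard actions, a wildcard resource on write-capable actions, Allow statements written with NotAction/NotResource, and known privilege-escalation actions granted without any Condition. It relates to the third-party AWS access case above as much as to this section. Both policies are constructed: one resembles the broad access a contractor or integration is often handed, the other is scoped to one bucket and one Lambda function. The escalation-action list is a short excerpt, not an exhaustive one.

```python
"""Audit AWS IAM policy documents for patterns that break least privilege.
Added example; both policies below are constructed."""
import json

# Excerpt of actions that let a principal grow its own privileges (not exhaustive).
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "sts:AssumeRole", "lambda:UpdateFunctionCode",
}
READ_PREFIXES = ("get", "list", "describe")


def as_list(value):
    """IAM allows a bare string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    return action.split(":")[-1].lower().startswith(READ_PREFIXES)


def audit_statement(stmt):
    """Findings for one Allow statement as (Sid, message) tuples."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no Sid>")
    if "NotAction" in stmt or "NotResource" in stmt:
        findings.append((sid, "Allow with NotAction/NotResource grants everything not listed"))
    actions = as_list(stmt.get("Action", []))
    resources = as_list(stmt.get("Resource", []))
    for action in actions:
        if action == "*":
            findings.append((sid, "Action '*' grants every API call"))
        elif action.endswith(":*"):
            findings.append((sid, f"service-wide wildcard {action}"))
        elif "*" in action:
            findings.append((sid, f"partial wildcard {action}"))
    if "*" in resources and any("*" in a or not is_read_only(a) for a in actions):
        findings.append((sid, "Resource '*' combined with write-capable actions"))
    escalation = sorted(a for a in actions if a in ESCALATION_ACTIONS)
    if escalation and "Condition" not in stmt:
        findings.append((sid, f"escalation-capable {escalation} without any Condition"))
    return findings


def audit_policy(policy):
    """Audit a policy given as a dict or as the JSON string the API returns."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        findings.extend(audit_statement(stmt))
    return findings


# Constructed policies: what an external party is often handed, and what it needs.
BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Deploy", "Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
    ],
}
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::vendor-reports", "arn:aws:s3:::vendor-reports/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DeployOneFunction", "Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode"],
         "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:report-ingest",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(policy) or "no findings")
```

The broad policy produces five findings, including iam:PassRole on every resource with no Condition, which is enough for a compromised integration account to hand an administrative role to something it controls. The scoped policy produces none: the same Lambda deployment right is limited to one function ARN and gated on MFA, which is the blast-radius reduction the text describes.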

3. Strengthen Password Strategy

Passwords remain a weak spot in many organisations. Overly complex rotation policies, reuse across services, and predictable patterns continue to expose businesses to unnecessary risk. A modern password strategy should include encouraging passphrases, deploying password managers, and exploring passwordless authentication options. These steps raise the baseline security level across the board.

4. Test Defences Continuously

Security is never “done.” Penetration testing helps uncover technical vulnerabilities, but more advanced exercises such as red and purple teaming simulate the tactics of real attackers. These scenarios test not only your defences but also your detection and response processes, showing whether your security measures stand up under pressure.

5. Invest in Behaviour-Based Monitoring

Traditional tools focus on detecting malware or known signatures, but attackers increasingly use valid credentials to blend in. Behaviour-based monitoring fills this gap by analysing activity patterns and spotting anomalies that suggest misuse. Techniques such as user and entity behaviour analytics (UEBA) provide the visibility required to stop identity-based attacks in progress before they escalate.

Looking Ahead: The Future of Identity Management

The next 12 to 18 months will see attackers continue to exploit the human factor through social engineering, phishing, and access brokers. Hybrid identity environments that combine on-premises Active Directory, Microsoft Entra ID (formerly Azure AD), SaaS applications, and federated accounts will remain complex and hard to secure.

Defenders will push towards passwordless authentication and cryptographic protocols. But as Edward Scrabba noted, cyber security is a cat-and-mouse game. Attackers will adapt, requiring constant vigilance and improvement.

Common Myths of Identity Management

“Complex passwords are enough.”
Reality: attackers crack most “complex” passwords with rule-based dictionaries.

“MFA makes me safe.”
Reality: MFA can be bypassed. Treat it as one layer, not a silver bullet.

“Our directory is clean.”
Reality: no identity store is ever static. Dormant accounts, contractors, and misconfigurations are always present.

“Firewalls will protect us.”
Reality: with 95% of network traffic now encrypted, firewalls have been “demoted.” Identity is the new perimeter.

Key Takeaways & Final Thoughts

Identity is the new frontline in cyber defence.

MFA is vital, but it is not a silver bullet.

Least privilege and Active Directory hygiene are essential.

Security is a process, not a product — testing and monitoring must be continuous.

Identity now sits at the heart of that process. Firewalls and antivirus still matter, but without identity resilience, attackers can simply log in with stolen credentials.



    Copyright Smarttech247 - 2021