By NHI Mgmt Group Editorial Team
Published 2026-05-22
Domain: Agentic AI & NHIs
Source: CrowdStrike

TL;DR: Infostealers are increasingly used to capture identities, sessions, and valid credentials, which lets attackers move through environments without obvious malware or password guessing, according to CrowdStrike. That shifts the problem from endpoint compromise alone to identity trust, session handling, and continuous verification across systems.


At a glance

What this is: This is a CrowdStrike analysis of how infostealers and exposed credentials undermine identity protection and session security.

Why it matters: It matters because IAM and NHI teams must treat session theft and valid-account abuse as primary access risks, not secondary cleanup issues.



Context

Identity security fails when attackers can reuse valid credentials or steal active sessions instead of breaking authentication directly. That is the core NHI governance problem here: service accounts, tokens, API keys, and user sessions all become high-value access paths once infostealers or social engineering enter the picture.

CrowdStrike frames this through identity protection and session defense across hybrid environments, where compromise can start with an endpoint, a browser, or a cloud login and then persist as legitimate access. For IAM teams, this is a reminder that authentication alone does not equal control, especially when session material outlives the original login.

The article's starting point is typical for modern enterprise risk: attackers increasingly prefer valid access over noisy exploitation because it is faster, cheaper, and harder to detect.


Key questions

Q: How should security teams protect sessions from infostealer-based attacks?

A: Security teams should shorten session duration, bind sessions to device or context, and require reauthentication for sensitive actions. They also need monitoring for token replay, anomalous session use, and suspicious browser or endpoint behavior. Session controls matter because attackers often steal what is already trusted rather than breaking authentication directly.

Q: Why are valid credentials so dangerous in identity attacks?

A: Valid credentials are dangerous because they inherit existing trust, roles, and access paths, which makes them harder to distinguish from normal activity. Attackers prefer them because they reduce noise and can bypass many exploit-based detections. In NHI environments, long-lived tokens and service accounts create the same problem at machine scale.

Q: What is the difference between password theft and session theft?

A: Password theft gives an attacker a way to authenticate later, while session theft can provide immediate access through already established trust material such as cookies or tokens. Session theft is often harder to spot because the login has already happened. Both require fast revocation, but session theft usually demands stronger runtime controls.

Q: How can organisations reduce the blast radius of stolen identities?

A: Organisations reduce blast radius by removing standing privilege, limiting role scope, segmenting high-risk access, and enforcing contextual checks before sensitive actions. They should also treat machine identities the same way, because service accounts and API keys can spread compromise quickly when over-permissioned. Least privilege only works when it is actively enforced.


Technical breakdown

How infostealers turn sessions into reusable access

Infostealers do not need to crack passwords if they can collect browser cookies, tokens, cached credentials, or authentication artifacts already present on a device. Once harvested, that material can replay an existing session or bypass parts of the login flow, especially where session binding and device checks are weak. This is why identity risk now extends beyond the account to the session itself. In NHI environments, similar patterns appear when tokens and API keys are stored too broadly or remain valid too long, creating the same reuse problem in machine-to-machine access paths.

Practical implication: reduce session lifetime, bind sessions more tightly to device and context, and inventory where non-human secrets can be replayed.

Why valid credentials are more dangerous than malware

Attackers increasingly use valid credentials because they blend into normal traffic and can inherit existing trust, roles, and entitlements. That means detection must focus on behavior, privilege, and access patterns rather than only on file-based indicators. In identity systems, the danger compounds when standing privilege, broad roles, or weak conditional access allow a stolen credential to reach multiple services. For NHI governance, the same logic applies to service accounts and API keys: once valid, they often skip the scrutiny given to interactive human logins.

Practical implication: apply behavior-based controls and least privilege to every identity type, including service accounts and automation tokens.

Where inline identity controls change the defensive model

Inline identity controls sit in the authentication path and can grant, block, or step up access based on risk signals such as location, device posture, user risk, and unusual access patterns. That is different from post-event detection, which often arrives after a token or session has already been abused. For NHI programs, the architecture lesson is clear: controls must evaluate access at the moment of use, not only during account creation or periodic review. Without runtime enforcement, rotating credentials alone will not stop session hijacking or token replay.

Practical implication: move critical identity decisions into the access path and pair them with continuous review of machine credentials.
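The session controls described above (short lifetime, binding to device and context, step-up reauthentication for sensitive actions, and an inline decision at the moment of use that treats a context mismatch as replay) can be illustrated with a small server-side check. This is an added example, not CrowdStrike's or NHI Mgmt Group's code; the binding to a device identifier plus client IP and the lifetime values are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass

SESSION_TTL = 15 * 60      # absolute session lifetime in seconds (constructed policy value)
REAUTH_WINDOW = 5 * 60     # sensitive actions require authentication within the last 5 minutes


@dataclass
class Session:
    user: str
    binding: str           # hash of the device/context the session was issued to
    issued_at: float
    last_auth_at: float
    revoked: bool = False


def bind_context(device_id: str, client_ip: str) -> str:
    """Derive a binding value from device and network context; only the hash is stored (assumed context)."""
    return hashlib.sha256(f"{device_id}|{client_ip}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, device_id: str, client_ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, bind_context(device_id, client_ip), now, now)
        return token

    def record_reauth(self, token: str, now: float) -> None:
        self._sessions[token].last_auth_at = now

    def evaluate(self, token, device_id, client_ip, now, sensitive=False) -> str:
        """Inline decision at the moment of use: 'allow', 'step_up' or 'deny:<reason>'."""
        s = self._sessions.get(token)
        if s is None:
            return "deny:unknown"
        if s.revoked:
            return "deny:revoked"
        if now - s.issued_at > SESSION_TTL:
            return "deny:expired"
        if s.binding != bind_context(device_id, client_ip):
            # A valid token presented from a different context is treated as replay:
            # deny the request and revoke, so the stolen copy is useless from the original context too.
            s.revoked = True
            return "deny:binding_mismatch"
        if sensitive and now - s.last_auth_at > REAUTH_WINDOW:
            return "step_up"
        return "allow"
```

The same evaluate call is what the "move high-risk access decisions inline" practice below amounts to: the decision is made on every request, not only at login.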


Threat narrative

Attacker objective: The attacker wants durable, low-noise access that looks legitimate enough to reach cloud, SaaS, or internal resources without triggering obvious alarms.

  1. Entry occurs when an attacker uses infostealers, social engineering, or access-brokered credentials to obtain valid identity material.
  2. Escalation follows when the stolen session or credential is reused against cloud or SaaS identity providers and inherits normal trust.
  3. Impact occurs when the attacker performs unauthorized actions from a legitimate identity context, making detection slower and response more difficult.



NHI Mgmt Group analysis

Session theft is now an identity governance problem, not just an endpoint problem. When attackers can reuse cookies, tokens, or cached credentials, the trust boundary shifts from login success to session integrity. That means IAM controls that stop at authentication are incomplete for both human and non-human identities. Practitioners should treat session protection as part of access governance, not a separate endpoint hygiene task.

Valid credentials create the shortest path from compromise to impact. Attackers prefer them because they bypass noisy exploitation and inherit whatever privilege the identity already has. In NHI environments, the same pattern appears when API keys, service accounts, or automation tokens are over-scoped and long-lived. Practitioners should assume that every valid credential is a potential escalation path until proven otherwise.

Privilege design determines whether stolen identity material becomes a contained event or a broad compromise. Broad roles, weak conditional access, and standing privilege turn a single session theft into a multi-system incident. That is why zero standing privilege and tighter role design matter as much as detection. Practitioners should shrink the blast radius before focusing on faster alerts.

Identity runtime controls are becoming the decisive layer for both human and machine access. Static policy reviews cannot keep pace with ephemeral sessions, mobile endpoints, and autonomous workflows. The field is moving toward decisioning at the moment of access, where context and risk determine whether trust is granted. Practitioners should prepare for a model where runtime authorization matters more than periodic attestation.

Ephemeral credential trust debt: the more short-lived credentials and sessions spread across cloud, SaaS, and automation, the more hidden trust accumulates if revocation and binding are weak. That debt eventually surfaces as unexplained access paths and slow cleanup. Practitioners should measure it before attackers do.


What this signals

Session trust is becoming a control plane for identity risk. As more access is mediated by browsers, tokens, and cloud sessions, practitioners need to assume that authentication success may not equal legitimate intent. The governance question is no longer whether an account is valid, but whether the current session still deserves trust under changing conditions.

With 91.6% of secrets still valid five days after notification, according to our Ultimate Guide to NHIs, revocation speed remains a structural weakness across both human and machine identities. That finding points to a larger programme issue: incident response cannot rely on manual cleanup when stolen access may already be reusable.

Runtime access review: teams should expect attackers to move toward the weakest decision point in the authentication flow. That is why identity policy, device posture, and session binding need to be treated as a single operating model rather than separate controls. The reader takeaway is simple: if access can be replayed, it can be abused.


For practitioners

  • Implement session-hardening controls: Shorten session lifetime, require reauthentication for sensitive actions, and bind sessions to device and context where possible. This reduces the value of stolen browser state and makes replay harder across cloud and SaaS systems.
  • Inventory reusable identity material: Identify where cookies, refresh tokens, API keys, and service account credentials are stored, cached, or exported. Prioritize any location where valid credentials can be replayed without a fresh control check.
  • Apply least privilege to non-human identities: Reduce role scope, remove standing access, and review automation accounts for permissions they never exercise. A stolen machine identity should not be able to move laterally across multiple services by default.
  • Move high-risk access decisions inline: Use risk-based authentication and conditional checks at the moment of access for sensitive applications, administrative paths, and machine-to-machine workflows. Post-event review is too late when sessions are already active.
  • Link identity alerts to response playbooks: Ensure detection of compromised passwords, anomalous logins, or suspicious session use can trigger reset, revocation, and containment actions without delay. Response speed matters because stolen access is often usable immediately.

Key takeaways

  • Infostealers and valid credential abuse shift identity security from password control to session and runtime control.
  • Non-human identities face the same blast-radius problem as human accounts when secrets are over-scoped and long-lived.
  • Practitioners should harden sessions, reduce standing privilege, and move access decisions closer to the moment of use.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Session theft and stale secrets both depend on weak lifecycle control.
NIST CSF 2.0 | PR.AC-4 | Identity assurance must support contextual access decisions at runtime.
NIST Zero Trust (SP 800-207) | | Continuous verification is central when sessions can be replayed after login.

Map high-risk access paths to PR.AC-4 and enforce conditional checks before sensitive actions.


Key terms

  • Session Theft: Session theft is the reuse of an already authenticated access context, usually through stolen cookies, tokens, or browser artifacts. It is dangerous because the attacker may not need to know the password at all. For IAM and NHI governance, it means authentication success cannot be treated as proof of legitimate intent.
  • Valid Account Abuse: Valid account abuse occurs when attackers use legitimate credentials or tokens to enter systems and blend in with normal traffic. It is a preferred tactic because it sidesteps many exploit-based controls and inherits existing privilege. In NHI programmes, service accounts and API keys are common abuse paths when scope and rotation are weak.
  • Runtime Access Control: Runtime access control is the practice of deciding whether access should be granted at the moment it is requested, using context such as device posture, location, and risk. It matters because static reviews cannot keep up with ephemeral sessions or autonomous workflows. For NHI security, runtime control helps limit replay and lateral movement.

Deepen your knowledge

Identity protection and session governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment is already dealing with valid-account abuse or over-permissioned machine access, it is worth exploring.

This post draws on content published by CrowdStrike: How to Protect Identities and Sessions from Infostealers. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org