Identity-related attack patterns are exposing IAM modernization gaps

At a glance

What this is: This is an analysis of seven common identity-related attack types and the operational IAM gaps that let them succeed.

Why it matters: It matters because NHI and IAM teams have to treat service accounts, tickets, and credentials as active attack surfaces, not background plumbing.

By the numbers:

• Almost 50% of organizations are not adequately staffed or funded for new IAM projects or IAM modernization efforts.
• In 2024, UnitedHealth experienced an attack and was forced to release a $22M payment to the criminals.
• AT&T alone has 242M customers for its U.S. wireless mobility services.

👉 Read Twine Security's analysis of seven identity-related attack types

Context

Identity-related attacks succeed when organisations treat authentication as a single control instead of a chain of trust across users, service accounts, tickets, devices, and privileged sessions. In NHI governance terms, that means the attack surface includes credentials, tokens, Kerberos artifacts, and the administrative pathways that connect them.

Twine Security uses seven attack patterns to show how compromise often begins with a valid identity artifact rather than a malware payload. That framing is typical for modern enterprise environments, where access paths are more valuable to attackers than noisy exploits and where IAM weak points become NHI weak points quickly.

Key questions

Q: How should organisations reduce the risk of identity-based attacks?

A: Organisations should combine MFA, rate limiting, password hygiene, and continuous privilege review with strong identity lifecycle controls. The goal is to make stolen credentials less useful and to remove access quickly when it is no longer needed. That approach reduces both initial compromise and the chance that an attacker can expand access after entry.

Q: What is the difference between phishing and credential stuffing from an IAM perspective?

A: Phishing tricks a user into revealing or approving access, while credential stuffing reuses stolen credentials from other breaches against your systems. Both succeed because identities are trusted too easily. IAM teams should counter them with MFA, anomaly detection, and controls that limit how much access any one credential can unlock.

Q: Why do service accounts create more risk than many teams expect?

A: Service accounts often have long-lived credentials, broad permissions, and weak ownership, which makes them attractive targets for escalation. If they are not rotated, monitored, and offboarded properly, they can outlive the systems or staff that created them. In practice, that turns a machine identity into a durable attack path.

Q: Should security teams prioritise MFA or privilege cleanup first?

A: Security teams should do both, but privilege cleanup usually reduces blast radius faster. MFA helps at the entry point, yet over-privileged and stale accounts still create pathways to sensitive systems. The best sequence is to harden authentication, then remove unnecessary access and fix dormant or orphaned identities.

Technical breakdown

Why credential abuse beats perimeter controls

Credential stuffing, password spraying, and phishing all exploit a basic failure mode: systems still trust authentication events more than behavioural context. When attackers reuse stolen passwords or trick users into approving access, they inherit the access posture already attached to that identity. MFA reduces risk, but it does not fix exposure from reused credentials, weak session binding, or poor detection of anomalous login patterns. In NHI environments, the same logic applies to API keys, tokens, and certificates that are valid long after they should have been revoked.

Practical implication: Treat authentication signals as only one layer and add behavioural checks, rate limits, and rapid revocation for both human and non-human credentials.

How Kerberos attacks turn service accounts into escalation paths

Golden Ticket, Kerberoasting, and Silver Ticket techniques all abuse the Kerberos trust model inside Active Directory. Once an attacker gets a foothold, they can request service tickets, extract hashes, crack weak passwords, or forge tickets that impersonate higher privilege. The key issue is not Kerberos itself, but the combination of long-lived credentials, excessive permissions, and limited visibility into service account usage. These are classic NHI problems because service accounts often outlive their owners and accumulate permissions over time.

Practical implication: Prioritise service account inventory, strict privilege scoping, and ticket monitoring before attackers turn one low-level account into domain-wide access.

What orphaned and over-privileged accounts do to blast radius

Insider misuse, delayed deprovisioning, and incomplete offboarding create identities that remain valid after the business relationship ends. Those accounts become silent persistence mechanisms because they are still trusted by downstream systems. Over-privileged accounts magnify the blast radius, especially when administrative roles are reused across applications or environments. From an NHI perspective, this is the same failure pattern as stale API keys or tokens that were never rotated. The technical problem is lifecycle control, not just authentication strength.

Practical implication: Build revocation, offboarding, and privilege review into the identity lifecycle so stale access cannot survive normal personnel changes.

Threat narrative

Attacker objective: The attacker aims to turn a single compromised identity into durable, high-privilege access across the enterprise.

1. Entry via phishing, credential stuffing, or password spraying that gives the attacker a valid starting identity.
2. Escalation through service account abuse, Kerberos ticket forgery, or privilege increase to administrator-level access.
3. Impact through access to sensitive systems, data exfiltration, malware placement, or broader domain control.

Breaches seen in the wild

• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
• MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Identity attack types are now lifecycle failures, not just authentication failures. The source article shows the same pattern across phishing, spraying, Kerberoasting, and ticket forgery: attackers succeed when identities remain usable beyond their intended scope. That is a governance problem as much as a technical one. Organisations need to manage creation, access, rotation, and revocation as a single control plane, not separate tasks.

Service accounts are the hidden bridge between IAM weakness and NHI risk. Golden Ticket, Kerberoasting, and Silver Ticket abuse all depend on accounts that were created for systems but are governed like exceptions. That is why NHI programmes cannot stay focused on human logins only. The most reliable path to escalation often runs through machine identities with old passwords, broad permissions, and poor monitoring.

Attack volume is less important than access quality. Phishing and password spraying remain effective because one valid credential can unlock many systems, and one service account can expose far more than a single user. That shifts the security question from blocking all attempts to reducing the value of any one compromise. Practitioners should measure identity blast radius, because that is what determines whether a breach stays local or spreads.

Residual access is the real governance debt. The article’s mitigation list points to controls such as MFA, rate limiting, account lockout, and privilege restriction, but those measures only reduce one part of the problem. Persistent access created by poor deprovisioning, idle accounts, and weak service account governance keeps the risk alive after the first incident. The practical conclusion is simple: if lifecycle control is weak, attackers can wait for the next authentication event.

Attack taxonomy should drive control priorities. A security team that treats every identity attack as the same problem will over-invest in front-door controls and under-invest in service account inventory, ticket monitoring, and offboarding discipline. The better model is to map each attack family to the identity object it abuses, then assign controls accordingly. That is how practitioners reduce both compromise probability and post-compromise spread.

From our research:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
• Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• For a deeper control model, review Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for provisioning, rotation, and offboarding patterns.

What this signals

Identity control programmes need to move from login protection to exposure reduction. The practical signal from this article is that identity attacks exploit the gap between authentication and access governance. When organisations still cannot see or govern every service account, they will keep fighting the same incidents at different points in the chain.

Ephemeral access only helps when the underlying entitlement model is disciplined. The attack patterns here show that valid credentials, not exotic exploits, remain the easiest route into enterprise systems. That makes revocation speed, privilege scoping, and account ownership the programme priorities that will matter most over the next planning cycle.

For practitioners

• Inventory all service accounts and privileged identities Create a current register of human and non-human identities, including service accounts, ticket-based access paths, and orphaned accounts. Classify each by ownership, purpose, privilege, and last rotation date so you can spot hidden escalation paths.
• Enforce MFA and rate limiting on all interactive access Require MFA for remote access, administrative access, and any login path exposed to the internet. Pair it with rate limiting and lockout controls to reduce the value of credential stuffing and password spraying against corporate entry points.
• Tighten service account privilege and password hygiene Remove unnecessary permissions from service accounts, replace shared secrets with unique credentials where possible, and rotate passwords on a fixed schedule. Review Kerberos ticket exposure for accounts that support critical systems.
• Automate offboarding and stale-access removal Link HR, IAM, and application administration workflows so user terminations, role changes, and project endings trigger immediate revocation. Include dormant accounts and unused credentials in the same cleanup process, not as a separate audit task.
• Monitor for anomalous identity behaviour Alert on unusual login velocity, impossible travel, unusual ticket requests, and privilege changes that do not match normal job function. Use those signals to detect both human account abuse and non-human identity misuse before escalation succeeds.

Key takeaways

• Identity-based attacks succeed because valid credentials and tickets often remain trusted long after they should have been removed.
• Service accounts, Kerberos artifacts, and stale access create the escalation paths that turn a low-level compromise into domain-wide impact.
• Teams should focus on lifecycle control, privilege reduction, and monitoring that makes each identity less valuable to attackers.

Key terms

• Credential Stuffing: Credential stuffing is the reuse of stolen username and password pairs against unrelated systems. It succeeds when organisations allow credential reuse, weak detection, or unbounded login attempts, and it becomes especially dangerous when one password unlocks multiple applications or administrative paths.
• Kerberoasting: Kerberoasting is an Active Directory attack that targets service accounts by requesting Kerberos tickets and attempting to crack the underlying password offline. It is dangerous because weak service account passwords and excessive permissions can turn one ticket into elevated access across critical systems.
• Golden Ticket Attack: A Golden Ticket attack forges a Kerberos ticket after an attacker obtains the KRBTGT hash in Active Directory. It can grant broad, durable access because the forged ticket is treated as trustworthy by the domain, making it a classic high-impact identity compromise.
• Non-Human Identity: A non-human identity is any credentialed digital entity that authenticates without a person directly present, including service accounts, API keys, tokens, certificates, bots, and AI agents. These identities need lifecycle governance because they often persist, spread, and accumulate privilege faster than human accounts.

Deepen your knowledge

Identity attack patterns and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme to reduce credential abuse and privilege sprawl, it is worth exploring.

This post draws on content published by Twine Security: 7 Critical Identity-Related Attack Types. Read the original.