TL;DR: Identity-based attacks now rely on valid credentials in three out of four breaches, while phishing, credential stuffing, AiTM, and exposed secrets continue to widen the entry surface, according to Zero Networks and cited breach research. The core issue is not only access loss but the assumption that identities remain stable long enough for reactive controls to matter.
NHIMG editorial — based on content published by Zero Networks: Identity Based Attacks: Tactics, Trends, and Identity Security Best Practices
By the numbers:
- the median time to remediate exposed credentials on a GitHub repository is 94 days
- machine identities like service accounts and API tokens now make up over 70% of networked identities
Questions worth separating out
Q: How should security teams reduce breach risk from stolen credentials?
A: Security teams should reduce credential lifetime, remove stale secrets from code and tooling, and make access revocation faster than attacker reuse.
Q: Why do machine identities create more risk than human identities in some environments?
A: Machine identities are often numerous, long-lived, and embedded in code or infrastructure.
Q: What do security teams get wrong about Zero Trust and identity governance?
A: They often treat Zero Trust as an integration label rather than a continuous operating requirement.
Practitioner guidance
- Reduce credential exposure windows Prioritise the removal of long-lived secrets from code, configuration files, and collaboration tools, then rotate exposed credentials faster than your current review cycle allows.
- Segment identity reach by allowed logon path Constrain each human and non-human identity to the specific protocols, hosts, and logon types it actually needs.
- Apply just-in-time controls to privileged access Make privileged access conditional on current context, not on standing entitlement.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- The article walks through specific identity attack patterns, including phishing, credential stuffing, AiTM, Kerberoasting, pass-the-ticket, and pass-the-hash.
- It includes implementation guidance for network-layer MFA, identity segmentation, microsegmentation, and adaptive access policies.
- The source also expands on machine identity exposure, infostealer trends, and the operational logic behind blocking lateral movement.
- It adds practitioner context from the vendor's field perspective on how identity controls are enforced across users, service accounts, and applications.
👉 Read Zero Networks' analysis of identity based attacks and identity security best practices →
Identity based attacks: are your controls keeping up?
Explore further
Identity-based attack defence has become an identity governance problem, not just a detection problem. Once attackers are operating with valid credentials, the failure is usually upstream of the alert. Identity scope, privilege breadth, and access duration are what determine whether a breach stalls or spreads, so IAM, PAM, and NHI governance now carry direct containment value. Practitioners should treat identity control as the boundary itself, not as a supporting layer.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when a third-party credential is misused?
A: Accountability sits with the organisation that issued or retained the credential, even when a third party held it. That means supplier review, permission scoping, and offboarding discipline must be built into the contract and the IAM process. If the secret can still work, the governance failure is still yours.
👉 Read our full editorial: Identity based attacks expose the limits of legacy IAM controls