Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity-based intrusion chains: are your controls catching stealthy access?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Identity-based attacks remain effective because intruders can steal administrative credentials, use pass-the-hash over NTLM, and move laterally with minimal engagement, according to SentinelOne’s analysis of Sandman APT. Early detection and identity-focused deception change the defender’s odds, but only if credential discovery and lateral movement are treated as identity problems, not endpoint anomalies.

NHIMG editorial — based on content published by SentinelOne: identity-based TTPs used by Sandman APT

By the numbers:

Questions worth separating out

Q: What breaks when attackers can reuse stolen identity material on a network?

A: When stolen identity material can be replayed, the attacker no longer needs a fresh exploit for every step.

Q: Why do identity-based attacks create more risk than simple endpoint compromise?

A: Identity-based attacks matter because they convert a technical foothold into trusted access.

Q: How do security teams know if lateral movement defences are actually working?

A: Teams should test whether one compromised identity can reach adjacent systems, SaaS apps, or production zones that it should not access.

Practitioner guidance

  • Hunt for credential theft on endpoints and directory assets Prioritise telemetry that shows local credential discovery, AD enumeration, and suspicious access to privileged group metadata, because those are the behaviours that precede hash replay and lateral movement.
  • Reduce NTLM replay opportunity wherever possible Review where NTLM is still accepted, where password hashes can be harvested, and where legacy authentication paths create reusable identity artefacts that attackers can abuse after a foothold.
  • Place deceptive identity assets near crown-jewel systems Deploy believable decoys and lure credentials adjacent to production segments so attacker reconnaissance and lateral movement generate alerts before the intruder reaches sensitive systems.

What's in the full article

SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:

  • How Singularity Identity conceals endpoint and AD credential data to disrupt local reconnaissance.
  • How Singularity Hologram deploys decoys that absorb pass-the-hash activity and record attacker behaviour.
  • How the deception stack maps to targeted workstation movement and alternate authentication abuse.
  • How the solution differentiates alerting on credential discovery from alerting on lateral movement attempts.

👉 Read SentinelOne’s analysis of Sandman APT and identity-based intrusion tactics →

Identity-based intrusion chains: are your controls catching stealthy access?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Identity-based intrusion is now a detection problem before it is a malware problem. Sandman shows that attackers can achieve meaningful access using legitimate credentials, then move with minimal engagement to stay below alert thresholds. That means the security gap is not just endpoint visibility, but the organisation’s ability to recognise when authentication itself has become the attack path. Practitioners should treat identity telemetry as primary evidence, not supporting context.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when stolen credentials are used for stealthy internal movement?

A: Accountability should sit with the owners of identity, endpoint, and directory controls because the failure crosses all three domains. If stolen credentials can be replayed and lateral movement is not detected, that is a governance gap, not just a security event. Frameworks such as NIST CSF and PAM governance should define clear ownership for containment and review.

👉 Read our full editorial: Identity-based intrusion chains expose gaps in early detection



   
ReplyQuote
Share: