TL;DR: Credential access lets attackers use legitimate usernames, passwords, tokens, or MFA factors to hide inside normal system activity, making detection and lateral movement much harder, according to 1Kosmos. The core governance problem is that once credentials are stolen, many IAM controls assume a trustworthy session that no longer exists.
NHIMG editorial — based on content published by 1Kosmos: Credential access and identity security analysis
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when attackers steal valid credentials?
A: When attackers steal valid credentials, authentication no longer reveals the threat because the session looks legitimate.
Q: Why do stolen credentials make lateral movement easier?
A: Stolen credentials make lateral movement easier because they let an attacker reuse approved access across systems without triggering exploit-based alarms.
Q: How can organisations reduce the damage from credential theft?
A: Organisations reduce damage by shrinking credential lifetime, enforcing phishing-resistant authentication, and limiting what each identity can reach.
Practitioner guidance
- Reduce credential reuse windows: Shorten the usable life of passwords, tokens, and MFA artefacts so a stolen credential has less time to be replayed across systems.
- Harden phishing-resistant authentication: Prefer authentication methods that do not expose reusable secrets during transmission, especially for high-value users and admin paths.
- Restrict lateral movement paths: Map which identities can reach multiple systems and remove unnecessary cross-system access, especially for privileged and service accounts.
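One way to turn the first and third guidance items into a repeatable check, as an added example that is not from 1Kosmos or the original post: the inventory records, the 90-day age limit, the one-system reach limit and the scoring weights are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (not real data): one record per identity.
INVENTORY = [
    {"identity": "alice", "kind": "user", "privileged": False,
     "systems": {"crm"}, "cred_issued": "2025-05-20"},
    {"identity": "svc-backup", "kind": "service", "privileged": True,
     "systems": {"db-prod", "fileshare", "hypervisor"}, "cred_issued": "2023-01-10"},
    {"identity": "bob-admin", "kind": "user", "privileged": True,
     "systems": {"db-prod", "idp"}, "cred_issued": "2025-05-28"},
    {"identity": "svc-ci", "kind": "service", "privileged": False,
     "systems": {"repo", "registry"}, "cred_issued": "2024-11-01"},
]

def audit(inventory, now, max_age=timedelta(days=90), max_systems=1):
    """Flag identities whose credential, if stolen, could be replayed
    for a long time or across several systems. Thresholds are assumptions."""
    findings = []
    for rec in inventory:
        issued = datetime.strptime(rec["cred_issued"], "%Y-%m-%d")
        age = now - issued.replace(tzinfo=timezone.utc)
        reasons = []
        if age > max_age:
            reasons.append(f"credential age {age.days}d exceeds {max_age.days}d")
        if len(rec["systems"]) > max_systems:
            reasons.append("reaches " + ", ".join(sorted(rec["systems"])))
        if not reasons:
            continue
        # Assumed weighting: privileged and service accounts rank higher,
        # since the guidance singles them out for review.
        score = len(reasons) + rec["privileged"] + (rec["kind"] == "service")
        findings.append({"identity": rec["identity"], "score": score,
                         "reasons": reasons})
    # Highest score first; ties broken by name for stable output.
    return sorted(findings, key=lambda f: (-f["score"], f["identity"]))

if __name__ == "__main__":
    for f in audit(INVENTORY, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(f["score"], f["identity"], "; ".join(f["reasons"]))
```

The ranked output gives a review order: each flagged identity is a candidate for a shorter credential lifetime, removal of cross-system grants, or both.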
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Concrete examples of password guessing, credential dumping, phishing, and MFA interception as entry methods
- Practical password rotation guidance and where it fits alongside least privilege and passwordless authentication
- The vendor's identity proofing and passwordless implementation detail for teams comparing control patterns
- Platform integration detail for readers who need implementation context rather than governance framing