Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity attack surfaces are outpacing controls, so what should teams do?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Identity-based attacks still move fastest when attackers can abuse legitimate infrastructure, with phishing, compromised credentials, and Active Directory misuse driving privilege escalation and lateral movement across enterprise networks, according to SentinelOne. The practical lesson is that identity controls must be designed around attack surface reduction, not just detection after compromise.

NHIMG editorial — based on content published by SentinelOne: 2022 cyber threat trends across endpoints, cloud, and identity

By the numbers:

  • $236 million., are attacks from this year alone totaled over $236 million.

Questions worth separating out

Q: How should security teams reduce the attack surface of identity systems?

A: Security teams should reduce identity attack surface by removing standing privilege, closing unnecessary trust paths, tightening authentication controls, and continuously monitoring directory changes.

Q: Why do compromised credentials and Active Directory remain such high-risk entry points?

A: Because they let an attacker operate inside the trust relationships the organisation already uses.

Q: What do security teams get wrong about MFA in identity attacks?

A: They often assume MFA ends the problem once the code is entered.

Practitioner guidance

  • Map the identity attack surface end to end Inventory directories, access management paths, privileged accounts, federation points, browser extension exposure, and adjacent systems that can preserve attacker access after login.
  • Harden Active Directory as a privileged control plane Prioritise monitoring for anomalous enumeration, delegation abuse, privilege changes, and unexpected administrative reach.
  • Review MFA abuse paths and rule exceptions Look for ways attackers can exploit prompts, recovery flows, or conditional access exceptions to preserve access after initial entry.

What's in the full article

SentinelOne's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor breaks down endpoint, cloud, and identity attack surfaces into practical defensive priorities
  • Specific examples of how Active Directory abuse supports enumeration, privilege escalation, and lateral movement
  • Guidance on MFA abuse, browser extension risk, and unpatched software as attack vectors
  • Product-level context for Singularity Identity, Ranger AD Assessor, and Hologram in the detection and response flow

👉 Read SentinelOne's analysis of identity attack surfaces and cyber threat trends →

Identity attack surfaces are outpacing controls, so what should teams do?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Identity compromise is now an infrastructure problem, not a login problem. The article shows that attackers do not need to defeat every perimeter control if they can weaponise the trusted identity plane already in place. That is why Active Directory, access management, and related administration paths remain disproportionately attractive. For practitioners, the lesson is to govern identity as part of attack-surface reduction, not as a standalone authentication layer.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when compromised credentials are used to trigger ransomware?

A: Accountability usually spans identity, infrastructure, and security operations because the failure chain includes authentication design, network trust boundaries, and detection gaps. Frameworks such as NIST CSF and Zero Trust Architecture place responsibility on governance that limits blast radius, not only on the team that owns the portal.

👉 Read our full editorial: Identity attack surfaces are outpacing enterprise security controls



   
ReplyQuote
Share: