Executive Summary
In 2026, identity-based attacks have emerged as the predominant cyber threat, with 67% of incidents involving compromised credentials, session tokens, or other forms of digital identity. Attackers increasingly exploit legitimate access methods, bypassing traditional security measures to infiltrate systems undetected. This shift underscores the critical need for organizations to enhance identity security protocols and adopt continuous monitoring strategies to detect and mitigate unauthorized access.
The rise of identity-driven intrusions is further exacerbated by the integration of AI technologies, which enable adversaries to automate and scale their attacks more effectively. As a result, businesses must prioritize robust identity governance and implement advanced detection mechanisms to safeguard against these evolving threats.
Why This Matters Now
The surge in identity-based attacks, now accounting for 67% of cyber incidents, highlights an urgent need for organizations to strengthen identity security measures and adopt continuous monitoring to detect unauthorized access promptly.
Attack Path Analysis
The adversary initiated the attack by gathering victim identity information through phishing and social engineering, leading to the acquisition of valid credentials. Utilizing these credentials, they accessed the cloud environment and escalated privileges by modifying authentication processes. Subsequently, they moved laterally within the network by exploiting valid accounts and abusing elevation control mechanisms. The adversary established command and control channels using alternate authentication materials to maintain persistent access. They exfiltrated sensitive data by leveraging valid accounts and modifying authentication processes. Finally, the adversary impacted the organization by removing account access and manipulating domain policies to disrupt operations.
Kill Chain Progression
Initial Compromise
Description
The adversary initiated the attack by gathering victim identity information through phishing and social engineering, leading to the acquisition of valid credentials.
Related CVEs
CVE-2026-20047
CVSS 4.8A cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) allows an authenticated, remote attacker to execute arbitrary script code or access sensitive information.
Affected Products:
Cisco Identity Services Engine – 3.2.0 patch7, 3.3.0 patch4, 3.3.0 patch5, 3.4.0 patch1, 3.3.0 patch6, 3.4.0 patch2, 3.4.0 patch3, 3.3.0 patch7
Exploit Status:
no public exploitCVE-2026-28500
CVSS 9.1A security control bypass in ONNX up to version 1.20.1 allows remote attackers to execute arbitrary code via the onnx.hub.load() function with the silent=True parameter, potentially leading to zero-interaction supply-chain attacks.
Affected Products:
Linux Foundation ONNX – up to 1.20.1
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Valid Accounts
Gather Victim Identity Information
Account Manipulation
Account Discovery
Account Access Removal
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication
Control ID: 8.2.4
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure to identity-based attacks targeting service accounts, APIs, and AI agents with extensive lateral movement risks across cloud infrastructure and development pipelines.
Computer Software/Engineering
High-risk supply chain vulnerabilities through compromised developer accounts, malicious code injection in repositories, and automated identity exploitation in CI/CD workflows.
Banking/Mortgage
Severe regulatory compliance risks from identity paradox affecting HIPAA, PCI-DSS requirements with potential data exfiltration through legitimate credential abuse patterns.
Health Care / Life Sciences
Complex identity surface spanning SaaS platforms creates significant HIPAA compliance gaps while enabling privilege escalation and unauthorized access to sensitive patient data.
Sources
- The Identity Paradox: The Hidden Risks in Your Valid Credentialshttps://www.sentinelone.com/blog/the-identity-paradox-the-hidden-risks-in-your-valid-credentials/Verified
- CVE-2026-20047 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-20047Verified
- CVE-2026-28500 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-28500Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it embeds security directly into the cloud infrastructure, potentially limiting the adversary's ability to exploit implicit trust between workloads and reducing the blast radius of their activities.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: By embedding security controls directly into the cloud fabric, CNSF could limit the adversary's ability to exploit implicit trust between workloads, thereby reducing the blast radius of their activities.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could limit the adversary's ability to escalate privileges by enforcing strict access controls and reducing the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could limit the adversary's lateral movement by monitoring and controlling internal traffic, thereby reducing the risk of unauthorized access to other systems.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could limit the adversary's ability to establish and maintain command and control channels by providing comprehensive monitoring and control over cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could limit the adversary's ability to exfiltrate sensitive data by controlling outbound traffic and enforcing strict egress policies.
While CNSF may not prevent all impacts, its embedded security controls could limit the adversary's ability to manipulate domain policies and disrupt operations, thereby reducing the overall impact on the organization.
Impact at a Glance
Affected Business Functions
- Identity and Access Management
- Software Development
- Cloud Infrastructure Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user credentials and proprietary code repositories.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- • Deploy East-West Traffic Security to monitor and control internal traffic, detecting unauthorized movements.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights across cloud environments and detect anomalies.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and access to malicious destinations.
- • Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
