How Hybrid Environments Fuel Identity-First Attacks
Key Highlights
- Hybrid environments have expanded the attack surface, making every identity — human and non-human — a potential target.
- Traditional IAM tools and detect-and-respond strategies are no longer sufficient against fast-moving, automated attacks.
- Identity security requires a universal “floor” with protection-first measures like MFA and just-in-time access to reduce account compromise at scale.
Attackers have now pivoted to account compromise as their primary method of initial access and exploitation. As Brett Arsenault, Microsoft’s CISO, put it: “Hackers don’t break in, they log in.” It’s not a new phenomenon, but it’s one that we as defenders have yet to address.
Part 1 of this series explored where many identity security strategies fall short, from skipping the basics to overlooking non-human accounts, and offered guidance on establishing a resilient baseline.
This shift has elevated identity to one of the most critical battlegrounds in cybersecurity, as ransomware, data breaches and insider threats now frequently begin with the misuse of legitimate accounts. Securing companies against these identity-first attackers requires an identity-first solution.
Yet, many organizations still do not treat identity as a security discipline. The problem isn’t a lack of effort. Many teams have invested in tools and policies, but most were designed before the rise of identity-first attackers. The recent cyberattacks on major U.S. and U.K. retailers — such as M&S, Adidas and Harrods — show how easily attackers exploit known vulnerabilities and use stolen credentials to quietly weave their way inside any network. These incidents are a prime example of why traditional defenses are no longer enough.
How has the landscape changed?
Today’s enterprise environment vastly differs from what it was five years ago. The boundaries of the network have changed, visibility is harder, environments are more dynamic and attackers are faster than ever before. Three things have changed in this new era of defending against identity-first attackers:
- Enterprises have never been more complex. The rise of hybrid architectures across data centres and the public cloud has fundamentally changed the nature of enterprise security. And organizations can no longer rely on the high walls of their network for protection. Cloud computing, Bring Your Own Device (BYOD) and SaaS have broken down the boundaries of the enterprise. Meanwhile, getting visibility of what’s happening everywhere in a hybrid environment is more difficult than ever.
- Every identity is a risk. Human identities, non-human identities (NHIs), privileged, unprivileged — the old methods of protecting only the most critical accounts are outdated and leave significant space for identity-first attackers to compromise accounts protected only by usernames and passwords. When selective identity protection is initiated, it’s focused on a small minority of accounts and systems, allowing attackers to exploit those that are less protected.
- There is an evolving trend towards automated attacks. Breakout times are shrinking, and selective high walls of identity protection amount to a simple "if" statement for attackers: if an account is protected, move on to one that isn't. This means that the industry-standard approach of detecting and responding is in the process of breaking down, and this trend is only likely to accelerate over time.
What does this mean for enterprise security?
Historically, the network has been the backbone of enterprise security. But in today’s hybrid world, the network has become a business enabler. On the other hand, identity has historically been a discipline of business enablement — getting employees up and running with the access needed to do their jobs. Their roles are now reversing. As the network shifts toward enabling the business, identity must become the primary method of securing it.
However, the tools traditionally used to secure identities, such as privileged access management (PAM) or identity governance and administration (IGA), are optimized for management, not security. They help create processes around identities but don’t actively protect the identity itself.
The complex and incremental onboarding processes required to integrate with this generation of technologies put defenders in the slow lane to success; identities are vulnerable until onboarded, with no alternative in the interim. And even then, these tools are largely passive; they’re good for removing excessive access or disabling dormant accounts but can’t prevent legitimate accounts from exploitation by identity-first attackers. The result is an endless cycle of chasing your environment to apply protection and finding and fixing vulnerabilities.
What can an organization do about it?
Organizations must start building integrity and protecting identities in a way that can’t be evaded, is consistently applied everywhere, and is protection-first (rather than detect-and-respond). Just as you wouldn’t accept a network without firewalls, organizations shouldn’t accept identity without built-in security. This is the essence of identity security — preventing the misuse of otherwise valid identities — and must be the key focus of a threat-led identity program.
So, where do you begin? Start by building your organization's identity security floor, or foundation.
Implementing a universal floor of protection without gaps or inconsistencies is now a top priority. Every account matters to attackers, whether human or NHI. Detection and response are essential, but no longer sufficient given the speed of today’s attacks. Applying MFA, just-in-time access and limiting non-human accounts based on historical access patterns drastically reduces the risk of account compromise.
Most companies are better protected externally than internally. Organizations should assume that account compromise is inevitable and external defenses will be breached. That means they must protect everything—every server, database and PaaS service. Infrastructure is where ransomware paralyses companies and where data is exfiltrated, so it must be protected without exception. To do that, organizations must select products that work with the complexity of their hybrid environment and provide scalable, policy-based levers to enforce protection everywhere.
This foundation of protection — the identity security floor — means you can move from reactive onboarding in response to new risks to proactive protection. With every account challenged for MFA before logging onto a server and protection actively stopping attempted compromises, you can confidently demonstrate your security posture and ROI.
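The three floor rules described above (MFA before a human reaches a server, privileged access only through a still-valid just-in-time grant, and non-human accounts confined to their historical access pattern) can be expressed as a single policy applied to every access request. The following is an added illustration, not code from this article or from Silverfort: the identity names, resources and the one-hour JIT window are constructed sample values, and a real deployment would take the requests from an identity provider or authentication log rather than from an inline list.

```python
"""Toy 'identity security floor' evaluator (added example; constructed data).

Every access request, human or non-human, passes through the same policy:
  1. non-human identities (NHIs) may only reach resources in their historical baseline
  2. human identities must have passed MFA before touching any server
  3. privileged access requires a just-in-time grant that has not expired
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessRequest:
    identity: str
    kind: str            # "human" or "nhi"
    resource: str
    privileged: bool
    mfa_passed: bool     # whether an MFA challenge was completed for this logon
    at: datetime


class IdentityFloor:
    """Universal, protection-first policy applied to every request without exception."""

    def __init__(self, jit_grants, nhi_baseline):
        # (identity, resource) -> expiry time of a just-in-time grant
        self.jit_grants = dict(jit_grants)
        # identity -> set of resources this NHI has historically accessed
        self.nhi_baseline = {k: set(v) for k, v in nhi_baseline.items()}

    def grant_jit(self, identity, resource, now, ttl=timedelta(hours=1)):
        """Issue a short-lived privileged grant; nothing stands permanently."""
        self.jit_grants[(identity, resource)] = now + ttl

    def evaluate(self, req):
        """Return ("allow"|"deny", reason) for one request."""
        if req.kind == "nhi":
            # NHIs cannot answer an MFA prompt, so they are held to their baseline instead
            if req.resource not in self.nhi_baseline.get(req.identity, set()):
                return ("deny", "nhi_outside_historical_baseline")
        elif not req.mfa_passed:
            return ("deny", "mfa_required")
        if req.privileged:
            expiry = self.jit_grants.get((req.identity, req.resource))
            if expiry is None or req.at >= expiry:
                return ("deny", "jit_grant_missing_or_expired")
        return ("allow", "floor_satisfied")


def evaluate_all(floor, requests):
    """Apply the floor to a batch of requests; returns (identity, resource, decision, reason)."""
    return [(r.identity, r.resource) + floor.evaluate(r) for r in requests]


def summarize(decisions):
    """Count decisions by reason: a quick posture report for the floor."""
    counts = {}
    for _, _, _, reason in decisions:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample data (hypothetical identities and hosts)
T0 = datetime(2025, 6, 1, 9, 0)
FLOOR = IdentityFloor(
    jit_grants={("alice", "db-prod-01"): T0 + timedelta(minutes=30)},
    nhi_baseline={"svc-backup": {"fs-01", "fs-02"}},
)
SAMPLE_REQUESTS = [
    AccessRequest("alice", "human", "web-01", False, False, T0),                          # no MFA
    AccessRequest("alice", "human", "web-01", False, True, T0),                           # MFA passed
    AccessRequest("alice", "human", "db-prod-01", True, True, T0 + timedelta(minutes=10)),  # JIT valid
    AccessRequest("alice", "human", "db-prod-01", True, True, T0 + timedelta(minutes=45)),  # JIT expired
    AccessRequest("svc-backup", "nhi", "fs-02", False, False, T0),                        # in baseline
    AccessRequest("svc-backup", "nhi", "dc-01", False, False, T0),                        # outside baseline
    AccessRequest("bob", "human", "dc-01", True, True, T0),                               # no JIT grant
]


def run_sample():
    return evaluate_all(FLOOR, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for identity, resource, decision, reason in run_sample():
        print(f"{decision:5} {identity:11} -> {resource:11} ({reason})")
    print(summarize(run_sample()))
```

The point of the structure is that there is no onboarding gap: an identity the floor has never seen still gets a decision (an unknown NHI has an empty baseline and is denied; an unknown human is challenged for MFA), which is the "applied everywhere, can't be evaded" property the article asks for.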
Once this foundation is in place, defenders gain the space and time to raise the protection ceiling — whether moving to zero standing privilege or ephemeral non-human accounts — and they’ll be able to proceed with confidence, supported by a solid security foundation.
About the Author

Rob Ainscough
Chief Identity Security Advisor
Rob Ainscough is Chief Identity Security Advisor, EMEA, at Silverfort, where he helps organizations strengthen their defenses against identity-based threats. He brings extensive expertise in identity security strategy and works closely with enterprises to address risks associated with account compromise, privileged access and evolving attack techniques.