The Attacker Is Already Inside — and They Have a Badge
Organizations invest heavily in hardened perimeters, vigilant security operations centers, and next-generation firewalls. Yet a growing class of adversaries bypasses all of it entirely — not by exploiting a zero-day vulnerability, but simply by logging in with a stolen username and password. According to research cited by Jeanette Miller-Osborn, Field Cyber Intelligence Officer at Dataminr, nearly one in three cyber intrusions now involves valid employee credentials, making credential theft one of the most prevalent attack vectors in today's threat landscape.
This is no longer a niche problem. It represents a structural shift in how breaches unfold. When an attacker authenticates with real credentials, they look — at least initially — indistinguishable from a legitimate employee going about their workday. Traditional alarms often stay silent because nothing appears technically malicious. The attacker is not breaking in; they are walking through the front door.
AI Has Industrialized Credential Theft
Credential theft itself is not a new concept. What has changed dramatically is the scale and velocity at which these attacks can be executed, largely due to artificial intelligence. Phishing campaigns that once demanded genuine technical expertise can now be generated at volume in minutes. Stolen credentials can be tested and deployed across multiple platforms automatically, without human intervention at each step.
The volume of information-stealing malware — the primary mechanism by which credentials are harvested in the first place — has surged 84% over the last year, according to research referenced by Miller-Osborn. With more credentials being stolen and AI making weaponization trivially easy, the blind spot for security teams is expanding rapidly.
AI-assisted tooling can now generate convincing behavioral patterns and mimic normal user activity once an attacker is inside a network. Tasks that previously demanded advanced tradecraft and custom tools — moving laterally without triggering alerts, blending into normal traffic — can now be accomplished by less sophisticated actors. Whether executing a mass credential-spraying attack or a targeted intrusion, threat actors can operate at a velocity that traditional defenses were simply not designed to stop.
A Professionalized Underground Economy
Security teams frequently underestimate how organized the credential-theft ecosystem has become. Threat actors have constructed full business models around discovering, validating, and reselling stolen credentials. The buyers of this access are not limited to financially motivated cybercriminals. Nation-state actors are purchasing credentials from Dark Web forums to launch intrusion campaigns that are deliberately engineered to resemble standard cybercrime — a tactic designed to frustrate attribution efforts.
This professionalization makes the supply chain a particularly dangerous target. In an environment of interrelated dependencies, a single set of credentials can function as a master key, unlocking far more than the account it was originally stolen from. Attackers understand this network effect thoroughly. They collaborate, share scripts, and sell access to one another, maximizing profit while minimizing personal risk.
Defenders, by contrast, are often hampered by siloed vendor frameworks and a lingering culture that discourages transparency about incidents. While attackers operate with the efficiency of a professional enterprise, security teams frequently lack the cross-organizational communication needed to recognize emerging patterns. Attackers are collaborating to get in, while defenders remain too isolated to notice the signals.
Six Fundamental Shifts in Detection and Response
Closing this gap requires more than incremental improvements to existing tooling. It demands a fundamental rethinking of the detection model itself. Miller-Osborn outlines six priority areas for practitioners:
- Move identity monitoring upstream. Dark Web and underground forum monitoring must be integrated into active response workflows — not relegated to monthly reports. The moment a compromised credential surfaces externally, it should trigger automated credential rotation and mandatory multifactor authentication (MFA) before that credential ever reaches a production environment.
- Implement phish-resistant MFA. Traditional SMS-based or push notification MFA can no longer reliably stop modern adversary-in-the-middle attacks. Organizations should migrate toward FIDO2-compliant hardware keys or certificate-based authentication. If the "something you have" factor can be intercepted by a proxy, it no longer qualifies as a secure second factor.
- Treat authentication as a continuous process. The binary login model — in which a user is trusted indefinitely after one successful MFA prompt — is no longer sufficient. Organizations should adopt Continuous Adaptive Trust frameworks that re-evaluate risk in real time based on behavioral signals, including sudden changes in typing cadence, unusual file access patterns, or impossible travel scenarios involving logins from geographically distant locations in a short time window.
- Harden the help desk against AI social engineering. AI-generated voice cloning has turned the routine "forgot my password" call into a significant vulnerability. Organizations need out-of-band verification processes for help desk tickets — for example, requiring a video call with a known supervisor or presentation of a physical token — to ensure that the person requesting a credential reset is not an AI-powered impersonator.
- Audit for identity sprawl. Third-party integrations and service accounts frequently rely on static credentials that bypass MFA entirely and are rarely if ever rotated. Organizations should enforce the principle of least privilege rigorously and ensure that every service account carries a defined expiration date and a designated human owner accountable for its lifecycle.
- Elevate credential compromise as a priority signal. When a compromised credential is identified, the response must be immediate and holistic. This means not only changing the affected password but also conducting a retrospective review: What did this identity access in the 48 hours prior to the alert? A valid login alert deserves the same urgency as a malware detection event.
Identity Is Not a Gate — It's a Signal
The accelerating shift toward credential-based intrusions is a calculated choice by adversaries who recognize the path of least resistance: low operational risk, high automation potential, and a proven ability to bypass even the most hardened perimeters. These attacks succeed not because defenders lack technology, but because the underlying detection philosophy has not kept pace with how attackers actually operate.
Miller-Osborn, who co-created the MITRE ATT&CK framework, has testified before the U.S. Senate on cyber defense, and has spent two decades across organizations including the U.S. Air Force, MITRE, and Unit 42, argues that the industry must stop viewing identity as a static gate to be checked once at login. Identity must instead be treated as a continuous, high-priority signal — one that demands ongoing scrutiny long after initial authentication.
If organizations fail to evolve their verification models to reflect this reality, they risk ignoring the warning signs of a breach until the financial and reputational costs make them impossible to dismiss. The keys are already in the ignition. The question is whether defenders will act before an attacker turns them.
Source: Dark Reading