Threatonomics

Understanding identity-based attacks and how to defend against them


by Emma McGowan , Senior Writer

How to create secure systems that employees will actually use.

Breaches used to be carried out primarily through software vulnerabilities: a vendor would announce a flaw, customers would take a while to patch it, and attackers would get into the system through the unpatched bug. From there they might not only steal information and assets from their primary target but also use that access to jump to a new host.

But as more organizations have gotten better at patching and remediation, the technical holes threat actors could creep through have dwindled. That meant shifting tactics to a new entry point: humans. In other words, using social engineering to carry out identity-based attacks.

What are identity-based attacks?

Identity-based attacks are those in which a threat actor logs in as a legitimate user of a system and then uses that foothold to steal valuable information: anything from banking details to additional credentials to the trust of other individuals with greater access. According to Tyler Boire, Resilience Senior Intelligence Analyst, identity-based attacks are particularly difficult to detect because the access appears to come from a legitimate user.

“When I was working as a pentester, that was primarily how I did most of my attacks,” Boire says. “Once you get onto a machine through some kind of phishing or if you can get an exploit done, your primary goal is to start going after identity stores. This is done through gathering credentials off the machine that you land on or trying to attack their domain controller, which is typically what does authentication across a network.”

If you’re having trouble envisioning how this works, a common example is an email that purports to be from a contractor and asks you to download an “invoice.” Once you open it, your device is infected, and the attacker can harvest the credentials stored on it to move into your (and your business’s) systems and data.

What’s the best way to protect my organization?

Unfortunately, there’s no such thing as one-size-fits-all security, Boire says. There is, however, a set of best practices any organization can implement, with varying degrees of intensity depending on how valuable its data is to criminals, how sensitive the information is, and whether regulations require that data to be protected from exposure.

Remember: your employees aren’t the adversary; cyber criminals are. That means working with employees toward the common goal of protecting your data from identity-based attacks. By creating systems that are secure for computers and comprehensible for humans, you ultimately make everything more airtight.

Defense in depth

“Defense in depth” essentially means layering security measures around your data. The number and type of layers depends on the information you’re trying to protect.

So, for example, say your company uses Twilio as its main platform. You also use other web-based software, like Google Workspace, Figma, and Asana, but Twilio is where your customers’ PII (personally identifiable information) is stored.

According to Boire, if you’re taking a defense-in-depth approach, you’ll want to make sure those ancillary programs (Google Workspace, Figma, Asana) have solid multi-factor authentication (MFA), such as a password plus an authenticator app or hardware key. Your main platform (Twilio), however, needs additional protection. Perhaps you only allow employees to access it from company-owned devices that have antivirus, a host firewall, and other protections built in. That way, people need not only the standard sign-in factors (password, MFA, etc.) but also have to be coming from a secured environment.

“Your ‘crown jewels’—like deal IDs, customer contact information, and payment details—are absolutely critical to protect,” Boire says. “We prioritize security above all, even if it means making access slightly more challenging for users. These assets shouldn’t be easily accessible or exposed.”

To safeguard them, you implement layers of protection: limit access by job role, and specify which devices may reach sensitive systems.

“This also has the added benefit of helping limit ‘insider threats,’ who may be legitimate employees wanting to steal data for financial or ideological reasons,” Boire says. “By limiting data to users who need that for their job functions, you help constrain areas where data may be leaked.”

For instance, our hypothetical company would not allow access to Twilio from personal mobile phones. Instead, it would ensure that only company-issued and hardened PCs, equipped with antivirus software and other security measures, could be used. These devices would be treated as trusted endpoints, and access from them would still require a username, password, and MFA.

“It’s not just about identity management; it’s about a holistic approach to security,” Boire adds. “Every layer we add strengthens our ability to protect the most sensitive and valuable data.”

Those layers, Boire adds, also give defenders more chances to detect abnormalities that could indicate an attacker is in the network. By forcing users through well-defined and monitored network locations, defenders can more easily watch for odd actions that may reveal an attack. In other words, you have a much smaller haystack in which to find the needle.
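The tiered policy Boire describes (password plus MFA everywhere, and for the crown-jewel platform also a permitted job role and a managed, compliant device), written out as an access decision that also records which denials a SOC should look at. This is an added example and not part of the original post, nor Resilience’s or Twilio’s code; the app names, tiers, role names and the sign-in attributes are assumed for illustration, and a real deployment would take them from the identity provider and the device-management service.

```python
"""Tiered access decisions for the defense-in-depth example in the text.

Added illustration, not Resilience's or Twilio's code. The app names, tiers,
role names and the device/MFA attributes on the sign-in request are assumed
for the example; a real deployment would take them from the IdP and MDM.
"""
from dataclasses import dataclass, field

# Sensitivity tier per application (assumed classification, mirroring the
# text: Twilio holds customer PII, the others are ancillary SaaS).
APP_TIER = {
    "twilio": "crown_jewel",
    "google_workspace": "standard",
    "figma": "standard",
    "asana": "standard",
}

# Job roles allowed to reach the crown-jewel app at all (assumed names).
CROWN_JEWEL_ROLES = {"support_lead", "billing", "security"}


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str
    app: str
    password_ok: bool
    mfa_ok: bool
    device_managed: bool    # company-issued, hardened PC enrolled in MDM
    device_compliant: bool  # AV running, disk encrypted, patched (per MDM)


@dataclass
class Decision:
    allow: bool = True
    reasons: list = field(default_factory=list)   # why it was denied
    signals: list = field(default_factory=list)   # what a SOC should look at


def evaluate(req: SignIn) -> Decision:
    """Apply the layers in order; a failure at any layer denies the sign-in."""
    d = Decision()
    tier = APP_TIER.get(req.app)
    if tier is None:
        d.allow = False
        d.reasons.append("unknown application")
        return d

    # Layer 1 (all apps): something you know plus something you have.
    if not req.password_ok:
        d.allow = False
        d.reasons.append("bad password")
        return d  # nothing further to learn from this attempt
    if not req.mfa_ok:
        d.allow = False
        d.reasons.append("MFA failed")
        d.signals.append("valid password, failed MFA")  # credential may be stolen
        return d

    if tier == "standard":
        return d  # ancillary tools stop here: password + MFA is the bar

    # Layer 2 (crown jewels only): least privilege by job role.
    if req.role not in CROWN_JEWEL_ROLES:
        d.allow = False
        d.reasons.append(f"role '{req.role}' not permitted for {req.app}")
        d.signals.append("authenticated user outside entitled roles")
        return d

    # Layer 3 (crown jewels only): only trusted, healthy endpoints.
    if not req.device_managed:
        d.allow = False
        d.reasons.append("unmanaged device")
        # Password and MFA both passed but the device is not ours: the
        # pattern a phished user or a stolen credential produces.
        d.signals.append("valid password and MFA from unmanaged device")
        return d
    if not req.device_compliant:
        d.allow = False
        d.reasons.append("managed device out of compliance")
        return d
    return d


def triage(attempts):
    """The 'smaller haystack': denials that carry a signal worth an analyst's time."""
    return [(a.user, a.app, sig) for a in attempts for sig in evaluate(a).signals]


# Constructed sample sign-ins (not real users, devices or events).
SAMPLE = [
    SignIn("ana", "billing", "twilio", True, True, True, True),
    SignIn("ana", "billing", "twilio", True, True, False, True),   # personal phone
    SignIn("raj", "design", "figma", True, True, False, True),     # fine for Figma
    SignIn("raj", "design", "twilio", True, True, True, True),     # wrong role
    SignIn("ana", "billing", "twilio", True, False, True, True),   # MFA failed
]

if __name__ == "__main__":
    for s in SAMPLE:
        d = evaluate(s)
        print(s.user, s.app, "ALLOW" if d.allow else "DENY", d.reasons)
    print("for the SOC:", triage(SAMPLE))
```

Note what the device layer buys for detection: a password and MFA that both succeed from an unmanaged device is exactly what a phished user looks like, and under this policy it is a single denied, tagged event rather than one successful login among thousands.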

Usable security

But while you want your systems to be as secure as possible, you also want to make sure they aren’t too difficult for your employees to actually use.

“It’s always going to be a balance of the most secure identity process versus the usability for an end user,” Boire says. “If you make every login super hard and complex, you’re going to get people writing them down. You’re going to get people using simple passwords. You’re going to get people trying to circumvent your security, right?”

With that in mind, Boire advocates a “usable security” approach rather than a “perfect security” approach: finding the combination of measures that adequately protects your data without creating unnecessary hurdles for people to jump through.

For example, rather than requiring passwords with a mandatory mix of numbers, letters, and symbols (which are hard to remember), ask for a long (20+ character) passphrase. Encourage users to come up with a sentence that’s easy for them to remember but hard for someone else to guess, something like “cats love ravens outside their boxes.” The length protects them against machines trying to guess, while the specificity protects them against humans (a famous quote or song lyric is long but not specific, and it will be in any attacker’s wordlist).
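A length-first passphrase check with the two guess-space estimates the passage implies (an attacker brute-forcing characters versus one who knows the secret is a phrase of common words), as an added example that is not part of the original post. The 20-character minimum, the small denylist standing in for a real list of well-known phrases, the distinct-character threshold and the 20,000-word dictionary size are assumptions made for this example.

```python
"""Length-first passphrase policy for the 'usable security' passage.

Added illustration, not Resilience's code. MIN_LENGTH, MIN_DISTINCT,
KNOWN_PHRASES and ASSUMED_DICTIONARY are assumptions for the example.
"""
import math
import re

MIN_LENGTH = 20              # the 20+ character bar from the text
MIN_DISTINCT = 6             # assumed: rejects 'aaaa...' and 'abab...' padding
ASSUMED_DICTIONARY = 20_000  # assumed: common-word list an attacker tries per position

# Constructed denylist standing in for a real quotation/lyric wordlist: long
# enough to pass the length rule, but not specific to the user.
KNOWN_PHRASES = {
    "to be or not to be that is the question",
    "the quick brown fox jumps over the lazy dog",
    "may the force be with you",
}


def _normalize(s: str) -> str:
    """Lower-case and collapse whitespace so denylist lookups ignore formatting."""
    return " ".join(s.lower().split())


def char_bits(s: str) -> float:
    """Guess space for an attacker who brute-forces characters, not words."""
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^A-Za-z0-9]", s):
        size += 33  # remaining printable ASCII, space included
    return len(s) * math.log2(size) if size else 0.0


def word_bits(s: str, dictionary: int = ASSUMED_DICTIONARY) -> float:
    """Guess space for an attacker who knows it is a phrase of common words."""
    return len(_normalize(s).split()) * math.log2(dictionary)


def check_passphrase(p: str) -> dict:
    """Return the verdict, the reasons for rejection, and both strength estimates."""
    problems = []
    if len(p) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(p)) < MIN_DISTINCT:
        problems.append("too few distinct characters")
    if _normalize(p) in KNOWN_PHRASES:
        problems.append("well-known phrase")
    cb, wb = char_bits(p), word_bits(p)
    return {
        "ok": not problems,
        "problems": problems,
        "char_bits": round(cb, 1),
        "word_bits": round(wb, 1),
        # Plan for the attacker who guesses smartest, not the one who guesses dumbest.
        "conservative_bits": round(min(cb, wb), 1),
    }


if __name__ == "__main__":
    for candidate in [
        "cats love ravens outside their boxes",    # the article's example
        "P@ssw0rd1!",                              # passes composition rules, fails here
        "to be or not to be that is the question", # long, but not specific
        "abababababababababababab",                # long, but padding
    ]:
        print(repr(candidate), check_passphrase(candidate))
```

The article’s example phrase scores over 200 bits against a character-level brute force but only about 86 bits against an attacker who assumes six common words, which is the number to plan around; the check still accepts it, while a short composition-rule password and a famous quotation are both rejected.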

Usable security levels depend entirely on the specifics of your organization. If you run a small website and provide all of your information for free, you probably don’t need much beyond a login and MFA, easy stuff for the end user. But if you’re a defense industrial base contractor doing R&D for the military and handling state secrets to do it, the confidentiality of that data matters more than ease of use for your end user. In that case, it’s worth making access harder, even if it causes friction.

Security is a balancing act—one that requires understanding not just the threats, but also the humans who interact with your systems. As identity-based attacks grow more sophisticated, the challenge isn’t just about building higher walls or deeper moats; it’s about designing systems that seamlessly integrate security and usability. How can you create an environment where your defenses are formidable, yet your employees feel empowered, not burdened? That’s the question every organization must answer to truly stay one step ahead.
