Data Reveals Identity-Based Attacks Now Dominate Cybercrime
Author: Tony Bradley, Senior Contributor
Published on: 2025-02-12 20:07:23
Source: Forbes – Innovation
Disclaimer: All rights are owned by the respective creators. No copyright infringement is intended.
Cyberattacks are evolving, and the latest data suggests they are moving away from malware-based methods toward identity exploitation. According to the CrowdStrike 2024 Global Threat Report, three out of every four attacks now rely on valid credentials rather than malicious software.
This shift is being driven by an evolving cybercrime economy, where stolen identities are as valuable as—if not more than—exploitable vulnerabilities. A growing underground market for credentials, combined with the rise of automated phishing and AI-driven deception, is making traditional security models increasingly obsolete.
“You may have really locked down environments for untrusted external threats, but as soon as you look like a legitimate user, you’ve got the keys to the kingdom,” said Elia Zaitsev, CTO at CrowdStrike, when I spoke with him about the insights from the report.
This shift underscores a major challenge for companies: If an attacker doesn’t need malware or an exploit to break in, how do you stop them?
Adversaries Are Moving Faster Than Defenders
Another troubling finding in the CrowdStrike report is just how quickly attackers can escalate once inside a network. The fastest recorded eCrime breakout time—the time it takes an attacker to move laterally after gaining initial access—was just 2 minutes and 7 seconds.
Traditional security approaches, which rely on detecting malware or waiting for security analysts to manually investigate alerts, are struggling to keep pace. In an identity-driven attack, there are no malicious payloads to scan for—just an adversary masquerading as an authorized user.
This shift has fueled a rise in living-off-the-land techniques, where attackers use built-in system tools to evade detection. Instead of deploying custom malware, they use legitimate credentials and remote monitoring tools to blend into normal network traffic.
The Rise of Cross-Domain Attacks
A significant challenge highlighted in the 2024 Global Threat Report is that identity attacks are no longer confined to a single environment. Attackers are now leveraging valid credentials to move laterally across on-prem, cloud, and SaaS environments, making them much harder to detect.
I also spoke with Jim Guinn, a cybersecurity leader with EY. He described this tactic as part of a growing trend. “You have to get in, and you have to be able to laterally move throughout the network, which means you have some level of access. And access requires identity.”
He added that nation-state actors are particularly focused on pre-positioning themselves within networks, gaining access months or even years before launching an attack.
For organizations that still treat endpoint security, cloud security, and identity protection as separate disciplines, this poses a major problem. Attackers are increasingly pivoting between these environments to shake off detection and maintain persistent access.
“The moment that man created AI, he also created a way for bad actors to use AI against you,” Guinn noted. “They’re creating a quicker way to get to a set of targets that cybercriminals can use, and they’re creating code bases and ways to manipulate users’ credentials faster than the human can think about it.”
How Companies Are Adapting to Identity-Driven Threats
As identity-based attacks outpace traditional security models, organizations are being forced to rethink their cybersecurity strategies.
One of the most critical shifts is the move toward continuous identity verification. Traditionally, authentication has been treated as a one-time event—users log in once and are then trusted indefinitely. But with attackers now impersonating legitimate users, more companies are adopting real-time behavioral monitoring to detect anomalies.
Another major change is the adoption of just-in-time privileges. Instead of giving employees permanent administrative access, organizations are limiting high-risk permissions to the exact moment they’re needed—then revoking them immediately afterward.
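The two controls just described, continuous verification of a logged-in identity and time-boxed privilege, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from Forbes, CrowdStrike, or EY, and the user names, IP addresses, host names and timestamps in it are constructed sample data. The anomaly check scores each login against the user's historical source networks and hosts, and flags the same identity reaching an unfamiliar second host within a short window of its first login, which is the breakout-time idea from earlier in the article; the JIT class grants an elevated role with a hard expiry and re-checks it on every use, so nothing is trusted indefinitely after a single authentication.

```python
# Added example (not from the article, CrowdStrike or EY): toy versions of
#   1. continuous identity verification: score logins against a per-user
#      baseline and flag rapid movement to unfamiliar hosts, and
#   2. just-in-time privilege: elevation that expires and is checked on use.
# All users, addresses, hosts and times below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    host: str


# Constructed history: what "normal" looked like for these users last month.
HISTORY = [
    AuthEvent(datetime(2025, 1, 10, 9, 0), "alice", "10.1.4.20", "laptop-alice"),
    AuthEvent(datetime(2025, 1, 11, 9, 5), "alice", "10.1.4.21", "laptop-alice"),
    AuthEvent(datetime(2025, 1, 12, 9, 2), "alice", "10.1.4.20", "fileserver-01"),
    AuthEvent(datetime(2025, 1, 12, 9, 7), "bob", "10.1.4.30", "laptop-bob"),
]

# Constructed events for one night: a valid credential used from an
# unfamiliar network, then three hosts in just over two minutes.
TODAY = [
    AuthEvent(datetime(2025, 2, 12, 3, 1, 0), "alice", "203.0.113.7", "vpn-gw"),
    AuthEvent(datetime(2025, 2, 12, 3, 2, 10), "alice", "203.0.113.7", "fileserver-01"),
    AuthEvent(datetime(2025, 2, 12, 3, 3, 5), "alice", "203.0.113.7", "dc-01"),
    AuthEvent(datetime(2025, 2, 12, 9, 0, 0), "bob", "10.1.4.30", "laptop-bob"),
]


def build_baseline(history):
    """Per-user set of /24 source networks and hosts seen in the history."""
    baseline = {}
    for e in history:
        b = baseline.setdefault(e.user, {"nets": set(), "hosts": set()})
        b["nets"].add(ip_network(f"{e.src_ip}/24", strict=False))
        b["hosts"].add(e.host)
    return baseline


def detect_anomalies(events, baseline, breakout_window=timedelta(minutes=10)):
    """Return (user, ts, reason) for events that deviate from the baseline.

    Two signals: a login from a source network never seen for that user, and
    "breakout": the same identity reaching a second host it has never used,
    within breakout_window of its first login in this batch.
    """
    findings = []
    first_seen = {}  # user -> (time, host) of the first login in this batch
    for e in sorted(events, key=lambda x: x.ts):
        b = baseline.get(e.user, {"nets": set(), "hosts": set()})
        ip = ip_address(e.src_ip)
        if not any(ip in net for net in b["nets"]):
            findings.append((e.user, e.ts, f"login from unseen network {e.src_ip}"))
        if e.user not in first_seen:
            first_seen[e.user] = (e.ts, e.host)
            continue
        t0, h0 = first_seen[e.user]
        if e.host != h0 and e.host not in b["hosts"] and e.ts - t0 <= breakout_window:
            secs = int((e.ts - t0).total_seconds())
            findings.append((e.user, e.ts, f"breakout to {e.host} {secs}s after initial access"))
    return findings


@dataclass
class JITGrant:
    user: str
    role: str
    expires: datetime
    revoked: bool = False


class JITPrivileges:
    """Time-boxed elevation: the role exists only until expiry or revocation."""

    def __init__(self):
        self.grants = []

    def grant(self, user, role, now, ttl=timedelta(minutes=30)):
        g = JITGrant(user, role, now + ttl)
        self.grants.append(g)
        return g

    def revoke(self, user, role):
        for g in self.grants:
            if g.user == user and g.role == role:
                g.revoked = True

    def is_elevated(self, user, role, now):
        # Re-evaluated on every privileged action, not once at login.
        return any(g.user == user and g.role == role and not g.revoked
                   and now < g.expires for g in self.grants)


if __name__ == "__main__":
    for user, ts, reason in detect_anomalies(TODAY, build_baseline(HISTORY)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {reason}")
    jit = JITPrivileges()
    t = datetime(2025, 2, 12, 10, 0)
    jit.grant("alice", "domain-admin", t, ttl=timedelta(minutes=15))
    print("elevated at +14m:", jit.is_elevated("alice", "domain-admin", t + timedelta(minutes=14)))
    print("elevated at +15m:", jit.is_elevated("alice", "domain-admin", t + timedelta(minutes=15)))
```

Run as-is, the script reports three logins from an unseen network and a breakout to dc-01 125 seconds after the initial login, while bob's normal session produces nothing. A real deployment would feed the same logic from an identity provider's sign-in log and tighten the baseline (device identity, geography, time of day); the structure, a per-identity baseline plus a grant that carries its own expiry, is the part that matters.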
“We’re bringing all that to bear,” Zaitsev explained. “We are taking that cross-domain, multi-domain visibility approach, unifying it all, and then, of course, also focusing heavily on continuous detection, prevention and response.”
Guinn shared a revealing anecdote from a company that emphasizes the importance of strong identity controls. “One of their senior executives said, ‘I think the only reason we haven’t really had breach—like a significant breach—is because we have multi-factor authentication for our user credentials.’”
The Future of Cybersecurity Is Identity-Centric
If the CrowdStrike 2024 Global Threat Report makes one thing clear, it’s that identity—not malware—is now the primary battlefield in cybersecurity.
Attackers no longer need custom exploits or backdoors when they can simply buy access credentials online, phish an employee, or trick an AI-driven authentication system.
Put bluntly, the stakes are clear: Without access—which requires a user’s identity—threat actors can accomplish very little. Identity is the epicenter of an effective cybersecurity strategy.
As security teams work to adapt to this new reality, one thing is certain: If organizations continue treating identity security as an afterthought, they risk being left defenseless against attackers who no longer need to break in—because they already have the keys.