Identity linked to two-thirds of security incidents

Identity-Based Attacks Now Fuel Two-Thirds of Security Incidents, New Research Shows

In a striking revelation that underscores the evolving landscape of cyber threats, a new report from Sophos has found that 67 percent of all security incidents investigated by its Incident Response (IR) and Managed Detection and Response (MDR) teams in the past year were rooted in identity-related attacks. The findings paint a stark picture of how modern attackers are bypassing traditional defenses by targeting the very foundation of enterprise security: user identities.

The report, which analyzed hundreds of real-world security incidents, highlights a disturbing trend — cybercriminals are increasingly exploiting compromised credentials, bypassing or ignoring multifactor authentication (MFA), and taking advantage of poorly protected identity systems. What makes this particularly concerning is that these attacks often succeed without requiring sophisticated new tools or techniques, relying instead on the exploitation of human error, weak policies, and legacy systems.

The Shift from Vulnerabilities to Stolen Credentials

One of the most significant shifts identified in the Sophos report is the move away from exploiting software vulnerabilities toward the abuse of stolen or weak credentials. For years, vulnerability exploitation dominated the initial access phase of cyberattacks. However, the data now shows that brute-force activity accounts for 15.6 percent of initial access attempts, nearly matching the 16 percent attributed to vulnerability exploitation.

This near-parity between brute-force attacks and vulnerability exploitation signals a critical change in attacker behavior. Rather than spending time and resources finding and exploiting unpatched systems, many attackers are now opting for the “path of least resistance” — trying to guess or steal passwords, reuse credentials from previous breaches, or exploit weak authentication practices.

Dwell Time Drops, But Not for the Right Reasons

Another notable finding from the report is the dramatic reduction in median dwell time — the period attackers remain undetected within a network. According to Sophos, the median dwell time has fallen to just three days. At first glance, this might seem like a positive development, suggesting that security teams are getting better at detecting intrusions. However, the report cautions that this decline is not necessarily due to improved detection capabilities.

Instead, the shortened dwell time is likely driven by several factors, including the increased use of ransomware-as-a-service (RaaS) models, where affiliates move quickly to deploy ransomware once inside a network, and the growing prevalence of “hands-on-keyboard” attacks, where adversaries actively engage with compromised systems rather than lying dormant.

Why Identity Is the New Battlefield

The dominance of identity-based attacks reflects a broader shift in the cybersecurity landscape. As organizations have strengthened their perimeter defenses and patched critical vulnerabilities, attackers have adapted by focusing on the weakest link: people and their credentials. With the rise of remote work, cloud adoption, and the proliferation of SaaS applications, the attack surface for identity-based threats has expanded dramatically.

Compromised credentials are particularly dangerous because they grant attackers legitimate access to systems, making their activities harder to detect. Once inside, attackers can move laterally, escalate privileges, and access sensitive data without triggering traditional security alerts. The absence or weakness of MFA further compounds the problem, as it allows attackers to bypass one of the most effective layers of defense.

The Role of Poor Identity Hygiene

The Sophos report also highlights the role of poor identity hygiene in facilitating these attacks. Common issues include the use of weak or reused passwords, failure to rotate credentials after a breach, excessive user privileges, and the lack of centralized identity management. In many cases, organizations simply do not have visibility into who has access to what, making it difficult to detect and respond to anomalous behavior.

Furthermore, the report notes that many identity systems themselves are poorly protected. Default configurations, unpatched identity management software, and insufficient monitoring can all be exploited by determined attackers. In some cases, attackers have even targeted the identity infrastructure itself, compromising directory services or identity providers to gain widespread access across an organization.

Implications for Organizations

The findings of the Sophos report carry significant implications for organizations of all sizes. First and foremost, they underscore the need to treat identity as a critical security perimeter. This means implementing strong authentication practices, such as MFA, but also going beyond that to adopt a zero-trust approach — never assuming trust, always verifying.

Organizations should also invest in identity governance and administration (IGA) solutions to gain better visibility and control over user access. Regular audits of privileged accounts, automated provisioning and deprovisioning, and the principle of least privilege are all essential components of a robust identity security strategy.

Additionally, the report highlights the importance of continuous monitoring and behavioral analytics. By establishing baselines for normal user behavior, organizations can more easily detect anomalies that may indicate a compromised account. Integration with Security Information and Event Management (SIEM) systems and the use of AI-driven threat detection can further enhance an organization’s ability to respond to identity-based threats.
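The baseline-and-anomaly approach described above, together with the brute-force activity discussed under "The Shift from Vulnerabilities to Stolen Credentials", as an added Python example that is not from the Sophos report or this article. It builds a per-user profile of normal successful logins from a training period, then flags failure bursts against one account, password sprays across many accounts from one source, and successful logins that fall outside a user's baseline or follow a failure burst. The log format, thresholds, user names and IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data):
# "timestamp user result src_ip country". Days 1-3 are normal activity; day 4
# holds a brute-force burst against alice, an anomalous success, and a spray.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice SUCCESS 10.1.1.5 DE
2024-05-01T09:15:40Z alice SUCCESS 10.1.1.5 DE
2024-05-02T08:58:03Z alice SUCCESS 10.1.1.5 DE
2024-05-02T10:20:19Z bob SUCCESS 10.1.2.9 DE
2024-05-03T09:05:00Z alice SUCCESS 10.1.1.5 DE
2024-05-03T11:30:00Z bob SUCCESS 10.1.2.9 DE
2024-05-04T03:10:01Z alice FAILURE 203.0.113.7 XX
2024-05-04T03:10:22Z alice FAILURE 203.0.113.7 XX
2024-05-04T03:10:45Z alice FAILURE 203.0.113.7 XX
2024-05-04T03:11:09Z alice FAILURE 203.0.113.7 XX
2024-05-04T03:11:31Z alice FAILURE 203.0.113.7 XX
2024-05-04T03:12:30Z alice SUCCESS 203.0.113.7 XX
2024-05-04T05:00:01Z alice FAILURE 198.51.100.4 XX
2024-05-04T05:00:02Z bob FAILURE 198.51.100.4 XX
2024-05-04T05:00:03Z carol FAILURE 198.51.100.4 XX
2024-05-04T05:00:04Z dave FAILURE 198.51.100.4 XX
2024-05-04T05:00:05Z erin FAILURE 198.51.100.4 XX
2024-05-04T11:05:00Z bob SUCCESS 10.1.2.9 DE
"""

WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumed)
FAIL_THRESHOLD = 5    # failures per (user, source) inside WINDOW -> brute force
SPRAY_THRESHOLD = 5   # distinct users failing from one source inside WINDOW -> spray


def parse_log(text):
    """Parse the constructed log format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ok": result == "SUCCESS",
                       "src": src, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-user profile of successful logins before cutoff: countries and hours seen."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            baseline[e["user"]]["countries"].add(e["country"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def detect(events, baseline, cutoff):
    """Evaluate events on/after cutoff against the baseline; return alert dicts."""
    alerts = []
    fails_by_pair = defaultdict(list)   # (user, src) -> failure timestamps in window
    fails_by_src = defaultdict(list)    # src -> (timestamp, user) failures in window
    burst_until = {}                    # user -> end of the "recent burst" period
    for e in events:
        if e["ts"] < cutoff:
            continue
        if not e["ok"]:
            pair = fails_by_pair[(e["user"], e["src"])]
            pair.append(e["ts"])
            pair[:] = [t for t in pair if e["ts"] - t <= WINDOW]
            if len(pair) == FAIL_THRESHOLD:   # fires once when the threshold is hit
                alerts.append({"type": "brute_force", "user": e["user"],
                               "src": e["src"], "ts": e["ts"], "reasons": []})
                burst_until[e["user"]] = e["ts"] + WINDOW
            srcs = fails_by_src[e["src"]]
            srcs.append((e["ts"], e["user"]))
            srcs[:] = [(t, u) for t, u in srcs if e["ts"] - t <= WINDOW]
            if len({u for _, u in srcs}) == SPRAY_THRESHOLD:
                alerts.append({"type": "password_spray", "user": None,
                               "src": e["src"], "ts": e["ts"], "reasons": []})
            continue
        # Successful login: compare against what is normal for this user.
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no_baseline")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append("new_country")
            if e["ts"].hour not in profile["hours"]:
                reasons.append("unusual_hour")
        if e["ts"] <= burst_until.get(e["user"], datetime.min):
            reasons.append("follows_failure_burst")
        if reasons:
            alerts.append({"type": "anomalous_success", "user": e["user"],
                           "src": e["src"], "ts": e["ts"], "reasons": reasons})
    return alerts


def run_sample():
    """Train on days 1-3 of the constructed log, evaluate day 4."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2024, 5, 4)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["type"], a["user"], a["src"], ",".join(a["reasons"]))
```

On the sample data this yields three alerts: a brute-force burst against alice from 203.0.113.7, an anomalous success for alice (new country, unusual hour, and immediately after the burst), and a password spray from 198.51.100.4. Bob's normal login raises nothing because it matches his baseline. In practice the baseline would be learned over weeks from the identity provider's sign-in logs, the thresholds tuned per environment, and the alerts forwarded to the SIEM; the "follows_failure_burst" reason is the one most worth prioritising, since a success right after a burst is the signature of a guessed or stolen password rather than a user typo.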

The Human Factor

While technology plays a crucial role in defending against identity-based attacks, the human factor cannot be ignored. Security awareness training remains a vital component of any defense strategy. Employees must be educated about the risks of phishing, credential reuse, and social engineering, and encouraged to adopt strong password practices.

Moreover, organizations should foster a culture of security, where employees feel empowered to report suspicious activity and where identity security is seen as everyone’s responsibility. This cultural shift, combined with the right technology and processes, can significantly reduce the risk of identity-based attacks.

Looking Ahead

As the cybersecurity landscape continues to evolve, it is clear that identity will remain a prime target for attackers. The Sophos report serves as a wake-up call for organizations to reassess their identity security posture and take proactive steps to mitigate risk.

In the coming years, we can expect to see further innovation in identity and access management (IAM) technologies, including the broader adoption of passwordless authentication, biometric verification, and decentralized identity models. However, technology alone will not be enough. Organizations must also address the underlying issues of poor identity hygiene, lack of visibility, and insufficient monitoring.

Ultimately, the fight against identity-based attacks will require a holistic approach — one that combines strong technology, effective processes, and a security-conscious culture. Only by addressing all three can organizations hope to stay ahead of the ever-evolving threat landscape.


Tags: identity attacks, security incidents, compromised credentials, MFA bypass, brute-force attacks, dwell time, cyber threats, identity management, zero trust, phishing, social engineering, ransomware, Sophos report, cybersecurity trends, passwordless authentication, privileged access, identity governance, behavioral analytics, SIEM, AI-driven threat detection, security awareness training, decentralized identity, IAM, vulnerability exploitation, cloud security, SaaS security, remote work security, identity hygiene, security culture

Viral Sentences:

  • “67% of security incidents now stem from identity-based attacks — your password is the new battleground.”
  • “Attackers are skipping the front door and walking right in with stolen keys.”
  • “MFA bypass and brute-force attacks are now neck-and-neck with vulnerability exploitation.”
  • “Three days: the new average time attackers lurk before striking.”
  • “Your identity is the weakest link — and the most valuable target.”
  • “Zero trust isn’t optional anymore — it’s survival.”
  • “Poor identity hygiene is the open door attackers can’t resist.”
  • “The future of security is passwordless, but are you ready?”
  • “Human error + weak credentials = cyber disaster waiting to happen.”
  • “Behavioral analytics: your best defense against the invisible intruder.”
  • “Security awareness training: because technology can’t fix stupid passwords.”
  • “Decentralized identity: the next frontier in the fight against cybercrime.”
