Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • The Security Leadership Issue
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecurityAccess ManagementCybersecurity News

When bad things happen to good credentials

By Gunnar Peterson
identity-cyber-freepik1170x658v6.jpg

Image by jcomp via Freepik

October 25, 2022

By now, most people know that identity and access management (IAM) is a framework of policies and technologies that are designed so that the right users have the appropriate access to the technology resources that they need. IAM is all about using a set of known, good information like passwords and multi-factor authentication (MFA) codes that match what is expected for the accounts on an organization’s network. This has been a fundamental security touchstone for as long as information security has been around. It is codified in every book, standard, policy and product since time immemorial.

Unfortunately, it is not good enough anymore.

Security is not a static thing. Adversaries evolve, and hundreds of billions of more in e-commerce transactions means more opportunity for attackers to take advantage of online accounts. Threat actors are now specifically targeting IAM protections like authentication, account management and even MFA.

The uptick in these attacks is unmissable. The recent Roasting Oktapus attacks on 130 organizations are a good example of why the Federal Bureau of Investigation (FBI) and Australian authorities issued a warning on credential-stuffing incidents. 

What does this mean to security teams and what should defenders do?

 

The Importance of Threat Modeling IAM Systems 

First, defenders should focus on recognizing the limits of IAM solutions. They are fundamental, but they are not everything. To see the limits of the IAM systems in place, security teams should include them in their threat modeling exercises. Threat modeling is the practice of optimizing application, system or business processes’ security by identifying any objectives or vulnerabilities. 

Once defenders threat model their IAM system, it is highly likely that there are impersonation, spoofing, redirection, and other opportunities for an attacker to discover. The types of threats we see now assume there is a mostly effective IAM system in place, and the attackers try to predict what it will do and then target users and behaviors accordingly. For example, if an organization has MFA in place, an attacker can get around this by what is known as an adversary-in-the-middle (AiTM) attack. With this, hackers combine a phishing attack with a proxy server between the victim and the website. By doing so, adversaries can steal the password and session cookie/token that has the additional level of authentication they can use to exploit, like an email. The user is unaware and is able to just log into their account as normal. 

To put it bluntly, Mike Tyson said, “everyone has a plan until they get hit in the face.” IAM systems are companies' plans of how access should work, but attackers are now punching them square in the eye. The dividing line between what is good and allowable behavior versus malicious abuse will not hold by a set of access protocols alone, it needs ongoing monitoring for malice.

Ratcheting up identity and access protections are evergreen activities. But they leave an undefended flank, how is the system being attacked and what are attackers doing on the system right now with stolen, phished and impersonated credentials? This threat vector cannot be defended by identity protections alone. 

Let’s look at how we can fill in the gaps. 

 

Filling the Gaps 

The consequence of new IAM-focused attacks is that most companies have a missing defense-in-depth layer, specifically a monitoring system of what is happening on the IAM system and how it is being targeted and abused. Luckily, there is hope for security professionals. Decision systems provide ongoing monitoring and offer runtime decisions to look for malice.

Identity graphs are a type of decision system that goes beyond the access control matrix, pictured below. 

 

https://lh3.googleusercontent.com/CoIgBwW6HpEEwzsOnacBqmPUXhEMnKoGML1IOZBexMfCxMLpWV4uOo_VAwdCxDLvYUo_dBoVjXp7G-I8Cqh2Lu2HGF-p5JEHryStNC1G0zKeh7-AD1JUi_iReIlQyq3dqCoCGrmOQGkLOo8-zf5ytOjxwhYr7A1eY_nSQtB2SX2CcPtJD7sxMj0uxA

Image courtesy of Forter

These tools inspect user behavior for tactics like token tampering, forgery and more that can adversely impact networks with account takeovers and lateral movements. This takes IAM beyond just monitoring for policy compliance, but also for known malicious behaviors. 

Organizations need to think of access less like a static wall, and more like a dynamic flywheel. Identity and access systems excel at defining what should happen in a system. When things go to plan that is all you need. But when your identity access system is the thing being targeted, you need a system that goes beyond what should happen and to what is happening. Identity graphs fill in those gaps so that when bad things happen to good credentials, companies are prepared.

KEYWORDS: cyber security defense in depth identity (ID) management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Gunnar Peterson is the Chief Information Security Officer (CISO) at Forter.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

Coding

AI Emerges as the Top Concern for Security Leaders

Keyboard

Marks & Spencer Hackers Tricked IT Workers Into Resetting Passwords

Person working on laptop

Governance in the Age of Citizen Developers and AI

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Outsourcing Data: Don't Take a Fairytale Approach

    The good, the bad and the ugly: Standard contractual clauses after Schrems II

    See More
  • sound-waves-freepik.jpg

    Good sound versus bad sound and why it matters

    See More
  • password1-900px.jpg

    Report Analyzes Bad and Good Online Security Habits

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!