
Securing and Managing Identities


Posted on by Tatyana Sanchez

Identity security is a cornerstone of cybersecurity: it ensures that every identity is verified, authorized, and monitored so that unauthorized users cannot reach sensitive data, applications, and networks. Organizations that do not implement it correctly are left exposed to attack, because an identity failure is ultimately a governance failure.

This blog will explore the common cyberattacks that exploit identity, the problems faced with managing identity and data, and solutions for organizations to build and implement strong identity security controls.

How are Identity and Data Interconnected?

Cyberattacks that rely on identity compromise are on the rise. Hema Mohan, Senior Director, Product Management at Rubrik, stated in an RSAC™ 2025 Conference presentation, "The nature of cyberattacks has evolved from being malware-centric to identity-centric." With attackers now reportedly reaching data in under 72 minutes, compromised identities are their way into the environment. Once inside, they move quickly to sensitive data such as intellectual property, healthcare records, and customer records.

Managing the massive growth in identities has become increasingly complex across fragmented, hybrid, and multi-cloud environments. Mohan's co-speaker, Joe Hladik, Head of Rubrik Zero Labs at Rubrik, explained that it is hard to monitor every identity and track what each one is accessing. In fact, 98% of organizations reportedly say they have significant data visibility challenges.

One of the main challenges with managing identity is that organizations often treat data and identity separately. However, as Hladik stated, "Identity and data are deeply interconnected; both are under attack because in order to access data you need an identity to do so, so we need to stop treating them as isolated issues." With so many identities and so much data, organizations need to automate the monitoring of how data is used and confirm that each identity accesses only what it is permitted to. Automation cuts the alert volume so that actual threats, not false positives, reach a human to investigate and respond to.

What are Common Identity Attack Techniques?

Cybercriminals employ various techniques to gain unauthorized access to a user's identity, which is often the first and most critical step in compromising an organization's data.

Unauthorized data sharing and unintentional data leakage through misconfiguration or accidental sharing are serious security concerns, but they are typically the result of a security failure rather than the initial technique an attacker uses to get in.

The most common and dangerous attack techniques for initial access focus on stealing, exploiting, or abusing legitimate user credentials.

Philippe Langlois, DBIR author at Verizon Business, stated in an RSAC 2025 presentation that cybercriminals primarily use three techniques to gain initial access to an organization's network, often targeting user identity as the entry point:

1. Credential Abuse: This technique accounts for approximately 30% of breaches dating back to 2018. Attackers use stolen or compromised login credentials (e.g., usernames and passwords) to gain unauthorized access, walking through perimeter defenses as a legitimate user would.

2. Phishing: Accounting for roughly 26% of breaches over the last five years, phishing remains a highly successful tactic. With the rise of AI, attackers are increasingly using generative models to craft sophisticated malware, highly convincing phishing emails, and complex social engineering schemes.

3. Exploitation of Vulnerabilities: This accounts for about 15% of all breaches in the last five years. Here the attacker exploits a weakness in a system's design, implementation, configuration, or operation to gain unauthorized access or execute malicious code.

Langlois also highlighted the top access points associated with stolen credentials, showing where attackers are most successful in gaining entry: web applications were the leading vector, accounting for an estimated 72% of breaches over the last five years. Within that category, VPNs stood out as a key initial access point, representing approximately 5% of breaches. For the full breakdown of vectors, see Figure 1.

Figure 1. RSAC 2025 Presentation: breakdown of initial access vectors

It is crucial for organizations to understand the threat landscape and how attackers use these techniques to compromise an identity and reach their data, platforms, and systems.

How can Organizations Protect and Secure Identities?

A good starting point for organizations to manage identities and track user activity is the AAA framework: Authentication, Authorization, and Accounting.

  • Authentication validates the user's identity (e.g., verifying a password or biometric scan).
  • Authorization enforces permissions based on the principle of least privilege (meaning users are granted only the minimum access necessary to perform their job).
  • Accounting logs all user actions and resource consumption for auditing and tracking purposes.

Much of this framework should eventually be automated to reduce the workload on cybersecurity teams and let them focus on higher-level tasks. When something anomalous or suspicious occurs, the automation (increasingly AI-assisted) flags the activity to a human for further investigation rather than acting on it silently.
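The three A's, and the escalate-to-a-human step, in one small piece of working code. This is an added example, not code from the RSAC post or from any of the speakers' products: authentication verifies a salted PBKDF2 hash in constant time, authorization is deny-by-default against a role table (least privilege), and accounting writes every decision to an audit list. Two anomalies are escalated to a review queue instead of being auto-handled: a run of failed logins and a denied request against a resource the example labels sensitive. The users, roles, resources and the sensitivity label and threshold are all constructed assumptions.

```python
"""AAA gateway example: authentication, least-privilege authorization,
accounting, and automated flagging of suspicious activity for a human.
All users, roles, resources and thresholds below are constructed."""
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000
FAILED_LOGIN_THRESHOLD = 3            # assumption: tune to local policy
SENSITIVE_RESOURCES = {"customer_db"}  # assumption: what counts as sensitive


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed identity store and role/permission table (least privilege:
# a role gets only the (resource, action) pairs it needs, nothing else).
USERS = {
    "alice": _make_user("correct horse battery staple", "analyst"),
    "bob": _make_user("hunter2", "contractor"),
}
ROLE_PERMISSIONS = {
    "analyst": {("tickets", "read"), ("tickets", "write"), ("customer_db", "read")},
    "contractor": {("tickets", "read")},   # no grant on customer_db at all
}

AUDIT_LOG: list[dict] = []        # accounting: every decision lands here
REVIEW_QUEUE: list[dict] = []     # what gets escalated to a human
_failed_logins: dict[str, int] = defaultdict(int)


def _record(user: str, event: str, outcome: str, **detail) -> dict:
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
             "event": event, "outcome": outcome, **detail}
    AUDIT_LOG.append(entry)
    return entry


def authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    # Hash against a dummy salt for unknown users so response time does not
    # reveal whether the account exists; compare in constant time.
    salt = rec["salt"] if rec else b"\x00" * 16
    computed = _hash_password(password, salt)
    ok = rec is not None and hmac.compare_digest(computed, rec["hash"])
    _record(user, "auth", "ok" if ok else "fail")
    if ok:
        _failed_logins[user] = 0
        return True
    _failed_logins[user] += 1
    if _failed_logins[user] == FAILED_LOGIN_THRESHOLD:
        REVIEW_QUEUE.append({"user": user, "reason": "repeated failed logins",
                             "count": _failed_logins[user]})
    return False


def authorize(user: str, resource: str, action: str) -> bool:
    """Deny by default: only an explicit grant for the user's role passes."""
    role = USERS.get(user, {}).get("role")
    allowed = (resource, action) in ROLE_PERMISSIONS.get(role, set())
    _record(user, "access", "allow" if allowed else "deny",
            resource=resource, action=action)
    if not allowed and resource in SENSITIVE_RESOURCES:
        REVIEW_QUEUE.append({"user": user, "reason": f"denied {action} on {resource}"})
    return allowed


def request(user: str, password: str, resource: str, action: str) -> bool:
    """Full AAA path: the request is served only if both gates pass."""
    return authenticate(user, password) and authorize(user, resource, action)


if __name__ == "__main__":
    request("alice", "correct horse battery staple", "customer_db", "read")  # allowed
    request("bob", "hunter2", "customer_db", "read")                         # denied and flagged
    for _ in range(3):
        request("bob", "wrong", "tickets", "read")                            # flagged on the 3rd
    for item in REVIEW_QUEUE:
        print("REVIEW:", item)
    print(len(AUDIT_LOG), "audit entries")
```

Only two kinds of events reach the queue; ordinary denials on non-sensitive resources are logged but not escalated, which is the volume reduction the text describes. In a real deployment the audit list would be an append-only store outside the application's control, and the failed-login counter would be keyed per source as well as per account.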

With the increased adoption of cloud and remote work, organizations can no longer secure identities with legacy logic alone, that is, by verifying and authorizing access based solely on location, IP address, and device.

Organizations should move toward a Hybrid Active Directory (AD) to better verify and monitor identities. As Vivin Sathyan, Chief Technology Consultant at ManageEngine, stated in an RSAC 2025 presentation, “As companies embark on application and data modernization, they should consider using a hybrid AD as it balances the application and data workload across both platforms.”

A Hybrid Active Directory combines the strengths of both environments:

  • Cloud (public cloud directory, e.g., Microsoft Entra ID, formerly Azure AD): innovation, speed, vast storage, and scalability.
  • On-Premises (traditional AD): existing regulatory compliance, high performance, and control over data gravity (data that is difficult or expensive to move).

Organizations should proactively perform identity risk assessments of their AD environment so that exposures such as stale, over-privileged, or weakly configured accounts are found and fixed before an attacker finds them.
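What such an assessment actually checks, as an added example that is not from the post or from ManageEngine's tooling: the script below scores user accounts from an AD export against a handful of well-known risk conditions. The userAccountControl bit values, the servicePrincipalName, memberOf and adminCount attributes are real AD schema items; the five sample accounts, the fixed "now" timestamp, the staleness thresholds and the severity labels are constructed assumptions a team would replace with its own export and policy.

```python
"""Identity risk assessment over an Active Directory user export.
Records mimic a Get-ADUser export; all accounts and thresholds are constructed."""
from datetime import datetime, timezone

# userAccountControl bit flags as defined in the AD schema
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000          # Kerberos pre-auth off: AS-REP roastable

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_LOGON_DAYS = 90                # assumption: local policy
STALE_PASSWORD_DAYS = 365            # assumption: local policy
NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)   # fixed for reproducible output


def _days(dt: datetime, now: datetime) -> int:
    return (now - dt).days


def assess_account(acct: dict, now: datetime = NOW) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one enabled account."""
    uac = acct["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return []                    # disabled accounts are out of scope here
    privileged = bool(set(acct.get("memberOf", [])) & PRIVILEGED_GROUPS)
    findings = []
    if uac & PASSWD_NOTREQD:
        findings.append(("high", "password not required (PASSWD_NOTREQD)"))
    if uac & DONT_REQ_PREAUTH:
        findings.append(("high", "Kerberos pre-auth disabled (AS-REP roastable)"))
    if acct.get("servicePrincipalName"):
        # a user account with an SPN can have a TGS requested for it and its
        # password cracked offline; worse when the account is privileged
        findings.append(("high" if privileged else "medium",
                         "user account with SPN (Kerberoastable)"))
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append(("high" if privileged else "low",
                         "non-expiring password" + (" on privileged account" if privileged else "")))
    if _days(acct["pwdLastSet"], now) > STALE_PASSWORD_DAYS:
        findings.append(("medium", f"password older than {STALE_PASSWORD_DAYS} days"))
    last = acct.get("lastLogonTimestamp")
    if last is None or _days(last, now) > STALE_LOGON_DAYS:
        findings.append(("high" if privileged else "medium",
                         f"no logon in {STALE_LOGON_DAYS}+ days (stale, still enabled)"))
    if acct.get("adminCount") == 1 and not privileged:
        findings.append(("low", "adminCount=1 but not in a privileged group (AdminSDHolder leftover)"))
    return findings


def assess(accounts: list[dict], now: datetime = NOW) -> dict[str, list[tuple[str, str]]]:
    """Map each account that has findings to its findings."""
    report = {}
    for acct in accounts:
        findings = assess_account(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


_UTC = timezone.utc
SAMPLE_ACCOUNTS = [   # constructed export
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime(2021, 3, 15, tzinfo=_UTC),
     "lastLogonTimestamp": datetime(2025, 10, 30, tzinfo=_UTC),
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "memberOf": ["Domain Admins"], "adminCount": 1},
    {"sAMAccountName": "jdoe_old", "userAccountControl": 0x200,
     "pwdLastSet": datetime(2025, 6, 1, tzinfo=_UTC),
     "lastLogonTimestamp": datetime(2025, 5, 20, tzinfo=_UTC),
     "servicePrincipalName": [], "memberOf": ["Domain Users"], "adminCount": 0},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | PASSWD_NOTREQD | DONT_REQ_PREAUTH,
     "pwdLastSet": datetime(2025, 9, 1, tzinfo=_UTC),
     "lastLogonTimestamp": datetime(2025, 10, 31, tzinfo=_UTC),
     "servicePrincipalName": [], "memberOf": [], "adminCount": 0},
    {"sAMAccountName": "former_admin", "userAccountControl": 0x200,
     "pwdLastSet": datetime(2025, 8, 1, tzinfo=_UTC),
     "lastLogonTimestamp": datetime(2025, 10, 29, tzinfo=_UTC),
     "servicePrincipalName": [], "memberOf": ["Domain Users"], "adminCount": 1},
    {"sAMAccountName": "disabled_x", "userAccountControl": 0x200 | ACCOUNTDISABLE,
     "pwdLastSet": datetime(2019, 1, 1, tzinfo=_UTC), "lastLogonTimestamp": None,
     "servicePrincipalName": [], "memberOf": ["Domain Admins"], "adminCount": 1},
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_ACCOUNTS).items():
        for severity, text in findings:
            print(f"{severity:6} {name}: {text}")
```

The same checks apply to a live export: dump the listed attributes with Get-ADUser, parse pwdLastSet and lastLogonTimestamp into UTC datetimes, and feed the records to assess(). Note that lastLogonTimestamp is replicated lazily (it can lag the true last logon by up to 14 days by default), so a 90-day staleness threshold is reasonable while a 7-day one would produce false positives.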

For continuous identity security, Sathyan recommended implementing the following automated practices:

  • Access Certification Campaigns: Periodically run campaigns in which owners attest to or revoke each privilege. Automate the scheduling and the cleanup so that stale privileges are removed on time and the principle of least privilege is enforced.
  • HR System Integration: Integrate Human Capital Management (HCM) systems and employee databases with the organization's identity platform for automated onboarding, offboarding, and account cleanup, so that access is provisioned and revoked as soon as an employee's status changes.
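Both practices come down to reconciling two data sets, so here is one added example (not from the post or from any vendor) that serves both bullets: it diffs an HR roster against the identity platform's account list, emits the joiner/mover/leaver actions the HR integration would apply automatically, and builds the review list for a certification campaign from whatever it will not touch on its own (entitlements outside the role baseline and accounts with no HR owner). The roster, accounts, role baselines and entitlement names are constructed; the rule that movers' leftover entitlements are certified rather than auto-revoked is a design choice, not something the post specifies.

```python
"""Joiner/mover/leaver reconciliation plus access-certification input.
All rosters, accounts, roles and entitlements below are constructed."""

# Least-privilege baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"ticketing:read", "ticketing:write", "crm:read"},
    "engineer": {"git:write", "ci:trigger", "prod-logs:read"},
    "contractor": {"ticketing:read"},
}

HR_ROSTER = [   # constructed HCM export (system of record for who works here)
    {"employee_id": "E100", "user": "alice", "status": "active", "role": "analyst"},
    {"employee_id": "E101", "user": "bob", "status": "terminated", "role": "contractor"},
    {"employee_id": "E102", "user": "carol", "status": "active", "role": "engineer"},  # moved from analyst
    {"employee_id": "E103", "user": "dave", "status": "active", "role": "analyst"},    # new hire
]

IDP_ACCOUNTS = [   # constructed identity-platform state
    {"user": "alice", "enabled": True, "role": "analyst",
     "entitlements": {"ticketing:read", "ticketing:write", "crm:read", "prod-logs:read"}},
    {"user": "bob", "enabled": True, "role": "contractor", "entitlements": {"ticketing:read"}},
    {"user": "carol", "enabled": True, "role": "analyst",
     "entitlements": {"ticketing:read", "ticketing:write", "crm:read"}},
    {"user": "svc_legacy", "enabled": True, "role": None, "entitlements": {"git:write"}},
]


def reconcile(hr_roster: list[dict], idp_accounts: list[dict]):
    """Return (actions, certify): actions are (user, action, detail) tuples the
    integration applies automatically; certify are (user, item) tuples that go
    to a human reviewer in the next certification campaign."""
    hr = {r["user"]: r for r in hr_roster}
    idp = {a["user"]: a for a in idp_accounts}
    actions, certify = [], []

    for user, rec in hr.items():
        acct = idp.get(user)
        if rec["status"] != "active":                      # leaver
            if acct and acct["enabled"]:
                actions.append((user, "disable", "leaver per HR status"))
            continue
        if acct is None:                                   # joiner
            actions.append((user, "provision", f"joiner, role {rec['role']}"))
            continue
        if acct["role"] != rec["role"]:                    # mover
            actions.append((user, "change_role", f"{acct['role']} -> {rec['role']}"))
        baseline = ROLE_BASELINE[rec["role"]]
        # Anything beyond the role baseline is not revoked blindly; the owner
        # must attest to it or lose it in the campaign.
        for ent in sorted(acct["entitlements"] - baseline):
            certify.append((user, f"entitlement {ent} outside {rec['role']} baseline"))
        # Missing baseline entitlements are safe to grant automatically.
        for ent in sorted(baseline - acct["entitlements"]):
            actions.append((user, "grant", ent))

    for user, acct in idp.items():                         # orphans
        if user not in hr and acct["enabled"]:
            certify.append((user, "account has no HR record (orphan or service account)"))
    return actions, certify


if __name__ == "__main__":
    actions, certify = reconcile(HR_ROSTER, IDP_ACCOUNTS)
    print("AUTOMATED ACTIONS")
    for a in actions:
        print("  ", a)
    print("CERTIFICATION CAMPAIGN ITEMS")
    for c in certify:
        print("  ", c)
```

Run on the sample data, bob (terminated) is disabled, dave is provisioned, and carol's role change is applied with the engineer baseline granted; what a human has to decide on is alice's extra prod-logs:read, carol's three leftover analyst entitlements, and the svc_legacy account that nobody in HR owns. Disabling rather than deleting leavers keeps the audit trail intact, which matters when the same identity turns up in a later investigation.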

Finally, organizations should also adopt a Zero Trust strategy. With the practices above and beyond, organizations can manage their identities and data effectively. To learn more about securing identity and implementing these strategies, we invite you to visit our library.

Contributors
Tatyana Sanchez

Senior Coordinator, Content & Programming, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

