Title
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Identity Attacks and Defenses: How Attackers Exploit Identity and How to Stop Them
Hook / Why this matters
Attackers increasingly prefer to log in rather than break in. Stolen credentials and abused identity infrastructure sit at the center of many modern breaches. If you understand how these attacks work, you can build defenses that stop them before they turn into full compromise.
Core concept explained simply
Identity attacks focus on authenticating as someone else or abusing weaknesses in authentication protocols and infrastructure.
Credential stuffing and password spraying
- Credential stuffing uses username and password pairs from previous breaches and tries them against other services. It relies on password reuse.
- Password spraying takes a few common passwords and tries them across many accounts, staying under lockout thresholds.
Both exploit weak password practices and lack of multi factor authentication.
Phishing and social engineering for credentials
Phishing emails, fake login pages, and voice calls trick users into revealing passwords or approving malicious MFA prompts.
Attackers may:
- Clone corporate login pages
- Use man in the middle proxy tools to capture credentials and session tokens
- Bombard users with push notifications until they approve one out of fatigue
Pass the hash and pass the ticket
In Windows and Active Directory environments, attackers focus on authentication tokens that are already present.
- Pass the hash: Stealing password hash values from memory or disk and using them to authenticate to other systems without knowing the original password.
- Pass the ticket: Stealing Kerberos tickets, particularly service tickets, and reusing them to access resources.
These techniques enable lateral movement after an initial foothold.
Kerberoasting and golden tickets
Kerberoasting targets service accounts:
- Attackers request Kerberos service tickets for accounts with Service Principal Names
- They extract the encrypted portion of the ticket and perform offline cracking to recover the service account password
Golden ticket attacks are even more severe:
- If attackers compromise the KRBTGT account hash, they can forge Ticket Granting Tickets for any user, granting themselves any privilege in the domain
Session hijacking and token theft
Modern web apps use session cookies and tokens. Attackers can:
- Steal tokens via cross site scripting or insecure storage
- Capture tokens on the wire when encryption is weak or missing
- Use token replay to impersonate users without needing credentials
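The defenses the note lists against token theft and replay (short lifetimes, secure cookie flags, tokens that cannot be altered) in working form. This is an added example, not code from the original note; the secret, the 15 minute lifetime and the token layout are assumptions for illustration.

```python
import hmac, hashlib, base64, json

# Constructed values for this example: a real server loads its secret from a
# vault and rotates it; the short lifetime bounds what a stolen token is worth.
SECRET = b"example-server-secret-rotate-me"
TOKEN_LIFETIME = 900  # seconds

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, now: float) -> str:
    """Return 'payload.signature'; the payload carries the user and an expiry."""
    claims = {"sub": user, "exp": int(now) + TOKEN_LIFETIME}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url(sig)}"

def verify_token(token: str, now: float):
    """Return the user if the token is authentic and unexpired, else None.
    A tampered payload fails the HMAC check; a token replayed after its
    lifetime fails the expiry check; malformed input is rejected outright."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64url(sig), expected):
            return None
        claims = json.loads(unb64url(payload))
    except ValueError:  # bad base64, bad JSON or no '.' separator
        return None
    if now >= claims["exp"]:
        return None
    return claims["sub"]

def session_cookie(token: str) -> str:
    """Set-Cookie value with the flags the note calls for: Secure (sent only
    over HTTPS, so it is not captured on the wire), HttpOnly (not readable by
    page script, which blunts cross site scripting theft), SameSite, and a
    Max-Age no longer than the token's own lifetime."""
    return (f"session={token}; Max-Age={TOKEN_LIFETIME}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")
```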
CISSP lens
For the exam, focus on mapping each attack to defenses.
- Credential stuffing and password spraying are mitigated by unique passwords, MFA, and monitoring for failed login patterns.
- Pass the hash and pass the ticket are mitigated by hardening endpoints and domain controllers, limiting lateral movement, and using modern authentication methods.
- Kerberoasting and golden tickets highlight the need to protect service accounts and the KRBTGT account.
- Session hijacking calls for strong encryption, secure cookie flags, short token lifetimes, and careful client storage.
Many questions describe the symptoms of these attacks and ask which control is most effective. Choose answers that address root causes, not just surface symptoms.
Real world scenario
A company exposed a VPN portal to the internet that authenticated with usernames and passwords only. Attackers obtained a list of leaked credentials from several breaches and launched a credential stuffing campaign.
Several reused passwords worked. The attackers logged in as normal users, then:
- Used internal tools to discover servers and shares
- Found a misconfigured system where local administrator passwords were the same everywhere
- Used pass the hash to move laterally and eventually compromised a domain admin account
From there, they exfiltrated sensitive data and created backdoor accounts.
A comprehensive fix required multiple layers:
- Enforcing MFA on VPN and privileged systems
- Implementing breach password checks and forcing resets for reused passwords
- Randomizing and managing local administrator passwords with a dedicated tool
- Hardening domain controllers and monitoring for lateral movement patterns
Common mistakes and misconceptions
- Thinking that strong passwords alone are enough. Without MFA, stolen credentials still work.
- Enabling MFA only for remote access while leaving internal administrative interfaces unprotected.
- Ignoring service accounts that have weak passwords, high privileges, and visible Service Principal Names.
- Relying solely on perimeter defenses while neglecting monitoring inside the network for lateral movement.
- Assuming that encryption alone prevents token theft, while leaving applications vulnerable to cross site scripting or insecure client storage.
Actionable checklist
- Require MFA for all remote access, administrative access, and cloud console logins.
- Check user passwords against known breach corpuses during creation and reset, and force changes for any matches.
- Harden service accounts by using long, random passwords or managed service accounts, and limit where they can log in.
- Deploy endpoint detection and response tools capable of spotting pass the hash and other lateral movement behavior.
- Monitor authentication logs for patterns of credential stuffing and password spraying, and implement lockout and throttling policies.
- Protect web application tokens with secure cookie flags, HTTPS everywhere, content security policies, and minimal token lifetimes.
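The monitoring item above, and the earlier point that password spraying stays under per-account lockout thresholds, worked through on constructed log lines. This is an added example, not code from the original note; the log format, the source IPs and the thresholds are assumptions, and it shows why a per-source view is needed alongside per-account lockout.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Assumed format per line:
# "<time> src=<ip> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02 src=203.0.113.5 user=bob result=fail
2024-05-01T10:00:03 src=203.0.113.5 user=carol result=fail
2024-05-01T10:00:04 src=203.0.113.5 user=dave result=fail
2024-05-01T10:00:05 src=203.0.113.5 user=erin result=fail
2024-05-01T10:00:06 src=203.0.113.5 user=frank result=ok
2024-05-01T10:01:00 src=198.51.100.7 user=alice result=fail
2024-05-01T10:01:01 src=198.51.100.7 user=alice result=fail
2024-05-01T10:01:02 src=198.51.100.7 user=alice result=fail
2024-05-01T10:01:03 src=198.51.100.7 user=alice result=fail
2024-05-01T10:02:00 src=192.0.2.9 user=gina result=ok
"""
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail)")

def parse(log_text):
    """Yield (src, user, success) for every line in the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "ok"

def classify_sources(log_text, min_accounts=5, lockout_threshold=4):
    """Label each source IP by the shape of its failed logins.
    'brute': >= lockout_threshold failures on one account (per-account lockout catches this).
    'spray': failures over >= min_accounts accounts, at most two tries each, the
             low-and-slow shape that never trips lockout; credential stuffing looks alike.
    'spray+success': a spray followed by a successful login from the same source."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for src, user, ok in parse(log_text):
        if ok:
            successes[src].add(user)
        else:
            failures[src][user] += 1
    verdicts = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= 2:
            verdicts[src] = "spray+success" if successes[src] else "spray"
        elif max(per_user.values()) >= lockout_threshold:
            verdicts[src] = "brute"
    return verdicts

def accounts_to_reset(log_text):
    """Accounts that logged in successfully from a spraying source: reset them."""
    verdicts = classify_sources(log_text)
    return {user for src, user, ok in parse(log_text)
            if ok and verdicts.get(src) == "spray+success"}
```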
Key takeaways
- Identity is a primary attack surface. Modern attackers focus on logging in as valid users, not just exploiting software bugs.
- Multi factor authentication and unique passwords dramatically reduce the effectiveness of credential stuffing and phishing.
- Pass the hash, Kerberoasting, and golden ticket attacks exploit weaknesses in identity infrastructure, especially Active Directory.
- Defense in depth for identity combines strong authentication, hardening of endpoints and domain controllers, and active monitoring for abnormal behavior.
- Protecting tokens and sessions is as important as protecting credentials.
Optional exam style reflection question
Question: An attacker steals the KRBTGT account hash in an Active Directory domain. What type of attack does this enable, and why is it so severe?
Answer: It enables a golden ticket attack. With the KRBTGT hash, the attacker can forge valid Ticket Granting Tickets for any user and assign any group memberships or privileges. This effectively gives them long term, domain wide control until the KRBTGT password is reset twice and all forged tickets are invalidated.