How Identity Plays a Part in 5 Stages of a Cyber Attack

While credential abuse is a primary initial access vector, identity compromise plays a key role in most stages of a cyber attack. Here’s what you need to know — and how Tenable can help.
Identity compromise plays a pivotal role in how attackers move laterally through an organization. Credential abuse is the top initial access vector, implicated in 22% of breaches, according to the 2025 Verizon Data Breach Investigations Report, followed closely by vulnerability exploitation (20%). But identity compromise doesn’t stop after initial access. It plays a key role in five stages of a cyber attack.
Understanding the following stages of an attack helps illuminate where identity becomes a threat vector:
- Initial access
- Reconnaissance
- Lateral movement and privilege escalation
- Persistence and detection evasion
- Deployment
Below, we explore actions security teams can take to protect identities in each of these stages. While the guidance we share here is based on protecting on-premises Microsoft Active Directory environments, it’s worth considering how credential compromise can affect Microsoft Entra ID and hybrid identity infrastructure. We also discuss how Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, can be used at each stage to provide security teams with valuable insights to help them proactively reduce their exposure to cyber attacks.
Stage 1: Initial access
Attackers need a foothold, and credential abuse gives them one. To prevent credentials from being abused, organizations need to proactively make sure their users have strong passwords accompanied by two-factor (2FA) or multi-factor authentication (MFA). In Active Directory this is done by enforcing policies for password complexity, length, reuse and change frequency, through the default domain policy and, for specific groups, fine-grained password policies. Even so, having full visibility into identities can be challenging for the security teams tasked with enforcing these policies: a single account whose password is set to never expire, or a weak fine-grained policy applied to a privileged group, silently undoes the baseline.
Tenable Identity Exposure provides indicators that security teams can use to gain visibility into areas where such weaknesses may exist.
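As an added example (not code from the original post or from Tenable), the following PowerShell audits the password controls Stage 1 depends on in an on-premises domain: the default domain policy, any fine-grained password policies that override it, and the per-account flags that bypass both. The threshold values in $Baseline are assumptions chosen for illustration, not numbers from the page; the script needs the ActiveDirectory RSAT module and read access to the domain. MFA is enforced outside Active Directory itself, so it has to be checked in the MFA provider rather than here.

```powershell
# Added example, not from the original post: audit the password controls
# Stage 1 relies on. Requires the ActiveDirectory module. The baseline
# thresholds are assumptions; replace them with your own policy values.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 365
    LockoutThreshold     = 10
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Name)
    $findings = @()
    if (-not $Policy.ComplexityEnabled) { $findings += 'complexity disabled' }
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) < $($Baseline.MinPasswordLength)"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) < $($Baseline.PasswordHistoryCount)"
    }
    # A zero MaxPasswordAge means passwords under this policy never expire
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
        $Policy.MaxPasswordAge.TotalDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge $($Policy.MaxPasswordAge.TotalDays) days"
    }
    # Zero lockout threshold disables lockout entirely, leaving spraying unthrottled
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold)"
    }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'reversible encryption enabled' }
    [pscustomobject]@{ Policy = $Name; Findings = ($findings -join '; ') }
}

# 1. The default domain policy applies to every account not covered by a PSO
Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'

# 2. Fine-grained password policies (PSOs) override the default for their targets;
#    a weak PSO applied to a privileged group silently undoes the domain baseline
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy -Policy $_ -Name "PSO $($_.Name) -> $($_.AppliesTo -join ', ')"
}

# 3. Per-account flags that bypass the policy regardless of what it says
$flags = 'PasswordNeverExpires', 'PasswordNotRequired', 'AllowReversiblePasswordEncryption'
Get-ADUser -Filter 'Enabled -eq $true' -Properties $flags |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired -or $_.AllowReversiblePasswordEncryption } |
    Select-Object SamAccountName, $flags
```

The third check is the one most often missed: the policy can be perfect and still not apply to the service account that was created with "password never expires" years ago.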
Stage 2: Reconnaissance
Once attackers have access to an environment, they need to understand what it looks like and how they can exploit configurations and/or vulnerabilities to move on to the next step, lateral movement and privilege escalation. There are a number of legitimate security tools available that attackers can use to gain visibility into the environment. When these are run against an environment maliciously, they reveal the group memberships, permissions, sessions and delegation settings that map a path to privileged assets, and that map is then used for movement across the environment.
Tenable Identity Exposure provides indicators of attack that give security teams visibility into behavior resembling these security tools being run in your environment, which could be malicious if it is not expected.
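As an added example (not code from the original post or from Tenable), the following PowerShell detects one concrete reconnaissance behaviour on a domain controller: a burst of Kerberos service-ticket requests for many distinct service principal names from a single source, which is what SPN enumeration looks like in the Security log (event 4769), whether it comes from an audit tool or from attacker tooling. It assumes a decoy account named svc-backup-legacy carries an SPN purely as a tripwire (a constructed name) and that 30 distinct SPNs per source per hour is the burst threshold; adjust both for your environment.

```powershell
# Added example, not from the original post: flag SPN enumeration from the
# Security log of a domain controller (run locally or add -ComputerName).
# The decoy account name and the burst threshold are assumptions.
$DecoyAccount   = 'svc-backup-legacy'
$BurstThreshold = 30
$Since          = (Get-Date).AddHours(-1)

# Flatten each 4769 event into an object using the named EventData fields
$requests = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = $d['TargetUserName']
            Service   = ($d['ServiceName'] -replace '\$$', '')       # computer accounts end in $
            Source    = ($d['IpAddress']   -replace '^::ffff:', '')  # strip the IPv4-mapped prefix
            EncType   = $d['TicketEncryptionType']                   # 0x17 = RC4, 0x12 = AES256
            Status    = $d['Status']
        }
    } |
    # Failed requests and krbtgt renewals carry no enumeration signal here
    Where-Object { $_.Status -eq '0x0' -and $_.Service -ne 'krbtgt' }

# 1. Tripwire: nothing legitimate ever asks for a ticket to the decoy SPN
$requests | Where-Object { $_.Service -eq $DecoyAccount } | ForEach-Object {
    Write-Warning "Decoy SPN requested by $($_.Requester) from $($_.Source) at $($_.Time)"
}

# 2. Burst: many distinct services requested from one source inside the window
$requests | Group-Object Source | ForEach-Object {
    $distinct = @($_.Group.Service | Sort-Object -Unique).Count
    $rc4      = @($_.Group | Where-Object EncType -eq '0x17').Count
    if ($distinct -ge $BurstThreshold) {
        [pscustomobject]@{
            Source       = $_.Name
            DistinctSPNs = $distinct
            RC4Tickets   = $rc4          # RC4 tickets are the ones worth cracking offline
            Requesters   = (@($_.Group.Requester | Sort-Object -Unique) -join ', ')
        }
    }
} | Sort-Object DistinctSPNs -Descending | Format-Table -AutoSize
```

A monitoring server or vulnerability scanner will trip the burst rule too, which is the point the paragraph makes: the behaviour is identical, so the alert has to be reconciled against what is expected to run.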
Stage 3: Lateral movement and privilege escalation
Once they’ve completed their reconnaissance, attackers will try to use their findings to move between objects in your environment to gain access to the privileged assets required to further their attack. How do they do this? Exploitation of relationships. They may try to access a system where a privileged user’s credentials are cached in memory or on disk, or they may use a permission they hold to reset the password of another identity in the environment. To protect against such activity you need to enforce policies restricting who is allowed to log onto certain system types, prevent credential caching where possible and remove unnecessary relationships between objects. Tenable Identity Exposure provides indicators that can help security teams manage these restrictions and spot inconsistencies.
Tenable is also able to provide graphical representations of relationships between identity objects in the attack paths.
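As an added example (not the post’s or Tenable’s code), the following PowerShell looks for two of the relationships this stage abuses: identities that can reset the password of a protected account (adminCount=1) without being domain administrators themselves, which is the password-reset path described above, and the number of domain logons the local host caches, which is what an attacker harvests from a system that caches privileged credentials. The $Trusted list of principals allowed to hold reset rights is an assumption to adjust for your domain; the extended-right GUID for User-Force-Change-Password is the standard Active Directory one.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module. The $Trusted list is an assumption about who may legitimately hold
# reset rights over protected accounts in your domain.
Import-Module ActiveDirectory
$nb = (Get-ADDomain).NetBIOSName

$Trusted = @("$nb\Domain Admins", "$nb\Enterprise Admins", "BUILTIN\Administrators",
             "NT AUTHORITY\SYSTEM", "NT AUTHORITY\SELF")

# User-Force-Change-Password: reset without knowing the current password
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$R        = [System.DirectoryServices.ActiveDirectoryRights]
$Takeover = $R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner   # rights that imply reset anyway

function Get-ResetPasswordHolders {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $Trusted -and (
                (($_.ActiveDirectoryRights -band $Takeover) -ne 0) -or
                ((($_.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0) -and
                 ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty))  # Empty = every extended right
            )
        } |
        ForEach-Object {
            [pscustomobject]@{
                Target    = $DistinguishedName
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited   # inherited entries point at an OU-level relationship
            }
        }
}

# (a) Every enabled protected account, and who can take it over by password reset
Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq $true' |
    ForEach-Object { Get-ResetPasswordHolders -DistinguishedName $_.DistinguishedName } |
    Format-Table -AutoSize

# (b) Cached domain logons on this host. The default is 10; servers and jump
#     hosts should cache 0 or 1 so there is little to dump from the registry.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"$env:COMPUTERNAME caches $(if ($null -eq $cached) { '10 (default)' } else { $cached }) domain logons"
```

Each row of the first table is one edge in the attack path graph: a help-desk group that can reset a Domain Admin’s password is, for an attacker who phishes one help-desk member, equivalent to membership in Domain Admins.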
Stage 4: Persistence and evasion
Another key goal of lateral movement is for attackers to get themselves into a position where they can gain persistent access to the environment and avoid detection. Given the complexity and requirements of identity solutions like Active Directory, there are a number of backdooring techniques that can be used. One of the lesser-known of these is abuse of the AdminSDHolder object. AdminSDHolder lives in the System container, which is hidden by default in the Active Directory Users and Computers console, and its access control list serves as the template for the permissions on protected accounts and groups such as Domain Admins. The Security Descriptor Propagator (SDProp) process, which by default runs every 60 minutes, copies that template onto every protected object. An attacker who grants an identity rights on AdminSDHolder therefore has those rights reapplied to the privileged groups each time SDProp runs: even when a defender removes the entry directly from a privileged group, it is re-granted within the hour. Tenable Identity Exposure has an indicator providing continuous visibility into AdminSDHolder permissions.
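The point-in-time check a practitioner would run against AdminSDHolder, as an added example rather than code from the post or from Tenable: it lists every trustee on the AdminSDHolder ACL holding rights that SDProp will propagate onto Domain Admins and the other protected objects, grades them, reads the SDProp interval, and lists accounts that still carry adminCount=1 without being in a protected group. The $Expected trustee list and the benign extended-right GUIDs are assumptions describing a default domain; products such as Exchange add ACEs of their own, so compare the output against a freshly built domain before treating a hit as a backdoor.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module. $Expected and $BenignExtended describe a default domain and are
# assumptions to validate against a clean reference domain.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
$holder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

$Expected = @("$nb\Domain Admins", "$nb\Enterprise Admins", "BUILTIN\Administrators",
              "NT AUTHORITY\SYSTEM", "NT AUTHORITY\SELF")

# Extended rights on the default template that do not give control of the account
$BenignExtended = @(
    [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password (needs the old password)
    [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As
    [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'   # Receive-As
)

$R        = [System.DirectoryServices.ActiveDirectoryRights]
$Takeover = $R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner

function Get-AceSeverity {
    param($Ace)
    if ($Ace.AccessControlType -ne 'Allow' -or $Ace.IdentityReference.Value -in $Expected) { return $null }
    $rights = $Ace.ActiveDirectoryRights
    if (($rights -band $Takeover) -ne 0) { return 'High' }
    if (($rights -band ($R::WriteProperty -bor $R::ExtendedRight)) -ne 0) {
        if ($Ace.ObjectType -eq [guid]::Empty) { return 'High' }     # every attribute / every extended right
        if ($Ace.ObjectType -in $BenignExtended) { return $null }
        return 'Review'                                              # scoped to one attribute or one right
    }
    return $null
}

# 1. The template itself: owner plus any unexpected write-class entries
$acl = Get-Acl -Path "AD:\$holder"
"AdminSDHolder owner: $($acl.Owner)"
$acl.Access | ForEach-Object {
    $sev = Get-AceSeverity $_
    if ($sev) {
        [pscustomobject]@{ Severity = $sev; Trustee = $_.IdentityReference.Value
                           Rights = $_.ActiveDirectoryRights; ObjectType = $_.ObjectType }
    }
} | Sort-Object Severity | Format-Table -AutoSize

# 2. How often SDProp reapplies the template (seconds; key absent = default 3600)
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$freq = (Get-ItemProperty -Path $ntds -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
"SDProp interval: $(if ($null -eq $freq) { '3600 (default)' } else { $freq }) seconds"

# 3. Accounts that left a protected group keep adminCount=1, the template ACL and
#    blocked inheritance; they no longer get OU-level permissions and deserve review
$protectedSids = Get-ADGroup -Filter 'adminCount -eq 1' |
    ForEach-Object { (Get-ADGroupMember $_ -Recursive).SID.Value } | Sort-Object -Unique
Get-ADUser -Filter 'adminCount -eq 1' |
    Where-Object { $_.SID.Value -notin $protectedSids } |
    Select-Object SamAccountName, DistinguishedName
```

A single High row is enough: removing the trustee from the privileged group’s own ACL does nothing, because the next SDProp run copies it back from the template. The fix is on AdminSDHolder, and the persistence check is whether the row reappears.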
There are a number of security tools on the market that can run point-in-time assessments to show weaknesses that need to be addressed; this data is often provided in a single report with no filterable history. Given the dynamic nature of identities, point-in-time assessments leave gaps in visibility for security teams. Attackers can take advantage of these gaps by making changes in the environment to facilitate their activities and then undoing them before the next assessment is performed, leaving security teams none the wiser. To be most effective, identity configuration monitoring should be continuous and keep a filterable, referenceable record of all changes.
Tenable Identity Exposure continually monitors Active Directory, and its Trail Flow feature provides a record of changes for this very purpose.
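As an added example, not part of the post or Tenable’s product, the following PowerShell turns Directory Service Changes auditing (Security event 5136) on a domain controller into the kind of filterable change trail the paragraph above calls for, so a change made and reverted between two point-in-time assessments still leaves a record. It assumes the "Audit Directory Service Changes" subcategory is enabled and that the objects of interest carry a SACL; the watched attribute list, the 24-hour window and the CSV path are assumptions.

```powershell
# Added example, not from the original post. Run on a domain controller with
# Directory Service Changes auditing enabled. Window, attribute list and
# output path are assumptions to adjust.
$Since  = (Get-Date).AddHours(-24)
$OutCsv = "$env:TEMP\ad-change-trail.csv"

# Attributes whose modification commonly marks persistence or escalation
$Watched = @('nTSecurityDescriptor', 'member', 'servicePrincipalName', 'userAccountControl',
             'msDS-AllowedToActOnBehalfOfOtherIdentity', 'scriptPath', 'sIDHistory', 'adminCount')

# 5136 reports the operation as a message-resource code, not a word
$OpType = @{ '%%14674' = 'ValueAdded'; '%%14675' = 'ValueDeleted' }

function Get-ADChangeTrail {
    param([datetime]$Since, [string[]]$Attributes)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d['AttributeLDAPDisplayName'] -in $Attributes) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    Actor         = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object        = $d['ObjectDN']
                    Class         = $d['ObjectClass']
                    Attribute     = $d['AttributeLDAPDisplayName']
                    Operation     = $OpType[$d['OperationType']]
                    Value         = $d['AttributeValue']     # SDDL for nTSecurityDescriptor, a DN for member
                    CorrelationId = $d['OpCorrelationID']    # ties the delete/add halves of one modify together
                }
            }
        }
}

$trail = @(Get-ADChangeTrail -Since $Since -Attributes $Watched)
$trail | Export-Csv -Path $OutCsv -NoTypeInformation -Append
"$($trail.Count) changes appended to $OutCsv"

# Two filters over the record: who touched AdminSDHolder, and add-then-remove pairs
$trail | Where-Object { $_.Object -like 'CN=AdminSDHolder,CN=System,*' } |
    Format-Table Time, Actor, Attribute, Operation -AutoSize

$trail | Group-Object Object, Attribute | Where-Object {
    ($_.Group.Operation -contains 'ValueAdded') -and ($_.Group.Operation -contains 'ValueDeleted')
} | ForEach-Object {
    $steps = $_.Group | Sort-Object Time | ForEach-Object { "$($_.Operation)@$($_.Time.ToString('HH:mm'))" }
    "Changed and reverted on $($_.Name): $($steps -join ' -> ')"
}
```

The second filter is the one a point-in-time scanner cannot produce: a group membership or ACL entry that was added at 02:10 and removed at 02:40 looks identical to "never changed" in a report, but is exactly the pattern the paragraph describes.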
Stage 5: Deployment
Finally, we have the deployment of the payload, such as malicious code, malware or ransomware. Chances are an attacker will need to run some sort of script or installer, such as a PowerShell script, to achieve this. Restricting script execution through security policies such as AppLocker can dramatically reduce risk.
Tenable Identity Exposure provides an indicator, specifically related to ransomware, to help security teams gain visibility into those places in the environment where the ability to run PowerShell scripts could be restricted with AppLocker.
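As an added example (not code from the post or from Tenable), the following PowerShell checks on a single endpoint whether the controls that restrict script execution are actually in force: an AppLocker Script rule collection in Enforce mode, the Application Identity service that AppLocker depends on, the PowerShell language mode that results, and script block logging so that whatever is still allowed to run is recorded. Nothing in it is environment-specific; run it as an administrator on the host being assessed.

```powershell
# Added example, not from the original post: audit the script-execution
# controls on this host. Run elevated; no environment-specific values.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. AppLocker: the effective policy must carry a Script collection set to Enabled
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$script = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Script'
if (-not $script) {
    $findings.Add('AppLocker: no Script rule collection in the effective policy')
} elseif ($script.EnforcementMode -ne 'Enabled') {
    # AuditOnly logs blocked scripts but still lets them run
    $findings.Add("AppLocker: Script collection is '$($script.EnforcementMode)', not Enabled")
} else {
    "AppLocker Script rules enforced ($($script.ChildNodes.Count) rules)"
}

# 2. AppLocker does nothing unless the Application Identity service is running
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $findings.Add("AppIDSvc is $(if ($svc) { $svc.Status } else { 'absent' }); AppLocker is not enforcing")
}

# 3. With Script rules enforced, scripts that are not allowed run in
#    ConstrainedLanguage mode; FullLanguage here means nothing restricts this session
"PowerShell language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 4. Logging, so that scripts which are allowed still leave evidence
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if ((Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging -ne 1) {
    $findings.Add('PowerShell script block logging is not enabled')
}

# 5. Execution policy is not a security boundary; reported so it is not mistaken for one
"Execution policy: $(Get-ExecutionPolicy) (advisory only; bypassed with -ExecutionPolicy Bypass)"

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

The order of the checks matters: a Script collection that is Enabled but an Application Identity service that is stopped is a policy that exists on paper only, which is the kind of gap an assessment of "where restrictions could apply" is meant to surface.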
The bigger picture
In summary, we can see how identity is at the heart of each of these five stages of a cyber attack. While the above examples are focused around on-prem Active Directory, hybrid environments are also a target for attackers, such as the 2024 attack by Storm-0501. Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, provides visibility into both Active Directory and Entra ID. Tenable Cloud Security also provides a comprehensive view into identity entitlement within public cloud providers and identity providers (IdPs), such as Ping Identity and Okta.
Identity security is fundamental to a proactive exposure management program. To achieve effective exposure management, organizations need a comprehensive view of their entire attack surface. This means pulling together all available data from across their security tools, including those for identity, applications, cloud, operational technology (OT), endpoint, asset inventories, configuration management databases (CMDBs), threat intelligence feeds and more. By combining insights from these diverse data sources, security teams can see the bigger picture, connecting the dots between assets, vulnerabilities, misconfigurations and existing compensating controls across multiple environments. The Tenable One Exposure Management Platform gives you a single, prioritized view of risk. By breaking down data silos and integrating insights from multiple security tools, organizations can reduce the likelihood of a breach and minimize risk exposure across the attack surface. Instead of viewing risks in isolation, security teams can connect the dots, understanding how attackers see their environment and taking smarter, more proactive action to reduce exposure.
Learn more
- Exposure Management
- Active Directory