Identity Security Explained: Why Attackers Log In Instead of Breaking In


For many years, cybersecurity strategies followed a well-established pattern: protect the perimeter, control access, and monitor network traffic. This approach worked well when users and systems operated within defined boundaries. That is no longer the case, because cloud adoption, remote work, and interconnected systems have changed how organisations operate.

At the same time, cybercriminals have adapted to the change. They are no longer trying to break in. Instead, they are simply logging in. This shift has fundamentally changed where risk resides and how you need to respond.

The shift from network security to identity risk

The traditional perimeter assumed that threats existed outside the network. Once inside, users were largely trusted. That assumption no longer holds, because today access happens from multiple locations, devices, and applications. Identity has become the common control point across all of them.

Attackers have recognised this and are focusing their efforts accordingly. They typically:

  • Exploit weak or reused credentials
  • Use phishing to capture login information
  • Manipulate users through social engineering

How modern attacks actually work

Credential-based attacks are effective because they remove the need for noisy intrusion techniques. A widely discussed example is the Uber incident. The attacker used stolen credentials and repeated MFA prompts until access was approved. From there, they moved across internal systems while appearing legitimate. Once attackers gain access, they:

  • Operate within normal user privileges
  • Move laterally without triggering alerts
  • Access sensitive systems gradually

Their objective is persistence and invisibility. This makes detection significantly more difficult because the activity does not appear abnormal at first glance.

Why traditional controls are struggling to keep up

Security controls have evolved, but attackers have kept pace and adopted modern techniques of their own.

Take Multi-Factor Authentication (MFA), for example. It has improved access security, but it does not eliminate risk. Attackers now bypass it by targeting the gaps around authentication rather than the mechanism itself, using techniques such as:

  • Session hijacking
  • Token interception
  • MFA fatigue attacks

So, the critical issue is this: authentication alone does not guarantee trust. When identity is compromised, even strong controls can be bypassed.
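
As an added example (not from the original article), the following sketch shows how a defender could flag the MFA fatigue pattern described above: a burst of denied or ignored push prompts, especially one that ends in an approval. The log format, field values, window and threshold are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log: (timestamp, user, result)
SAMPLE_EVENTS = [
    ("2024-01-10T02:01:00", "alice", "denied"),
    ("2024-01-10T02:02:10", "alice", "timeout"),
    ("2024-01-10T02:03:30", "alice", "denied"),
    ("2024-01-10T02:04:05", "alice", "denied"),
    ("2024-01-10T02:05:40", "alice", "approved"),
    ("2024-01-10T09:00:00", "bob", "denied"),
    ("2024-01-10T09:00:40", "bob", "approved"),
    ("2024-01-10T14:00:00", "carol", "approved"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Alert when a user gets >= threshold unapproved pushes inside `window`,
    and again if an approval follows that burst (the high-priority case)."""
    recent = defaultdict(deque)  # user -> timestamps of denied/timeout pushes
    alerts = []
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:  # alert once per burst, not per prompt
                alerts.append({"user": user, "type": "push_burst",
                               "at": ts_raw, "count": len(q)})
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "type": "approved_after_burst",
                               "at": ts_raw, "count": len(q)})
            q.clear()  # a completed login resets the user's counter
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A single mistaken denial followed by an approval, as with the constructed user bob, stays below the threshold and raises nothing.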

The identity attack surface is expanding

Suppose MFA is working. Attackers no longer limit themselves to a single entry point; the identity attack surface is expanding across multiple layers.

1. User layer: human vulnerability remains the entry point

Phishing and social engineering continue to be highly effective because they exploit trust and urgency.

2. Device layer: trusted users on untrusted endpoints

A legitimate user accessing systems from a compromised device still creates risk.

Organisations should evaluate:

  • Device compliance
  • Security posture
  • Endpoint protection

3. Session layer: persistence without re-authentication

Attackers can maintain access using:

  • Token theft
  • Session hijacking

This allows them to operate without repeated verification.

4. SaaS layer: identity beyond the enterprise boundary

Cloud platforms have expanded the identity surface further.

Common risks include:

  • OAuth token abuse
  • Misconfigured permissions
  • Over-privileged third-party integrations

Incidents involving providers like Okta show how identity ecosystems themselves are becoming targets.

AI is accelerating identity-based attacks

Attackers are not just adapting their methods. They are scaling them. AI is enabling more precise and convincing identity attacks by automating tasks that previously required manual effort. This includes:

  • Personalised phishing crafted from publicly available data
  • Voice cloning to impersonate executives or colleagues
  • Deepfake content that builds trust in real time

These techniques increase success rates while reducing the effort required to launch attacks. As a result, distinguishing between legitimate users and malicious actors is becoming significantly more difficult.

Why detection must transform: the role of ITDR

As identity becomes more distributed, traditional detection approaches struggle to keep pace. Security tools designed for endpoints or networks often miss identity misuse because the activity appears legitimate. This is where Identity Threat Detection and Response (ITDR) becomes critical.

It focuses on identifying subtle indicators of compromise across identity systems. Key signals include:

  • Impossible travel between locations
  • Unusual privilege escalation
  • Access from dormant accounts

By focusing on behaviour rather than just access, organisations can detect threats earlier in the attack lifecycle.
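
As an added example (not from the original article), this sketch evaluates two of the signals listed above, impossible travel and access from dormant accounts, over a sign-in history. The event format, the 900 km/h speed limit, the 50 km minimum distance and the 90-day dormancy period are assumptions, and the sign-ins are constructed sample data.

```python
import math
from datetime import datetime, timedelta

# Constructed sample sign-ins: (timestamp, user, latitude, longitude)
SIGNINS = [
    ("2024-03-01T08:00:00", "dana", 19.076, 72.878),     # Mumbai
    ("2024-03-01T09:30:00", "dana", 51.507, -0.128),     # London, 90 minutes later
    ("2023-09-01T10:00:00", "svc-old", 19.076, 72.878),
    ("2024-03-01T11:00:00", "svc-old", 19.076, 72.878),  # first sign-in in six months
    ("2024-02-28T08:00:00", "erin", 28.614, 77.209),     # Delhi
    ("2024-03-01T08:00:00", "erin", 19.076, 72.878),     # Mumbai, two days later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def identity_signals(events, max_kmh=900, min_km=50, dormant_after=timedelta(days=90)):
    """Compare each sign-in with the same user's previous one and return
    (user, signal, timestamp) findings."""
    last = {}      # user -> (timestamp, lat, lon) of the previous sign-in
    findings = []
    for ts_raw, user, lat, lon in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if user in last:
            prev_ts, prev_lat, prev_lon = last[user]
            gap = ts - prev_ts
            if gap >= dormant_after:
                findings.append((user, "dormant_account", ts_raw))
            else:
                km = haversine_km(prev_lat, prev_lon, lat, lon)
                hours = gap.total_seconds() / 3600
                # Ignore short hops (geolocation jitter); guard against a zero gap.
                if km > min_km and (hours == 0 or km / hours > max_kmh):
                    findings.append((user, "impossible_travel", ts_raw))
        last[user] = (ts, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in identity_signals(SIGNINS):
        print(finding)
```

The constructed user erin travels between two cities over two days, which is plausible and produces no finding.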

From access control to identity assurance

Detection alone is not enough. Organisations need to prevent misuse while access is happening. This requires a shift from access control to identity assurance. Traditional access control verifies credentials at login. Identity assurance continuously validates whether the activity still aligns with the expected user. This involves evaluating:

  • Behaviour patterns
  • Device trust
  • Location context
  • Risk signals

Moving towards risk-based authentication

Not all access requests carry the same level of risk. Organisations can adapt authentication dynamically:

  • Low-risk scenarios allow seamless access
  • High-risk scenarios trigger additional verification

This ensures that security controls are applied where they are needed most.
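
As an added example (not from the original article), the sketch below applies the identity assurance idea to a session: every request is scored against the context recorded at login, low-risk requests pass, elevated risk triggers step-up verification, and high risk revokes the session. The `Context` fields, weights and thresholds are hypothetical values for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    device_id: str
    device_compliant: bool
    country: str
    sensitive_action: bool = False

# Hypothetical weights and thresholds; tune them for your environment.
WEIGHTS = {"new_device": 40, "noncompliant_device": 30,
           "country_change": 30, "sensitive_action": 20}
STEP_UP_AT, DENY_AT = 40, 80

def assess(baseline, current):
    """Score one request against the context captured at login."""
    reasons = []
    if current.device_id != baseline.device_id:
        reasons.append("new_device")
    if not current.device_compliant:
        reasons.append("noncompliant_device")
    if current.country != baseline.country:
        reasons.append("country_change")
    if current.sensitive_action:
        reasons.append("sensitive_action")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons

def run_session(baseline, requests):
    """Evaluate every request, not only the login. A denied request revokes
    the session, so later requests fail even if they look normal again."""
    revoked, decisions = False, []
    for ctx in requests:
        if revoked:
            decisions.append("deny")
            continue
        decision, _, _ = assess(baseline, ctx)
        revoked = decision == "deny"
        decisions.append(decision)
    return decisions

# Constructed session: normal use, then context drift, then a token replayed
# from an unknown, non-compliant device.
BASELINE = Context("laptop-1", True, "IN")
REQUESTS = [
    Context("laptop-1", True, "IN"),
    Context("laptop-1", True, "IN", sensitive_action=True),
    Context("laptop-1", True, "SG", sensitive_action=True),
    Context("unknown-7", False, "SG"),
    Context("laptop-1", True, "IN"),
]

if __name__ == "__main__":
    print(run_session(BASELINE, REQUESTS))
```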

What organisations should prioritise now

To address identity risk effectively, organisations need a focused and practical approach.

  • Strengthen identity governance: Maintain clear control over user roles, permissions, and lifecycle management.
  • Control privileged access: Attackers often aim to escalate privileges after initial entry. Organisations should use just-in-time access, monitor administrative sessions and secure credentials through vaulting.
  • Reduce reliance on static authentication: Adopt adaptive and context-aware authentication models.
  • Monitor behavioural signals continuously: Track anomalies in login behaviour, access patterns, and system usage.

Our experience shows that consistent improvements in these areas can significantly reduce exposure.

Why this matters for business leaders

This shift is not just technical. It directly impacts business risk, resilience, and trust. When identity is compromised, attackers can bypass multiple layers of defence without resistance. This affects:

  • Data protection
  • Regulatory compliance
  • Operational continuity

Organisations that treat identity as a strategic risk layer are better positioned to detect, respond, and adapt.

Conclusion

Cybersecurity is no longer defined by network boundaries. It is defined by how effectively organisations can verify identity at every stage of access. Attackers have adapted by targeting credentials because doing so allows them to operate within systems without immediate detection. This is why identity has become the new perimeter.

At CyberNX, we help you strengthen identity security with practical and scalable approaches. If you are looking to assess your current exposure and build a stronger identity framework, we are here to help.

FAQs

How do attackers bypass MFA without breaking it?

They exploit gaps around authentication, such as session hijacking or overwhelming users with repeated approval requests.

What is identity assurance and how is it different from authentication?

Authentication verifies credentials once, while identity assurance continuously validates user behaviour and context.

Why are identity-based attacks harder to detect?

Because attackers use legitimate credentials, their activity often appears normal to traditional security tools.

What is the first step to improving identity security?

Start by strengthening identity governance and gaining visibility into user access and behaviour.

Author
Krishnakant Mathuria

With 12+ years in the ICT & cybersecurity ecosystem, Krishnakant has built high-performance security teams and strengthened organisational resilience by leading effective initiatives. His expertise spans regulatory and compliance frameworks, security engineering and secure software practices. Known for uniting technical depth with strategic clarity, he advises enterprises on how to modernise their security posture, align with evolving regulations, and drive measurable, long-term security outcomes.

Copyright © 2026 CyberNX | All Rights Reserved | Terms and Conditions | Privacy Policy
