Navigating the AI Threat Landscape: Why Identity-First Matters

As the digital world continues to shift at pace, cyber security threats are growing more sophisticated, with artificial intelligence (AI) amplifying the capabilities of both attackers and defenders. As organisations increasingly adopt cloud services and SaaS platforms, the traditional perimeter-based security model is becoming obsolete. Instead, identity has emerged as the new battleground. This blog post, inspired by industry insights and bolstered by data from NCSC-assured Cyber Incident Response (CIR) members and the NCSC, explores the AI-enabled threat landscape and why an identity-first approach is essential to staying ahead of cybercriminals.

The Rise of Identity-Focused Attacks

Cybercriminals are zeroing in on identities as the key to unlocking sensitive systems and data. Data from the last 12 months of incident response (IR) cases reveals that 40% of initial access methods involve identity-focused attacks, making it the most exploited vector. This outpaces other methods like exploiting public-facing applications (27%) and external remote services (15%).

Figure 1: Breakdown of initial access methods over the last 12 months, highlighting the dominance of identity-focused attacks.

This shift underscores a critical reality: identity is the new attack surface. With the rise of SaaS platforms like Microsoft 365, securing identities through robust authentication, monitoring, and access management is no longer optional; it is a necessity.

Vulnerable Sectors and Diverse Threat Actors

According to CIR and NCSC data, certain sectors are particularly vulnerable to cyber incidents. Finance, manufacturing, and retail dominate as the top sectors for cyber incidents, likely due to the sensitive data they handle and the high value of their assets. These sectors are prime targets for identity-focused attacks, as compromised credentials can lead to significant financial and operational damage.

Moreover, the threat landscape is diverse. CIR data shows that cybercriminals are the top actors behind these attacks, often motivated by financial gain. In contrast, NCSC data highlights nation-state actors as a leading threat, typically driven by espionage or geopolitical motives (note: the NCSC data is weighted towards nation-state actors due to the requirements of NCSC). This diversity in threat actors, ranging from profit-driven criminals to state-sponsored groups, emphasises the need for a robust identity-first approach that can counter a wide range of attack vectors.

Real-World Examples of Identity Threats

To grasp the stakes, let’s look at two real-world use cases: Business Email Compromise (BEC) and MFA Bypass. These examples are further contextualised by CIR and NCSC data on initial access methods.

Business Email Compromise (BEC)

BEC attacks leverage compromised identities to deceive employees into transferring funds or sharing sensitive data. Here’s how they unfold:

  1. Attackers use public data to profile a company and its executives.

  2. A tailored phishing campaign targets executives or finance teams.

  3. Attackers exploit urgency or authority to convince victims to act.

  4. Fraudulent transaction instructions lead to funds being sent to attacker-controlled accounts.

CIR data reveals that phishing is the top initial access method used by cybercriminals, making it a critical vector for BEC attacks. Compromised email accounts often serve as the entry point, emphasising the need for strong identity protections like multi-factor authentication (MFA) and continuous monitoring.

MFA Bypass

While MFA is a cornerstone of identity security, it’s not invincible. Attackers are using advanced tactics to bypass it, such as:

  1. MFA Fatigue Attacks - Overwhelming users with authentication requests until they approve one.

  2. Social Engineering - Tricking users or IT help desks into resetting MFA settings.

  3. Adding New MFA Methods - Registering attacker-controlled devices to maintain access.

AI, including deepfake audio, is increasingly used to enhance these attacks; imagine a fake CEO voice requesting an urgent transfer. This highlights the need for next-level defences beyond basic MFA.
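As an added illustration (not code from this post or from CybaVerse's ITDR product), the following detection runs over constructed identity-provider events and flags the two patterns described above: a push approval that follows a burst of denied prompts, and a new MFA method registered shortly after such an approval. The event format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), one per line:
# timestamp  user  event_kind  result  source_ip
SAMPLE_EVENTS = """\
2025-03-04T08:00:05Z alice mfa_push denied 203.0.113.7
2025-03-04T08:00:31Z alice mfa_push denied 203.0.113.7
2025-03-04T08:01:02Z alice mfa_push denied 203.0.113.7
2025-03-04T08:01:40Z alice mfa_push denied 203.0.113.7
2025-03-04T08:02:15Z alice mfa_push approved 203.0.113.7
2025-03-04T08:03:50Z alice mfa_method_added success 203.0.113.7
2025-03-04T08:10:00Z bob mfa_push approved 198.51.100.4
2025-03-04T09:15:00Z carol mfa_push denied 192.0.2.9
2025-03-04T09:45:00Z carol mfa_push approved 192.0.2.9
"""

FATIGUE_WINDOW = timedelta(minutes=5)   # assumed tuning values
FATIGUE_THRESHOLD = 3                   # denials before an approval
ENROL_WINDOW = timedelta(minutes=30)    # method added after a suspect approval

def parse_events(text):
    """Parse the whitespace-separated event lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, kind, result, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "kind": kind, "result": result, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return (user, alert_name) tuples for MFA fatigue and follow-on enrolment."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        fatigue_at = None  # time of the last approval judged to be fatigue
        for i, e in enumerate(evs):
            if e["kind"] == "mfa_push" and e["result"] == "approved":
                denials = [p for p in evs[:i]
                           if p["kind"] == "mfa_push" and p["result"] == "denied"
                           and e["ts"] - p["ts"] <= FATIGUE_WINDOW]
                if len(denials) >= FATIGUE_THRESHOLD:
                    alerts.append((user, "mfa_fatigue_approval"))
                    fatigue_at = e["ts"]
            elif (e["kind"] == "mfa_method_added" and fatigue_at is not None
                  and e["ts"] - fatigue_at <= ENROL_WINDOW):
                alerts.append((user, "new_mfa_method_after_fatigue"))
    return alerts
```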

Interestingly, NCSC data shows that for nation-state actors, exposed endpoints are a key initial access method. This data suggests that phishing remains a top vector for cybercriminals but nation-state actors may exploit different vulnerabilities, such as unsecured devices or misconfigured systems.

AI: A Double-Edged Sword

AI is transforming cyber security on both sides of the equation. Attackers use it to:

  1. Craft deepfake audio for impersonation.

  2. Automate personalised phishing campaigns at scale.

  3. Execute credential stuffing with ruthless efficiency.

Defenders, meanwhile, can harness AI for behavioural analytics, threat detection, and rapid response. The difference lies in staying ahead; traditional security measures alone won’t cut it against AI-driven threats.

Incident Response in a SaaS World

As organisations shift to SaaS environments, incident response faces new challenges:

  1. Traditional IR focuses on endpoints and networks, not SaaS telemetry.

  2. A single compromised identity can unlock multiple platforms: email, SharePoint, Salesforce, and more.

  3. Sensitive data is scattered across SaaS tools, complicating breach analysis.

An identity-first approach to IR, powered by tools like CybaVerse’s Identity Threat Detection and Response (ITDR), tackles these issues by:

  1. Pulling data from SaaS platforms via connectors.
  2. Offering a single view of identity activity across systems.
  3. Alerting on security events and misconfigurations as they occur.
  4. Automating response actions to contain threats fast.

The Role of Basic Cyber Security Measures: Insights from CE Data

While advanced identity protections are critical, basic cyber security measures also play a role. CIR data on Cyber Essentials (CE) adoption provides valuable insights:

  1. 56% of incidents occurred in organisations that did not have CE or CE+ certification.

  2. Only 5.6% of incidents involved organisations with CE+, and 5.25% with CE.

This suggests that even basic cyber security frameworks like Cyber Essentials can reduce the likelihood of incidents. However, the data also reveals that in organisations with CE, phishing is no longer the top initial access method; it is preceded by exposed endpoints and valid accounts. This indicates that while CE helps mitigate phishing risks, attackers shift to exploiting other vulnerabilities, such as misconfigured systems or compromised credentials.

Thus, while CE is a good starting point, it’s not sufficient on its own. Organisations must go beyond basic measures and adopt a comprehensive identity-first approach to address the full spectrum of threats.

Modernising Your Identity and Access Management (IAM)

To combat these threats, organisations must transform their IAM programs. Common challenges include:

  1. Separate IAM solutions for on-premises and cloud apps.

  2. Growing complexity in managing user access.

  3. Struggling to keep up with evolving SaaS connectors.

CybaVerse suggests a roadmap to modernise IAM:

  1. Identify gaps in provisioning, access reviews, and more.
  2. Transition to scalable, cloud-native solutions.
  3. Gain visibility into access, compliance, and security via centralised reporting.
  4. Partner with specialists for implementation and support.

A modern IAM program enhances security while delivering a seamless user experience.

Conclusion: Identity-First is the Future

The AI-enabled threat landscape demands a new mindset. With 40% of attacks targeting identities, and AI amplifying attacker capabilities, organisations must prioritise identity security. CIR and NCSC data further highlight the vulnerability of key sectors like finance, manufacturing, and retail, and the diverse nature of threat actors, from cybercriminals to nation-states.

While basic cyber security measures like Cyber Essentials can reduce risks, they are not enough. Attackers adapt, shifting from phishing to exploiting exposed endpoints and valid accounts. Therefore, embracing an identity-first approach, through advanced authentication, centralised monitoring, and proactive IAM transformation, is essential to protect your digital assets against today’s most pressing threats.
