How Cyberattackers Gain Access
Key Takeaways
- Identity weaknesses show up in 90% of Unit 42 investigations, so identity is a top control point.
- Identity-driven techniques drive 65% of initial access, led by social engineering and credential misuse.
- Excess permissions and token abuse help attackers move faster, so least privilege and session hardening matter.
Most breaches don’t start with a rare software exploit. Instead, attackers often gain access by taking over identity and using it like a master key.
This graphic, in partnership with Unit 42 by Palo Alto Networks, shows how cyberattackers gain access by exploiting identity paths, based on data from Unit 42 incident-response investigations.
Identity Is the Practical Perimeter
Here is a table that summarizes the main identity-driven routes attackers use to gain access.
| Initial Access 1 | Initial Access 2 | Initial Access 3 | Percentage |
|---|---|---|---|
| Other | Other | Other | 35% |
| Identity-based techniques | Identity-based social engineering | Identify-based phishing | 22% |
| Identity-based techniques | Identity-based social engineering | Other social engineering | 11% |
| Identity-based techniques | Credential misuse and brute force | Credential misuse | 13% |
| Identity-based techniques | Credential misuse and brute force | Brute force | 8% |
| Identity-based techniques | Identity policy and insider risk | Insider threats | 8% |
| Identity-based techniques | Identity policy and insider risk | IAM misconfigurations | 3% |
In the past year, Unit 42 found identity weaknesses played a material role in 90% of investigations. As SaaS and cloud use grow, identity now acts as the perimeter.
Here, “identity-driven” specifically means abusing credentials, sessions, multi-factor workarounds, or permissions to look legitimate. Because that activity blends in, defenders often lose precious time.
The Way In: Identity-Driven Initial Access
Identity-based techniques drive 65% of initial access in Unit 42’s casework. However, many organizations still focus more on patching than authentication, and many still repeat common cybersecurity mistakes that attackers exploit.
Social engineering leads at 33%, including phishing designed to bypass MFA and hijack sessions. Meanwhile, credential misuse and brute-force attacks account for 21%, and policy or insider abuse accounts for 11%.
The Way Through: Identity Turns Access Into Impact
Once attackers log in, they can escalate privileges and move laterally with fewer alarms. In turn, Unit 42 found 99% of 680,000 cloud identities held excessive permissions.
Token theft and risky OAuth grants also let adversaries persist without repeated logins. Consequently, one over-privileged human or machine identity can expand the blast radius quickly.
Countermeasures That Disrupt Identity Attacks
Start with phishing-resistant MFA such as passkeys or FIDO2 keys for high-value roles. Next, rotate machine credentials, shorten sessions, and shift admins to just-in-time elevation.
You can also connect identity telemetry across cloud and SaaS to spot unusual access chains sooner.
-
Technology8 months agoRanked: The World’s Most Common Passwords
Explore the most common passwords globally, and see why predictable choices make accounts vulnerable to hacking.
-
Cities3 years agoRanked: The World’s Most Surveilled Cities
The world’s most surveilled cities contain hundreds of thousands of cameras. View this infographic to see the data in perspective.
-
Privacy5 years agoMapped: The Top Surveillance Cities Worldwide
Which cities have the most CCTV cameras? This map reveals the top surveillance cities worldwide in terms of the prevalence of CCTV cameras.
-
Maps6 years agoMapped: The State of Facial Recognition Around the World
Mass surveillance is becoming the status quo. This map dives into the countries where facial recognition technology is in place, and how it’s used.
-
Technology6 years agoWhy Biometric Security is the Future
Buoyed by innovation and user-friendly experiences, biometric security measures will soon be a mainstream method of keeping your online accounts safe.
-
Privacy7 years agoVisualizing Internet Suppression Around the World
Freedom of speech on the internet has been on decline for eight consecutive years. We visualize the death spiral to show who limits speech the most.
var disqus_shortname = “visualcapitalist.disqus.com”;
var disqus_title = “Visualized: How Cyberattackers Gain Access”;
var disqus_url = “https://www.visualcapitalist.com/sp/pal01-how-cyberattackers-gain-access/”;
var disqus_identifier = “visualcapitalist.disqus.com-195539”;