
Compromised at the Core: Why Identity Remains Cyber’s Biggest Flaw

Whether phished, sprayed, bought, or stolen, credentials remain the most consistent point of failure in enterprise security.


The most devastating breaches of the past few years have begun not with zero-day exploits or impenetrable code but with a mundane act of deception: someone logging in under false pretences.

Attackers have learned that the shortest path into a network is to borrow a legitimate identity and walk through the front door. Abuse of valid accounts already sits at the top of IBM’s incident charts, representing 30% of the cases its X-Force team handled in 2023, neck-and-neck with classic phishing as the favoured opening move for criminals.

Credentials are easy to steal, cheap to buy, and, once accepted by corporate infrastructure, extraordinarily difficult to tell apart from the real thing.

The real threat has already entered the chat

Identity-centric attacks are now so common that eSentire’s 2025 threat report labels them “the current dominant attack vector,” warning that perimeter defences and endpoint agents alone cannot keep pace. All an attacker needs to do is convince one authentication service that they are an authorised employee; after that, every subsequent action - opening email, reading source code, approving payments - appears routine, and the alarms stay silent.

When the intruder reuses genuine credentials, works within office hours, and touches only the systems their role allows, signature-based tools shrug.

Deepfakes and deception: impersonation beyond IT

Consider the recent wave of deepfake recruitment scams: more than 320 cases have been tracked where North Korean operatives secured remote developer roles by faking CVs, social media histories, and even live video interviews, complete with real-time facial overlays powered by artificial intelligence.

Once inside, these impostors move with the confidence of insiders. They build code, pull data, or submit expense claims, all within policy limits. Because traditional detection relies on obvious anomalies (unusually large data transfers, connections from foreign IP addresses, sudden privilege spikes), the attacker’s steady, low-key activity blends into the background.

By the time a ransom note or data leak headline forces the issue, the breach may have persisted for weeks. In that sense, identity misuse is cybersecurity’s kryptonite: it strips defenders of context, and every log event is both legitimate and malignant until inspected.

From static defences to behavioural intelligence

Breaking this stalemate requires a shift from static controls to behavioural understanding. AI-driven User and Entity Behaviour Analytics (UEBA) offers a practical path. Rather than relying on fixed rules, UEBA systems learn what “normal” looks like for each user: the applications they access, how often they query a database, how long sessions last, and the time zones they operate from.

Unusual activity, such as a midnight login from a new device or unexpected access to unfamiliar files, raises a risk score that can restrict access or trigger an investigation. Crucially, such analytics improve with scale, digesting millions of data points daily without fatigue, bias, or absence.
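The baselining and risk-scoring loop described above, reduced to a small worked example. This is added illustration code, not anything from the article or from NetSPI; the sign-in history, the weights and the action thresholds are all constructed assumptions, and a production UEBA system would learn far richer features than hour-of-day, device and application.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history (user, ISO timestamp, device_id, application);
# assembled for this example only, not real telemetry.
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "LAPTOP-A1", "mail"),
    ("alice", "2024-03-04T10:40:00", "LAPTOP-A1", "git"),
    ("alice", "2024-03-05T08:55:00", "LAPTOP-A1", "mail"),
    ("alice", "2024-03-05T14:20:00", "LAPTOP-A1", "git"),
    ("alice", "2024-03-06T16:05:00", "LAPTOP-A1", "git"),
]

# Illustrative weights and thresholds (assumptions, not a vendor's tuning).
WEIGHTS = {"off_hours": 40, "new_device": 35, "new_app": 25}
STEP_UP, INVESTIGATE = 60, 25  # score >= STEP_UP restricts access


def build_baseline(events):
    """Learn what 'normal' looks like per user: devices, apps, working hours."""
    profile = defaultdict(lambda: {"devices": set(), "apps": set(), "hours": []})
    for user, ts, device, app in events:
        p = profile[user]
        p["devices"].add(device)
        p["apps"].add(app)
        p["hours"].append(datetime.fromisoformat(ts).hour)
    return dict(profile)


def score_event(profile, user, ts, device, app):
    """Score one sign-in against the user's baseline.

    Returns (score, reasons, action); action is 'allow', 'investigate'
    (open a ticket) or 'step-up' (restrict access and re-verify the user).
    """
    p = profile.get(user)
    if p is None:  # an identity with no history at all is treated as hostile
        return 100, ["no baseline for user"], "step-up"
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    lo, hi = min(p["hours"]) - 2, max(p["hours"]) + 2  # tolerated window
    if not lo <= hour <= hi:
        score += WEIGHTS["off_hours"]
        reasons.append(f"hour {hour:02d} outside usual {lo:02d}-{hi:02d}")
    if device not in p["devices"]:
        score += WEIGHTS["new_device"]
        reasons.append(f"never seen device {device}")
    if app not in p["apps"]:
        score += WEIGHTS["new_app"]
        reasons.append(f"first access to {app}")
    action = "step-up" if score >= STEP_UP else "investigate" if score >= INVESTIGATE else "allow"
    return score, reasons, action
```

A 02:15 login from an unknown phone into an application the user has never touched scores 100 and is stepped up, while the same user opening mail from their usual laptop at 09:05 scores 0 and passes silently.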

Implementing an identity-first defence, however, is more than a technology rollout. It is a cultural adjustment. Organisations must treat credential abuse as inevitable and build layers of friction to deter, detect, and contain impostors. That begins with strong, phishing-resistant multifactor authentication for every account, including contractors, service accounts, and senior executives. It extends to recruitment, where video interview “liveness” tests (asking candidates to turn sideways, repeat random phrases, or interact with on-screen prompts) can foil cheap deepfakes without disrupting genuine applicants.

Least-privilege policies then limit what any single persona can do, ensuring that the theft of one identity never grants carte blanche across the estate. Crucially, all identity telemetry (authentication logs, HR status changes, and SaaS audit trails) must feed the same analytics pipeline so that security teams see context rather than isolated events.

Identity-first must also mean response-first

The final piece of the puzzle is response. When an identity alert triggers, the default should be to assume compromise and act fast.

Automation can help. Well-tuned playbooks reset passwords, disable tokens, and send real-time verification prompts before an analyst even opens the incident dashboard. The aim is to embed instinctive, rapid action around identity compromise, just as we once did for ransomware or denial-of-service attacks.

None of this is easy: it asks security leaders to focus less on exotic malware and more on the humble act of logging in. It challenges developers to integrate identity telemetry across the stack and encourages HR teams to treat every remote hire as a potential attack surface.

The payoff is clarity: by modelling normal behaviour and acting as soon as it skews, organisations can turn the attacker’s biggest advantage - trust in valid credentials - into their most obvious weakness. A persona that behaves out of character becomes noisy, traceable, and disposable.

Nick Walker, Regional Director, EMEA, NetSPI
