Decentralized Identifiers and their impact on privacy and security

Part 2 of: The Decentralized Cybersecurity Paradigm: Rethinking Traditional Models

In Part 1 we considered decentralized technology for securing data. Now the time has also come for the decentralized identity revolution. Traditional, centralized identity management systems generally rely on single entities to store and verify user information. However, these solutions face increasing limitations in the face of evolving cybersecurity threats (https://redcanary.com/threat-detection-report/trends/identity-attacks/). Specifically, these systems present inherent risk areas such as single points of failure and attractive targets for malicious actors. Data breaches targeting centralized repositories are growing in frequency and severity. This highlights the urgent need for resilient, user-centric digital identity. Therefore, it is time to consider decentralized identifiers and their impact on privacy and security.

In response to these challenges, Decentralized Identifier (DID) (https://www.w3.org/TR/did-1.0/) technology has emerged as a transformative paradigm shift in cybersecurity. DID offers the promise of enhanced privacy and security by distributing control over digital identities. Ultimately, this aims to empower individuals and organizations to manage their own credentials without dependence on central authorities. We will explore DID, delving into its core principles, potential impact on privacy and security, and its promising future within the broader landscape of decentralized cybersecurity.

Demystifying DID: Core Concepts and Principles

DID represents a novel approach to the management of digital identity. It shifts control from centralized entities to individual entities (e.g. users, organizations). At its core, DID empowers individuals to store their identity-related data securely on their own devices (e.g. a digital wallet). In doing so, DID enables the use of cryptographic key pairs to share only the information necessary for specific transactions. This approach aims to bolster security by diminishing the reliance on central authorities. After all, these traditional mechanisms have historically served as prime targets for cyberattacks. Central data stores actually make an attacker's mission easier: one breach can expose all centrally stored data.

DIDs are the cornerstone of making identity breaches more challenging for nefarious actors. DIDs act as globally unique, user-controlled identifiers. Importantly, these can be verified without the need for a central authority, akin to a digital address on a blockchain. This innovative methodology facilitates secure control over digital identities. It offers a robust framework for authentication and authorization that moves away from traditional, less secure, centralized models.

The World Wide Web Consortium (W3C) has formally defined DIDs as a new class of identifiers that enable verifiable, decentralized digital identity. Specifically, they are designed to operate independently of centralized registries and identity providers. Through the use of cryptographic techniques, DIDs ensure the security and authenticity of these digital identities. As a result, they provide a tamper-proof and verifiable method for managing identity data across various disparate platforms. Ultimately, Decentralized Digital Identity (DDI) seeks to eliminate the necessity for third parties in managing digital identities. Furthermore, it aims to mitigate the risks associated with centralized control. In turn, this empowers users to create and manage their own digital tokens as identification on a blockchain (https://www.1kosmos.com/blockchain/distributed-digital-identity-a-transformative-guide-for-organizations/).

The efficacy of DID rests upon several fundamental principles that distinguish it from traditional identity management frameworks:

  • Self-Sovereign Identity (SSI)
  • User-Centric Control
  • Independence from Central Authorities

Self-Sovereign Identity (SSI)

This principle grants individuals complete ownership and control over their digital identities and personal data. The goal is liberation from dependencies on third-party entities. SSI empowers users to choose what information they share. Importantly, it also lets them decide who they share it with. This enhances trust between parties. It mitigates privacy concerns by avoiding third-party data storage. This approach places individuals at the helm of their digital personas. It enables individuals to store their data on their own devices. They can engage with others in a peer-to-peer manner. There are no centralized data repositories involved. No intermediaries track their interactions. SSI makes individuals the custodians of their digital identities. It gives them the power to control access to their data. Subsequently, this model also introduces the user-controlled ability to revoke access at any given time.

This paradigm stands in stark contrast to the conventional model. Users often navigate fragmented web experiences. They rely on large identity providers who control their personal information. SSI changes this by using digital credentials and secure, private connections. These connections are facilitated through digital wallets. SSI offers a transformative path forward. It empowers individuals to assert sovereignty over their digital existence. This user-centric model often leverages blockchain technology to ensure the security and privacy of sensitive identification information.

This foundational principle of SSI is what truly sets DIDs apart. It shifts the focus from decentralized infrastructure to decentralizing control. With DIDs, control moves directly to the individual. Traditional systems inherently give data ownership to corporate entities or service providers. SSI fundamentally reverses this dynamic. It gives users the autonomy to govern their data. Users can also dictate who gets access and under what conditions. This realignment resonates with the increasing demand from users for greater privacy and control over their digital footprint.

User-Centric Control

Building upon the foundation of SSI, DID empowers users with comprehensive control over their identity data. This means they can actively manage, selectively share, and impose restrictions on who can access their personal information. This user-centric model places individuals at the forefront of their digital interactions, granting them the authority to decide what information is shared and with whom. This approach inherently minimizes the risk of data breaches and the potential for misuse of personal information. The design and development of DID systems are guided by the needs, preferences, and overall experiences of users. User control, a core tenet of user experience design, ensures that individuals have autonomy and independence when interacting with digital interfaces.

Principles of user-centric data control further emphasize transparency, informed consent, data minimization, purpose limitation, and robust security measures. These are all aimed at empowering users in the management of their own data. Ultimately, the user-centric data model operates on the principle that individuals should possess absolute ownership and control over their personal data, granting them the power to decide how their information is utilized and what value they derive from it. DID wallets and decentralized identifiers serve as pivotal tools in realizing this control, enabling users to selectively disclose specific aspects of their identity and manage access permissions according to their preferences.

Independence from Central Authorities

Traditional Identity and Access Management (IAM) folks may perceive this as sacrilege. But, the time for change is upon the industry. A defining characteristic of DID is its operational independence from traditional identity providers, centralized registries, and certificate authorities. DIDs are meticulously designed to function without the need for permission or oversight from any central entity. This autonomy means that the lifecycle of a DID, from creation to potential deactivation, rests solely with the owner, free from the dictates of any IAM ecosystems.

Historically, the pursuit of independence from central authorities has been a significant theme across various domains. Even in the realm of monetary policy, the concept of central bank independence underscores the importance of autonomy in critical functions. This principle of independence in DID is paramount for fostering resilience and mitigating the inherent risks associated with single points of failure, a notable vulnerability in traditional, centralized systems. By distributing trust and control across a decentralized network, DID ensures a more robust and secure ecosystem, less susceptible to the failures or compromises that can plague centrally managed identity frameworks.

How DID Differs from Traditional Identity Management

The advent of DID heralds a new era of identity management. Digital identities are undergoing a significant shift. This is particularly so when contrasted with traditional identity management systems concerning user privacy. Unlike traditional systems, where organizations collect and control user data, DID puts individuals at the center. This model grants individuals greater autonomy over their personal information. The principle of data minimization drives this paradigm shift. Data minimization empowers users to share only the precise information required for a specific interaction, thereby limiting the exposure of their personal details.

Furthermore, DID fosters a reduced reliance on intermediaries and integrations. This reduced reliance has profound implications for curtailing the pervasive tracking and surveillance that traditional models often enable. Traditional models empower organizations. As such, DID represents a fundamental alteration of the prevailing model. Organizations and service providers have traditionally treated user data as a valuable asset, but DID shifts the framework, empowering individuals to become the ultimate custodians of their own digital identity.

Deviation from traditional IAM

Traditional identity management often requires users to divulge an extensive array of personal information, and various organizations then store and manage that data. This places inherent trust in the folks designing and managing those systems. In stark contrast, DID champions the concept of data minimization, enabling users to selectively disclose only the essential details required for a given transaction or service. This approach not only enhances user privacy but also significantly curtails the risk of extensive data breaches, as less personal information is centrally stored. Moreover, DID inherently promotes a reduced dependence on intermediaries, which traditionally act as central points for identity verification and data management.

In contrast to traditional systems, DID circumvents these central entities and reduces opportunities for widespread data tracking and surveillance, since user interactions no longer pass through a limited number of organizations that aggregate and monitor user activities. Consequently, individual control over personal data is markedly amplified within a DID ecosystem. Users are empowered to manage their own identity credentials, granting or revoking access as they see fit, and maintaining a clear understanding of who holds what information about them. This user-centric approach to privacy stands in stark contrast to the often opaque and less controllable nature of traditional identity management systems.

The following table summarizes some of the points just covered:

Feature | Traditional Identity Management | Decentralized Identity Management (DID)
--- | --- | ---
Control | Primarily held by organizations | Primarily held by users
Privacy | Users often share excessive data; risk of broad data collection | Data minimization; users share only necessary information
Security | Centralized data storage creates single points of failure | Distributed control reduces attack surface; enhanced cryptographic security
Reliance on Intermediaries | High; relies on identity providers for verification | Reduced; enables peer-to-peer interactions
Single Points of Failure | Yes; central databases are vulnerable | No; distributed nature enhances resilience

The Impact of DID on Vulnerabilities and Authentication

DID presents a clear paradigm shift in digital security by addressing many of the inherent vulnerabilities associated with traditional, centralized identity providers. By distributing control over identity data, DID inherently mitigates the risk of large-scale data breaches that are often the hallmark of attacks on centralized systems. Furthermore, DID significantly enhances user authentication processes through the deployment of robust cryptographic methods, effectively eliminating the reliance on less secure password-based systems.

Centralized identity providers, by their very nature, constitute single points of failure. Consequently, they become prime targets for cyberattacks seeking to compromise vast amounts of user data. DID, with its foundational principle of decentralization, inherently diminishes this risk by distributing the control and storage of identity data across a network, rather than concentrating it within a single entity. This distributed architecture makes it far more challenging for malicious actors to orchestrate widespread data breaches, since no single repository holds everyone's data.

Expanding on that impact, traditional authentication mechanisms are increasingly susceptible to a myriad of security threats. These include phishing, brute-force attacks, and credential stuffing, all of which exploit the use of passwords. DID leverages the power of cryptographic key pairs and digital signatures to establish more robust and secure authentication frameworks. This shift towards cryptographic authentication effectively removes some of the vulnerabilities associated with password-based systems, offering a more resilient and secure pathway for verifying user identities.

DID Technology: Specifications, Infrastructure, and Cryptography

The foundation of the DID ecosystem rests upon a robust technological framework. This is spearheaded by the W3C DID specification and underpinned by Decentralized Public Key Infrastructure (DPKI). The W3C DID specification serves as a cornerstone, defining a new type of identifier for verifiable, decentralized digital identity. This specification outlines the core architecture, data model, and representations for DIDs, aiming to ensure interoperability across different systems and platforms. It provides a common set of requirements, algorithms, and architectural options for resolving DIDs and dereferencing DID URLs (https://www.w3.org/TR/did-resolution/). The W3C also maintains a registry of various DID methods, each detailing a specific implementation of the DID scheme (https://decentralized-id.com/web-standards/w3c/decentralized-identifier/did-methods/).

Recognizing the evolving needs of the digital landscape, the W3C provides mechanisms for extending the core DID specification through DID Extensions, allowing for the addition of new parameters, properties, or values to accommodate diverse use cases (https://www.w3.org/TR/did-extensions/). The DID 1.0 specification achieved the status of a W3C Recommendation in July 2022, signifying its maturity and readiness for widespread adoption. Ongoing developments within the W3C include the exploration of DID Resolution specifications to further standardize the process of resolving DIDs to their corresponding DID documents. The broader vision of the W3C is to foster an open, accessible, and interoperable web, with standards like the DID specification playing a crucial role in realizing this vision.

DPKI

Complementing the W3C DID specification is the concept of DPKI, which is pivotal for managing cryptographic keys in a decentralized manner (https://www.1kosmos.com/article/decentralized-public-key-infrastructure-dpki/). DPKI empowers individuals and organizations to create and anchor their cryptographic keys on a blockchain in a tamper-proof and chronologically ordered fashion. This infrastructure distributes the responsibility of managing cryptographic keys across a decentralized network, leveraging blockchain technology to align with the core principles of decentralization, transparency, and user empowerment. DPKI aims to return control of online identities to their rightful owners, addressing the usability and security challenges inherent in traditional Public Key Infrastructure (PKI) systems.

Blockchain-enabled DPKIs can establish a fully decentralized ledger for managing digital certificates. This can ensure data replication with strong consistency and distributed trust management properties built upon peer-to-peer trust models. By utilizing blockchain as a decentralized key-value storage, DPKI enhances security and minimizes the influence of centralized third parties in the management of cryptographic keys.

At the heart of DID security and verifiable interactions lie various cryptographic techniques, most notably digital signatures and public-private key pairs. DIDs often incorporate cryptographic key pairs, comprising a public key for sharing and a private key for secure control.

Blockchain technology itself employs one-way hashing to ensure data integrity and digital signatures to provide authentication and privacy. DIDs leverage cryptographic proofs, such as digital signatures, to enable entities to verifiably assert control over their identifiers. Digital signatures play a crucial role in providing authenticity, non-repudiation, and ensuring the integrity of data. Public-private key pairs are instrumental in enabling encryption, decryption, and the creation of digital signatures, forming the bedrock of secure communication and verification within DID ecosystems. Verifiable Credentials (VC), which are integral to DID, also rely on cryptographic techniques such as digital signatures to ensure the authenticity and integrity of the claims they contain (https://www.identity.com/what-are-verifiable-credentials/).

Verifiable Credentials (VC)

VCs serve as the fundamental building blocks for establishing trust and ensuring privacy within DID ecosystems. These are tamper-evident, cryptographically secured digital statements issued by trusted authorities. They represent claims about individuals or entities, such as identity documents, academic qualifications, or professional licenses. VCs are meticulously designed to be easily verifiable, portable, and to preserve the privacy of the credential holder. A crucial aspect of VCs is that they are cryptographically signed by the issuer, allowing for independent verification of their authenticity without the need to directly contact any issuing authority.

Furthermore, VCs often have a strong relationship with DIDs, with DIDs serving as verifiable identities for both the issuers and the holders of the credentials. Essentially, this provides a robust foundation for trust and verification within the digital realm. The W3C VC Data Model provides a standardized framework for the issuance, holding, and verification of these digital credentials, promoting interoperability and trust across diverse applications and services.

VC Role

VCs are instrumental in enabling the secure and privacy-preserving sharing of digital credentials by leveraging the power of digital signatures and the principle of selective disclosure. Digital signatures play a pivotal role here by guaranteeing that a credential originates from a trusted issuer, thus establishing the authenticity and integrity of the data. Enhancing the trustworthiness factor, VCs eliminate reliance on physical documents, which are inherently susceptible to forgery and tampering. In turn, this significantly reduces the risk of identity fraud and theft.

Aligning with the principles of SSI, VCs empower individuals with complete control over their digital identities. A key feature that enhances privacy is selective disclosure. This allows credential holders to share only the necessary information required for a specific verification, without revealing extraneous personal details. The use of digital signatures authenticates an issuer but it also protects the integrity of the data within the credential. Any alteration to the data would invalidate the signature, immediately indicating tampering.

The VC ecosystem comprises three primary roles that interact to facilitate the secure and privacy-preserving exchange of digital credentials:

  • Issuers
  • Holders
  • Verifiers

Issuers

Issuers are the trusted entities that create and digitally sign VCs. They attest to specific claims about individuals, organizations, or things. Issuers could be employers verifying employment status, government agencies issuing identification documents, or universities issuing degrees.

Holders

Holders are the individuals or entities who possess these VCs and have the ability to store them securely in digital wallets. These are the entities being verified. Holders have control over their credentials and can choose when and with whom to share them.

Verifiers

Verifiers are the third parties who need to validate the claims made in a VC. They validate claims made by issuers about holders. Using an issuer’s public key, verifiers can cryptographically verify the authenticity and integrity of a VC without needing to contact the issuer directly. This ecosystem ensures a decentralized method for verifying digital credentials, enhancing both security and privacy for all participants.

Real-World Use Cases Across Diverse Sectors

DID is rapidly transitioning from a theoretical concept to a practical solution with tangible applications across a multitude of sectors. Its potential to address real-world challenges in IAM, data security, and privacy is becoming increasingly evident through various innovative use cases.

Digital Identity Wallets

One prominent application lies in digital identity wallets. They can serve as secure repositories for storing and managing an individual's digital credentials. These wallets enable users to conveniently access and share their verified information, such as payment authorizations, travel documents, and age verification, without the need for physical documents. Platforms like Dock Wallet exemplify this by allowing users to manage their DIDs and VCs efficiently. Basically, digital identity wallets enhance user convenience and security by providing a single, encrypted space, under the user's control, for personal identity assets.

Secure Data Sharing

DID is also impacting secure data sharing across various industries. In supply chain management, DID and VCs can be used to track product origins and verify supplier credentials. This can ensure transparency and authenticity. The technology facilitates secure data exchange for critical applications. Some examples are intelligence sharing and monitoring human trafficking, where insights need to be shared between different organizations securely. Furthermore, DID enables the secure sharing of encrypted data for collaborative analysis without the need for decryption. This opens up new possibilities for deeper secure data collaboration.

Another significant area of application is access control for both physical and digital resources. DIDs allow individuals to prove control over their private keys for authentication purposes, granting secure access to various services and resources. This can range from providing secure entry to physical spaces to granting access to sensitive digital information. DID-based systems can also facilitate fine-grained access control based on specific attributes, ensuring that users only gain access to the resources necessary for their roles.

Other Examples

Beyond these examples, DID is finding applications in Decentralized Finance (DeFi). The use case here is the enablement of users to access financial services without relying on traditional intermediaries. It also holds promise for enhancing digital governance and voting systems, aiming to create more secure and transparent electoral processes. In the healthcare sector, DID empowers patients to control their health data and share it securely with healthcare providers, improving both patient care and data privacy. The education sector can benefit from DID by simplifying the verification of academic credentials and issuing fraud-proof certificates. Similarly, DID can streamline human resource services, allowing for efficient and secure verification of things like employee work history. These diverse use cases underscore the versatility and broad applicability of DID in addressing real-world challenges related to identity, security, and privacy across various industries.

Challenges to Mainstream Adoption of DID

While DID presents a compelling vision for the future of digital identity, its widespread adoption and implementation are accompanied by several challenges.

User Adoption

One significant hurdle lies in user adoption, the very people DID intends to benefit. For DID to achieve mainstream success, it requires ease of use, user-friendly interfaces, and comprehensive educational resources. Individuals need to learn how to seamlessly manage their DIDs and VCs effectively. Overcoming user resistance to change and ensuring that the technology is intuitive and provides clear benefits are crucial steps in this process.

Another critical aspect is the development of robust recovery mechanisms for lost or compromised private keys. Losing control of the private key associated with a DID can lead to a permanent loss of digital identity. Therefore, the creation of secure and user-friendly key recovery solutions is essential to prevent such scenarios.

Standardization

Standardization and interoperability across different DID methods and platforms also pose considerable challenges. The lack of complete uniformity and the potential for fragmentation among various DID implementations can hinder seamless cross-platform usage and limit the overall utility of the technology. Efforts towards establishing common standards and ensuring interoperability are vital for the widespread adoption of DID.

Compounding these challenges, the regulatory landscape surrounding DID is still in its infancy. This leads to uncertainties regarding compliance and legal recognition. Clear and consistent regulatory frameworks will be necessary to provide a stable foundation for the adoption of DID across various jurisdictions and industries.

The following table summarizes some of the points just covered:

Challenge | Description | Potential Mitigation Strategies
--- | --- | ---
User Adoption | Resistance to change, complexity of new technology | User-friendly interfaces, comprehensive educational resources, clear value proposition
Key Recovery | Risk of permanent identity loss due to lost private keys | Development of secure and user-friendly key recovery mechanisms
Standardization | Lack of uniformity across different DID methods and platforms | Collaborative efforts to establish common standards and ensure interoperability
Interoperability | Difficulty in using DIDs across different systems | Development of universal resolvers and bridging technologies
Regulatory Compliance | Uncertainty around legal recognition and adherence to data privacy laws | Engagement with regulatory bodies, development of privacy-preserving DID methods and frameworks

DID and Blockchain: A Symbiotic Relationship for Secure Decentralized Identity

DID and blockchain technology share a strong and mutually beneficial relationship that underpins the foundation of secure decentralized identity ecosystems. Blockchain technology provides decentralization, immutability, and transparency. These qualities become a robust foundation for anchoring DIDs and establishing a secure and immutable infrastructure for decentralized identity as a whole.

Blockchain’s distributed ledger technology provides an immutable and transparent record for DIDs, ensuring their integrity and verifiability. Its decentralized nature eliminates single points of failure and reduces the risk of data tampering. Various blockchain platforms are utilized for DID, including Bitcoin (ION), Ethereum (Ethr-DID), and Hyperledger Indy, each offering unique characteristics. Decentralized Web Nodes (DWN) and the InterPlanetary File System (IPFS) further extend the capabilities of DIDs by providing decentralized storage solutions for DID-related data.

The Future of Identity in a Decentralized World

Ultimately, DID offers significant benefits for enhancing privacy and security in the digital realm. By empowering individuals with control over their identity data and reducing reliance on centralized authorities, DID presents a compelling alternative to traditional identity management systems. Its potential to reshape the digital identity landscape and the broader decentralized cybersecurity paradigm is immense.

Looking ahead, several key trends are expected to drive the future adoption and evolution of DID. These include the increasing adoption of verification through digital credentials, the continued momentum of decentralized identity adoption across various sectors, the growing importance of trust in digital interactions, and the convergence of AI and verifiable credentials to reshape certain digital experiences. While DID holds great promise, its widespread realization depends on addressing existing challenges related to user experience, security of private keys, standardization, and regulatory clarity. This exploration dove into decentralized identifiers and their impact on privacy and security.

In Part 3 this decentralized journey continues into exploring the role of Zero-Knowledge Proofs in enhancing data security.

Unlock Superior Threat Protection: The Power of Identity Risk Intelligence in CTEM

Modern cyber defenses increasingly need to be identity-centric. Many industry thought leaders have homed in on this, giving rise to the often-heard "identity is the new perimeter". Consequently, attackers do indeed now find it easier to log in rather than break in (https://www.tenable.com/webinars/embracing-identity-security-as-part-of-continuous-threat-exposure-management-ctem). In fact, some research shows that up to 80% of breaches involve compromised or stolen identities, typically due to poor identity hygiene (https://www.crowdstrike.com/en-us/resources/infographics/identity-security-risk-review/). As such, let's aim to unlock superior threat protection: the power of identity risk intelligence in CTEM.

Recognizing this shift in reality, security leaders are embracing Continuous Threat Exposure Management (CTEM) as a proactive program. The goal here is to continuously uncover and mitigate all forms of risk exposure, including identity-related risks (https://www.oneidentity.com/learn/what-is-ctem.aspx). CTEM aims to move security from the reactive to a continuous, iterative cycle focused on what most threatens a given business.

Identity as the New Perimeter in CTEM

At this point it is clear that traditional security perimeters have dissolved with the rise of cloud services, mobile workforces, and remote access. With identity as the new de facto perimeter, verifying who is accessing assets is now foundational for trust. Attackers capitalize on identity systems like Active Directory (AD) and Azure AD to gain illicit access, monetize stolen data, and maintain persistence. A recent industry threat report found that 79% of detected attacks were "malware-free", indicating adversaries are using valid credentials and living off the land instead of deploying malware (https://www.crowdstrike.com/en-us/blog/how-three-industry-leaders-are-stopping-identity-based-attacks-with-crowdstrike/).

In cloud ecosystem breaches, valid account abuse has become the top initial access method in over a third of incidents​. These trends underscore that protecting identity systems (authentication, credentials, and privileges) is now mission-critical. Compounding matters, identity-driven attacks now readily bypass traditional network defenses. For example, in the Microsoft Midnight Blizzard breach, a nation-state actor gained access by password-spraying a test account that lacked multi-factor authentication (MFA). In another case, attackers used stolen Okta credentials to impersonate user sessions (bypassing MFA) and compromise multiple Okta customers’ data​ (https://www.savvy.security/blog/top-10-identity-security-breaches-of-2024-so-far/). Each of these illustrates how inadequate identity controls (e.g. weak passwords, absent MFA, or misconfigurations) can undermine an organization’s defenses. A CTEM program must treat identity as a primary attack surface and continuously scope, monitor, and harden it.

Attack Surface Expansion via Identity Sprawl

The challenge for defenders is magnified by identity sprawl: the proliferation of user and service accounts across on-premises, multi-cloud, and external SaaS environments. Enterprises today use hundreds of SaaS applications, with the average large organization using over 200 (https://www.idsalliance.org/blog/best-practices-to-ensure-successful-real-time-iga-2). This sprawl results in thousands of accounts and credentials that security teams must try to keep track of. Employees are only one factor; there are also contractors, partners, customers, and a booming number of Non-Human Identities (NHIs) (https://entro.security/blog/use-case-secure-non-human-identities/). Some research suggests that NHIs now outnumber human users by as much as 50 to 1 in many organizations. Each of these identities is a potential path of ingress. If these accounts and their access rights aren’t centrally visible and controlled, they become part of an expanding, fragmented attack surface.

Properly managing this sprawl is difficult. Users often accumulate multiple accounts (e.g. separate logins for different cloud platforms or dev/test systems). Dormant or orphaned accounts frequently persist after employees leave or vendor contracts end. Over time, over-permissioning creeps in: users and service principals accumulate far more access than they need, violating the principle of least privilege. Hybrid and multi-cloud architectures add complexity and lead to inconsistent security controls. As the Identity Defined Security Alliance warns, “identity sprawl and over-permissioning… is accelerating” (https://www.idsalliance.org/blog/best-practices-to-ensure-successful-real-time-iga-2). Each unmanaged identity or excessive privilege expands the attack surface and needs to be accounted for in a CTEM strategy.

The CTEM Framework and the Identity Component

CTEM, as introduced by Gartner, is structured as an iterative five-stage cycle aimed at continuously reducing an organization’s exposure to threats (https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes). Rather than a one-time effort, CTEM is an ongoing program that repeats these stages to adapt to evolving threats. The five CTEM stages are:

  • Scoping: define the organization’s full attack surface: all systems, applications, data, and identities that could be targeted. This includes not only servers and devices but also corporate social media accounts, code repositories, and third-party services. Crucially, scoping must cover identity stores (e.g. AD/Azure AD, IAM systems) and the credentials in circulation, including credentials that may already be in attackers’ hands; exposed credentials are part of the scope.
  • Discovery: perform in-depth discovery of assets and exposures. This goes beyond traditional Operating System (OS) vulnerability scanning and penetration testing: it must factor in software vulnerabilities and resource misconfigurations, and it must include IAM issues such as weak configurations, excessive privileges, or unknown accounts. As One Identity notes, discovery “must also include IAM assets like identities and access rights” to build a complete matrix of assets, vulnerabilities, threats, and business impact (https://www.oneidentity.com/learn/what-is-ctem.aspx). In practice, this means identifying every user and service account and evaluating its risk profile (e.g. whether its credentials have been exposed, or whether its owner’s device shows signs of an infostealer infection).
  • Prioritization: analyze and rank identified exposures by urgency and impact. A critical vulnerability on a low-value system might rank below an identity exposure such as an admin account with no MFA or a leaked credential. CTEM calls for a risk-based list that weighs threat likelihood, business impact, and the effectiveness of existing controls. Identity context is essential here: exposures involving highly privileged or widely used identities (e.g. domain admins or SSO accounts) should rank highest because of their impact if compromised.
  • Validation: rigorously test and validate the true exploitability of the prioritized exposures. Moreover, validate the relevant protective mechanisms that are in place. This may involve penetration testing or red-team exercises that simulate identity-based attacks (for instance, attempting lateral movement with a captured credential to see if detection tools trigger). Validation ensures that assumed risks are real, and that proposed mitigations (like stricter access controls) actually add protective value.
  • Mobilization: mobilize the organization to remediate and reduce exposure. This stage is about taking action. Action could take the form of patching vulnerabilities, addressing identity and access misconfigurations, closing policy gaps, or improving processes​. It requires engaging stakeholders (IT, DevOps, business units) and implementing changes. Mobilization transitions CTEM findings into real risk reduction, after which the cycle repeats.

Gartner predicts that organizations that proactively adopt continuous exposure management will be three times less likely to suffer a breach by 2026 (https://www.oneidentity.com/learn/what-is-ctem.aspx). Achieving that requires treating identity exposures on par with software vulnerabilities. CTEM provides the framework, but it demands directed strategies, new practices, and intelligence focused on identities. This is where identity risk intelligence comes into play.

From Identity and Access Management to Identity Risk Intelligence: Big Difference

It’s important to distinguish Identity and Access Management (IAM) tools from identity risk intelligence capabilities. IAM (including identity governance and privileged access management) is primarily about enabling and restricting access:

  • Authentication: ensuring users are who they claim
  • Authorization: granting the right level of access to resources
  • Provisioning and Deprovisioning: managing the lifecycle of identity accounts and permissions

IAM solutions strengthen account hygiene and enforce policies up front: requiring MFA, rotating passwords, or limiting who can access a sensitive database. These are critical preventive controls, but by themselves they don’t provide visibility into active threats targeting identities.

Identity risk intelligence, by contrast, focuses on the threats and risk indicators associated with identities on an ongoing basis. Gartner has coined the term Identity Threat Detection and Response (ITDR) for the emerging security discipline that fills this gap. Identity risk intelligence is a key component of ITDR. Unlike traditional IAM, which might flag a policy violation or require periodic access reviews, identity risk intelligence is more proactive and context-driven. For example, IAM might ensure a user has a strong password; identity risk intelligence will alert if that password later appears in a public breach database or if the user suddenly logs in from an unusual location at some odd hour. In essence, IAM asks “Who should have access, and are they authenticated?” whereas identity risk intelligence asks “What is this identity doing, and does that behavior or configuration pose a risk?”.

Several areas may fall under identity risk intelligence:

  • Exposure of Credentials and Secrets: tracking whether user passwords, API keys, or session tokens have been leaked or are weak. For instance, monitoring dark web and breach data for any of an organization’s accounts can reveal stolen credentials before attackers use them. This goes beyond standard IAM by ingesting external threat intelligence relevant to identity compromise.
  • User Behavior Analytics (UBA): establishing baselines of normal user and service account behavior and detecting anomalies. Sudden privilege escalations, a typically dormant admin account becoming active, or sessions from new geolocations could indicate account takeover. Identity-focused UBA provides continuous risk scoring of identities’ behavior.
  • Identity Threat Detection: real-time detection of attacks on the identity infrastructure itself, such as password spraying, brute force, and MFA fatigue (push bombing).

In summary, identity risk intelligence is about having unified visibility and analytics across all types of identities (software, human, and machine) and feeding that into some risk management program. It complements IAM by focusing on continuous monitoring, threat detection, and risk-based decision-making around identities. This unified approach lowers the risk of dangerous identity conditions slipping through gaps between siloed IAM, PAM, and governance tools. In a CTEM context, identity risk intelligence supplies the data needed to uncover and prioritize identity exposures. It also helps validate that identity-focused attacks are being detected, and ideally, stopped.
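Detection logic of the kind described above, as an added example rather than code from the original article or from any vendor’s product: three detections (password spray, MFA push fatigue, and anomalous-location login) run over a constructed authentication log. The pipe-delimited line format, the result names and the per-user country baseline are assumptions; a real deployment would map the IdP’s own event types (push sent, push denied, push approved, and so on) onto them.

```python
"""Identity threat detections over authentication events (added example; not
the article's code nor any vendor's). Runs three detections IAM policy alone
will not produce over a constructed in-memory log. The 'ts|user|src_ip|country|
result' format and result names are assumptions, not a real IdP schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    result: str  # failure | success | push_sent | push_denied | push_approved


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """
2024-05-01T02:00:05|alice|203.0.113.9|NL|failure
2024-05-01T02:00:07|bob|203.0.113.9|NL|failure
2024-05-01T02:00:09|carol|203.0.113.9|NL|failure
2024-05-01T02:00:12|dave|203.0.113.9|NL|failure
2024-05-01T02:00:15|erin|203.0.113.9|NL|failure
2024-05-01T02:30:00|frank|192.0.2.10|US|success
2024-05-01T03:10:00|frank|198.51.100.7|RU|push_sent
2024-05-01T03:10:30|frank|198.51.100.7|RU|push_denied
2024-05-01T03:11:00|frank|198.51.100.7|RU|push_sent
2024-05-01T03:11:30|frank|198.51.100.7|RU|push_sent
2024-05-01T03:12:00|frank|198.51.100.7|RU|push_approved
2024-05-01T03:12:05|frank|198.51.100.7|RU|success
"""
# Assumed per-user baseline: countries seen in prior legitimate logins.
BASELINE = {u: {"US"} for u in ("alice", "bob", "carol", "dave", "erin", "frank")}


def parse_events(text):
    """Parse log lines into time-ordered AuthEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split("|")
        events.append(AuthEvent(datetime.fromisoformat(ts), user, ip, country, result))
    return sorted(events, key=lambda e: e.ts)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """One source IP, many users, few failures each: the low-and-slow profile
    that per-account lockout thresholds are tuned to miss."""
    by_ip, alerts = defaultdict(list), []
    for e in events:
        if e.result == "failure":
            by_ip[e.src_ip].append(e)
    for ip, fails in by_ip.items():
        for start in fails:
            per_user = defaultdict(int)
            for f in fails:
                if start.ts <= f.ts < start.ts + window:
                    per_user[f.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({"type": "password_spray", "src_ip": ip,
                               "users": sorted(per_user), "first_seen": start.ts})
                break  # one alert per source IP is enough
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=4):
    """A burst of push prompts the user did not initiate, ending in an approval;
    the approval is what turns an annoyance into an account takeover."""
    by_user, alerts = defaultdict(list), []
    for e in events:
        if e.result.startswith("push_"):
            by_user[e.user].append(e)
    for user, pushes in by_user.items():
        for i, p in enumerate(pushes):
            if p.result != "push_approved":
                continue
            prior = [q for q in pushes[:i] if q.result != "push_approved" and q.ts >= p.ts - window]
            if len(prior) >= min_pushes:
                alerts.append({"type": "mfa_fatigue", "user": user,
                               "pushes_before_approval": len(prior), "approved_at": p.ts})
    return alerts


def detect_anomalous_logins(events, baseline, travel_window=timedelta(hours=1)):
    """Success from outside the user's country baseline, or two successes from
    different countries too close together to be one person."""
    alerts, last_ok = [], {}
    for e in events:
        if e.result != "success":
            continue
        if e.country not in baseline.get(e.user, set()):
            alerts.append({"type": "new_country", "user": e.user, "country": e.country,
                           "src_ip": e.src_ip, "at": e.ts})
        prev = last_ok.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts <= travel_window:
            alerts.append({"type": "impossible_travel", "user": e.user,
                           "from": prev.country, "to": e.country, "at": e.ts})
        last_ok[e.user] = e
    return alerts


def run_all(text=SAMPLE_LOG, baseline=BASELINE):
    """Run every detection over the log and return the combined alert list."""
    events = parse_events(text)
    return (detect_password_spray(events) + detect_mfa_fatigue(events)
            + detect_anomalous_logins(events, baseline))
```

The thresholds are the tuning knobs. Keying the spray detector on distinct users per source IP rather than failures per account is what catches an attacker who deliberately stays under lockout limits, and the fatigue rule only fires on an approval, which is the event actually worth paging on; a burst of denials is a hygiene signal, not an incident.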

Real-World Breaches Underscoring Identity Risk

CTEM program designers should study real-world breaches to understand how identity weaknesses translate into business risk. Here are a few illustrative cases:

  • Lack of MFA: in the Change Healthcare breach (February 2024), ALPHV/BlackCat ransomware actors exfiltrated some 4 terabytes of health data after finding a remote-access (Citrix portal) account that had no MFA (https://www.savvy.security/blog/top-10-identity-security-breaches-of-2024-so-far/). Without MFA, a stolen password was all it took. The incident disrupted healthcare operations nationwide and cost over $1B in recovery, all traced back to a single identity exposure. Similarly, the Midnight Blizzard attack on Microsoft’s environment (late 2023) exploited a non-production test account without MFA, showing that even test or service accounts can lead to catastrophic breaches if left unsecured. These cases underscore the need to enforce MFA universally and to audit for accounts that sit outside SSO or MFA coverage. This step is non-negotiable for reducing the attack surface.
  • Supply Chain Effect: in the October 2023 Okta support system breach, attackers obtained credentials for a service account with access to Okta’s customer support system. With that access, they downloaded HAR files that customers had uploaded for troubleshooting; those files contained session tokens, and replaying them let the attackers impersonate customer administrators without facing an MFA prompt, since the captured sessions were already authenticated. This case highlights the cascading risk when an identity platform itself is compromised. A CTEM strategy must account for third-party identity risk, include vendors like Okta and Microsoft in regular risk assessments, and treat diagnostic artifacts such as HAR files as secrets to be sanitized before sharing.
  • Privileged Account Compromise: a 2024 analysis by BeyondTrust noted that compromised privileged identities accounted for 33% of security incidents, up from 28% the year before (https://www.beyondtrust.com/blog/entry/the-state-of-identity-security-identity-based-threats-breaches-security-best-practices). The Uber 2022 incident is a well-known example: an attacker obtained an external contractor’s corporate credentials (Uber believes they were bought on a dark web marketplace after an infostealer infected the contractor’s personal device), then flooded the contractor with MFA push requests (MFA fatigue) while contacting them posing as Uber IT support, until one request was approved. This granted VPN access and led to a major internal compromise. Such breaches show why administrative identities need extra safeguards: phishing-resistant MFA, number matching on any remaining push prompts, risk-based authentication, and monitoring of admin actions. Just-in-time privilege adds another layer: stolen admin credentials are useless outside a narrow, approved elevation window.
  • Cloud Identity Misconfigurations: many cloud breaches stem from identity and access misconfigurations in multi-cloud environments. A leaked AWS access key or an overly permissive cloud IAM role can open the door. CTEM must treat cloud entitlements (managed by Cloud Infrastructure Entitlement Management (CIEM) tools) as part of identity risk intelligence. The 2019 Capital One breach is the canonical example: a server-side request forgery flaw in a misconfigured web application firewall let the attacker query the EC2 instance metadata service for the instance role’s temporary credentials, and because that role was over-privileged, the attacker could list and read S3 buckets the application never needed. Although older, the case set the precedent that cloud IAM review is vital. Modern CTEM programs use CIEM tooling to continuously check for unused high-privilege roles, access keys that are never rotated, wildcard permissions, and cross-account trusts that could be abused.

In each of these scenarios, a failure in identity controls either enabled the breach or worsened its impact. They illustrate why identity exposures need to be surfaced and prioritized within an exposure management strategy. Either way, the message is clear: if you’re not actively looking for identity-related risks, your adversaries certainly are.
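As an added example (not the article’s code, and not any CIEM product’s rule set), the following Python linter checks AWS IAM policy documents for the conditions just listed: wildcard actions and resources, known privilege-escalation actions granted on `Resource "*"`, and role trust policies that admit anyone or another account without an `sts:ExternalId` condition. The policy JSON is the real IAM document format; the role name, bucket and account IDs are constructed placeholders, and the severity labels are an assumption.

```python
"""Lint AWS IAM policy documents for the misconfigurations a CIEM check hunts
for (added example; not the article's code nor any CIEM product's logic).
The JSON is the real IAM policy document format; the sample policies and the
account IDs are constructed placeholders."""
import json
from collections import namedtuple

Finding = namedtuple("Finding", "role severity message")

# Actions that, granted on Resource "*", give a path to full account takeover.
PRIV_ESC_ACTIONS = {"iam:passrole", "iam:createaccesskey", "iam:attachrolepolicy",
                    "iam:putrolepolicy", "iam:updateassumerolepolicy", "sts:assumerole"}


def _as_list(v):
    """IAM allows a bare string wherever it allows a list."""
    return v if isinstance(v, list) else [v]


def lint_permissions(doc, role):
    """What the role may do: flag wildcards and privilege-escalation primitives."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(Finding(role, "MEDIUM", "NotAction allows everything not listed; enumerate actions instead"))
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(Finding(role, "CRITICAL", "Action * on Resource * is full administrative access"))
            continue
        for a in actions:
            if a.endswith(":*"):
                findings.append(Finding(role, "HIGH", f"service-wide wildcard {a}"))
            if a.lower() in PRIV_ESC_ACTIONS and "*" in resources:
                findings.append(Finding(role, "HIGH", f"{a} on Resource * enables privilege escalation"))
        if "*" in resources:
            findings.append(Finding(role, "MEDIUM", f"Resource * for {actions}; scope to explicit ARNs"))
    return findings


def lint_trust(doc, role, home_account):
    """Who may assume the role: anyone, or another account without an ExternalId?"""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(Finding(role, "CRITICAL", "trust policy lets any principal assume this role"))
            continue
        has_external_id = "sts:ExternalId" in json.dumps(stmt.get("Condition", {}))
        for arn in aws:
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn
            if account != home_account and not has_external_id:
                findings.append(Finding(role, "HIGH",
                                        f"cross-account trust of {account} without sts:ExternalId (confused deputy)"))
    return findings


def lint_role(role, permissions_json, trust_json, home_account):
    """Combined findings for one role, most severe first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    findings = (lint_permissions(json.loads(permissions_json), role)
                + lint_trust(json.loads(trust_json), role, home_account))
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed: the over-permissive role a CIEM scan should flag...
WEAK_PERMS = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}"""
WEAK_TRUST = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
   "Action": "sts:AssumeRole"}]}"""

# ...and the same role scoped to what the workload actually needs.
TIGHT_PERMS = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::pipeline-input", "arn:aws:s3:::pipeline-input/*"]}]}"""
TIGHT_TRUST = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}"""

HOME_ACCOUNT = "111111111111"  # placeholder for the account being audited

if __name__ == "__main__":
    for f in lint_role("data-pipeline", WEAK_PERMS, WEAK_TRUST, HOME_ACCOUNT):
        print(f"[{f.severity}] {f.role}: {f.message}")
    print("hardened role findings:", lint_role("data-pipeline", TIGHT_PERMS, TIGHT_TRUST, HOME_ACCOUNT))
```

The weak role produces five findings (three HIGH, two MEDIUM) and the scoped role none. Two points carry over to real scans: `iam:PassRole` on `Resource "*"` is as dangerous as an admin policy because it lets the holder hand any role, including an administrative one, to a service they control; and a cross-account trust without an `ExternalId` is the confused-deputy setup that lets a third party’s own compromise become yours.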

Identity-Centric CTEM Success Stories

Not all is gloom and doom; some organizations have embraced an identity-focused approach to CTEM and are reaping the benefits. By integrating identity risk intelligence into their security operations, they are catching attacks earlier and addressing gaps proactively. Here are two examples of organizations that used identity risk intelligence to strengthen their security posture:

  • Dark web credential monitoring – Texas Mutual, a large insurance provider, recognized that many of their user accounts (including those of infrequent users like board members or policyholders) could be targeted by attackers if their credentials were exposed​. As part of their CTEM efforts, they deployed a commercial identity threat protection platform. One component continuously monitors dark web and criminal forums for any mention of Texas Mutual user credentials. When a leaked username/password is found, the security team is alerted immediately. They can then take action before any nefarious activity takes place. This approach transforms credential theft from a hidden danger into a manageable risk.
  • Risk-Based identity protection – Borden Ladner Gervais (BLG), Canada’s largest law firm, adopted an identity-centric security strategy to protect sensitive client data. Partnering with a managed service provider, they implemented 24/7 identity threat monitoring and real-time, risk-based conditional access. Each login attempt is evaluated using signals like device hygiene, user role, and location. High-risk events, such as privileged logins from unusual geographies, are blocked or escalated. An AI-driven engine continuously scores identity risk, flags exposed credentials, and enforces immediate password changes. It also detects dormant accounts and triggers their removal. BLG’s operationalized identity risk intelligence enables rapid detection and response to identity anomalies, directly supporting CTEM’s goal of continuous exposure reduction.

These case studies illustrate tangible benefits:

  • Early detection of credential compromise
  • Automated blocking of suspicious logins
  • Elimination of unnecessary privileges

They also show that technology and managed services are available to help achieve these outcomes. The key is integrating these tools and practices into a broader CTEM strategy – treating identity risks as first-class citizens alongside software vulnerabilities, OS, and network threats.

Recommendations for Leveraging Identity Risk Intelligence in CTEM

To build a CTEM program with strong identity-centric coverage, organizations should consider the following strategic and tactical recommendations:

  • Adopt an “Identity-First” security strategy – make identity security a leadership and board-level priority alongside application, data, API, endpoint and network security.
  • Embrace Zero Trust (ZT) principles – assume any identity could be compromised and require continuous verification of users and devices. Treat your identity providers (AD, Azure AD, IAM systems) as critical infrastructure and resource them accordingly. This strategic shift ensures that investments in identity risk intelligence are supported from the top down.
  • Enforce strong authentication everywhere – the “everywhere” part is essential. Enable MFA for all users and critical accounts, including service accounts where possible; this blunts credential stuffing and password spraying outright. Several known breaches, including Change Healthcare and Microsoft, would have been stopped by it. For high-privilege accounts, push toward phishing-resistant methods (FIDO2/WebAuthn security keys, passkeys, or certificate-based authentication). App-based OTP and push approvals are not phishing-resistant: an adversary-in-the-middle proxy relays OTP codes in real time, and push prompts are exactly what MFA fatigue abuses, so for administrators they should be the fallback, not the standard.
  • Gain visibility into all identities and privilege levels – continuously inventory every identity in your environment: human, service, application and machine identities, across on-prem and multi-cloud. This type of inventory (https://www.plerion.com/cloud-knowledge-base/identity-inventory) is becoming more important than the traditional asset inventory. Map what systems each identity can access and with what privileges; this intelligence is foundational for CTEM. Use tooling to enumerate accounts in AD, Azure AD, SaaS apps, AWS IAM, and so on, and centralize the data. Pay special attention to dormant, shared, default, and third-party accounts. Disable or remove what is not actually needed (especially legacy accounts) and tighten privileges for what remains. Reducing identity clutter shrinks the attack surface significantly.
  • Continuously monitor identity activity and risk – this cannot be overstated. Point-in-time snapshots are no longer enough; the environment changes too fast and too often. Integrate identity telemetry into security operations center (SOC) monitoring: breach data, cybercrime forum data, infostealer logs, login logs, privilege-use logs, IAM change logs, and alerts from identity protection tools. Establish baselines and let automated systems flag outliers (e.g. an admin logging in from an unusual IP, or a service account suddenly accessing new resources).
  • Implement an ITDR solution – aim for real-time detection of identity-based threats that IAM alone won’t catch, paired with real-time response (e.g. if a user’s credentials are found on the dark web, immediately reset them, revoke the user’s active sessions, and require step-up authentication on the next login).
  • Integrate identity risk intelligence into risk assessments and incident response – when prioritizing risks (the CTEM Prioritization stage), include identity signals. Develop scoring or a posture rating that raises risk for identity assets that have been part of data leaks and/or have high-privilege access. Additionally, update incident response plans to account for identity compromise scenarios (have playbooks for rapid credential resets, terminating all sessions for a user, or evicting attackers from cloud accounts). Practicing these in drills (e.g. simulate a leaked password scenario) will improve resilience.
  • Apply the principle of least privilege – make it a continuous effort to adjust privileges. Privileges should no longer be a set and forget mechanism. Also, use identity analytics or governance tools to detect over-privileged accounts and roles, and then remediate them (via access reviews or automated role mining). When done properly, least privilege drastically limits what an identity compromise can achieve.
  • Apply Just-in-Time (JIT) access – treat JIT access as the replacement for standing privileged access. Privileges are activated only when needed, with approval and logging, and expire automatically. In this model, even an attacker holding an elevated account’s credentials cannot do damage unless they can also pass the elevation workflow at the moment they need it.
  • Address identity misconfigurations and hygiene issues proactively – treat misconfigurations in identity systems as seriously as OS or software vulnerabilities. Regularly audit configurations in identity stores and cloud IAM settings. Known attack paths often rely on poor configurations, security teams must find and fix them before attackers do. For example, avoid setting service account passwords to never expire. Also, remove any redundant admin accounts to reduce unnecessary risk. These hygiene improvements reduce the number of “easy wins” an attacker might find if they penetrate your ecosystem​.
  • Leverage automation for identity risk analysis – the scale of identity data (thousands of accounts, millions of logins) demands automation. Invest in solutions that use machine learning to assess risk continuously (focusing on the patterns humans might miss or sheer volume alone make unrealistic). As an example, risk-based authentication systems automatically adjust requirements when they detect elevated risk. Add intelligence to some of these solutions and a model can surface a user whose behavior subtly changes following a phishing campaign, or flag a rarely used service account that suddenly starts querying a database.
  • Unify identity risk intelligence with CTEM programs – ensure that all identity risk insights feed into your overall CTEM data sets. When you communicate exposure levels to executives, include identity metrics (number of known exposed accounts, high-risk accounts, SSO coverage gaps, etc.) alongside vulnerabilities and patch status. As part of your program metrics, develop KPIs like:
    • Number of third-party breach datasets in which this organization’s identities appear
    • Average time to reset compromised credentials
    • Number of identities from this organization with known infostealer infections
    • Number of attempts to log in to our systems via exposed session tokens
    • MFA coverage percentage (with privileged accounts broken out)
    • Number of stale identities from this organization removed this quarter
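Identity inventory, scoring and KPIs in one place. As an added example, not the article’s code nor any product’s, the block below consolidates constructed exports from three identity stores into one inventory, scores each identity from the signals discussed under the Prioritization stage and the recommendations above (privilege, MFA, dormancy, leaked credentials, infostealer hits), and computes several of the KPIs just listed. The export field names, the score weights and the breach/infostealer feeds are all assumptions standing in for real exports and threat-intelligence data.

```python
"""Consolidated identity inventory, exposure scoring and CTEM KPIs (added
example; not the article's code nor any product's). Exports from three
identity stores are normalized into one inventory, each identity is scored
from the signals the article names, and the KPIs listed above are computed.
All records, field names, weights and feeds are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2024, 5, 1)            # fixed "now" so the output is reproducible
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Identity:
    uid: str                        # "<store>:<name>", unique across stores
    kind: str                       # human | service | nhi
    email: Optional[str]
    privileged: bool
    mfa: Optional[bool]             # None: not applicable (access keys, tokens)
    last_used: Optional[date]


# Constructed exports; field names mimic each store but are assumptions.
AD_EXPORT = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "memberOf": ["Staff"],
     "lastLogon": "2024-04-20", "mfaEnrolled": True, "type": "user"},
    {"sAMAccountName": "svc-backup", "mail": None, "memberOf": ["Domain Admins"],
     "lastLogon": "2024-01-02", "mfaEnrolled": False, "type": "service"},
    {"sAMAccountName": "old-vendor", "mail": "vendor@partner.example", "memberOf": ["Staff"],
     "lastLogon": "2023-10-01", "mfaEnrolled": False, "type": "user"},
]
ENTRA_EXPORT = [
    {"upn": "admin-contractor@example.com", "roles": ["Global Administrator"],
     "lastSignIn": "2024-04-28", "mfaRegistered": False},
    {"upn": "bob@example.com", "roles": [], "lastSignIn": "2024-04-30", "mfaRegistered": True},
]
AWS_IAM_EXPORT = [
    {"UserName": "ci-deploy", "AttachedPolicies": ["AdministratorAccess"],
     "AccessKeyLastUsed": "2024-04-30"},
]
# Stand-ins for breach-data and infostealer-log feeds (constructed).
LEAKED_CREDENTIALS = {"admin-contractor@example.com", "vendor@partner.example"}
INFOSTEALER_VICTIMS = {"bob@example.com"}


def _d(s):
    return date.fromisoformat(s) if s else None


def build_inventory():
    """One adapter per store; the Identity schema is what everything else uses."""
    inv = []
    for r in AD_EXPORT:
        inv.append(Identity(f"ad:{r['sAMAccountName']}", "service" if r["type"] == "service" else "human",
                            r["mail"], "Domain Admins" in r["memberOf"], r["mfaEnrolled"], _d(r["lastLogon"])))
    for r in ENTRA_EXPORT:
        inv.append(Identity(f"entra:{r['upn']}", "human", r["upn"],
                            any("Administrator" in x for x in r["roles"]), r["mfaRegistered"], _d(r["lastSignIn"])))
    for r in AWS_IAM_EXPORT:
        inv.append(Identity(f"aws:{r['UserName']}", "nhi", None,
                            "AdministratorAccess" in r["AttachedPolicies"], None, _d(r["AccessKeyLastUsed"])))
    return inv


def exposure_score(i, today=TODAY):
    """Additive, capped score plus its reasons, so every ranking is explainable."""
    dormant = i.last_used is None or today - i.last_used > DORMANT_AFTER
    rules = [
        (i.privileged, 20, "privileged"),
        (i.mfa is False, 25, "no_mfa"),
        (i.privileged and i.mfa is False, 15, "privileged_without_mfa"),  # compound risk
        (dormant, 15, "dormant"),
        (i.email in LEAKED_CREDENTIALS, 30, "credential_leaked"),
        (i.email in INFOSTEALER_VICTIMS, 35, "infostealer"),
    ]
    hits = [(w, r) for cond, w, r in rules if cond]
    return min(sum(w for w, _ in hits), 100), [r for _, r in hits]


def prioritize(inv):
    """CTEM prioritization input: highest exposure first, ties broken by name."""
    rows = [(exposure_score(i)[0], i.uid, exposure_score(i)[1]) for i in inv]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def kpis(inv):
    applicable = [i for i in inv if i.mfa is not None]     # NHIs have no MFA to cover
    return {
        "mfa_coverage_pct": round(100 * sum(i.mfa for i in applicable) / len(applicable), 1),
        "identities_in_breach_data": sum(i.email in LEAKED_CREDENTIALS for i in inv),
        "identities_with_infostealer_hits": sum(i.email in INFOSTEALER_VICTIMS for i in inv),
        "privileged_without_mfa": sum(i.privileged and i.mfa is False for i in inv),
        "stale_identities": sum("dormant" in exposure_score(i)[1] for i in inv),
    }


if __name__ == "__main__":
    inventory = build_inventory()
    for score, uid, reasons in prioritize(inventory):
        print(f"{score:3d} {uid:40s} {','.join(reasons)}")
    print(kpis(inventory))
```

The weights are deliberately explainable rather than learned: every score carries its reasons so the Mobilization step knows what to fix, and the compound rule for privileged-without-MFA is what pushes the leaked, MFA-less Global Administrator to the top, above the dormant domain admin service account. Whatever weights you choose, keep the KPI denominators honest: MFA coverage is computed only over identities to which MFA can apply, otherwise every access key silently drags the percentage down.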

This reinforces that identity risk management is an integral part of exposure management. 

CTEM should break down silos. For example, use CTEM’s Mobilization phase to bring together the IAM team (to implement policy changes) and the SOC team (to tune detections) when an identity risk needs mitigation. Over time, organizations build a culture of continuous improvement by addressing identity-related findings as routinely as OS and software patches.

By following these recommendations, organizations can significantly strengthen their security posture against identity-centric threats. The goal is to be proactive, don’t wait for an identity breach to force action. Instead, continuously hunt for identity weaknesses and address them on your own terms. This will reduce your overall attack surface and threat exposure while complementing all the other security efforts under your CTEM program.

In today’s threat landscape, protecting identities is as vital as patching servers or monitoring networks. Identities are the keys to the kingdom, the pathway into your ecosystems, and attackers know it. Their tactics prove this. CTEM provides a powerful framework to systematically reduce risk, but it only achieves its full promise when identity risk intelligence is brought into the fold. Identity risk intelligence is the missing piece that turns CTEM into a truly comprehensive defense strategy. Organizations can close the gaps attackers most eagerly exploit by continuously analyzing who has access to what, how they use that access, and where identity-driven weaknesses exist.

The convergence of IAM, ITDR, and CTEM practices represents a shift toward identity-first security. For security leaders and professionals, the message is clear: make identity a cornerstone of your continuous risk management. Those who do so will greatly enhance their resilience and stay ahead of adversaries who are relentlessly probing for that one weak login or forgotten account to open the door. By leveraging identity risk intelligence within CTEM, organizations can dramatically lower their odds of identity-related breaches. Moreover, they can build a modern cyber defense that truly leaves attackers with no easy way in, with identity risk intelligence as the missing piece in continuous threat exposure management.

Identity Risk Intelligence and its role in Disinformation Security

From Indicators to Identity: A CISO’s guide to identity risk intelligence and its role in disinformation security

Signals, or indicators, are powerful to those who understand them, and they are the basis for identity risk intelligence and its role in disinformation security. For years, cybersecurity teams have anchored their defenses on Indicators of Compromise (IOCs), such as IP addresses, domain names, and file hashes, to identify and neutralize threats.

Technical artifacts offer security value, but alone they are weak against advanced threats. Attackers can spoof their traffic sources and rapidly cycle through their operational infrastructure. Malicious IP addresses change quickly, making reactive blocking a losing race, and a flagged IP may be a transient Tor exit node or a shared VPN egress rather than the attacker’s own system. Similarly, malware file hashes are static and trivially altered: appending a single byte changes a hash in seconds and evades signature-based detection. Polymorphic malware, which mutates its code with each new copy, compounds the problem and renders hash-based detection largely ineffective on its own.

Cybersecurity teams that subscribe to voluminous threat intelligence feeds face an overwhelming influx of data, much of which loses relevance within hours or days. These massive IOC blocklists go stale because attacker infrastructure is ephemeral and malware signatures are easy to change. The resulting overload makes it hard for analysts and operations teams to separate genuine threats from noise and to build proactive protections from the feed. Worse, indicator-centric intelligence describes the artifacts of an attack but rarely identifies the actor responsible, and so offers little insight into how to prevent the next attack from the same adversary.

The era of readily identifying malware before user execution is largely behind us. Contemporary security breaches frequently involve elements that traditional IOC feeds cannot reveal – most notably, compromised identities. Verizon’s 2024 Data Breach Investigations Report (DBIR) indicated that the use of stolen credentials has been a factor in nearly one-third (31%) of all breaches over the preceding decade (https://www.verizon.com/about/news/2024-data-breach-investigations-report-emea). This statistic is further underscored by Varonis’ 2024 research, which revealed that 57% of cyberattacks initiate with a compromised identity (https://www.varonis.com/blog/the-identity-crisis-research-report).

Essentially, attackers are increasingly opting to log in rather than hack in. They exploit exposed valid username and password combinations obtained through phishing campaigns, bought on dark web marketplaces, or harvested from earlier data breaches. With these credentials, attackers impersonate legitimate users and quietly bypass numerous security controls. The same applies to stolen authenticated session tokens, which sidestep Multi-Factor Authentication (MFA) entirely because the challenge was already satisfied by the real user. While many CISOs treat MFA as a panacea, it does not address the fundamental risk of compromised identities. IOCs and traditional defenses miss attacks carried out by seemingly legitimate, compromised users. This shift demands a proactive, forward-thinking approach, and it is leading strategists to pivot toward identity-centric cyber intelligence.

Identity intelligence shifts the focus from technical IOCs to the digital entities behind them. The question becomes “which identities are compromised?” rather than just “which IPs should we block?”. This approach links signals such as usernames, email addresses, and even passwords across many breaches and leaks to build a fuller picture of risky identities, of the threat actors using them, and of their tactics. Its efficacy scales with the volume of data analyzed: more data yields richer and more accurate intelligence. An unusual login can then trigger a check for compromised credentials, enriched with historical data to spot patterns of misuse; a recurring pattern elevates an isolated anomaly into evidence of a broader campaign. This correlation provides the contextual awareness that indicator-based intelligence lacks.

Fundamentally, identity signals play a crucial role in distinguishing legitimate users from imposters or synthetic identities operating within an environment. In an era characterized by remote and hybrid work models, widespread adoption of cloud services, and the ease of leveraging Virtual Private Network (VPN) services, attackers are increasingly attempting to create synthetic identities – fictitious users, IT personnel, or contractors – to infiltrate organizations. They may also target and compromise the identities of valid users within a given environment.

While traditional indicators like the source IP address of a login offer little value in determining whether a user truly exists within an organization’s Active Directory (AD) or whether that user is a genuine employee versus a fabricated identity, an identity-centric approach excels in this area. This excellence is achieved by meticulously analyzing multiple attributes associated with an identity, such as the employee’s email address, phone number, or other Personally Identifiable Information (PII), against extensive data stores of known breached data and fraudulent identities. Identity risk intelligence can unearth data on identities that simply appear risky. For example, if an email address with no prior legitimate online presence suddenly appears across numerous unrelated breach datasets, it could strongly suggest a synthetic profile.

Some advanced threat intelligence platforms now employ entity graphing to visually map and correlate these intricate and seemingly unrelated signals. Entity graphing involves constructing a network of relationships between various signals – connecting email addresses to passwords, passwords to specific data breaches, usernames to associated online personas, IP addresses to user accounts, and so forth. These interconnected graphs can become highly complex, yet they possess a remarkable ability to reveal hidden links that would remain invisible to a human analyst examining raw data.

An entity graph might reveal that a single Gmail address links multiple accounts across different companies and surfaces within criminal forums, strongly implicating a single threat actor who orchestrates activities across various environments. Often, these email addresses utilize convoluted strings for the username component to deliberately obfuscate the individual’s real name. By pivoting on identity-focused nodes within the graph, analysts can uncover associations between threat actors who employ obscure data points. The resulting intelligence is of high fidelity, sometimes pointing not merely to isolated threat artifacts but directly to the human adversary orchestrating a malicious campaign. This represents a new standard for threat intelligence, one where understanding the identity of the individual behind the keyboard is as critical as comprehending the specific Tactics, Techniques, and Procedures (TTPs) they employ.
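The pivoting described above, as an added example that is not code from the original article or from any threat intelligence platform: a small in-memory entity graph built from constructed identity signals (emails, accounts, password fingerprints, breach names, usernames, personas, IP addresses), with a breadth-first pivot that surfaces every node transitively linked to one identity. All node values are made up for the example; passwords are carried only as hash fingerprints.

```python
"""Entity graph over identity signals.

Added example, not code from the original article or any vendor platform:
a small in-memory graph of constructed identity signals, with a pivot
function that surfaces everything transitively linked to one identity node.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed sample signals (a, b, relation). Node ids are "type:value" so the
# same string in different roles (e.g. a username vs. an email) stays distinct.
# Passwords appear only as hash fingerprints, never in clear text.
SAMPLE_SIGNALS: List[Tuple[str, str, str]] = [
    ("email:q7x.zk91@gmail.com", "account:acme-corp/jdoe", "registered"),
    ("email:q7x.zk91@gmail.com", "account:globex/j.doe", "registered"),
    ("email:q7x.zk91@gmail.com", "breach:forum-dump-2023", "appears_in"),
    ("account:acme-corp/jdoe", "pwhash:3f2a9b", "used_password"),
    ("account:globex/j.doe", "pwhash:3f2a9b", "used_password"),  # same password reused
    ("pwhash:3f2a9b", "breach:forum-dump-2023", "leaked_in"),
    ("username:darkriver", "breach:forum-dump-2023", "appears_in"),
    ("username:darkriver", "persona:crimeforum/darkriver", "alias_of"),
    ("ip:203.0.113.7", "account:globex/j.doe", "logged_in_from"),
    # An unrelated identity that shares no signal with the one above.
    ("email:alice@example.com", "account:acme-corp/alice", "registered"),
    ("account:acme-corp/alice", "pwhash:9c1d44", "used_password"),
]


class EntityGraph:
    """Undirected graph of typed identity nodes joined by labelled signals."""

    def __init__(self) -> None:
        self.adj: Dict[str, Set[str]] = defaultdict(set)
        self.relation: Dict[Tuple[str, str], str] = {}

    def add_signal(self, a: str, b: str, relation: str) -> None:
        self.adj[a].add(b)
        self.adj[b].add(a)
        self.relation[(a, b)] = relation
        self.relation[(b, a)] = relation

    def pivot(self, start: str, max_hops: int = 3) -> Dict[str, int]:
        """Breadth-first walk from start; maps each reachable node to its hop count."""
        hops = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if hops[node] >= max_hops:
                continue
            for neighbour in self.adj.get(node, ()):
                if neighbour not in hops:
                    hops[neighbour] = hops[node] + 1
                    queue.append(neighbour)
        return hops

    def linked(self, start: str, node_type: str, max_hops: int = 3) -> List[str]:
        """Nodes of one type (e.g. 'account') reachable from start within max_hops."""
        prefix = node_type + ":"
        reachable = self.pivot(start, max_hops)
        return sorted(n for n in reachable if n.startswith(prefix) and n != start)


def build_sample_graph() -> EntityGraph:
    graph = EntityGraph()
    for a, b, rel in SAMPLE_SIGNALS:
        graph.add_signal(a, b, rel)
    return graph


def organisations_for_email(graph: EntityGraph, email: str) -> Set[str]:
    """Company names of every account directly registered with the email (account:org/user)."""
    return {acct.split(":", 1)[1].split("/", 1)[0] for acct in graph.linked(email, "account", 1)}


if __name__ == "__main__":
    g = build_sample_graph()
    actor = "email:q7x.zk91@gmail.com"
    print("organisations:", organisations_for_email(g, actor))
    print("personas within 3 hops:", g.linked(actor, "persona"))
    print("breaches within 3 hops:", g.linked(actor, "breach"))
```

Pivoting from the single Gmail node reaches both company accounts in one hop and the criminal-forum persona in three (email to breach, breach to the username that appears in it, username to persona), while the unrelated identity is never reached. In practice the node types and relations would come from the platform's own schema; the walk itself is the same.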

The power of analyzing signals for threat intelligence is not a new concept. For example, the NSA’s ThinThread project in the 1990s aimed to analyze massive amounts of phone and email metadata to identify potential threats (https://en.wikipedia.org/wiki/ThinThread). ThinThread was designed to sort through this data, encrypt US-related communications for privacy, and use automated systems to audit how analysts handled the information. By analyzing relationships between callers and their contacts, the system could identify potential threats, and only then would the data be decrypted for further analysis.

Despite rigorous testing and demonstrating superior data-sorting capabilities compared to existing systems, ThinThread was discontinued shortly before the 9/11 attacks. The core component of ThinThread, known as MAINWAY, which focused on analyzing communication patterns, was later deployed and became a key part of the NSA’s domestic surveillance program. This historical example illustrates the potential of analyzing seemingly disparate signals to gain critical insights into potential threats, a principle that underpins modern identity risk intelligence.

Real-World Example: North Korean IT Workers Using Disinformation/Synthetic Identities for Cyber Espionage

No recent event more clearly underscores the urgent need for identity-centric intelligence than the numerous documented cases of North Korean intelligence operatives nefariously infiltrating companies by masquerading as remote IT workers. While this scenario might initially sound like a plot from a Hollywood thriller, it is unfortunately a reality that many organizations have fallen victim to. Highly skilled agents from North Korea meticulously craft elaborate fake personas, complete with fabricated online presences, counterfeit resumes, stolen personal data, and even AI-generated profile pictures, all to secure employment at companies in the West. Once these operatives successfully gain employment, data exfiltration, or at the very least the attempt thereof, becomes virtually inevitable. In some particularly insidious cases, these malicious actors diligently perform the IT work they were hired to do, effectively keeping suspicions at bay for extended periods.

In 2024, U.S. investigators corroborated the widespread nature of this tactic, revealing compelling evidence that groups of North Korean nationals had fraudulently obtained employment with American companies by falsely presenting themselves as citizens of other countries (https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information). These operatives engaged in the creation of entirely synthetic identities to successfully navigate background checks and interviews. They acquired personal information, either by “borrowing” or purchasing it from real citizens, and presented themselves as proficient software developers or IT specialists available for remote work. In one particularly concerning confirmed case, a North Korean hacker secured a position as a software developer for a cybersecurity company by utilizing a stolen American identity further bolstered by an AI-generated profile photo – effectively deceiving both HR personnel and recruiters. This deceptive “employee” even successfully navigated multiple video interviews and passed typical scrutiny.

In certain instances, the malicious actors exhibited a lack of subtlety and wasted no time in engaging in harmful activities. Reports suggest that North Korean actors exfiltrated sensitive proprietary data within mere days of commencing employment. They often stole valuable source code and other confidential corporate information, which they then used for extortion. In one instance, KnowBe4, a security training firm, discovered that a newly hired engineer on their AI team was covertly downloading hacking tools onto the company network (https://www.knowbe4.com/press/knowbe4-issues-warning-to-organizations-after-hiring-fake-north-korean-employee). Investigators later identified this individual as a North Korean operative utilizing a fabricated identity, and proactive monitoring systems allowed them to apprehend him in time by detecting the suspicious activity.

HR, CISOs, CTOs: traditional security fails against sophisticated insider threats. Early detection of synthetic insiders is crucial for preventing late-stage damage. This is precisely where the intrinsic value of identity risk intelligence becomes evident. By proactively incorporating identity risk signals early in the screening process, organizations can identify red flags indicating a potentially malicious imposter before they gain access to the internal network. For example, an identity-centric approach might have flagged the KnowBe4 hire as high-risk even before onboarding by uncovering inconsistencies or prior exposure of their personal data. Conversely, the complete absence of any historical data breaches associated with an identity could also be a suspicious indicator. Consider the types of disinformation security that identity intelligence enables:

  • Digital footprint verification – by leveraging extensive breach and darknet databases, security analysts and operators can thoroughly investigate whether a job applicant’s claimed identity has any prior history. If an email address or name appears exclusively in breach data associated with entirely different individuals, or if a supposed U.S.-based engineer’s records trace back to IP addresses in other countries, these discrepancies should immediately raise concerns. In the context of disinformation security, digital footprint verification helps to identify inconsistencies that suggest a fabricated identity used to spread false information or gain unauthorized access. Digital footprint analysis involves examining a user’s online presence across various platforms to verify the legitimacy of their identity. Inconsistencies or a complete lack of a genuine online presence can be indicative of a synthetic identity.
  • Proof of life or synthetic identity detection – advanced platforms possess the capability to analyze combinations of PII to determine the chain of life, or the likelihood of an identity being genuine versus fabricated. For instance, if an individual’s social media presence is non-existent or their provided photo is identified as AI-generated (as was the case with the deceptive profile picture used by the hacker at KnowBe4), these are strong indicators of a synthetic persona. This is a critical aspect of disinformation security, as threat actors often use AI-generated profiles to create believable but fake identities for malicious purposes. AI algorithms and machine learning techniques play a crucial role in detecting these subtle anomalies within vast datasets. Behavioral biometrics, which analyzes unique user interaction patterns with devices, can further aid in distinguishing between genuine and synthetic identities.
  • Continuous identity monitoring – even after an individual is hired, the continuous monitoring of their activity and credentials can expose anomalies. For example, if a contractor’s account suddenly appears in a credential dump online, identity-focused alerts should immediately notify security teams. For disinformation security, this allows for the detection of compromised accounts that might be used to spread malicious content or propaganda.
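The screening signals from the three bullets above, together with the earlier observation that an email with no legitimate presence suddenly appearing across many unrelated breach datasets suggests a synthetic profile, as an added example that is not code from the original article or any vendor product. It evaluates an applicant against constructed breach records (names, breach names and country codes are all made up; the country codes use ISO user-assigned values), treats the AI-generated photo verdict as an input from an assumed upstream detector, and includes the post-hire check that raises an alert when a staff address turns up in a newly ingested credential dump.

```python
"""Applicant screening with identity risk signals.

Added example, not code from the original article or any vendor product: the
screening signals described in the text (breach-history name mismatch, sudden
breach footprint with no legitimate presence, country mismatch, missing
footprint, AI-generated photo) evaluated against constructed breach records,
plus the post-hire check for a staff email appearing in a new dump.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed breach records, standing in for an aggregated breach/darknet data
# store. "XA" and "XB" are ISO 3166 user-assigned codes, i.e. made-up countries.
SAMPLE_BREACH_RECORDS: List[Dict[str, str]] = [
    {"email": "q7x.zk91@gmail.com", "name": "Maria K.", "breach": "shop-2022", "country": "XA"},
    {"email": "q7x.zk91@gmail.com", "name": "Li W.", "breach": "forum-2023", "country": "XB"},
    {"email": "q7x.zk91@gmail.com", "name": "Li W.", "breach": "game-2023", "country": "XB"},
    {"email": "alice@example.com", "name": "Alice Example", "breach": "shop-2022", "country": "US"},
]


@dataclass(frozen=True)
class Applicant:
    claimed_name: str
    email: str
    claimed_country: str
    has_social_presence: bool   # a genuine, long-lived public footprint was found
    photo_flagged_ai: bool      # verdict of an assumed upstream image detector


@dataclass
class ScreeningResult:
    findings: List[str] = field(default_factory=list)
    verdict: str = "low"


def screen_applicant(app: Applicant, records: Iterable[Dict[str, str]]) -> ScreeningResult:
    """Return the synthetic-identity signals raised for an applicant and an overall verdict."""
    mine = [r for r in records if r["email"].lower() == app.email.lower()]
    names = {r["name"].lower() for r in mine}
    breaches = {r["breach"] for r in mine}
    countries = {r["country"] for r in mine}
    result = ScreeningResult()

    # The email is in breach data, but only ever attached to other people's names.
    if names and app.claimed_name.lower() not in names:
        result.findings.append("name_mismatch")
    # No legitimate presence, yet the address shows up across several unrelated breaches.
    if not app.has_social_presence and len(breaches) >= 3:
        result.findings.append("breach_burst_no_presence")
    # Records trace to countries other than the one the applicant claims.
    if countries and app.claimed_country not in countries:
        result.findings.append("country_mismatch")
    # The opposite extreme: no footprint anywhere is also unusual for a real adult.
    if not app.has_social_presence and not breaches:
        result.findings.append("no_footprint")
    if app.photo_flagged_ai:
        result.findings.append("ai_generated_photo")

    strong = {"name_mismatch", "ai_generated_photo"}
    if strong & set(result.findings) or len(result.findings) >= 2:
        result.verdict = "high"
    elif result.findings:
        result.verdict = "medium"
    return result


def credential_dump_alerts(staff_emails: Set[str], dump_emails: Iterable[str]) -> List[str]:
    """Post-hire monitoring: staff addresses that appear in a newly ingested dump."""
    lowered = {e.lower() for e in staff_emails}
    return sorted({e.lower() for e in dump_emails if e.lower() in lowered})


if __name__ == "__main__":
    synthetic = Applicant("John Doe", "q7x.zk91@gmail.com", "US", False, True)
    genuine = Applicant("Alice Example", "alice@example.com", "US", True, False)
    for a in (synthetic, genuine):
        r = screen_applicant(a, SAMPLE_BREACH_RECORDS)
        print(a.email, r.verdict, r.findings)
    print(credential_dump_alerts({"alice@example.com"}, ["bob@x.test", "ALICE@example.com"]))
```

The constructed "John Doe" trips four signals at once (name mismatch, breach burst with no presence, country mismatch, AI-flagged photo) and is rated high before onboarding; the genuine applicant, whose only breach record carries her own name and country, is rated low. The thresholds are assumptions for the example; a real screening flow would tune them and keep a human in the loop before any hiring decision.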

These types of sophisticated disinformation campaigns underscore the critical importance of linking cyber threats to identity risk intelligence. Static IOCs would fail to reveal the inherent danger of a seemingly “normal” user account that happens to belong to a hostile actor. However, identity-centric analysis – meticulously vetting the true identity of an individual and determining whether their digital persona has any connections to known threat activity – can provide defenders with crucial early warnings before an attacker gains significant momentum.

This is threat attribution in action. By prioritizing identity signals, suspicious activity can be attributed to the actual threat actor. The Lazarus Group, for instance, utilizes social engineering tactics on platforms like LinkedIn. Via LinkedIn they distribute malware and steal credentials, highlighting the need for identity-focused monitoring even on professional networks. Similarly, APT29 (Cozy Bear) employs advanced spear-phishing campaigns, underscoring the importance of verifying the legitimacy of individuals and their digital footprints.

The Role of Identity Risk Intelligence in Strengthening Security Posture

To proactively defend against the evolving landscape of modern threats, organizations must embrace disinformation security strategies and seamlessly integrate identity-centric intelligence directly into their security operations. The core principle is to enrich every security decision with valuable context about identity risk. This means that whenever a security alert is triggered, or an access request is initiated, the security ecosystem should pose the additional critical question: “is this identity potentially compromised or fraudulent?”. By adopting this proactive approach, companies can transition from a reactive posture to a proactive one in mitigating threats:

  • Early compromised credential detection – imagine an employee’s credentials leak in a third-party breach. Traditional security misses this until active login attempts. Identity risk intelligence alerts immediately upon detection in breaches or dark web dumps. This early warning allows the security team to take immediate and decisive action, such as forcing a password reset or invalidating active sessions. Integrating these timely identity risk signals into Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) systems enables such alerts to trigger automated responses without requiring manual intervention. Taking this further, one can proactively enrich Single Sign-On (SSO) systems and web application authentication frameworks with real-time identity risk intelligence. The following table illustrates recent high-profile data breaches where compromised credentials played a significant role:

    Table 1: Recent High-Profile Data Breaches Involving Compromised Credentials (2024-2025)

    | Organization | Date | Estimated Records Compromised | Attack Vector | Reference |
    | --- | --- | --- | --- | --- |
    | Change Healthcare | Feb 2024 | 100M+ | Compromised Credentials | Reference |
    | Snowflake | May 2024 | 165+ Orgs | Compromised Credentials | Reference |
    | AT&T | Apr 2024 | 110M | Compromised Credentials | Reference |
    | Ticketmaster | May 2024 | 560M | Compromised Credentials (implied) | Reference |
    | UK Ministry of Defence | May 2024 | 270K | Compromised Credentials (potential) | Reference |
    | New Era Life Insurance Companies | Feb 2025 | 335K | Hacking | Reference |
    | Hospital Sisters Health System | Feb 2025 | 882K | Cyberattack | Reference |
    | PowerSchool | Feb 2025 | 62M | Cyberattack | Reference |
    | GrubHub | Feb 2025 | Undisclosed | Compromised Third-Party Account | Reference |
    | DISA Global | Feb 2025 | 3.3M | Unauthorized Access | Reference |
    | Finastra | Nov 2024 & Feb 2025 | 400GB & 3.3M | Unauthorized Access | Reference |
    | Legacy Professionals LLP | Feb 2025 | 215K | Suspicious Activity | Reference |
    | Bankers Cooperative Group, Inc | Aug 2024 | Undisclosed | Compromised Email | Reference |
    | Medusind Inc. | Jan 2025 | 112K | Data Seizure | Reference |
    | TalkTalk | Jan 2025 | 18.8M | Third-Party Supplier Breach | Reference |
    | Gravy Analytics | Jan 2025 | Millions | Unauthorized Access | Reference |
    | Unacast | Jan 2025 | Undisclosed | Misappropriated Key | Reference |
  • Identity risk posture for users – leading providers offer something like an “Identity Risk Posture” Application Programming Interface (API). This yields a categorized value that represents the level of exposure or risk associated with a given identity. The score is derived from meticulous analysis of a vast amount of data about that identity across the digital landscape. For instance, the types of exposed attributes, the categories of breaches, and data recency are all analyzed. A CISO’s team can strategically utilize such a posture value to prioritize decisions and security actions. For example, a Data Security Posture Management (DSPM) solution identifies a series of users with access to specific data resources. If the security team identifies any of those users as having a high-risk posture, they could take action, such as opening an investigation, mandating hardware MFA devices, or calling for more frequent and specialized security awareness training.
  • Threat attribution and hunting – identity-centric intelligence significantly empowers threat hunters to connect seemingly disparate signals, security events, and incidents. In the event of a phishing attack, a traditional response might conclude by simply blocking the sender’s email address and domain. However, incorporating identity data into the analysis might reveal that the phishing email address previously registered an account on a popular developer forum, and the username on that forum corresponds to a known alias of a specific cybercrime group. This enriched attribution helps establish a definitive link between attacks and specific threat actors or groups. Knowing precisely who is targeting your organization enables you to tailor your defenses and incident response processes more effectively. Moreover, a security team can then proactively hunt for specific traces within a given environment. This type of intelligence introduces a new dimension to threat attribution, transforming anonymous attacks into attributable actions by identifiable adversaries.

Integrating identity risk signals into security tools via API is a best practice. Effective solutions offer API access to vast identity intelligence datasets. These APIs provide real-time alerts and comprehensive risk posture data based on a vast data lake of compromised identities and related data points (e.g. infostealer logs). Tailored intelligence feeds continuously provide actionable data to security operations. This enables security teams to answer critical questions such as:

  • Which employee credentials have shown up in breaches, data leaks, and/or underground markets?
  • Is an executive’s personal email account being impersonated or misused?
  • Is an executive’s personal information being used to create synthetic, realistic-looking public email addresses?
  • Are there any fake social media profiles impersonating our brand or our employees?

These identity risk questions exceed traditional network security’s scope. They bring crucial external insight – information about internet activity that could potentially threaten the organization – into internal defense processes.

Furthermore, identity-centric digital risk intelligence significantly strengthens an organization’s ability to progress towards a Zero Trust (ZT) security posture. ZT security models operate on the fundamental principle of “never trust, always verify” – particularly as it relates to user identities. Real-time information about a user’s identity compromise allows the system to dynamically adjust trust levels. For example, if an administrator account’s risk posture rapidly changes from low to high, a system can require re-authentication until investigation and resolution. This dynamic and adaptive response dramatically reduces the window of opportunity for attackers. Proactive interception of stolen credentials and fake identities replaces reactive breach response.
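The posture-driven response described here, together with the early compromised credential detection and the “Identity Risk Posture” value discussed in the list above, as an added example that is neither the article's code nor any provider's real API. It derives a categorized posture from constructed exposure records using the three inputs the text names (exposed attribute types, breach category, recency), then maps a posture transition to the responses the text describes: session invalidation and a forced password reset on a jump to high, and re-authentication until resolution when the account is an administrator. Every weight and threshold is an assumption for the example.

```python
"""Identity risk posture and adaptive response.

Added example, not the article's code nor any provider's real "Identity Risk
Posture" API: a posture score derived from exposed attribute types, breach
category and recency of constructed exposure records, and a policy that maps a
posture change to session invalidation, password reset and, for administrators,
re-authentication until the case is resolved. All weights are assumed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Assumed weights: sensitivity of each exposed attribute and seriousness of
# each breach category. Unknown keys count as 0 / 1.0 respectively.
ATTRIBUTE_WEIGHT = {"password": 40, "ssn": 30, "phone": 10, "address": 10, "email": 5}
CATEGORY_MULTIPLIER = {"infostealer": 1.5, "credential_dump": 1.2, "marketing_list": 0.5}
LEVEL = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Exposure:
    source: str                 # breach or dump the record came from
    category: str               # key of CATEGORY_MULTIPLIER
    attributes: FrozenSet[str]  # keys of ATTRIBUTE_WEIGHT that were exposed
    age_days: int               # how long ago the data surfaced


def recency_factor(age_days: int) -> float:
    """Recent exposures count fully; older ones decay (assumed schedule)."""
    if age_days <= 90:
        return 1.0
    if age_days <= 365:
        return 0.5
    return 0.25


def risk_score(exposures: Iterable[Exposure]) -> float:
    """Sum of weighted exposures, capped at 100."""
    total = 0.0
    for e in exposures:
        attr = sum(ATTRIBUTE_WEIGHT.get(a, 0) for a in e.attributes)
        total += attr * CATEGORY_MULTIPLIER.get(e.category, 1.0) * recency_factor(e.age_days)
    return min(total, 100.0)


def posture(exposures: Iterable[Exposure]) -> str:
    """Categorized posture value, the shape a provider API might return."""
    score = risk_score(exposures)
    if score >= 60:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def adaptive_actions(is_admin: bool, previous: str, current: str) -> List[str]:
    """Zero Trust style response to a posture transition on one account."""
    actions: List[str] = []
    if LEVEL[current] <= LEVEL[previous]:
        return actions                       # unchanged or improved: nothing to do
    if current == "high":
        actions += ["invalidate_sessions", "force_password_reset"]
        if is_admin:
            actions.append("require_reauth_until_resolved")
        actions.append("open_investigation")
    elif current == "medium":
        actions.append("notify_user")
        if is_admin:
            actions.append("require_hardware_mfa")
    return actions


def handle_new_exposure(is_admin: bool, known: List[Exposure], new: Exposure) -> List[str]:
    """SOAR-style hook: recompute posture when an intelligence feed delivers a new exposure."""
    before = posture(known)
    after = posture(known + [new])
    return adaptive_actions(is_admin, before, after)


if __name__ == "__main__":
    # Constructed exposures: an old marketing-list leak, then a fresh infostealer log.
    old_marketing = Exposure("mailing-list-2022", "marketing_list", frozenset({"email", "phone"}), 800)
    fresh_stealer = Exposure("stealer-log-2025", "infostealer", frozenset({"email", "password"}), 30)
    print(posture([old_marketing]), "->", posture([old_marketing, fresh_stealer]))
    print(handle_new_exposure(True, [old_marketing], fresh_stealer))
```

With the constructed records, an administrator whose only known exposure is a two-year-old marketing-list leak sits at low; the moment a fresh infostealer log exposing the password arrives, the posture jumps to high and the hook returns session invalidation, a forced reset, re-authentication until the investigation closes, and an investigation ticket. Wiring `handle_new_exposure` to a SIEM or SOAR event source is what turns the feed into the automated response the text describes.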

Embracing Identity-Centric Intelligence: A Call to Action

The landscape of cyber threats is in a constant state of evolution, and our defenses must adapt accordingly. IOCs alone fail against modern attackers; identity-focused threats demand stronger protection. CIOs, CISOs, CTOs: identity-centric intelligence is now a critical strategic necessity, as is understanding identity risk intelligence and its role in disinformation security. This necessary shift does not necessitate abandoning your existing suite of security tools; rather, it involves empowering them, where appropriate, with richer context and more identity risk intelligence signals.

By seamlessly integrating identity risk data into every aspect of security operations, from authentication workflows to incident response protocols, security teams gain holistic visibility into an attack, moving beyond fragmented views. Threat attribution capabilities then become significantly enhanced, as cybersecurity teams can more accurately pinpoint who is targeting their organization. Identifying compromised credentials or accounts speeds incident response, enabling faster breach containment. Ultimately, an organization can transition into both proactive and disinformation security strategies.

Several key questions warrant honest and critical consideration:

  • How well do we truly know our users and their associated identities?
  • How quickly can we detect an adversary if they were operating covertly amongst our legitimate users?

If either of these questions elicits uncertainty, it is time to rigorously evaluate how identity risk intelligence can effectively bridge that critical gap. I recommend you begin by exploring solutions that aggregate breach data and provide actionable insights, such as a comprehensive risk score or posture, which your current security ecosystem can seamlessly leverage.

Identity-centric intelligence is vital against sophisticated attacks, surpassing traditional methods for better breach detection. CISOs enhance breach prevention by viewing identity risk holistically, moving beyond basic IOCs. North Korean attacks and data breaches highlight the urgent need for identity-focused security. Implement identity risk, entity graphing, and Zero Trust for a proactive, resilient security posture. Understanding and securing identities equips organizations to navigate complex future threats effectively. Fundamentally, this requires understanding identity risk intelligence and its role in disinformation security.