Identity-First Attacks: The Kill Chain Defends Five Stages the Attacker Skips
The 2011 kill chain trains you to stop malware at the perimeter. Identity-first attackers skip five of its seven links and log in. What to defend instead.
8 posts
The 2011 kill chain trains you to stop malware at the perimeter. Identity-first attackers skip five of its seven links and log in. What to defend instead.
Prompt injection is OWASP's #1 LLM risk and you can't filter it out. Stop detecting the prompt — detect the lethal trifecta closing in one session.
Cloud hands every workload a privileged identity by default. Unlike other machine identities it's bound to one host — use from elsewhere is theft.
An AI agent is a non-human identity with an opaque decision layer. You can't detect the prompt injection — so watch what the agent's credential does.
OAuth abuse bypasses MFA by attacking authorization, not authentication. Most SOCs don't collect consent-grant telemetry — here's what to detect.
92% of identities are over-permissioned and creep leaves no log line. Stop treating the blast radius as cleanup — instrument it instead.
Most CTI programs measure IOCs ingested and reports published — activity, not effect. Here's what operationalized intelligence actually looks like.
You have ~45 non-human identities per human — and the signals your detection runs on (MFA, impossible travel, login geo) don't exist for any of them.