Threat Intelligence advanced T1078

Identity-First Attacks: The Kill Chain Defends Five Stages the Attacker Skips

The 2011 kill chain trains you to stop malware at the perimeter. Identity-first attackers skip five of its seven links and log in. What to defend instead.

· 15 min read · Gowthamaraj Rajendran

The Lockheed Martin Cyber Kill Chain is not wrong. It is mistrained. It was built in 2011 to describe an intruder who has to cross a perimeter and detonate a payload to get anything done: reconnaissance, weaponization, delivery, exploitation, installation, command-and-control, actions on objectives [1]. Seven links, and the whole doctrine that grew up around it — where you put the email gateway, the EDR agent, the patch cadence — is downstream of one instruction: break the chain as early as you can, before installation.

Now look at how organizations actually get breached. In CrowdStrike’s 2026 telemetry, 82% of detections were malware-free — the adversary didn’t deploy a payload, they authenticated [2]. Stolen credentials were the single most common initial access vector in the 2025 Verizon DBIR, in the plurality of breaches [3]. The line everyone quotes — “adversaries don’t break in, they log in” [2] — is not a slogan. It is a statement that five of the kill chain’s seven links no longer fire, and your controls are still standing guard over all five.

This is the last post in a series about identity-first attacks. The previous five each took one surface — non-human identities, OAuth, workload identities, identity creep, and the vendor landscape. This one is about the model that sits above all of them, and why the mental picture most SOCs still defend by has quietly stopped matching the attack.

The Chain’s Real Lesson Was “Break It Early”

Give the kill chain its due, because the critique only lands if you’re fair to what it got right. Its enduring contribution was never the seven boxes — it was the economic argument underneath them. Each phase is a chance to interdict, and the earlier you interdict, the cheaper it is and the less the attacker has accomplished. Block the phishing email and you never have to find the beacon. Catch the exploit and you never have to scope the lateral movement. “Shift left” as a security idea is the kill chain’s grandchild.

That logic is still correct. Hold onto it — we’re going to need it at the end. The problem is not the principle that you should break the chain at the earliest possible link. The problem is that the earliest possible link moved, and the controls the industry bought to sit at the old early links are now guarding an empty stretch of road.

Walk an identity-first attack through the seven phases and watch what happens.

Reconnaissance still occurs — an attacker researches your employees on LinkedIn, or enumerates your tenant. Actions on objectives still occurs — data gets exfiltrated, mailboxes get read, environments get extorted. Those are the first and last links.

Everything in between collapses into a single event: a valid authentication. Weaponization — there is no payload to build. Delivery — nothing is delivered; a credential is presented. Exploitation — no vulnerability is triggered; the login is exactly what the system is designed to accept. Installation — nothing is installed; the “implant” is a session token the identity provider issued voluntarily. Command-and-control — there is no beacon to a C2 server, because the attacker drives the account over the same sanctioned API channels your business runs on: Microsoft Graph, the Salesforce API, the Snowflake client.

Five links — weaponization, delivery, exploitation, installation, C2 — compress into the one moment your detection stack is least equipped to question, because a valid login from a valid credential is, by definition, allowed. The receipts are not hypothetical:

IncidentEntry on the targetWhere the “middle five” actually happened
Colonial Pipeline (2021)Live legacy VPN credential, no MFANowhere — there was no malware phase at all
Storm-0558 (2023)A validly-signed, forged Azure AD token [4]Signing-key theft, upstream in Microsoft’s own crash-dump pipeline [4]
Scattered Spider / MGM (2023)A 10-minute vishing call to the help desk to reset MFA [6]Nowhere in your logs — it was a phone call
Midnight Blizzard (2024)Password spray on a legacy no-MFA test tenant [7]Persistence was a malicious OAuth app, not an implant [7]
Snowflake / UNC5537 (2024)Valid username + password, no MFA [5]Infostealer malware — years earlier, on someone else’s laptop [5]
Salesloft Drift (2025)A stolen but legitimate OAuth tokenToken theft at a third-party SaaS integration

Six breaches that defined the last five years. Not one of them would have tripped the controls the kill chain tells you to place at links two through six, because on the victim’s own telemetry, links two through six were blank.

The Malware Didn’t Vanish. It Moved to a Sensor You Don’t Own.

Here is the objection I’d raise if I were reading this, and it’s the right one: of course there was malware. UNC5537’s Snowflake credentials came out of infostealer logs [5]. Storm-0558 needed a stolen signing key [4]. Somewhere in every one of these, something was weaponized and delivered and exploited. The kill chain didn’t die; you’re just not looking in the right place.

That objection is correct, and it is the whole point — sharpened.

The malware phases didn’t disappear. They relocated to a sensor you don’t own. UNC5537’s delivery-and-installation happened on a contractor’s personal machine, sometimes years before the Snowflake login, harvested by an infostealer and sold through an access broker [5]. Storm-0558’s exploitation happened inside Microsoft’s build infrastructure, not the two-dozen-plus victim tenants that got their mail read [4]. Scattered Spider’s “delivery” was a phone call that no SIEM on earth ingests [6]. Drift’s compromise happened at a SaaS vendor three companies removed from the Salesforce data that walked out the door.

Your EDR, your mail gateway, your patch program are not failing. They are firing correctly on a stretch of chain that no longer runs through your environment. The attacker’s build-and-deliver work now happens on infrastructure you have no agent on — a victim laptop, a vendor’s cloud, an upstream software supply chain, or nowhere at all — and arrives at your door as a fact already accomplished: a working credential. Access broker activity was up roughly 50% in a single year for exactly this reason [2]. There is now a supply chain whose entire product is the left half of your kill chain, executed off-site and delivered to the attacker as a login.

One honest caveat, because the incidents demand it: the right end of the chain can still look classic. After Scattered Spider talked its way into MGM’s Okta, it deployed ALPHV/BlackCat ransomware for the actual impact [6]. Identity-first describes how attackers get in, move, and persist — not necessarily how they cause damage. The middle five links are what’s hollowed out. Don’t overclaim that the whole chain is dead; claim precisely that its interdiction points have moved off your sensors.

”ATT&CK Already Covers This” — Yes, and That’s Not the Problem

The sharpest reader has a better objection than the malware one: nobody serious uses the 2011 kill chain for detection anymore. We have ATT&CK, which enumerates Valid Accounts and Cloud Account manipulation and OAuth abuse in detail. We have the Unified Kill Chain, which fixed the linearity problem back in 2017 with eighteen non-linear phases [8]. You’re beating a dead framework.

Half right. ATT&CK absolutely documents these techniques — this post’s own frontmatter points at T1078. But ATT&CK is a matrix of techniques, not a doctrine for where to stand and fight. It tells you what an adversary can do; it does not tell you where the cheapest interdiction point is for your environment. And notice how it’s organized: Initial Access, Privilege Escalation, and Persistence are still separate tactic columns — separate phases you’re implicitly meant to defend in sequence.

For an identity-first attack, those columns are frequently the same action. When Midnight Blizzard’s operators consented a malicious OAuth application with full_access_as_app, that single act was initial foothold, privilege escalation, and persistence at once — and it survived every password reset and MFA rollout Microsoft applied afterward, because an OAuth grant is not a credential [7]. The taxonomy has a row for each of those behaviors. What it doesn’t have is a picture of how, in the identity layer, they fuse into one indivisible event.

So this isn’t a taxonomy gap. It’s a mental-model gap. The teams I’ve watched don’t lack a list of identity techniques — they lack a working picture of the identity attack that tells them where to put the control and what “early” even means when there’s no delivery to block. They inherited a perimeter-shaped intuition and a technique matrix, and neither one hands them the doctrine.

The Fix Is a Model, Not a Diagram: Instrument the Identity’s Life

The reframe is not a new box diagram — we have enough of those. It’s a change in what you model. Stop modeling the intrusion lifecycle and model the identity lifecycle, because that’s the surface the attack actually rides on.

Identity-first attacks have phases. They are just not the traditional ones — they’re shaped by how identity works:

  • Grant — the privilege is provisioned, and usually over-provisioned. This is the standing blast radius from Identity Creep: the access that accumulates and never gets revoked.
  • Assume — the attacker obtains the credential, token, or session. This is the step that most often happens off your telemetry.
  • Use — the identity authenticates and acts. Looks legitimate, because it is.
  • Escalate — a role assignment, a consent grant, a new admin.
  • Persist — a new app registration, an added client secret, a fresh MFA method that outlives the credential you’ll eventually rotate.

Every one of those maps to telemetry you almost certainly already collect: Entra and Okta audit logs, CloudTrail, SaaS admin and audit APIs, OAuth consent events. The signal was never the problem — as the NHI post argued, your SIEM ingests these events and correlates almost none of them into “this identity is behaving unlike itself.” Detection in this world is not about catching a break-in. It’s about noticing when a legitimate identity does something its own history says it doesn’t do — the same argument as workload identities having a home address, generalized to every identity you own.

Shift Left Until You Can’t, Then Detect the Rest

Now bring back the kill chain’s one surviving lesson: break the chain at the earliest link. That doctrine is still right. What changed is the definition of “earliest.”

In an identity-first attack, the earliest link is no longer a detection — it’s an architecture decision. The cheapest place to break the chain is to make sure the credential the attacker needs doesn’t exist to be stolen. No standing secret, no long-lived token, no dormant admin account, no legacy no-MFA tenant. Just-in-time access, secretless workload IAM, short-lived brokered credentials — the Layer 3 prevention argument from the NHI landscape post. Prevention is genuinely the play here, and I say that as someone who writes a detection blog. Every one of the six breaches above needed a standing credential — a VPN account nobody killed, an infostealer-harvested password nobody rotated, a legacy OAuth app nobody re-attested. Shift left far enough and most of them have nothing to grab.

Detection is not the primary control anymore. It is the compensating control for the residual you cannot prevent — and that residual is real, because prevention has hard limits. You cannot prevent a token being stolen at a third party you don’t run (Drift). You cannot prevent a help-desk analyst getting socially engineered into resetting MFA (MGM). For that irreducible remainder, you detect the behavior after the authentication — because the authentication itself is invisible, and so is everything upstream of it. Storm-0558 was caught by exactly one thing: a government analyst noticing anomalous MailItemsAccessed events with an app ID that had no business touching those mailboxes [4]. Not the forgery, not the key theft — the usage.

That’s what a phase-collapse detection looks like. The signature of an identity-first intrusion is a single principal doing several of the identity phases inside one short window — assume, escalate, and persist almost at once — the pattern behind both Midnight Blizzard and Scattered Spider:

# Detects one principal compressing escalate + persist into a single short session:
# a new MFA method, a privileged role grant, and new app credentials/consent
# within minutes of each other. This "phase collapse" is the identity-first
# signature — the same actor performing what the kill chain treats as three
# separate, sequential stages. Maps to T1078 / T1098 / T1136.
title: Identity Phase Collapse — Escalation and Persistence in One Session
status: experimental
logsource:
  product: azure
  service: auditlogs
detection:
  selection_actor:
    # correlate the events below by the same initiating principal + IP session
    initiatedBy.user.id: '*'
  persist_mfa:
    operationName: 'User registered security info'
  escalate_role:
    operationName: 'Add member to role'
    targetResources.modifiedProperties.displayName: 'Role.WellKnownObjectName'
  persist_app:
    operationName|contains:
      - 'Add service principal credentials'
      - 'Consent to application'
      - 'Add app role assignment grant to user'
  timeframe: 30m
  condition: selection_actor and 2 of (persist_mfa, escalate_role, persist_app)
falsepositives:
  - Legitimate onboarding or JML automation performing role + app grants in bulk
    (baseline your provisioning service principals and exclude them by object ID)
  - An admin doing genuine setup work — enrich with device compliance and
    whether the initiating IP matches the principal's usual ASN before paging
level: high

One rule, tuned to the collapse rather than to any single event, catches the shape that “one row per tactic” misses. It won’t fire on the phone call or the forged token — nothing will — but it fires the moment that stolen access starts doing the things the account never did.

What This Means for Where Your Budget Goes

The uncomfortable operational takeaway: if 82% of intrusions are malware-free [2] and eCrime breakout time is down to 29 minutes [2], then a control portfolio weighted toward links two through six is a portfolio defending the road the attacker no longer drives on. This is not an argument to rip out your EDR — the impact tail is still real, and prevention at the endpoint still matters. It’s an argument about marginal spend. The next dollar buys more coverage at the identity layer than at the perimeter, and most programs’ spend still reflects the opposite ratio.

It also changes what “coverage” means. Counting ATT&CK techniques with a detection is the perimeter-era version of the detection funnel’s vanity metric — it measures the map, not the territory. Coverage for identity-first attacks is measured in questions you can answer about behavior: Can you tell when an identity authenticates from somewhere it never has? When a service principal grants itself scope it’s never held? When a new OAuth app appears with mailbox access? If the answer is no, a green technique-coverage dashboard is telling you you’re covered while you’re being robbed.

The attacker skipped five of your seven links. They weaponized nothing, delivered nothing, exploited nothing, installed nothing, and never phoned a C2 — because all of that happened on a laptop, a vendor, or a phone line you have no sensor on, and arrived at your door as a working login.

So do two things. Shift the fight left of the login, where it’s cheapest: kill the standing credentials that make these attacks possible, so the stolen thing has no value. Then instrument the identity’s life for the residual you can’t prevent, because the only place an invisible compromise becomes visible is in what the credential does after it’s used. The kill chain’s lesson survives; its geography changed. Make sure your controls — and your budget — aren’t still guarding a stretch of road the attacker paved over years ago.

Resources

  1. The Cyber Kill Chain — Lockheed Martin (original seven-phase intrusion model, 2011).
  2. CrowdStrike 2026 Global Threat Report — CrowdStrike (82% malware-free detections, 29-minute breakout time, access-broker growth, “log in, don’t break in”).
  3. 2025 Data Breach Investigations Report — Verizon (stolen credentials as the leading initial access vector).
  4. Analysis of Storm-0558 techniques for unauthorized email access — Microsoft Security, Jul 2023 (forged Azure AD tokens, MSA signing key, MailItemsAccessed detection).
  5. UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion — Mandiant / Google Cloud, 2024 (infostealer-sourced credentials, absent MFA, ~165 orgs).
  6. Okta: Caesars, MGM hacked in social engineering campaign — TechTarget, 2023 (help-desk vishing, MFA reset, subsequent ALPHV/BlackCat ransomware).
  7. Midnight Blizzard: Guidance for responders on nation-state attack — Microsoft Security, Jan 2024 (password spray on legacy test tenant, malicious OAuth apps with full_access_as_app as persistence).
  8. The Unified Kill Chain — Paul Pols (18-phase non-linear model extending Lockheed’s chain and MITRE ATT&CK).