Unit 42: Nearly two-thirds of breaches now start with identity abuse

Source: CyberScoop

Author: Matt Kapko

URL: https://cyberscoop.com/attackers-abuse-identity-unit42-palo-alto-networks-incident-response-report/

ONE SENTENCE SUMMARY:

Unit 42 reports identity abuse drives most breaches, fueled by social engineering, misconfigurations, overprivilege, and fast multi-surface attacks.

MAIN POINTS:

  1. Identity-based techniques caused nearly two-thirds of initial network intrusions in 2025.
  2. Social engineering was the leading initial-access method, appearing in one-third of the 750 incident responses.
  3. Compromised credentials, brute force, permissive policies, and insiders bypassed security controls.
  4. Identity elements were critical in nearly 90% of incidents across the attack lifecycle.
  5. Misconfigurations across interconnected tools and systems magnified identity abuse impact.
  6. Detection is difficult because malicious actions can appear as legitimate authenticated activity.
  7. Vulnerability exploits still accounted for 22% of initial intrusions despite constant patching.
  8. Machine identities, AI agents, APIs, and SaaS integrations expand identity attack surface.
  9. Over-permissioned accounts enable pivots from branches to core environments and cloud services.
  10. Median extortion payments rose 87% to $500,000, while exfiltration often occurred within days.

TAKEAWAYS:

  1. Prioritize identity security as the dominant initial-access vector and recurring incident enabler.
  2. Reduce blast radius through least privilege, segmentation, and tighter identity governance.
  3. Improve detection for “valid-but-malicious” behavior amid noisy authenticated enterprise activity.
  4. Secure supply-chain integrations by controlling API keys and third-party SaaS access paths.
  5. Plan for rapid attacker timelines with faster monitoring, response, and data-exfiltration controls.