According to CrowdStrike, 62% of all so-called interactive intrusions—or intrusions that involve hands on a keyboard—during the 12 months ending in June 2023, have leveraged valid account credentials. The report also cites a “160% increase in attempts to gather secret keys and other credential materials via cloud instance metadata APIs.” Attacks using the technique known as “Kerberoasting”—where threat actors steal access tickets associated with the Kerberos authentication protocol and crack them offline using brute-force methods—surged 583% from the previous year, per CrowdStrike data.

“The biggest trend that we’ve seen is that everything is moving towards identity," Adam Meyers, head of intelligence at CrowdStrike, told CSO regarding the report.

Overall, 80% of breaches rely on compromised identities, a separate CrowdStrike report earlier this year found. As for why attackers are concentrating on identity now, defenders may be victims of their own success. Meyers told TechTarget that advances in endpoint detection and response capabilities have made breaches tougher for threat actors—that is, unless they use identity.

Elsewhere in the report, CrowdStrike found that adversary breakout time reached an all-time low of 79 minutes. Last year, the average time it took an adversary to move laterally from initial compromise to other hosts in the victim environment was 84 minutes, the previous low.

“When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods,” Meyers said in a statement.