What are identity-based attacks?
Identity-based attacks are cyberattacks that target user credentials, such as usernames, passwords, and authentication tokens, to gain unauthorized access to systems or data. These attacks exploit weaknesses in identity security through methods like phishing, credential stuffing, MFA bypass, and session hijacking, allowing attackers to impersonate legitimate users and move laterally within a network. Identity attacks are on the rise for several reasons, including the use of adversarial AI, the migration to cloud-based identity providers, and the adoption of more SaaS applications. 5 of the top 10 MITRE ATT&CK tactics are identity-based.
Unfortunately, identity attacks are extremely hard to detect. When a valid user's credentials have been compromised and an adversary is masquerading as that user, traditional security measures and tools often cannot distinguish the user's typical behavior from the attacker's.
To better understand the identity threat landscape, let's explore eight common identity-based attacks and how they work.
8 types of identity-based attacks
What are some common identity-based attacks?
1. Phishing and social engineering
Phishing is one of the most common identity-based attack methods, where cybercriminals manipulate victims into revealing sensitive information, such as login credentials or financial data. These attacks come in various forms, including email phishing, where attackers impersonate legitimate organizations, spear phishing, which targets specific individuals with personalized messages, and whaling, which focuses on high-profile executives. Other variants include vishing (voice phishing), where attackers use phone calls to extract information, and smishing (SMS phishing), which leverages text messages to deceive victims.
Social engineering tactics, such as urgency, fear, or impersonation, make phishing highly effective, often bypassing traditional security measures. To defend against phishing attacks, organizations should implement email filtering, employee security awareness training, and advanced identity verification techniques like multi-factor authentication (MFA) and behavioral analytics.
2. Credential stuffing
Credential stuffing is a cyberattack where cybercriminals use stolen login credentials from one system to attempt to access an unrelated system.
Credential stuffing attacks follow a relatively simple attack path. First, the attacker leverages stolen account credentials or buys breached credentials via the dark web. With the credentials in hand, the attacker then sets up a botnet or other automation tool to attempt to log into multiple unrelated accounts simultaneously. The bot then checks to see if access was granted to any secondary services or accounts. In the event the login attempt was successful, the attacker will gather additional information, such as personal data, stored credit card information or bank details.
3. Golden ticket attack
A golden ticket attack is an attempt to gain almost unlimited access to an organization’s domain by accessing user data stored in Microsoft Active Directory (AD). This attack exploits weaknesses in the Kerberos identity authentication protocol, which is used to access the AD, allowing an attacker to bypass normal authentication.
To carry out a golden ticket attack, the attacker needs the fully qualified domain name, the security identifier of the domain, the KRBTGT password hash and the username of the account they are going to access.
4. Kerberoasting
Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within the AD.
In such an attack, an adversary who already controls a valid domain user account requests a Kerberos service ticket for a service that has a service principal name (SPN); part of that ticket is encrypted with the service account's password hash. (An SPN is an attribute that ties a service to a user account within AD.) The adversary then works offline to crack the password hash, often using brute force techniques.
Once the plaintext credentials of the service account are exposed, the adversary possesses user credentials that they can use to impersonate the account owner.
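The detection side of the Kerberoasting flow described above, as an added example that is not part of the original article: a single account requesting service tickets for many distinct SPNs in a short window, especially with the weaker RC4 encryption type (0x17 in Windows Security event 4769), is the classic signature. The event records below are constructed for this example and only mirror the 4769 fields (requesting account, service name, ticket encryption type); the window and SPN-count thresholds are assumptions a defender would tune for their own environment.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 (TGS request) records.
Heuristic: one account requesting >= min_spns distinct RC4-encrypted service tickets
within a short window. Records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # ticket encryption type value for RC4-HMAC in event 4769

# Constructed sample 4769 records: (timestamp, requesting account, service name, enc type)
EVENTS_4769 = [
    ("2024-03-01T09:00:01", "alice",   "HTTP/web01.corp.example",         "0x12"),  # AES256, normal
    ("2024-03-01T09:14:05", "svc-bot", "MSSQLSvc/db01.corp.example:1433", RC4_HMAC),
    ("2024-03-01T09:14:06", "svc-bot", "HTTP/web01.corp.example",         RC4_HMAC),
    ("2024-03-01T09:14:06", "svc-bot", "CIFS/files01.corp.example",       RC4_HMAC),
    ("2024-03-01T09:14:07", "svc-bot", "HTTP/intranet.corp.example",      RC4_HMAC),
    ("2024-03-01T09:14:08", "svc-bot", "MSSQLSvc/db02.corp.example:1433", RC4_HMAC),
    ("2024-03-01T11:30:00", "bob",     "MSSQLSvc/db01.corp.example:1433", RC4_HMAC),  # one legacy app
]

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=4):
    """Return {account: sorted SPNs} for accounts that requested at least `min_spns`
    distinct RC4-encrypted service tickets inside any `window`-long span."""
    by_account = defaultdict(list)
    for ts, account, spn, etype in events:
        if etype == RC4_HMAC:                      # AES tickets are not crackable the same way
            by_account[account].append((datetime.fromisoformat(ts), spn))
    suspects = {}
    for account, reqs in by_account.items():
        reqs.sort()                                # time-ordered for the sliding window
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                suspects[account] = sorted(spns)
                break
    return suspects

if __name__ == "__main__":
    for account, spns in detect_kerberoasting(EVENTS_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 service tickets")
```

A single RC4 ticket (bob's legacy application) is not flagged; the burst from svc-bot is.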
5. Man-in-the-middle (MITM) attack
A man-in-the-middle attack is a type of cyberattack in which an attacker eavesdrops on a conversation between two people, two systems, or a person and a system.
The goal of a MITM attack is to collect personal data, passwords or banking details, and/or to convince the victim to take an action such as changing login credentials, completing a transaction or initiating a transfer of funds.
6. Pass-the-hash attack
Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network.
The attacker typically gains access to the network through a social engineering technique. Once the attacker gains access to the user’s account, they use various tools and techniques that scrape the active memory to derive data that will lead them to the hashes.
Armed with one or more valid password hashes, the attacker gains full system access, enabling lateral movement across the network. As the attacker impersonates the user from one application to the next, they often engage in hash harvesting — accumulating additional hashes throughout the system which can be used to access more areas of the network, add account privileges, target a privileged account, and set up backdoors and other gateways to enable future access.
7. Password spraying
A password spraying attack is a brute force technique that involves a hacker using a single common password against multiple accounts.
First, the attacker acquires a list of usernames, then attempts logins across all usernames using the same password. The attacker repeats the process with new passwords until the attack breaches the target authentication system to gain account and systems access.
8. Silver ticket attack
A silver ticket is a forged authentication ticket, typically created after an attacker steals a service account's password. Silver ticket attacks use that stolen secret to forge ticket-granting service (TGS) tickets. The forged service ticket is encrypted with the service account's key and grants access only to the specific service targeted by the attack.
Once the attacker obtains the forged silver ticket, they can run code as the targeted local system. They can then elevate their privileges on the local host and start moving laterally within the compromised environment or even create a golden ticket. This gives them access to more than the originally targeted service and is a tactic for avoiding cybersecurity prevention measures.
Best practices to protect from identity-based attacks
To defend against identity-based attacks, organizations must implement layered security measures that go beyond traditional authentication methods. Below are four key best practices to strengthen identity security:
Implement multi-factor authentication (MFA) everywhere
- Require at least two authentication factors (e.g., password + biometrics or hardware token).
- Use phishing-resistant MFA, such as FIDO2 security keys, to prevent credential theft.
- Avoid reliance on SMS-based MFA, as attackers can bypass it via SIM-swapping.
Adopt a zero trust security model
- Enforce continuous identity verification before granting access to resources.
- Implement least privilege access, ensuring users only have permissions necessary for their role.
- Use micro-segmentation to prevent lateral movement after credential compromise.
Use AI-driven identity threat detection
- Deploy behavior analytics to detect unusual login attempts or credential misuse.
- Monitor failed login patterns, location anomalies, and privilege escalations.
- Automate real-time identity threat responses, such as forced logouts or MFA re-prompting.
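The "monitor failed login patterns" practice above, applied to the two brute-force attack paths described earlier (credential stuffing in section 2 and password spraying in section 7), as an added example that is not part of the original article. The auth log lines are constructed for this example, the syslog-style field names (src=, user=, result=) are an assumption, and the thresholds are starting points to tune, not fixed rules.

```python
"""Shape-based detection of password spraying vs credential stuffing in auth logs.
  - password spraying: ONE source tries MANY usernames, one or two attempts each
  - credential stuffing: MANY sources (a botnet), each trying ONE username once
Sample log lines are constructed for this example (syslog-style, not real data)."""
import re
from collections import Counter, defaultdict

LOG_LINES = [
    # single source walking a username list with one password -> spraying shape
    "2024-03-01T08:00:01 auth src=203.0.113.7 user=alice result=FAIL",
    "2024-03-01T08:00:02 auth src=203.0.113.7 user=bob result=FAIL",
    "2024-03-01T08:00:03 auth src=203.0.113.7 user=carol result=FAIL",
    "2024-03-01T08:00:04 auth src=203.0.113.7 user=dave result=FAIL",
    "2024-03-01T08:00:05 auth src=203.0.113.7 user=erin result=OK",
    # one attempt per source, distinct users, many sources -> stuffing shape
    "2024-03-01T08:10:00 auth src=198.51.100.1 user=gina result=FAIL",
    "2024-03-01T08:10:01 auth src=198.51.100.2 user=hank result=FAIL",
    "2024-03-01T08:10:01 auth src=198.51.100.3 user=ivan result=OK",
    "2024-03-01T08:10:02 auth src=198.51.100.4 user=judy result=FAIL",
    "2024-03-01T08:10:02 auth src=198.51.100.5 user=kate result=FAIL",
    # a human mistyping their own password: matches neither pattern
    "2024-03-01T09:00:00 auth src=192.0.2.9 user=alice result=FAIL",
    "2024-03-01T09:00:09 auth src=192.0.2.9 user=alice result=OK",
]

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+)")

def per_source(lines):
    """Map each source address to a Counter of the usernames it attempted."""
    stats = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            stats[m["src"]][m["user"]] += 1
    return stats

def detect_password_spray(lines, min_users=5, max_per_user=2):
    """Sources that touched many distinct usernames with few attempts per user."""
    return sorted(src for src, users in per_source(lines).items()
                  if len(users) >= min_users and max(users.values()) <= max_per_user)

def detect_credential_stuffing(lines, min_sources=5):
    """Single-attempt sources that each tried a different username (botnet shape)."""
    stats = per_source(lines)
    one_shot = {src: next(iter(c)) for src, c in stats.items() if sum(c.values()) == 1}
    if len(one_shot) >= min_sources and len(set(one_shot.values())) >= min_sources:
        return sorted(one_shot)
    return []
```

Successful logins inside either pattern (erin, ivan) are the accounts to force a logout or MFA re-prompt on, which is the automated response the last bullet describes.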
Reduce reliance on passwords with passwordless authentication
- Implement biometric authentication (e.g., fingerprint, facial recognition).
- Use hardware security keys or single sign-on (SSO) solutions for enhanced security.
- Enforce passkey authentication, eliminating the risks associated with weak or reused passwords.
By combining these best practices, organizations can proactively mitigate identity-based attacks and reduce the risk of credential compromise.
AI-powered identity security: how Falcon Identity Protection prevents attacks
Traditional security measures alone are no longer enough to stop identity-based attacks, as attackers continue to exploit stolen credentials, weak authentication methods, and gaps in identity security. CrowdStrike Falcon® Identity Protection delivers real-time visibility, detection, and response to identity threats, proactively stopping adversaries before they can compromise user accounts. By leveraging AI-driven behavioral analytics, continuous identity monitoring, and risk-based authentication, Falcon Identity Protection detects unauthorized access attempts, lateral movement, and MFA bypass techniques in real time. The platform seamlessly integrates with existing identity providers (IdPs) and enforces Zero Trust principles, ensuring that only verified users gain access to critical systems.
Furthermore, CrowdStrike Falcon® Shield prevents attackers from escalating privileges, executing lateral movement, or gaining persistence within an environment through preemptive enforcement policies, session monitoring, and active attack disruption. By combining Falcon Identity Protection and Falcon Shield, organizations can establish an end-to-end identity security strategy, preventing identity-based attacks at every stage—before credentials are stolen, abused, or exploited.