All news with #identity threat detection and response tag

🔒 Microsoft describes how Microsoft Defender’s predictive shielding — part of automatic attack disruption — proactively contains exposed high-privilege identities to stop credential abuse and lateral movement. In a June 2025 public sector incident, automated containment prevented attackers from leveraging exposed domain credentials to escalate and pivot across identity and Exchange infrastructure. The feature evaluates exposure signals and applies just-in-time restrictions to block sign-ins, sessions, and interactive pivots while investigators remediate. It’s available out‑of‑the‑box for Defender for Endpoint P2 customers who meet prerequisites.

🔐 In this episode of the Talos Threat Perspective, Hazel Burton examines how identity is being used to gain, extend, and maintain access inside environments. Drawing on the 2025 Talos Year in Review, the video outlines how attackers target identity systems and MFA workflows, establish persistent high-trust access, and use internal phishing to move laterally. It also explores risks from over-permissioned AI agents and identity-linked access, and how adversaries blend into normal user behaviour, complicating detection and containment.

🔒 The Cisco Talos 2025 Year in Review, discussed by Christopher Marshall and Peter Bailey, highlights accelerating attacker speed and a shift toward identity as the primary battleground. The report shows rapid weaponization of new flaws alongside persistent exploitation of legacy, end-of-life infrastructure, and a sharp rise in fraudulent device registration. Defenders are urged to prioritize identity controls, visibility, lifecycle discipline, and secure AI governance to keep pace.

🔒 HackerOne is notifying employees that their personal data was exposed after a compromise of benefits administrator Navia. The company reported a Broken Object Level Authorization (BOLA) vulnerability allowed an unknown actor to access Navia records between December 22, 2025 and January 15, 2026, affecting 287 employees. Exposed fields include Social Security numbers, names, contact details, dates of birth, and plan enrollment information. HackerOne advised monitoring accounts, changing passwords tied to exposed data, and using the 12‑month identity protection and credit monitoring Navia is offering.

⚠️ The Unit 42 2026 Global Incident Response Report analyzes over 750 major incidents across 50+ countries and reveals attackers are moving faster and leveraging trusted identities and integrations. The report documents AI-driven acceleration—some intrusions advanced from initial access to exfiltration in as little as 72 minutes—and shows identity weaknesses in nearly 90% of cases. It recommends reducing exposure, tightening identity controls, and increasing response speed.

🛡️Infostealer-laden Roblox “mods” and gaming downloads are a growing initial-access vector, commonly distributed through YouTube videos, Discord invites, GitHub repos, and cloud links. Within seconds these malicious executables harvest browser-saved passwords, session cookies, OAuth tokens, VPN credentials, SSH keys, and crypto wallets. Victims often run them on family or home PCs, enabling attackers to acquire corporate SSO access, bypass MFA with valid tokens, and move laterally. Identity compromise — not software exploits — is the primary enterprise threat.

🔐 The State of Incident Response Report 2026 from Eye Security finds cybercriminals increasingly exploiting legitimate credentials rather than breaking systems. Identity-based attacks now dominate, with 97% of incidents involving passwords and Business Email Compromise making up over 70% of cases. Ransomware remains a major threat as RaaS and access-broker marketplaces lower barriers. Analysis of 630 European incidents (2023–2025) shows many breaches begin with phishing, misconfigured internet-facing systems, or social engineering, and can go undetected for weeks.

🔐 Identity-focused attacks are now the dominant threat, and organizations must pair prevention with deep visibility. Identity Threat Detection & Response (ITDR) provides centralized logging, behavioral analytics, and alerts that reveal suspicious logins, anomalous account activity, and insider risk. tenfold combines Identity Governance and Event Auditing in one platform with lifecycle automation, access reviews, and centralized investigation tools. Book a personalized demo to evaluate capabilities and deployment speed.

🔒 SpyCloud announced Supply Chain Threat Protection, a new offering that extends identity threat monitoring across an organization’s entire vendor ecosystem using recaptured darknet data from breaches, malware, and successful phishes. The solution emphasizes verified, timely evidence of compromise over static scoring and external surface indicators. It provides an Identity Threat Index, visibility into compromised applications on supplier devices, and integrated response tools to help security, vendor risk, and GRC teams act on real threats.

🛡️ Amazon's chief security officer Stephen Schmidt says the company has blocked more than 1,800 job applications since April 2024 that are suspected to originate from North Korean agents, with linked submissions increasing roughly 27% per quarter in 2025. Amazon combines AI-based analysis with manual review—searching for links to at-risk institutions, application anomalies, and geographic inconsistencies—and verifies identities via background checks, references, and structured interviews. Recurring trends include increasingly sophisticated identity theft, hijacked LinkedIn profiles, fake U.S. educational credentials, and the use of "laptop farms" to simulate local presence; even phone numbers formatted with a country code of "1" can be a red flag. Amazon says the purpose appears to be securing remote employment to funnel income to North Korea's weapons program and urges industry peers to tighten identity verification and report suspicious activity to authorities such as the FBI.

🔒 CrowdStrike has been named the Overall Leader in the 2025 KuppingerCole Leadership Compass for Identity Threat Detection and Response, achieving top placement across Product, Innovation, Market, and Overall Ranking. The report cites Falcon Next-Gen Identity Security for its cloud-native design, AI/ML-driven detections, behavioral analytics, and automated identity-centric response. KuppingerCole highlights unified visibility across Active Directory, Entra ID, Okta, Ping, AWS IAM and SaaS via Falcon Shield, and notes deep integrations with XDR, SIEM, SOAR, IdP, IGA, PAM, and ITSM to accelerate detection and remediation for human, non-human, and AI agent identities.

🔒 The SpyCloud 2025 Identity Threat Report exposes a gap between confidence and capability: 86% of security leaders say they can prevent identity-based attacks, yet 85% of organizations experienced ransomware in the past year, with over one-third hit six to ten times. A survey of 500+ security leaders in North America and the UK highlights identity sprawl across SaaS, unmanaged devices and third-party ecosystems. The report notes phishing, credential reuse and exposed sessions increasingly enable persistent access. It warns that most organizations lack automated remediation, repeatable workflows and formal investigation protocols.

🔐 Organizations should urgently update defenses to counter the Scattered Spider collective, experts warned at the Gartner Security & Risk Management Summit 2025. The group used social engineering, helpdesk vishing, and push notification fatigue to bypass MFA and abuse SSO, compromising accounts like Okta and stealing tokens from LastPass. Firms are advised to implement stronger identity protections, number-matching MFA, stricter password-reset procedures, and tighter third-party vendor monitoring to reduce exposure.

🌊 Returning from vacation, the author notes headlines shifted away from AI and ransomware toward breaches tied to compromised OAuth tokens and integrations like Salesloft/Drift. The piece emphasizes two converging trends: supply chain risk that now includes datapaths where information is processed, and identity attacks that increasingly target interconnected applications. It highlights Cisco Talos’ CTI-CMM as a practical maturity framework to assess gaps, prioritize investments, and build a roadmap for continuous improvement.