Why Identity Has Become the Primary Attack Surface

Report Type
Training

Most attacks don’t break in anymore.

They log in.

In many modern environments, initial access no longer requires:

·        Exploiting a vulnerability

·        Dropping malware

·        Triggering a high-confidence alert


Instead, it looks like:

·        A user authenticating successfully

·        A session being established

·        Access to systems occurring through normal channels


From a logging perspective:

Nothing is clearly wrong.

The Core Problem

Traditional detection was built around one assumption:

👉 Malicious activity introduces something new

Something like:

·        A new binary

·        A known bad domain

·        A recognizable signature

Identity-based intrusion does not introduce something new.

👉 It misuses what already exists

That means:

·        Authentication logs appear valid

·        Access tokens are legitimate

·        Application activity follows expected patterns

Detection doesn’t fail because activity is hidden.

It fails because:

👉 Validation succeeds

What Changed

The shift didn’t happen because attackers became more sophisticated.

It happened because they no longer need to introduce anything new.

Instead of breaking into systems:

They can operate entirely within:

·        Valid accounts

·        Trusted applications

·        Approved workflows

At the same time:

·        Credentials are easier to obtain

·        Access is easier to maintain

·        Activity blends into normal operations

👉 The result:

Detection based on “something new appearing” becomes far less effective.

What This Looks Like in Practice

This is what that looks like in real environments.

Scenario 1: Phishing → Account Access → Data Exposure

A user receives a phishing email and enters credentials.

Shortly after:

·        A login occurs from a new location

·        MFA is satisfied (push fatigue or token replay)

·        A valid session is created

Then:

·        The account accesses a SaaS platform

·        Files are viewed or downloaded

·        Internal data is exposed

No malware.
No exploit.
No indicator.

Every action appears legitimate.

Scenario 2: Credential Reuse → Internal Exploration

An attacker uses previously leaked credentials.

They log in successfully.

Then:

·        Access internal applications

·        Query systems they’ve never accessed before

·        Enumerate available resources

Nothing triggers.

Because:

·        Credentials are valid

·        Access is allowed

·        Activity appears normal in isolation

But the behavior is inconsistent with the user’s history.

Scenario 3: Legitimate Tools → Suspicious Sequence

An attacker gains access to an account.

They use only approved tools:

·        Admin consoles

·        SaaS dashboards

·        Built-in system utilities

Then:

·        Access privileged systems

·        Modify configurations

·        Initiate external connections

Every action is allowed.

The problem isn’t the action.

👉 It’s the sequence.

Scenario 4: MFA Bypass → Silent Persistence

An attacker gains session access via token theft or MFA fatigue.

They:

·        Maintain access without re-authenticating

·        Revisit systems periodically

·        Avoid triggering login anomalies

There are no repeated suspicious logins.

Just:

·        Ongoing, low-noise activity

·        Spread over time

·        Within expected boundaries

Where Detection Breaks Down

Across all scenarios:

·        Events are evaluated independently

·        Systems are siloed

·        There is no enforced correlation across time

So the logic becomes:

·        Login → valid

·        Access → valid

·        Action → valid

Case closed.

The problem is not visibility.

👉 It is correlation and interpretation

Where the Signal Actually Lives

The signal is not in the event.

It is in the pattern.
Across these scenarios, patterns look like:

·        First-time login + unusual access

·        Valid session + abnormal sequence

·        Normal tools + unexpected usage patterns

·        Legitimate access + inconsistent behavior

Individually:

These are weak signals.

Combined:

They form behavior that does not make sense.

What This Means for Detection

Detection must shift from:

·        Event validation

To:

·        Behavior evaluation over time

From:

“Is this login valid?”

To:

“Does this sequence of activity make sense for this user?”

This requires:

·        Correlating identity, endpoint, and network activity

·        Evaluating sequences rather than isolated events

·        Understanding what is normal for a user
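As an added example that is not part of the original post, the shift from “is this login valid?” to “does this sequence make sense for this user?” can be shown as a small scoring routine over constructed authentication and access events: every event is individually valid, but a first-time login location combined with a burst of never-used applications in one session crosses a threshold. The baseline, events, weights and threshold are all constructed for illustration, not taken from any real product or environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 4  # constructed for this example; tune against a real baseline
# Constructed 30-day baseline: where each user normally logs in from and
# which applications they normally use.
BASELINE = {"alice": {"locations": {"Berlin"}, "apps": {"mail", "wiki"}}}

# Constructed events. Every one of them is individually valid: the login
# succeeded and the access was permitted by policy.
EVENTS = [  # (ISO timestamp, user, kind, detail)
    ("2025-01-10T08:02:00", "alice", "login", "Berlin"),
    ("2025-01-10T08:05:00", "alice", "access", "mail"),
    ("2025-01-10T22:41:00", "alice", "login", "Lagos"),
    ("2025-01-10T22:43:00", "alice", "access", "hr-portal"),
    ("2025-01-10T22:44:00", "alice", "access", "finance-db"),
    ("2025-01-10T22:46:00", "alice", "access", "admin-console"),
]

def sessions_by_login(events):
    """Group each user's events into sessions; a login starts a new one."""
    sessions, current = defaultdict(list), {}
    for ts, user, kind, detail in sorted(events):
        if kind == "login":
            current[user] = ts
        sessions[(user, current.get(user, ts))].append(
            (datetime.fromisoformat(ts), kind, detail))
    return sessions

def score_sessions(events, baseline, window=timedelta(minutes=30)):
    """Combine the weak signals inside each session into one score."""
    results = []
    for (user, start), evs in sessions_by_login(events).items():
        known = baseline.get(user, {"locations": set(), "apps": set()})
        score, reasons, t0 = 0, [], evs[0][0]
        new_apps = []  # never-seen apps touched shortly after the login
        for ts, kind, detail in evs:
            if kind == "login" and detail not in known["locations"]:
                score += 2; reasons.append(f"first-time location {detail}")
            if kind == "access" and detail not in known["apps"]:
                score += 1; reasons.append(f"first-time app {detail}")
                if ts - t0 <= window:
                    new_apps.append(detail)
        # Sequence feature: several never-seen apps in one short burst
        if len(new_apps) >= 3:
            score += 2; reasons.append("rapid enumeration of new apps")
        results.append({"user": user, "session": start, "score": score,
                        "flagged": score >= THRESHOLD, "reasons": reasons})
    return results
```

The morning session scores zero; the evening session scores 7 and is flagged, even though no single event in it would have produced an alert on its own.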

Operational Reality

This is difficult.

Because:

·        Signals are noisy

·        Context is incomplete

·        Analysts are time-constrained

Which leads to:

👉 If nothing is clearly malicious, nothing is escalated

That is the failure point.

Key Takeaway

Attackers can change:

·        Tools

·        Infrastructure

·        Payloads

They cannot avoid:

·        Logging in

·        Accessing systems

·        Moving through environments

That activity creates patterns.
Detection must focus on those patterns.

Final Principle

Most identity-based attacks are fully visible in logs.
