Attackers Are Stealing Identity at Lightning Speed – Here’s How We Stop Them

In 2026, identity is the primary target in modern cyberattacks. Credentials, session tokens, and trusted user access have become the fastest and most reliable way for attackers to bypass perimeter controls and move directly into business-critical systems.

The pace of these attacks has accelerated dramatically. Industry reporting shows average adversary breakout times, the window between initial access and lateral movement, are often under an hour, with some cases reported in seconds. With AI-enabled tooling, attackers can automate credential harvesting, session hijacking, and social engineering at a scale and speed that fundamentally changes the defender’s challenge.

For organisations, this creates a stark reality: if detection and response are not faster than compromise, visibility and control are lost, sometimes almost instantly.

At the same time, regulatory expectations are rising. The UK Cyber Action Plan (2026) mandates rapid incident visibility and response. The Cyber Security & Resilience Bill is expected to expand responsibility across MSPs and data centres. In the EU, NIS2 and the Cyber Resilience Act elevate requirements around identity security, supply chain risk, and incident reporting. In this environment, speed is no longer just a technical advantage; it is a core operational and compliance requirement.

Why Identity Has Become the Primary Attack Vector

Identity-based attacks dominate because credentials and tokens provide legitimate access. Once attackers obtain valid credentials, or compromise a session token / OAuth trust path, they can often:

  • Bypass endpoint and network controls
  • Move laterally using trusted administrative tools
  • Escalate privileges without triggering common detection logic
  • Blend malicious activity into normal user behaviour

AI compounds this risk by accelerating the attack chain. Automated workflows can test credentials at scale, hijack sessions, and pivot techniques in seconds. When blocked, attackers simply iterate, often faster than traditional SOC workflows can respond.

This shift hasn’t eliminated known attack patterns. Credential harvesting still looks like credential harvesting. Lateral movement still follows recognisable paths. What has changed is tempo. Defenders are no longer racing human adversaries; they are racing machine-assisted attack chains.

What’s New and Why It Matters

Several converging trends are redefining identity security:

  • Identity-focused attacks dominate initial access. Compromised credentials, tokens, and abused SSO sessions remain the gateway to business email compromise, brand impersonation, and ransomware staging.
  • AI acts as a force multiplier. Automated tooling allows attackers to scale credential theft and social engineering faster than human-paced triage and response workflows can react.
  • Supply chain and trust exploitation is rising. Attacks increasingly abuse legitimate software, vendors, and user trust – areas emphasised by NIS2 and the Cyber Resilience Act.
  • Speed has material financial impact. In one recent case, post-incident analysis estimated that a response delay of approximately 10 minutes could have increased client losses by around £1.7M.

Regulators now expect organisations to detect, assess, and contain incidents rapidly. Where SOCs cannot meet these timelines, the risks extend beyond security to include regulatory exposure, operational disruption, and reputational damage.

Detection in Action: How the SOC Responds at Speed

At Redsquid, the differentiator isn’t a single tool or detection technology; it’s how signals are turned into decisions.

Modern attacks generate large volumes of low-level indicators: suspicious process launches, anomalous authentication attempts, registry changes and command-line activity. On their own, these signals can be ambiguous. The SOC’s role is to assemble context fast enough for decisive action.

This requires:

  • Automated enrichment to correlate identity, endpoint, and behavioural telemetry
  • Prioritisation based on impact, not volume
  • Real-time escalation to senior analyst judgement
  • The authority to contain threats using agreed runbooks, without multi-tier escalation delays

When these elements work together, the window between compromise and containment collapses.

Two Case Studies, One Lesson: Speed Wins

Case Study 1: Trojanised PuTTY / Lumma InfoStealer

Identity and Access Management (IAM) Threat

Infostealer targeting credentials

What happened
Attackers abused legitimate software distribution channels, deploying a combination of trusted and malicious executables. The objective was to harvest credentials and establish persistence before attempting lateral movement.

Key risks

  • Credential theft leading to impersonation
  • Abuse of legitimate software to evade detection
  • Registry modification and session hijacking

SOC detection and response
The SOC identified anomalous execution patterns inconsistent with approved application behaviour. Automated enrichment surfaced integrity anomalies, triggering immediate analyst review.

  • The affected endpoint was isolated before the attacker could progress to credential harvesting
  • Application whitelisting and integrity controls prevented execution of the malicious payload
  • Indicators of compromise were identified and actioned in real time across the environment

Impact
Post-incident analysis estimated that a response delay of approximately 10 minutes could have increased client losses by around £1.7M, driven by identity compromise and potential downstream fraud.

Lesson
Even attacks that blend legitimate and malicious activity can be stopped — but only when detection and analyst decision-making operate faster than the attacker’s timeline. Identity compromise isn’t stopped by “more alerts” – it is stopped by faster decisions.

Case Study 2: ClickFix Malware Attack Chain

Identity Exposure via Social Engineering

ClickFix hidden prompt and cursor alert

What happened
A deceptive Windows+R prompt was used to initiate a fileless malware chain designed to harvest credentials and enable brand impersonation. Microsoft reporting indicates ClickFix-style lures became a major contributor to initial access in 2025, accounting for around 47% of observed initial access methods.

Key risks

  • Social engineering combined with user trust abuse
  • Fileless malware leveraging living-off-the-land binaries (LOLBins)
  • Exploitation of previously exposed credentials

SOC detection and response
Dark Web monitoring surfaced pre-exposed credentials associated with the user account. Correlation with endpoint behaviour elevated the alert priority.

  • Analysts validated the risk context within minutes
  • Containment actions prevented progression to credential misuse and account takeover
  • No escalation into lateral movement or impersonation occurred

Lesson
Fileless and socially engineered attacks can still be neutralised, but only when SOCs operate in seconds, not minutes.
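The correlation step described under “Detection in Action” (enrich identity, endpoint and behavioural telemetry; prioritise by impact) and in both case studies’ SOC detection and response sections can be shown in code. The following Python routine is an added example written for this page, not Redsquid’s or ASPECT’s tooling. Everything in it is constructed: the event schema, the approved-binary allowlist and its placeholder hashes, the LOLBin list, the “exposed credentials” set standing in for a Dark Web monitoring feed, and the scoring weights. It flags a trusted application name running from an unapproved path or with an unexpected hash (the integrity anomaly of Case Study 1), a LOLBin launched interactively with arguments (the Windows+R pattern of Case Study 2), and a sign-in from a new location, then raises the priority of any account whose credentials were already exposed, so that identity exposure alone stays a monitoring fact but becomes a containment trigger once endpoint behaviour corroborates it.

```python
"""Correlate endpoint, authentication and identity-exposure telemetry into prioritised alerts.

Added example for this article; all reference data and events below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed allowlist: lower-cased full path -> expected hash. Hashes are placeholders.
APPROVED_BINARIES = {
    r"c:\program files\putty\putty.exe": "PLACEHOLDER_SHA256_APPROVED_PUTTY",
}
APPROVED_NAMES = {PureWindowsPath(p).name for p in APPROVED_BINARIES}
# Constructed list of living-off-the-land binaries worth scrutinising when run interactively.
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cmd.exe"}
# Constructed stand-in for a Dark Web monitoring feed of accounts with exposed credentials.
EXPOSED_CREDENTIALS = {"bob"}


@dataclass
class Event:
    kind: str   # "process" or "auth"
    user: str
    host: str
    data: dict  # constructed fields: image, sha256, parent, cmdline, new_location


@dataclass
class Alert:
    user: str
    host: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def priority(self) -> str:
        """Impact-based triage band; thresholds are constructed for this example."""
        if self.score >= 70:
            return "contain"
        if self.score >= 40:
            return "review"
        return "monitor"


def endpoint_findings(ev: Event) -> list[tuple[str, int]]:
    """Return (reason, weight) pairs for one endpoint or authentication event."""
    findings: list[tuple[str, int]] = []
    if ev.kind == "process":
        path = ev.data["image"].lower()
        name = PureWindowsPath(path).name
        parent = ev.data.get("parent", "").lower()
        # Integrity anomaly: an approved application name, but the path or hash does not match.
        if name in APPROVED_NAMES and APPROVED_BINARIES.get(path) != ev.data.get("sha256"):
            findings.append(("trusted application name from unapproved path or hash", 50))
        # Interactive LOLBin launch with arguments, e.g. via a Run (Windows+R) prompt.
        if name in LOLBINS and parent == "explorer.exe" and ev.data.get("cmdline"):
            findings.append(("LOLBin launched interactively from explorer.exe with arguments", 40))
    elif ev.kind == "auth" and ev.data.get("new_location"):
        findings.append(("successful sign-in from a location not seen before for this user", 20))
    return findings


def identity_findings(user: str) -> list[tuple[str, int]]:
    """Identity enrichment: prior credential exposure raises priority but is not an alert alone."""
    if user in EXPOSED_CREDENTIALS:
        return [("credentials for this account seen in Dark Web monitoring", 30)]
    return []


def correlate(events: list[Event]) -> list[Alert]:
    """Group events per (user, host), score them, enrich with identity context, rank by impact."""
    alerts: dict[tuple[str, str], Alert] = {}
    for ev in events:
        alert = alerts.setdefault((ev.user, ev.host), Alert(ev.user, ev.host))
        for reason, weight in endpoint_findings(ev):
            alert.reasons.append(reason)
            alert.score += weight
    for alert in alerts.values():
        if alert.reasons:  # enrich only where behavioural evidence already exists
            for reason, weight in identity_findings(alert.user):
                alert.reasons.append(reason)
                alert.score += weight
    return sorted((a for a in alerts.values() if a.score > 0), key=lambda a: a.score, reverse=True)


# Constructed sample telemetry: one benign launch, one integrity anomaly, one LOLBin + new-location chain.
SAMPLE_EVENTS = [
    Event("process", "carol", "WS03", {"image": r"C:\Program Files\PuTTY\putty.exe",
                                       "sha256": "PLACEHOLDER_SHA256_APPROVED_PUTTY", "parent": "explorer.exe"}),
    Event("process", "alice", "WS01", {"image": r"C:\Users\alice\Downloads\putty.exe",
                                       "sha256": "PLACEHOLDER_SHA256_UNKNOWN", "parent": "explorer.exe"}),
    Event("process", "bob", "WS02", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                     "parent": "explorer.exe", "cmdline": "powershell.exe [constructed arguments]"}),
    Event("auth", "bob", "WS02", {"new_location": True}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert.priority.upper():8} {alert.user}@{alert.host} score={alert.score}")
        for reason in alert.reasons:
            print(f"         - {reason}")
```

Run as a script, the sample produces two alerts: bob@WS02 ranks first and lands in the “contain” band because the interactive LOLBin launch, the new-location sign-in and the prior credential exposure reinforce each other, while alice@WS01 is a “review” on the integrity anomaly alone and carol’s approved PuTTY launch generates nothing. Ordering by impact rather than by event count is what lets the analyst act on the right case first.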

The Cost of Delay

In identity-driven attacks, small delays have outsized consequences:

  • Account takeover and credential exposure
  • Business email compromise (BEC)
  • Brand impersonation and fraud
  • Regulatory reporting obligations under GDPR and NIS2
  • Direct financial loss and operational disruption

Speed is no longer optional. It is the difference between containment and catastrophe.

The Redsquid Advantage

Redsquid enables organisations to respond faster than attackers can act:

  • Sub-one-minute alert acknowledgement
  • Analyst-first, automation-supported SOC operations
  • ASPECT removes escalation delays by design
  • Consistent prevention of credential theft before it becomes a breach

The result is not just detection, but decisive containment at the speed modern attacks demand.

Policy and Market Context

  • UK Cyber Action Plan (2026): Mandates rapid incident visibility and response
  • Cyber Security & Resilience Bill: Proposes expanded accountability across MSPs and data centres
  • NIS2 & Cyber Resilience Act: Tighten requirements around identity security, supply chain risk, and incident reporting obligations
  • AI-enabled attacks: Accelerate speed and scale, raising expectations of SOC performance

Compliance and resilience increasingly depend on real-time visibility, senior analyst judgement, and rapid containment. In this environment, resilience is measured in minutes and compliance depends on proving you can see, decide and act fast.
