
Flashpoint Gives MSSPs, Security Teams a Deep Dive into Identity-Based Threats


Enterprises and MSSPs alike know that identity is now a critical issue in cybersecurity. The question becomes whether they understand what all that entails.

Ian Gray, vice president of intelligence at Flashpoint, isn’t so sure.

“Many still underestimate the extent of the attack surface,” Gray told MSSP Alert. “The conversation is often centered on employee credentials, while attackers increasingly leverage a much broader set of identity artifacts, including session cookies, cloud tokens, browser data, and authenticated sessions.”

There’s a growing realization that identity risk extends beyond the corporate network, he said.

“A compromised personal device, browser profile, or third-party SaaS account can create pathways into enterprise environments,” Gray said. “Most organizations recognize the threat conceptually, but many are still adapting their security programs to address identity exposure occurring outside traditional security boundaries.”

Digging Into the Details

In a 25-page report released this week, Flashpoint researchers detailed what the modern-day environment looks like when it comes to identity with the goal of reinforcing the message for IT, threat intelligence, fraud, and hunt teams – as well as MSSPs and other service providers – that the threat no longer lives only within the network perimeter.

“Infostealers have transformed identity into a scalable attack vector – one that extends beyond corporate infrastructure into employee browsers, personal devices, and SaaS environments,” wrote the authors of the report, “Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense.” “As a result, organizations are now responsible for defending an attack surface that is continuously expanding, often outside the visibility of traditional security controls.”

A Look at the Numbers

The report pointed to a case earlier this year, when a publicly disclosed database emerged that contained more than 149 million stolen login credentials, which weren’t tied to a single breach or organization. Rather, they’d been collected over time from myriad devices infected with information-stealing malware that collected usernames, passwords, session data, and the context necessary to use them.

There was no single incident to respond to or alert tying the data to a single attack. The identity data was captured, circulated, and resold, the authors wrote. It was ready for threat actors to use across corporate systems, cloud platforms, and third-party services.

Among the data points in the report was that more than 11.1 million devices were compromised with infostealer malware last year, leading to more than 3.3 billion credentials, cloud tokens, and the like stolen and put into circulation.

In addition, Flashpoint researchers found more than 30 active infostealer strains being sold and passed around among the cybercrime ecosystem, and Flashpoint’s credential database contains more than 48 billion credentials, with more than 1 billion linked to infostealer activity.

AI's Influence on Identity

Such numbers indicate that for security teams and MSSPs, the job is not just detecting when a breach occurs but understanding when access already exists, including where compromised credentials are circulating, how they’re being used, and how quickly they can be weaponized.

In the middle of this is the rapidly expanding use of AI and AI agents by defenders and attackers alike. When OpenAI’s ChatGPT hit the scene in late 2022, initial worries centered around such concerns as the technology making it easier for bad actors to write more convincing emails or to write malware. Three-plus years later, the threat has expanded and highlights the need for security pros to continue to adopt AI in their work.

“What concerns us is not simply AI generating phishing emails or malware code,” Gray said. “It's the potential for AI to help threat actors rapidly aggregate, enrich, test, and prioritize stolen identity data at scale. When you combine billions of stolen credentials and session artifacts with automated decision-making, the time between exposure and exploitation continues to shrink.”

The Need to Keep Pace

That’s a key reason why Flashpoint describes identity-based threats “as increasingly machine-speed problems,” he said. “Defenders need visibility and response capabilities that can keep pace with that acceleration.”

That includes MSSPs and MSPs, which are important because they are involved in multiple client environments, where they can more easily identify broad patterns of exposure that individual companies can miss, he said. With this, they can be central players in monitoring for compromised credentials, detecting identity-based threats, and helping organizations operationalize response workflows.

“The challenge is that identity exposure doesn't exist in a single location,” Gray said. “Relevant data may appear across underground forums, marketplaces, Telegram channels, infostealer logs, breach repositories, and other sources. At the same time, service providers are expected to deliver actionable intelligence rather than simply alert customers to the existence of exposure.”

Understanding the Threat

They need to be able to translate the huge amounts of such data into prioritized actions that clients can execute.

The first step in doing all of this is expanding their definition of identity risk. However, regarding capabilities, “organizations and service providers need strong identity monitoring, exposure detection, threat intelligence, incident response processes, and the ability to quickly invalidate sessions and credentials when exposure occurs,” Gray said.

He added that “perhaps most importantly, they need analysts who can provide context. Security teams don't need more alerts. They need to understand what was exposed, who may be affected, how the exposure occurred, and whether attackers are actively operationalizing that access.”
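The capabilities Gray lists (identity monitoring, exposure detection, fast session and credential invalidation, and context on what was exposed and who is affected) can be illustrated with a small triage routine. The following is an added example written for this article, not Flashpoint's code or anything from the report; it assumes a hypothetical identity inventory (`INVENTORY`) mapping accounts to their session IDs and cloud tokens, and a constructed list of exposure records (`EXPOSURES`) in the shape an intelligence feed might deliver. It attributes each exposed artifact back to an account, scores it by artifact type and freshness, and emits the invalidation steps a responder would execute, while flagging artifacts it cannot attribute for analyst review rather than acting on them blindly.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the example is deterministic.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed identity inventory (hypothetical): which artifacts each account owns.
INVENTORY = {
    "alice@example.com": {"sessions": {"sess-a1"}, "cloud_tokens": {"tok-a1"}},
    "bob@example.com": {"sessions": {"sess-b1"}, "cloud_tokens": set()},
}

# Constructed exposure records in the shape an intelligence feed might deliver.
EXPOSURES = [
    {"artifact": "password", "account": "alice@example.com",
     "host": "sso.example.com", "seen": NOW - timedelta(days=1), "source": "marketplace"},
    {"artifact": "session_cookie", "value": "sess-a1",
     "host": "mail.example.com", "seen": NOW - timedelta(hours=2), "source": "stealer_log"},
    {"artifact": "cloud_token", "value": "tok-zz",
     "host": "cloud.example.com", "seen": NOW - timedelta(days=40), "source": "forum"},
    {"artifact": "password", "account": "carol@example.com",
     "host": "oldshop.example.net", "seen": NOW - timedelta(days=400), "source": "breach_dump"},
]

# Live session material outranks a bare password: it sidesteps the MFA prompt entirely.
SEVERITY = {"session_cookie": 3, "cloud_token": 3, "password": 2}


@dataclass
class Action:
    account: Optional[str]
    artifact: str
    priority: int
    source: str
    steps: list = field(default_factory=list)


def resolve_account(rec, inventory):
    """Map an exposure record back to the account that owns the artifact, if known."""
    if "account" in rec:
        return rec["account"] if rec["account"] in inventory else None
    value = rec.get("value")
    for user, arts in inventory.items():
        if value in arts["sessions"] or value in arts["cloud_tokens"]:
            return user
    return None


def recency_bonus(seen, now):
    """Fresh artifacts are more likely to still be valid and actively in use."""
    age = now - seen
    if age < timedelta(days=7):
        return 2
    if age < timedelta(days=90):
        return 1
    return 0


def triage(records, inventory, now=NOW):
    """Turn raw exposure records into prioritised, account-specific response actions."""
    actions = []
    for rec in records:
        account = resolve_account(rec, inventory)
        kind = rec["artifact"]
        if account is None:
            # Nothing in the inventory to revoke; route to an analyst instead of guessing.
            label = rec.get("account") or rec.get("value")
            actions.append(Action(None, kind, 1, rec["source"],
                                  [f"{kind} for {label} not in inventory: verify ownership before acting"]))
            continue
        priority = SEVERITY[kind] + recency_bonus(rec["seen"], now)
        if kind == "session_cookie":
            steps = [f"revoke session {rec['value']}", f"require re-authentication for {account}"]
        elif kind == "cloud_token":
            steps = [f"revoke token {rec['value']}",
                     f"audit API activity for {account} since {rec['seen'].date()}"]
        else:
            steps = [f"force password reset for {account}",
                     f"invalidate all active sessions for {account}"]
        actions.append(Action(account, kind, priority, rec["source"], steps))
    # Highest priority first; the stable sort keeps feed order for ties.
    return sorted(actions, key=lambda a: -a.priority)


def affected_accounts(actions):
    """Answer 'who may be affected' for the records that could be attributed."""
    return {a.account for a in actions if a.account}


if __name__ == "__main__":
    for a in triage(EXPOSURES, INVENTORY):
        print(a.priority, a.artifact, a.account, a.source, "->", "; ".join(a.steps))
```

The ordering matters more than the exact weights: a session cookie seen two hours ago outranks a year-old password from a retail breach, and anything the inventory cannot attribute is queued for a human rather than triggering an automated revocation. In practice the `INVENTORY` lookup would be a query against the identity provider and the feed would arrive continuously, but the shape of the decision (attribute, score, invalidate, explain) is the same.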

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
