CrowdStrike Warns: Identity Is the Fastest Moving Threat Vector
CrowdStrike’s 2025 Threat Hunting Report does not mince words. Identity-based compromise is not just rising, it is dominant.
- 52% of vulnerabilities observed by CrowdStrike in 2024 were related to initial access, with the majority of the TTPs focused on valid accounts.
- Over 73% of interactive intrusions tracked were attributed to eCrime, with adversaries increasingly skipping malware and instead going straight for credentials.
- Vishing attacks surged 442% in late 2024 and have already surpassed those totals in just the first half of 2025.
These attacks, often conducted by adversaries like SCATTERED SPIDER, bypass MFA entirely by socially engineering help desks into resetting credentials and revoking MFA devices, prompting CrowdStrike to call out: “It is difficult for a single security tool to distinguish between a legitimate employee and an adversary using stolen credentials.”
Here are some key takeaways from the report and recommendations specific to identity defense.
Necessity of Cross-Domain Visibility
The report details how adversaries now move fluidly across identity, cloud, and endpoint domains, making them invisible to siloed tools. BLOCKADE SPIDER and OPERATOR PANDA exemplify this evolution: gaining access via VPN or cloud infrastructure, pivoting through identity providers, and maintaining persistence without touching endpoints at all.
In one case, BLOCKADE SPIDER added compromised users to a “No MFA” Active Directory group, bypassed controls, and deployed ransomware while evading traditional detection systems.
Action: Correlate identity, endpoint, and cloud activity using a SIEM or XDR with behavioral analytics, immutable authentication and identity logs, and differential analysis against device-bound identities. Monitor and enforce adaptive access controls that account for anomalous access patterns such as after-hours logins, bulk exports, and privilege escalation attempts.
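The “No MFA” group abuse above is a good illustration of why identity and authentication events have to be correlated rather than alerted on in isolation. The following is an added example (not CrowdStrike’s or Beyond Identity’s code) of that correlation over a constructed, simplified event stream: it flags any addition to a group whose name looks like an MFA exclusion, then flags later logons by that account that are MFA-less or fall outside business hours. The event schema, group-name pattern and business-hours window are assumptions for the example.

```python
"""Correlate MFA-exclusion group changes with subsequent logons.
Added example; the event format below is constructed, not real telemetry."""
import re
from datetime import datetime, time

# Constructed sample events in a simplified AD / identity-provider style.
EVENTS = [
    {"ts": "2025-03-10T14:02:11", "type": "group_add", "actor": "svc-helpdesk",
     "member": "j.doe", "group": "No MFA Users"},
    {"ts": "2025-03-10T14:05:40", "type": "logon", "user": "j.doe",
     "src": "203.0.113.9", "mfa": False},
    {"ts": "2025-03-10T23:48:02", "type": "logon", "user": "j.doe",
     "src": "198.51.100.7", "mfa": False},
    {"ts": "2025-03-10T09:12:30", "type": "logon", "user": "a.smith",
     "src": "10.0.0.5", "mfa": True},
]

# Assumed naming pattern for groups that exempt members from MFA enforcement.
EXCLUSION_GROUP = re.compile(r"no[\s_-]?mfa|mfa[\s_-]?(exempt|bypass)", re.I)
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed local hours


def is_after_hours(ts: str) -> bool:
    """True for weekend logons or logons outside the assumed business window."""
    d = datetime.fromisoformat(ts)
    return d.weekday() >= 5 or not (BUSINESS_START <= d.time() < BUSINESS_END)


def hunt(events: list) -> list:
    """Return alerts: one per exclusion-group add, plus one per later logon by
    that account that is MFA-less or after hours. Events are processed in time order."""
    watched = {}  # user -> timestamp of the exclusion-group add
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "group_add" and EXCLUSION_GROUP.search(e["group"]):
            watched[e["member"]] = e["ts"]
            alerts.append({"rule": "mfa_exclusion_add", "user": e["member"],
                           "ts": e["ts"], "by": e["actor"]})
        elif e["type"] == "logon" and e.get("user") in watched and e["ts"] > watched[e["user"]]:
            reasons = []
            if not e["mfa"]:
                reasons.append("no_mfa")
            if is_after_hours(e["ts"]):
                reasons.append("after_hours")
            if reasons:  # only the correlated, suspicious logons are raised
                alerts.append({"rule": "post_exclusion_logon", "user": e["user"],
                               "ts": e["ts"], "src": e["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(a)
```

The same logic applies unchanged to a real SIEM feed once the `group_add` and `logon` records are mapped from the directory’s membership-change and authentication events.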
GenAI Is Fueling Identity Fraud at Scale
FAMOUS CHOLLIMA, a DPRK-nexus actor, used GenAI to infiltrate more than 320 companies as fake software engineers. They automated résumé generation, real-time deepfake interviews, and multilingual code generation to operate across multiple job roles undetected.
GenAI is not just accelerating phishing content. It is optimizing adversary workflows across credential theft, code obfuscation, and impersonation.
Action: Harden the entire identity lifecycle, starting with the hiring process, with identity verification and deterministic assertions of identity, device posture, and real-time security compliance.
Close Your Device Trust Gaps
Adversaries like GLACIAL PANDA exemplify stealth persistence using hijacked Linux systems, trojanized OpenSSH binaries, and credential harvesting tools like ShieldSlide. These techniques exploit unmanaged or legacy devices, which are often blind spots in enterprise defenses.
Action: Establish continuous trust for all devices, including and especially Linux, legacy, and unmanaged or partner devices, using Device-Bound Credentials (DBC), real-time posture signals, and active trust monitoring. Do not just validate the user. Validate the device, OS integrity, and session behavior continuously. Do not stop at macOS, Windows, and mobile devices. Close the visibility and control gap over unmanaged, contractor, partner, Linux, and older devices.
The Cloud Is an Adversary Playground
China-nexus actors like MURKY PANDA and GENESIS PANDA are exploiting identity misconfigurations, trusted service accounts, and weak IAM governance to persist and exfiltrate data.
GENESIS PANDA regularly abuses metadata services to escalate privilege and inject persistence into cloud control planes.
Action: Treat your cloud control plane like core infrastructure. Monitor service principal behavior, enforce strict access segregation, and audit for privilege sprawl and long-lived tokens.
Conclusion
The 2025 CrowdStrike Threat Hunting Report makes it clear: the identity attack surface is expanding faster than legacy controls can keep up. Enterprises must assume that credentials will be compromised, that adversaries will operate across domains, and that devices and users alike must be continuously validated.
What to Do Next:
- Deploy phishing-resistant, Device-Bound Credentials (DBCs) without fallbacks
- Monitor and hunt across identity, device, and cloud events backed by immutable logs
- Use real-time risk signals to drive adaptive access policies across your environment, including endpoint gaps (e.g. Linux, older devices, unmanaged devices, partner and contractor devices)
- Harden the identity lifecycle and validate trust continuously
Make identity compromise impossible
Beyond Identity’s platform replaces passwords and phishable MFA with unstealable, device-bound credentials and continuously evaluates user and device risk to shut down adversaries in real time. Learn how we do it!