Identity-driven attacks compress to 72 minutes; SOC speed gap widens
Unit 42 analysis of recent incidents shows attackers leveraging compromised credentials and identity manipulation to achieve data exfiltration in under 90 minutes, outpacing manual SOC workflows by 4X year-over-year.
Attack Brief
Target: Enterprise security operations centers (SOCs); identity and access management infrastructure
Vector: Compromised credentials, MFA manipulation, help-desk impersonation, privilege escalation, lateral movement across identity/endpoint/cloud/SaaS environments
Attribution: Muddled Libra (aka Scattered Spider), Spoiled Scorpius (RansomHub distributor)
Technical Details
MITRE ATT&CK: T1078, T1556, T1098, T1134, T1021, T1059.001
Affected: Multi-environment: identity systems, endpoint security controls, cloud infrastructure, SaaS platforms, remote access infrastructure
Impact
Sectors: Enterprise
Confirmed Damage: Data exfiltration of hundreds of gigabytes within hours of initial access; business impact achieved in compressed timelines (72 minutes observed in fastest cases)
Mitigation
Workarounds: Shift from sequential triage workflows to parallel enrichment; implement automated correlation across identity, endpoint, cloud, and network signals; predefine containment actions for compromised accounts, suspicious PowerShell, malware, and unauthorized remote access; prioritize behavioral detection over static indicators; secure remote access infrastructure
Detection: Correlate unusual privileged account activity, PowerShell execution, abnormal authentication patterns, privilege escalation attempts, lateral movement indicators, impossible-travel logins, and abnormal process execution chains. Per the Unit 42 Global Incident Response Report, 87% of incidents required evidence from two or more distinct sources; complex cases drew from up to 10 sources.
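The following is an added example, not Unit 42's tooling or anything from the brief, showing the correlation logic the Mitigation section describes: independent detectors run over constructed identity, endpoint and cloud events, findings are grouped per user inside a time window, a user is escalated to an incident only when findings come from two or more distinct sources (the pattern the brief reports for 87% of incidents), and containment actions are predefined per finding type rather than chosen during triage. The log sources, field names, the 900 km/h travel threshold, the expected-parent list for PowerShell and the containment strings are all assumptions made for the example.

```python
"""Multi-source identity-attack correlation (added example, not Unit 42 code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample telemetry from three hypothetical sources: idp, endpoint, cloud.
# Timestamps are UTC; geo is (lat, lon) resolved from the source IP.
EVENTS = [
    {"src": "idp", "user": "jdoe", "ts": "2026-01-10T10:00:00", "type": "login",
     "geo": (40.71, -74.00), "ip": "203.0.113.10"},          # New York
    {"src": "idp", "user": "jdoe", "ts": "2026-01-10T10:20:00", "type": "login",
     "geo": (52.52, 13.40), "ip": "198.51.100.7"},           # Berlin, 20 minutes later
    {"src": "idp", "user": "jdoe", "ts": "2026-01-10T10:25:00", "type": "mfa_factor_added"},
    {"src": "endpoint", "user": "jdoe", "ts": "2026-01-10T10:40:00", "type": "process",
     "host": "WS-042", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"src": "cloud", "user": "jdoe", "ts": "2026-01-10T10:55:00", "type": "role_change",
     "detail": "attached admin policy"},
    # Benign control: a single finding from a single source must not become an incident.
    {"src": "endpoint", "user": "asmith", "ts": "2026-01-10T11:00:00", "type": "process",
     "host": "WS-017", "parent": "explorer.exe", "image": "powershell.exe"},
]

MAX_PLAUSIBLE_KMH = 900            # assumed: faster than this between logins is impossible travel
CORRELATION_WINDOW = timedelta(hours=2)
EXPECTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "services.exe"}   # assumed allow-list

# Predefined containment per finding type (assumed actions, following the brief's
# guidance to decide containment before the incident rather than during triage).
CONTAINMENT = {
    "impossible_travel": "revoke sessions; force re-authentication",
    "mfa_factor_added": "remove new factor; require verified help-desk re-enrolment",
    "suspicious_powershell": "isolate host",
    "privilege_escalation": "detach role; preserve cloud audit log for the window",
}


def ts(e):
    return datetime.fromisoformat(e["ts"])


def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def detect(events):
    """Run each detector over the events; return (user, time, source, finding) tuples."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        # Impossible travel: consecutive logins whose implied speed is not plausible.
        logins = [e for e in evs if e["type"] == "login"]
        for prev, cur in zip(logins, logins[1:]):
            hours = (ts(cur) - ts(prev)).total_seconds() / 3600
            if hours > 0 and km(prev["geo"], cur["geo"]) / hours > MAX_PLAUSIBLE_KMH:
                findings.append((user, ts(cur), cur["src"], "impossible_travel"))
        for e in evs:
            if e["type"] == "mfa_factor_added":
                findings.append((user, ts(e), e["src"], "mfa_factor_added"))
            elif (e["type"] == "process" and e["image"] == "powershell.exe"
                  and e["parent"].lower() not in EXPECTED_PS_PARENTS):
                # Abnormal process chain: PowerShell launched by an unexpected parent.
                findings.append((user, ts(e), e["src"], "suspicious_powershell"))
            elif e["type"] == "role_change":
                findings.append((user, ts(e), e["src"], "privilege_escalation"))
    return findings


def correlate(findings, window=CORRELATION_WINDOW):
    """Group findings per user within the window; escalate only when >= 2 sources agree."""
    incidents = {}
    by_user = defaultdict(list)
    for f in findings:
        by_user[f[0]].append(f)
    for user, fs in by_user.items():
        fs.sort(key=lambda f: f[1])
        recent = [f for f in fs if fs[-1][1] - f[1] <= window]   # window ending at latest finding
        sources = {f[2] for f in recent}
        if len(sources) < 2:
            continue
        incidents[user] = {
            "sources": sorted(sources),
            "findings": [f[3] for f in recent],
            "actions": sorted({CONTAINMENT[f[3]] for f in recent}),
        }
    return incidents


if __name__ == "__main__":
    for user, inc in correlate(detect(EVENTS)).items():
        print(user, inc)
```

Each detector is independent of the others, so in a real pipeline they can run in parallel over the same event batch rather than as sequential triage steps; the two-source rule is what keeps a single noisy detector (here, asmith's ordinary PowerShell launch) from generating an incident on its own.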
Context
Similar Attacks: 65% of initial access driven by identity-based techniques per the 2026 Unit 42 Global Incident Response Report; attackers increasingly moving from malware-based compromise to credential-based 'logging in' rather than 'breaking in'