
The cybersecurity industry has spent the last few years tracking advanced threats such as zero-days, supply chain breaches, and AI-powered exploits. Yet the most reliable entry point for attackers remains the same: credential theft.
Identity-based attacks remain the primary initial access vector for breaches today. Attackers obtain valid credentials through credential stuffing with passwords from previously compromised databases, password spraying against exposed services, or phishing campaigns, and then use those credentials to walk through the front door. No exploit is required; all that is needed is a valid username and password.
What makes this difficult to defend against is that the initial access looks mundane. A successful login with legitimate credentials does not trigger the same alarms as a port scan or a malware callback; the attacker appears to be an employee. Once inside, they dump and crack additional passwords and reuse those credentials to move laterally and expand their footprint throughout the environment. For ransomware crews, this chain leads to encryption and extortion within hours. For nation-state actors, the same entry points support long-term persistence and intelligence gathering.
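As an added illustration (not part of the original article) of why the spray-then-login sequence slips past per-account rules, here is a small Python detector run over constructed authentication log lines: it looks for one source failing against many distinct accounts in a short window, then flags any later successful login from that same source. The log format, the thresholds and the IP addresses are assumptions made for the example.

```python
"""Spot a password spray and the 'mundane' valid login that follows it.

Added example. Log format is constructed: "<ISO timestamp> <src_ip> <user> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against six accounts and
# gets in as 'frank'; 198.51.100.2 is a normal user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:02 203.0.113.7 bob FAIL
2024-05-01T09:00:03 203.0.113.7 carol FAIL
2024-05-01T09:00:04 203.0.113.7 dave FAIL
2024-05-01T09:00:05 203.0.113.7 erin FAIL
2024-05-01T09:00:06 203.0.113.7 frank SUCCESS
2024-05-01T09:05:00 198.51.100.2 alice FAIL
2024-05-01T09:05:10 198.51.100.2 alice SUCCESS
"""

def parse(log):
    """Turn log text into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {src_ip: spray_start} for sources whose failures touch at least
    min_users distinct accounts inside `window`. A spray is wide and shallow:
    one or two tries per account, so per-account lockout thresholds never fire."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    sprays = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                sprays[src] = start  # earliest window that crosses the threshold
                break
    return sprays

def successes_after_spray(events, sprays, window=timedelta(minutes=10)):
    """Successful logins from a spraying source within `window` of the spray start:
    the valid-credential login that looks like an employee signing in."""
    return sorted((src, user, ts.isoformat()) for ts, src, user, result in events
                  if result == "SUCCESS" and src in sprays
                  and timedelta(0) <= ts - sprays[src] <= window)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(successes_after_spray(ev, detect_spray(ev)))
```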
AI accelerates what’s already working
The basic attack pattern hasn’t changed much, but the speed and sophistication of execution have. Attackers are leveraging AI to scale their operations by automating credential testing across large target sets, building custom tools faster, and crafting phishing emails that are much harder to distinguish from legitimate communications.
This acceleration puts additional pressure on already strained defenders. Breaches unfold faster, spread more widely, and touch more environments, from identity systems to cloud infrastructure to endpoints. IR teams built for a slower tempo of engagement are finding that their existing processes can’t keep up.
A dynamic approach to incident response
How you think about incident response matters here, as do the technical controls your team puts in place. SEC504 teaches the Dynamic Approach to Incident Response (DAIR), a model designed to handle incidents of all shapes and sizes more effectively than traditional linear approaches.
The classical model treats incident response as a sequential process: prepare, identify, contain, eradicate, recover, and report. The problem isn’t the theory; it’s that real incidents don’t unfold linearly. During containment, new data surfaces and changes the assumed scope. Evidence collected during eradication reveals attacker tactics that were unknown at the time of initial detection. The scope almost always grows and rarely shrinks.
DAIR accounts for this reality. After detecting and validating an incident, the response team enters a loop: determine the scope of the breach, contain the affected systems, eradicate the threat, and restore operations. The loop repeats each time new information appears. Consider a credential-based compromise where the initial scope identifies a single affected workstation. Forensic analysis during containment reveals registry-based persistence mechanisms. That discovery sends the team back to scoping, now searching for the same indicators on other systems across the enterprise. If an attacker IP address revealed during that sweep is confirmed, it triggers a fresh pass through containment and eradication. Each cycle produces better intelligence that feeds the next round of response actions.
The response continues to cycle until the team and the organization’s decision-makers determine that the incident has been fully addressed. This is what distinguishes DAIR from traditional models: it treats the messy, iterative nature of real-world investigation as a feature of the process rather than a deviation from it.
Communication first
When multiple teams, including SOC analysts, cloud engineers, IR leaders, and system administrators, converge on a single incident, coordination is hard to maintain. Most organizations are not fully aligned across these groups before an incident occurs. What you can control is how well you communicate once the response has begun.
The most important element of effective incident response is communication. It determines whether scoping data reaches the right people, whether containment measures are coordinated or inconsistent, and whether decision-makers have accurate information to set priorities. Beyond communication, consistent practice and rehearsal are essential, and the technical ability of the team still matters a great deal. As AI becomes part of the defensive toolkit, skilled practitioners will be needed to configure and direct these capabilities effectively.
Build important skills
The organizations best able to combat identity-based attacks are those that invested in their people before the incident began. They trained the team on how attackers operate in practice, not just in theory, through hands-on exercises against the same tools and techniques used in real-world breaches. Executing the DAIR loop effectively requires practitioners who understand both sides of the engagement: how attackers gain access, move laterally, and persist, and how to examine the evidence they leave behind at each step.
This June, I will be teaching SEC504: Hacker Tools, Techniques, and Incident Handling at SANS Chicago 2026. This course covers the entire attack lifecycle, from initial credential compromise to lateral movement and persistence, along with the incident response skills needed to detect, contain, and eradicate threats using the DAIR model. Practitioners looking to hone both their understanding of offense and their ability to respond defensively should start here.
Note: This article was professionally written and contributed by Jon Gorenflo, SANS Instructor for SEC504: Hacker Tools, Techniques, and Incident Handling.
