From Access to Attack Paths: How Attackers Exploit Identity
By Jared Atkinson, Chief Technology Officer at SpecterOps
Aug 13, 2025

The post-perimeter reality.

Over the past decade, the security community has experienced a profound shift. Where once the primary objective was keeping attackers out via hardening the perimeter, patching servers, and locking down firewalls, the new reality forced the community to adopt a different mindset: assume breach. We began operating under the premise that attackers would find a way in. Whether through phishing, malware, or misconfiguration, compromise was inevitable. The question became “How do we reduce the impact of the inevitable breach?” instead of “How do we keep them out?”

This shift in posture gave rise to a wave of new technologies and processes. Investment in threat hunting programs grew to proactively search for signs of post-exploitation. Endpoint Detection and Response (EDR) tools were deployed to give us visibility into attacker behavior after initial access. These investments were critical. They allowed us to detect and respond to active threats more effectively than ever before. We understood that attackers weren’t stopping at the point of entry—they were moving through the network to accumulate access.

What detection taught us: Chaining control.

In post-exploitation scenarios, attackers rarely settle for the privileges they gain through initial compromise. Whether they enter through a vulnerable workstation, a phished user account, or a forgotten service, their next move is almost always the same. They pivot.

What SpecterOps observed in red team operations, and what defenders began to see in real-world breaches, was the emergence of identity chaining. Attackers compromise one identity, then leverage control over that identity to move to another, and another. The goal is accumulation. Accumulate access. Accumulate privilege. Accumulate control.

This behavior mirrors what we've come to call the identity snowball: A single compromised identity grows in influence as it absorbs more control through lateral movement and escalation.

Crucially, this process isn’t about accessing files or exploiting vulnerabilities. It’s about understanding and exploiting the relationships between identities, such as sessions, delegation rights, group memberships, and trust boundaries, and about how an attacker translates access to one identity into control of another.

The problem beneath the behavior: Identity risk

For a long time, we lacked the language to describe this pattern. We might have called it “lateral movement,” “privilege escalation,” or “post-exploitation behavior.” But those are symptoms, not a diagnosis.

The underlying issue is identity risk.

But identity risk isn’t a static property of an individual account. It’s not simply a user having domain admin rights or being in too many groups. Instead, identity risk is best understood as a function of connectivity and reachability: The extent to which an identity, once compromised, can be used to reach and control others.

Traditional tools focused on access. They told us who could log into what or who had which permissions. But they couldn’t tell us how attackers move through identities. They couldn’t tell us who could become whom.

And that’s the key insight: The risk isn’t the identity. The risk is the path.

Understanding identity risk through structure.

Once we saw that identity chaining was the mechanism, we needed a way to describe and model it. That’s where the concept of attack paths comes into play.

In the same way that a network path connects machines, an attack path connects identities. It tells the story of how an attacker can move from one identity to another using control relationships.

This is where exposure and impact become useful metrics:

  • Exposure tells us how easy it is for an attacker to reach a given identity. It reflects the number, type, and length of attack paths leading to that identity.
  • Impact tells us what an attacker could do once they get there: how much control they would gain over the environment (other identities and resources) from that one compromise.

With these two metrics, we can understand identity risk. We can see it, measure it, and most importantly we can reduce it.

We can reduce the surprise of a breach by reducing uncertainty and constraining the range of possible outcomes. In cybersecurity terms: We reduce surprise by reducing attacker options. We break the paths. We prune the attack graph. We make escalation harder.
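A small worked model of the exposure and impact metrics described above, as an added example (not code from the post or from BloodHound): a constructed control graph with BloodHound-style edge kinds, breadth-first reachability, and a pruned edge to show how breaking one relationship shrinks both numbers. All identities, hosts and edges are made up for illustration.

```python
from collections import defaultdict, deque

# Constructed toy control graph (example data, not from any real environment):
# an edge (a, b, kind) means "whoever controls a can take control of b".
EDGES = [
    ("alice", "WKSTN-01", "AdminTo"),
    ("bob", "WKSTN-02", "AdminTo"),
    ("WKSTN-01", "svc_backup", "HasSession"),  # service account logged on here
    ("WKSTN-02", "svc_backup", "HasSession"),
    ("svc_backup", "Backup Ops", "MemberOf"),
    ("Backup Ops", "DC-01", "AdminTo"),
    ("DC-01", "Domain Admins", "HasSession"),  # a domain admin is logged on to DC-01
]
USERS = ["alice", "bob", "carol"]  # non-privileged starting points; carol has no edges

def build_graph(edges):
    """Adjacency list: node -> nodes it can take control of."""
    graph = defaultdict(list)
    for src, dst, _kind in edges:
        graph[src].append(dst)
    return graph

def reachable(graph, start):
    """BFS over control edges; returns {node: hops} for all nodes reachable from start."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    del hops[start]  # an identity's own compromise is the premise, not the impact
    return hops

def impact(graph, identity):
    """Impact: how many other identities/resources fall if this one is compromised."""
    return len(reachable(graph, identity))

def exposure(graph, target, sources):
    """Exposure: which sources have a path to target, mapped to shortest hop count."""
    paths = {}
    for src in sources:
        hops = reachable(graph, src)
        if target in hops:
            paths[src] = hops[target]
    return paths

def without_edge(edges, src, dst):
    """Model a remediation (e.g. removing a group membership) by dropping one edge."""
    return [e for e in edges if (e[0], e[1]) != (src, dst)]
```

Dividing the size of `exposure(...)` by the number of non-privileged users gives the "share of users with a path to a high-value target" figure the post quotes; removing the `svc_backup` group membership with `without_edge` takes that share from two of three to zero without touching any user's direct access.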

From theory to reality: The numbers don’t lie.

To some, attack paths might sound hypothetical or theoretical, something that lives in models, not in production environments. But the data tells a different story. In every single BloodHound Enterprise deployment to date, in 100% of environments, we have found at least one non-privileged identity with an active attack path to critical resources.

Not occasionally. Not in poorly secured networks. Always.

More than that, on average, 70% of non-privileged users have at least one attack path to a high-value target, whether that’s a domain admin account, a cloud platform admin, or a business-critical system.

On average, an attacker has a seven out of 10 chance of going from initial access by phishing a random user to full compromise of the enterprise.

This is not a fringe problem. It’s the norm.

It shows us that identity compromise is not just possible, it’s predictable. And that means it’s manageable, if we take the right approach.

Rethinking identity strategy.

Most identity programs today are built around governance, with a focus on provisioning, deprovisioning, access reviews, and least privilege. Those are necessary steps, but they’re no longer sufficient.

To truly address identity risk, we must move beyond static access and start thinking in dynamic control. We need to stop measuring who has access and start measuring who can be reached.

That means modeling attack paths, calculating exposure and impact, and reducing them through architectural changes, not just policy.

To learn more about the problem the security community faces and how to implement a practice of Attack Path Management to combat identity risk, read the SpecterOps 2025 State of Attack Path Management report.

As Chief Technology Officer at SpecterOps, Jared Atkinson leads the research and development team in uncovering adversary tradecraft, expanding the BloodHound attack graph, and developing new use cases. He began his career in the U.S. Air Force, where he helped establish the Hunt Team.

SpecterOps is a leader in Identity Attack Path Management. As experts in adversary tradecraft and the creators of BloodHound, SpecterOps delivers leading-edge assessments, research, and technology to help organizations minimize identity risk.

This is a sponsored story produced in collaboration with SpecterOps. The views and opinions expressed in this article are solely those of the authors of the article, and are not necessarily shared with the editorial and publication staff of the CyberWire Briefings or its parent company, N2K Networks, Inc. N2K Networks will not publish content it knows to be false, illegal, or defamatory, or that is inconsistent with our brand and commitments.