When the Attacker Has Valid Credentials, Prevention Is Already Over
Executive Summary
For most of the history of security, the defensive model was about keeping attackers out. Build a strong boundary, authenticate rigorously at the door, and the assumption was that anyone on the inside had earned the right to be there. Enormous investment went into prevention — into making sure the wrong people could not get in.
The modern attacker has rendered much of that model beside the point, not by defeating it but by sidestepping it. Increasingly, intrusions do not involve breaking in. They involve logging in — with credentials that are entirely legitimate, obtained through phishing, theft, purchase, or the compromise of a trusted identity. An attacker operating through valid credentials does not trip the controls designed to keep intruders out, because from the system's perspective there is no intruder. There is an authenticated user doing things an authenticated user is allowed to do.
When that is the attack, prevention has already happened and failed silently. The credentials worked. The authentication succeeded. The boundary was not breached because the attacker walked through the front door with a valid key. At that point, the only thing standing between the organization and a serious incident is whether it can detect that legitimate access is being used illegitimately — which is precisely what identity threat detection and response exists to do.
Why This Matters Now
Two shifts have made identity the dominant axis of compromise. The dissolution of the network perimeter means there is no longer a meaningful "inside" that confers trust; access is governed by identity, and identity has become the thing worth stealing. And the maturing of preventive identity controls — stronger authentication, better access management — has, paradoxically, pushed attackers toward the path of least resistance: rather than defeating the controls, they obtain legitimate credentials and use them.
The economics favor the attacker here. Credentials are abundant, traded, and continuously harvested. Once an attacker holds valid credentials, they inherit the legitimacy of the identity — its access, its normal patterns, its trusted status. The activity blends into ordinary operations, which is exactly why it is so dangerous: an organization watching for intrusions will not see one, because there isn't one in the traditional sense. There is a trusted identity behaving in ways that, examined closely, do not fit — and only an organization examining identity behavior closely will notice.
CISO2CISO Insight
We spent decades building a stronger front door. The modern attacker stopped trying to break it down and started showing up with a working key. The question is no longer "did someone get in?" It is "is someone we let in doing something they shouldn't?"
Why Prevention Cannot Be the Whole Strategy
This is not an argument against preventive identity controls — they remain essential and they raise the cost of obtaining credentials. It is an argument that prevention, however strong, leaves a gap that only detection can close.
Legitimate access cannot be prevented away. By definition, an attacker using valid credentials has passed the preventive controls. No amount of strengthening authentication helps once the attacker holds a credential that authenticates successfully. The defensive question shifts from "can we stop them from getting access?" to "can we tell when granted access is being misused?"
The activity looks normal until it doesn't. An attacker operating through a valid identity often behaves normally at first — and the malicious behavior, when it comes, may be subtle: accessing systems the identity does not usually touch, operating at unusual times, escalating privileges, or moving in ways that deviate from the identity's established pattern. Detecting this requires a baseline of normal identity behavior and the ability to spot deviation from it.
Standing access widens the consequence. When identities — human and especially machine — hold broad, standing privileges, a compromised credential inherits all of it. The combination of credential theft and over-provisioned access is what turns a single compromised identity into a wide-ranging incident.
What Identity Threat Detection and Response Adds
The discipline that has emerged to address this — identity threat detection and response — extends the detection-and-response mindset, long applied to endpoints and networks, to identity itself.
It establishes what normal looks like. Detecting misuse of legitimate access depends on knowing the legitimate pattern: what each identity normally accesses, from where, when, and how. Deviation from that baseline is the signal that an authenticated identity may not be in the hands it should be.
It watches for the behaviors of identity-based attack. Anomalous access, unusual privilege escalation, lateral movement through identity, suspicious authentication patterns, and the misuse of the identity infrastructure itself — these are the behaviors that betray an attacker operating through valid credentials, and they are detectable to an organization watching for them.
It enables a response to compromised identity. Detection without response is incomplete. The ability to act on a suspected identity compromise — to disable, isolate, force re-authentication, or revoke access quickly — is what converts a detection into a contained incident rather than an alert that arrives too late.
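The baseline, deviation and response logic the preceding paragraphs describe, as an added example that is not code from the original article or from any ITDR product. Everything in it is constructed for illustration: the authentication events, the identities, the notion of "normal" (a per-identity set of /24 source prefixes, an observed hour range, and the resources and actions previously seen), the list of privilege-changing actions, and the response tiers are all assumptions chosen to show the mechanics, not a vendor's detection model.

```python
"""Behavioral baseline and deviation detection over constructed authentication events.

Added illustration for the article's argument; not the article's own code or any
product's detection logic. All events, identities and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history used to learn "normal": (timestamp, identity, source_ip, resource, action)
BASELINE_EVENTS = [
    ("2024-02-05T09:02:00", "alice", "10.0.1.23", "crm", "read"),
    ("2024-02-05T11:40:00", "alice", "10.0.1.23", "wiki", "read"),
    ("2024-02-06T14:10:00", "alice", "10.0.1.41", "crm", "update"),
    ("2024-02-07T16:55:00", "alice", "10.0.1.23", "crm", "read"),
    ("2024-02-05T03:00:00", "svc-backup", "10.0.5.9", "storage", "read"),
    ("2024-02-06T03:00:00", "svc-backup", "10.0.5.9", "storage", "read"),
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    ("2024-03-04T10:15:00", "alice", "10.0.1.23", "crm", "read"),
    ("2024-03-04T02:40:00", "alice", "203.0.113.7", "payroll-db", "read"),
    ("2024-03-04T02:45:00", "alice", "203.0.113.7", "iam", "grant_admin_role"),
    ("2024-03-04T03:00:00", "svc-backup", "10.0.5.9", "storage", "read"),
    ("2024-03-04T09:30:00", "bob", "10.0.1.50", "wiki", "read"),
]

# Assumed set of actions that change who holds privilege (hypothetical names).
PRIVILEGE_ACTIONS = {"grant_admin_role", "add_member_to_group", "reset_password", "create_credential"}


def subnet(ip):
    """Coarse 'where from': the /24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events):
    """Learn, per identity, the source networks, active hours, resources and actions seen in history."""
    profile = defaultdict(lambda: {"subnets": set(), "hours": set(), "resources": set(), "actions": set()})
    for ts, identity, src, resource, action in events:
        p = profile[identity]
        p["subnets"].add(subnet(src))
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["resources"].add(resource)
        p["actions"].add(action)
    return dict(profile)


def score_event(event, baseline):
    """Return the list of ways this authenticated event deviates from the identity's baseline."""
    ts, identity, src, resource, action = event
    reasons = []
    p = baseline.get(identity)
    if p is None:
        # Edge case: an identity with no history cannot be judged normal; flag it for review.
        reasons.append("no baseline for identity")
    else:
        hour = datetime.fromisoformat(ts).hour
        if subnet(src) not in p["subnets"]:
            reasons.append("unusual source network")
        if not (min(p["hours"]) <= hour <= max(p["hours"])):
            reasons.append("unusual hour")
        if resource not in p["resources"]:
            reasons.append("unusual resource")
        if action not in p["actions"]:
            reasons.append("unusual action")
    if action in PRIVILEGE_ACTIONS:
        reasons.append("privilege escalation action")
    return reasons


def recommended_response(reasons):
    """Map accumulated deviations to a response tier (assumed policy, not a standard)."""
    if "privilege escalation action" in reasons and len(reasons) >= 2:
        return "disable_and_isolate"   # valid credential, wrong hands: contain first
    if len(reasons) >= 2:
        return "force_reauth"          # challenge the session before it goes further
    if reasons:
        return "review"                # a single deviation is a signal, not yet a verdict
    return "none"


def analyze(events, baseline):
    """Evaluate each event and attach the response tier; returns (identity, reasons, response) tuples."""
    return [(e[1], reasons, recommended_response(reasons))
            for e in events for reasons in [score_event(e, baseline)]]


if __name__ == "__main__":
    for identity, reasons, response in analyze(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{identity:<11} {response:<20} {', '.join(reasons) or 'within baseline'}")
```

Run as written, the first alice event and the svc-backup run land inside their baselines and produce nothing, the 02:40 read of an unfamiliar resource from an unfamiliar network earns a forced re-authentication, and the follow-on role grant accumulates enough deviations to disable and isolate. The important design point is that no single check is decisive: the detection rests on the combination of deviations against an identity-specific baseline, and a baseline built from only a few days of history, as this one is, will be brittle in production and needs a longer learning window before its "unusual" verdicts are trustworthy.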
It complements prevention rather than replacing it. Strong preventive controls raise the cost of obtaining credentials; detection catches the cases where prevention is bypassed anyway. The two together form the actual defense; either alone leaves a gap.
Executive Framework
| Dimension | Prevention-only model | Prevention plus ITDR |
|---|---|---|
| Core assumption | Keep attackers out | Assume some will get valid access |
| Defends against | Unauthorized entry | Misuse of authorized access |
| Blind spot | The valid login | Closed by behavioral detection |
| Key capability | Authentication, access control | Baseline of normal, anomaly detection |
| When it acts | At the door | Throughout the session and lifecycle |
| Response | Block entry | Disable, isolate, revoke on detection |
What CISOs Should Do Next
- Accept that some attackers will hold valid credentials, and build a strategy that assumes legitimate access will be misused rather than only trying to prevent unauthorized access.
- Establish behavioral baselines for identities, since detecting misuse depends on knowing what normal access looks like for each identity.
- Deploy detection for identity-based attack behaviors — anomalous access, privilege escalation, suspicious authentication, lateral movement through identity.
- Build a real response capability for compromised identities, with the ability to disable, isolate and revoke access quickly enough to contain rather than merely record.
- Reduce standing access for human and machine identities, narrowing the consequence of any single compromised credential.
- Treat identity as a monitored surface, applying the same detection-and-response discipline to identity that the organization applies to endpoints and networks.
Board-Level Questions
- If an attacker obtained valid credentials for one of our identities today, would we detect the misuse — or would the activity look like normal authenticated use?
- Do we have a baseline of normal identity behavior that lets us recognize when granted access is being abused?
- Can we respond quickly to a suspected identity compromise — disable, isolate, revoke — or only investigate after the fact?
- How much access would a single compromised identity inherit, and are we narrowing that standing access?
Final Executive Takeaway
The uncomfortable truth at the center of modern identity security is that prevention, no matter how good, has a hard ceiling. An attacker who holds a valid credential has, in the only sense that matters to the system, become a legitimate user — and there is no preventive control that stops a legitimate user from doing legitimate-looking things. The organization that has invested entirely in keeping attackers out has built a defense that goes quiet at precisely the moment the attack actually begins.
Closing that gap means extending detection and response to identity itself — knowing what normal looks like, watching for the deviations that betray misuse, and being able to act fast enough to contain. It does not replace prevention; it completes it. Together they assume what the modern threat has made undeniable: that some attackers will get in through the front door with a working key, and the defense has to be ready for what they do once they are inside.
The attacker no longer needs to break in. So the question that decides the outcome is not whether your door is strong — it is whether you can tell when someone you let in is not who their credentials say they are.
*To be continued...*