The Identity Crisis of 2024

Last year, identity-based threats rose to the top of the enterprise risk landscape. Push Security’s latest findings highlight a stark truth: attackers are shifting strategies, and legacy defenses are no longer holding the line. What does that mean for the future?

Identity Has Become the New Perimeter

In 2019 we saw work from home increase drastically, forcing many IT teams to rethink how they could secure their companies. Fast forward to 2024: with remote work now the norm and SaaS usage exploding, the old idea of a secure network boundary has collapsed. Most day-to-day work happens in browsers, across dozens (if not hundreds) of cloud apps. Oversight is fragmented, and security teams are often in the dark.

Push’s research shows identity isn’t just another attack vector anymore; it’s the main one. The rise of decentralized identity systems, inconsistent controls, and overlapping providers has opened the door for attackers. Misconfigured services, forgotten user accounts, and password reuse are being exploited daily.

Snowflake: The Breach That Shook 2024

Of all the incidents last year, none hit harder than the breach affecting around 165 Snowflake customers. The attackers used credentials stolen by infostealer malware, some dating back to 2020, to log in without triggering MFA. These long-forgotten, still-valid passwords became skeleton keys for accessing customer data.

In many cases, the attackers didn’t need to hack anything: they simply logged in and ran SQL queries to extract sensitive information. The fallout was massive, sparking debates about shared responsibility, software supply chains, and the future of authentication.

Smarter Tools, Sneakier Tactics

The playbook has evolved. Phishing tools capable of defeating MFA are now commonplace, thanks to tactics like Adversary-in-the-Middle (AitM) attacks. Tools such as Evilginx can intercept tokens in real time, silently hijacking sessions.

Meanwhile, infostealer malware like RedLine and Raccoon spreads through fake ads, shady downloads, and poisoned GitHub repos. These programs quietly lift credentials, cookies, and even screenshots, feeding a booming underground market.

Session hijacking has also grown more efficient. Instead of stealing passwords, attackers steal session cookies, which can give them instant access without MFA. Many cookies remain valid for days or weeks, offering plenty of time for exploitation.

The Usual Suspects and Some New Faces

Several threat actors stood out in 2024:

  • APT29 (Cozy Bear): Allegedly tied to Russian intelligence, they used low-tech methods like password spraying and rogue OAuth apps to compromise enterprise accounts, often starting with test accounts lacking MFA.
  • Scattered Spider: English-speaking and highly coordinated, this crew leaned on SIM swapping and helpdesk social engineering to bypass MFA and move laterally through cloud environments.
  • ShinyHunters: Believed to be behind the Snowflake attacks, they automated credential stuffing using data from malware logs, frequently harvested from unmanaged devices. When law enforcement caught up, millions in extorted Bitcoin and a trove of stolen data came to light.
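As an added illustration (not from Push’s report or this post), the Python sketch below shows how a defender might surface two of the patterns described above in authentication logs: a password-spraying source, one IP failing against many distinct accounts in a short window, as in the APT29 activity, and successful logins that never satisfied MFA, the condition that let the Snowflake intrusions proceed on old passwords. The log format, field names, thresholds and addresses (RFC 5737 documentation ranges) are all constructed for this example; a real pipeline would map its IdP’s sign-in events onto the same fields.

```python
"""Two identity detections over a constructed authentication log.

Constructed sample; one event per line:
    ISO-8601 timestamp | username | source IP | SUCCESS/FAILURE | MFA satisfied (yes/no)
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2024-05-14T09:00:01Z|alice|203.0.113.7|FAILURE|no
2024-05-14T09:00:04Z|bob|203.0.113.7|FAILURE|no
2024-05-14T09:00:09Z|carol|203.0.113.7|FAILURE|no
2024-05-14T09:00:13Z|dave|203.0.113.7|FAILURE|no
2024-05-14T09:00:20Z|erin|203.0.113.7|FAILURE|no
2024-05-14T09:00:31Z|svc-test01|203.0.113.7|SUCCESS|no
2024-05-14T09:05:00Z|alice|198.51.100.23|SUCCESS|yes
2024-05-14T09:07:42Z|bob|198.51.100.23|FAILURE|no
2024-05-14T09:07:50Z|bob|198.51.100.23|SUCCESS|yes
2024-05-14T10:15:00Z|frank|192.0.2.45|SUCCESS|no
"""


def parse_events(text):
    """Turn the pipe-delimited sample into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, outcome, mfa = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            "success": outcome == "SUCCESS",
            "mfa": mfa == "yes",
        })
    return events


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted distinct accounts} for every IP whose failed
    logins touched at least `min_accounts` different accounts inside `window`.
    Spraying is "many accounts, few attempts each", so we count accounts, not attempts."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if not e["success"]:
            failures_by_ip[e["ip"]].append(e)
    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):  # slide a window forward from each failure
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] < window}
            if len(users) >= min_accounts:
                findings[ip] = sorted(users)
                break
    return findings


def detect_single_factor_success(events, spray_sources=()):
    """Flag successful logins where MFA was never satisfied. A success from an IP
    that was also spraying is rated higher: that is the 'test account without MFA'
    foothold described in the post."""
    findings = []
    for e in events:
        if e["success"] and not e["mfa"]:
            findings.append({
                "user": e["user"],
                "ip": e["ip"],
                "ts": e["ts"].isoformat(),
                "severity": "high" if e["ip"] in spray_sources else "medium",
            })
    return findings


def run(text=SAMPLE_LOG):
    """Run both detections and correlate them by source IP."""
    events = parse_events(text)
    sprays = detect_password_spray(events)
    single = detect_single_factor_success(events, spray_sources=set(sprays))
    return {"spray": sprays, "single_factor": single}


if __name__ == "__main__":
    for ip, accounts in run()["spray"].items():
        print(f"[SPRAY] {ip} failed against {len(accounts)} accounts: {', '.join(accounts)}")
    for f in run()["single_factor"]:
        print(f"[NO-MFA] {f['severity']:6} {f['user']} from {f['ip']} at {f['ts']}")
```

The two rules are deliberately independent so either can be tuned on its own; the correlation step (a single-factor success from a spraying IP) is what turns two low-signal events into one worth paging on.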

MFA and SSO: Helpful, But Not Bulletproof

MFA and SSO are widely adopted, but Push’s findings make clear that they’re far from foolproof:

  • Not everything supports SSO, and users often bypass it with direct logins.
  • MFA might be enabled at the IdP, but many apps don’t enforce it locally.
  • Local logins remain open, especially in apps that allow password-based access on top of SSO.
  • Shadow SaaS apps often never make it into the SSO system at all.

Even though just 1% of breached credentials are still valid, attackers operate at such a scale that they only need one hit to succeed. It’s a volume game.

What Comes Next, and What Needs to Change

Push’s report closes with a clear warning: as cloud adoption deepens and attackers refine their methods, identity will remain the primary battleground. It’s no longer just a means of access; it’s the attack surface itself.

To counter these threats, organizations need to invest in Identity Threat Detection & Response (ITDR). That means:

  • Enforcing tighter session controls and reducing cookie lifetime
  • Applying MFA consistently at the app level, not just at the identity provider
  • Gaining visibility into unmanaged devices and unsanctioned apps
  • Making credential hygiene, like regular password rotation, a non-negotiable
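The first item on that list ties back to the session-hijacking section: a stolen cookie is only as dangerous as it is long-lived. As an added example (not from the report or this post), here is a small Python audit that parses `Set-Cookie` headers the way a browser would, computes each session cookie’s lifetime, and flags those exceeding a policy maximum or missing the `Secure`, `HttpOnly` and `SameSite` attributes that make theft harder. The cookie names, the eight-hour policy value, the reference time and the sample headers are all constructed for this example.

```python
"""Audit Set-Cookie headers for session-cookie lifetime and hardening attributes.

Everything below is constructed sample data and an assumed policy, not taken
from any real application or from Push Security's report.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed: names this (hypothetical) app uses for its session cookies.
SESSION_COOKIE_NAMES = {"session_id", "auth_token", "sid"}
# Assumed policy: a session cookie may live at most one working day.
MAX_SESSION_LIFETIME = timedelta(hours=8)
# Fixed "now" so Expires-based lifetimes are reproducible (constructed).
REFERENCE_NOW = datetime(2025, 5, 13, 9, 0, tzinfo=timezone.utc)

# Constructed headers as an audit might capture them from HTTP responses.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Max-Age=2592000; Secure; HttpOnly",
    "session_id=def456; Path=/; Max-Age=28800; Secure; HttpOnly; SameSite=Lax",
    "auth_token=ghi789; Path=/; Expires=Wed, 14 May 2025 09:00:00 GMT",
    "theme=dark; Path=/; Max-Age=31536000",
    "sid=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flags -> True
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Lifetime as a timedelta, or None for a browser-session cookie (no expiry).
    Max-Age wins over Expires when both are present, as RFC 6265 specifies."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit_set_cookie(header, now=REFERENCE_NOW, max_lifetime=MAX_SESSION_LIFETIME,
                     session_names=SESSION_COOKIE_NAMES):
    """Return a finding dict for a session cookie, or None for cookies we don't care about."""
    name, _, attrs = parse_set_cookie(header)
    if name not in session_names:
        return None
    findings = []
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append("lifetime_exceeded")
    if "secure" not in attrs:
        findings.append("missing_secure")        # cookie may travel over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing_httponly")      # readable by injected script
    if "samesite" not in attrs or str(attrs["samesite"]).lower() == "none":
        findings.append("samesite_missing_or_none")
    return {
        "name": name,
        "lifetime_hours": None if lifetime is None else round(lifetime.total_seconds() / 3600, 2),
        "findings": findings,
    }


def audit_all(headers=SAMPLE_HEADERS, now=REFERENCE_NOW):
    """Audit a batch of headers, skipping non-session cookies."""
    return [r for r in (audit_set_cookie(h, now) for h in headers) if r is not None]


if __name__ == "__main__":
    for result in audit_all():
        status = "OK" if not result["findings"] else ", ".join(result["findings"])
        print(f"{result['name']:12} lifetime={result['lifetime_hours']}h  {status}")
```

A cookie with no `Max-Age` or `Expires` (the last sample) is not flagged here because its lifetime is governed by the server-side session store, which the header audit cannot see; that TTL needs its own check in the application or IdP configuration.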

In 2024, identity moved from being a point of concern to the very heart of the breach. As cyber threats grow more agile and sophisticated, security teams can no longer afford to treat identity as a routine item on a checklist. It must be recognized as a cornerstone of modern defense. Yesterday’s tools and approaches won’t hold up against the evolving tactics of today’s attackers. To stay ahead, security leaders need to reexamine their approach to identity, reinforce the weak spots, and shift from simply reacting to actively preventing before the next incident unfolds.
