Cyber Threat Intelligence: Identifying Risk Exposures Before Attackers Do

Author: Sandro Bachmann
Published: 26 May 2026


Cyber defences have been expanded and budgets invested, yet many organisations remain blind at critical points. Typical entry vectors are compromised identities, exposed services, misconfigurations and assets that nobody had on their radar. What is missing is clarity: what is accessible, what is critical and what needs to be fixed first? Organisations that make their attack surface visible in 2026 can assess their cyber risks correctly and derive measures that effectively strengthen cyber resilience.

Hypothetically speaking: as a cybercriminal, where would you launch your attack? Where the effort is low and the impact is high. Most attacks are not the result of highly specialised individual operations but of opportunity. Cybercriminals look for scalable entry points, automate the search and keep exploiting every access that works. A single compromised company access thus becomes an exploitable entry point.

Attack surfaces in 2025 in figures: from phishing to the supply chain

Phishing unbeaten: 43% of all attacks start here

Cybercriminals use compromised email accounts to phish further users. With LLMs, phishing campaigns can be scaled with little effort. Most phishing attacks are opportunistic rather than targeted: the decisive factor is the volume of emails sent.

25% poorly protected remote services

Attackers systematically test exposed login prompts with brute force or password spraying, using known username/password combinations, leaked passwords, typical variants and recognisable patterns in employees' password choices. Accordingly, brute force and password spraying were among the most common attack vectors confirmed as true positives in the InfoGuard Security Operations Center (SOC) in 2025.

20% exposed vulnerabilities: Patch windows continue to shrink!

According to Zerodayclock, vulnerabilities are exploited after just 2.1 days on average in 2026, compared with 21.5 days in the previous year. This acceleration puts classic patch processes under massive pressure. A key driver is AI tooling, which facilitates both the discovery of vulnerabilities and the development of exploits.

12% supply chain: when trust becomes a target

Partners and suppliers provide software, services and hardware, maintain systems via remote access or support business-critical processes. Precisely because of this, a company's own security increasingly depends on the security of third parties. Supply chain risks arise where trust, technical dependencies and external access come together.

Criminal market: when company access becomes tradable

The most common entry points make one thing clear: initial access to a corporate environment is no longer just a technical problem but part of a criminal market. Initial access brokers procure, verify and resell such access. What used to be the prelude to a single cyberattack is now a stage in the cybercriminal value chain.

Scalability counts. Cybercriminals collect as many access points as possible, evaluate their damage potential and resell the particularly worthwhile ones. A compromised VPN account, valid remote access, a hijacked cloud account or access to an internal system can be enough, for example for ransomware, data theft, extortion or espionage.

For companies, this means that the actual attack often begins long before ransomware is executed or data is stolen, namely when an access is compromised unnoticed and passed along criminal supply chains.

"It is not just logins that are traded, but access opportunities and thus the possibility of making a company usable for blackmail, fraud or espionage."

Stolen credentials: why the role determines the damage

Which credentials are leaked and how they are misused depends on the compromise method and on the role affected.

The following examples show how the damage potential varies depending on the role:

Employees
  • Email accounts: business email compromise, internal phishing, access to confidential communication, password resets

  • M365/Google Workspace accounts: SharePoint, OneDrive, Teams/chat, calendar, internal documents

  • Session cookies and browser tokens: access without a password and without a new MFA prompt

  • VPN accounts: access to the internal network

  • Password manager contents: access to further internal and external services

Sales/distribution
  • CRM access: customer data, pipeline, contracts, contact lists

  • Email accounts: invoice fraud

  • E-signature solutions: manipulation or misuse of contract processes

  • Customer portal access: customer data, service cases, orders

Helpdesk/IT support
  • Helpdesk accounts: password resets, account recovery, user information

  • Ticketing system: internal problems, system names, ongoing projects

  • Remote support access: direct access to end devices and servers

  • MDM and endpoint management access: device management, software distribution, policy changes

  • MFA reset or MFA registration rights: takeover of other users' accounts

Engineering / IT operations
  • VPN and jump host access: access to internal administration zones

  • SSH keys: access to Linux servers, network devices, appliances

  • Domain admin: complete compromise of the Windows environment

  • Cloud admin access: access to virtual machines, storage, IAM, databases, backups

  • Kubernetes admin access: access to clusters, secrets, workloads, containers

Software development / DevOps
  • GitHub/GitLab/Bitbucket access: source code theft, search for secrets, code manipulation

  • CI/CD secrets: manipulation of builds and deployments

  • Deployment tokens: release of manipulated software into production

  • Container registry access: injection of malicious images

  • Package registry access: supply chain attacks via manipulated packages

  • Signing certificates: signing of manipulated software

  • Secrets on local developer machines: access to build, test and production environments

  • Webhook secrets: manipulation of integrations and automations

Hardening and monitoring identities: 7 measures against compromised identities

Identities are among the most important targets today. Attackers often need neither malware nor a complex vulnerability: a valid password, a stolen session cookie or a manipulated MFA process is enough. Identity protection must therefore be treated as a security discipline in its own right, not merely as an IT administration task.

The following seven measures show how organizations can effectively secure identities, access and sessions:

  1. Secure user accounts with phishing-resistant MFA
    All user accounts need strong authentication. MFA is mandatory, but not every MFA is phishing-resistant: SMS codes and simple push confirmations can be bypassed, for example by a real-time phishing proxy that relays the code or by push fatigue. FIDO2 security keys, passkeys or certificate-based methods are more effective, especially for privileged accounts, helpdesk roles and access to cloud, VPN and remote access systems.
  2. Evaluate logins with Conditional Access
    Conditional Access evaluates not only user name, password and MFA but also the context of the login: device, location, browser, access pattern and sensitivity of the data. This allows risky logins to be blocked, additional checks to be enforced or access to be restricted to trusted devices.
  3. Strictly control privileged identities
    Admin accounts must be separate from day-to-day user accounts and need strong MFA, just-in-time access, role-based authorisations and complete logging. Permanently active global admin, domain admin or cloud admin rights increase the risk unnecessarily. Privileges should be granted only when required and then revoked automatically.
  4. Do not underestimate passwords
    Passwords remain relevant, especially where phishing-resistant authentication is not yet in place. Strong passwords or passphrases, no reuse, no leaked or default passwords and no shared accounts are crucial. Password managers help with secure administration; in the long term, passwordless methods should be the target.
  5. Session protection: MFA does not end at login
    Attackers increasingly steal browser cookies and tokens to circumvent MFA. Companies should therefore detect risky sessions, limit token lifetimes, require re-authentication for sensitive actions and restrict access from unmanaged devices. Protection does not end after login.
  6. Secure helpdesk processes
    Cybercriminals often circumvent technical protection measures via support, for example by manipulating MFA resets, new device registrations or password changes. Helpdesk processes therefore need clear identity checks, dual-control principles and alerts for sensitive changes. A weakly secured helpdesk can undermine even strong MFA.
  7. Define identity use cases for monitoring and detection
    Logs alone are not enough. Concrete identity use cases are crucial for monitoring and detection: impossible travel, unusual countries of origin, frequent login failures, unusual MFA registrations, new devices, suspicious OAuth consents, password reset anomalies, privileged role changes or mass file access. Identities must be protected and continuously monitored.

"Not every login is trustworthy just because the password is correct."

A strong identity security strategy only works in combination: robust authentication, context-based access, minimal rights, secure admin processes, session protection, ongoing monitoring and a rapid response to suspicious logins.

The whitepaper "InfoGuard Threat Intelligence Insights 2025" shows just how much identities became the focus of real cyber incidents in 2025. It classifies current attack patterns and shows which measures organisations should prioritise in order to detect account takeovers earlier and prevent them more effectively. Currently available in German only; an English version will follow in a few weeks.


Monitor endpoints and servers: Detect attacks before they escalate

Even strong identity security does not close every gap. Attackers can gain access to an environment via vulnerabilities, stolen sessions, compromised suppliers or existing access points. From this moment onwards, visibility determines whether an attack is detected early or whether attackers can continue undisturbed.

EDR coverage: sensors on the critical systems

Systems with access to company data or internal infrastructures need the most complete EDR coverage possible: workstations, notebooks, servers, virtual machines, terminal servers, admin systems and critical application servers. Systems on which privileged users work or which are used to access business-critical data are particularly important.

EDR is not just another tool, but the sensor technology on the system itself. It detects suspicious process chains, unusual script execution, credential dumping, lateral movement, ransomware behavior or tampering with security tools. Without this visibility, a company often only recognizes the consequences - but not the actual course of the attack.

If EDR is not possible: create visibility differently

Not every system can be equipped with an EDR agent. Legacy systems, production facilities, appliances, network devices, mainframes, OT systems or highly critical platforms with stability requirements need compensating controls. Where EDR is not possible, administrative access must at least be controlled, logged and monitored - for example via hardened jump hosts or admin workstations with EDR coverage.

Network visibility through Network Detection and Response (NDR) and central log collection in the SIEM are also required. NDR helps to detect lateral movement, unusual connections, command-and-control communication, scans or data exfiltration, especially where no endpoint agent can be installed.

Critical servers: No blind spots in the escalation zone

Monitoring high-priority servers is particularly critical: domain controllers, identity systems, backup servers, virtualisation platforms, file servers, databases, application servers, CI/CD systems, management servers, EDR/SIEM components and cloud connectors. Anyone who monitors only user end devices but neglects servers, Linux systems, virtual environments or admin infrastructure may recognise the entry point but miss the escalation.

The crucial point: every exception needs transparency. Companies need to know which systems exist, which of them have EDR, which exceptions exist and which compensating controls are in place. "Almost everywhere" is not enough if critical systems remain blind.
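
One way to make the exceptions transparent is to reconcile the asset inventory against the EDR console export and the documented exception register, so that every system is either covered, degraded, covered by a compensating control, or a known blind spot. The following Python script is an added example, not code from the original article or from InfoGuard: the CSV columns, the tier names, the seven-day staleness threshold and the three sample exports are assumptions constructed for illustration.

```python
"""EDR coverage reconciliation over constructed inventory exports.

Added example, not code from the original article or from InfoGuard. The CSV
columns, tier names, thresholds and the exception register are assumptions.
"""
import csv
import io

# Constructed exports (not real data). In practice these come from the asset
# inventory/CMDB, the EDR console and the documented exception register.
CMDB_CSV = """hostname,role,tier,owner
DC01.corp.example,domain controller,critical,identity-team
DC02.corp.example,domain controller,critical,identity-team
BKP01.corp.example,backup server,critical,platform-team
ESXI01.corp.example,virtualization host,critical,platform-team
PLC-GW01.corp.example,OT gateway,critical,ops-team
FS01.corp.example,file server,high,platform-team
LEGACY-APP01.corp.example,application server,high,
WS-0412.corp.example,workstation,standard,
"""

EDR_CSV = """hostname,agent_status,last_seen_days
dc01,healthy,0
dc02,healthy,0
bkp01,outdated,21
fs01,healthy,1
ws-0412,healthy,0
ci-runner-07,healthy,0
"""

EXCEPTIONS_CSV = """hostname,compensating_control
esxi01,"admin access only from PAWs with EDR via logged jump host; NDR on mgmt VLAN"
plc-gw01,"NDR sensor on OT segment; firewall allowlist; admin access via jump host"
"""

TIER_RANK = {"critical": 0, "high": 1, "standard": 2}


def norm(host):
    """Normalise hostnames so exports from different tools can be joined."""
    return host.strip().lower().split(".")[0]


def load(csv_text):
    return {norm(r["hostname"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def classify(agent, exception, stale_days):
    """Coverage state of one asset: covered, degraded, exception or blind_spot."""
    if agent and agent["agent_status"] == "healthy" and int(agent["last_seen_days"]) <= stale_days:
        return "covered"
    if agent:
        return "degraded"          # agent exists but is unhealthy or not reporting
    return "exception" if exception else "blind_spot"


def reconcile(cmdb_csv=CMDB_CSV, edr_csv=EDR_CSV, exceptions_csv=EXCEPTIONS_CSV, stale_days=7):
    cmdb, edr, exceptions = load(cmdb_csv), load(edr_csv), load(exceptions_csv)
    report = {"covered": [], "degraded": [], "exception": [], "blind_spot": [],
              "unowned": [], "needs_action": [], "coverage_by_tier": {},
              # agents the inventory does not know about: shadow or unmanaged assets
              "unknown_to_cmdb": sorted(set(edr) - set(cmdb))}
    healthy, total = {}, {}
    # Walk critical assets first so every list in the report reads as a worklist
    for host, asset in sorted(cmdb.items(), key=lambda kv: (TIER_RANK[kv[1]["tier"]], kv[0])):
        state = classify(edr.get(host), exceptions.get(host), stale_days)
        tier = asset["tier"]
        report[state].append(host)
        if state in ("blind_spot", "degraded"):
            report["needs_action"].append((host, tier, state))
        if not asset["owner"].strip():
            report["unowned"].append(host)
        total[tier] = total.get(tier, 0) + 1
        healthy[tier] = healthy.get(tier, 0) + (state == "covered")
    for tier in total:
        report["coverage_by_tier"][tier] = round(healthy[tier] / total[tier], 2)
    return report


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

Two details matter in practice: hostnames must be normalised before joining, because the CMDB usually stores FQDNs while the EDR console reports short names, and an agent that is installed but has not checked in for weeks is treated as a gap rather than as coverage. The reverse direction (agents the inventory does not know about) is just as useful, since it surfaces systems that exist but have no owner or patch process.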

Managed risk exposure: which risks need to be reduced first

In addition to identity protection and endpoint and server monitoring, a third key capability is needed: the ability to continuously check your own attack surface. This is because many attacks do not start with highly complex exploits, but with what is visible to the outside world, incorrectly configured, forgotten or not properly accounted for.

This includes unmanaged assets, exposed systems, shadow IT, misconfigurations, unpatched vulnerabilities and technical attack paths that attackers find faster than the organization itself. This is precisely where a dangerous blind spot arises: organizations often protect what they know - they are compromised by what no one had on their radar.

From vulnerability lists to real cyber risks

Managed Risk Exposure adds the crucial context to traditional vulnerability management: it's not just about scanning CVEs and creating tickets. The actual attack surface is crucial: Which systems are accessible from the outside? Which identities have critical rights? Which cloud resources are incorrectly configured? Which supplier or remote accesses exist? Which vulnerabilities can realistically be combined into an attack path?

The most important point: not everything can be fixed at the same time. This is why risk-based prioritization is needed. A critical vulnerability on an isolated test system is not automatically more important than a medium vulnerability on an exposed system with access to productive data. The decisive factors are accessibility, criticality, existing controls, potential impact and probability of exploitation.

Identified risks should therefore be prioritized on an ongoing basis. This list is not a static reporting artifact, but an operational management tool. It shows which risks need to be reduced first with the available resources and which measures will bring the greatest security gains.

The typical areas are:

  • Unmanaged assets: Systems without an owner, EDR, patch process or inventory

  • Exposed assets: Internet-accessible servers, VPN portals, remote access, admin interfaces, cloud services

  • Shadow IT: Unapproved SaaS services, private cloud resources, forgotten subdomains, unofficial tools

  • Misconfigurations: Open storage buckets, overly broad firewall rules, weak IAM roles, insecure default configurations

  • Vulnerabilities: Unpatched systems, outdated software, known exploit paths, lack of hardening

  • Attack paths: Combinations of exposure, identities, authorizations, network access and vulnerabilities

Translate findings: What is technically noticeable must be commercially relevant

This approach is particularly valuable when technical findings are not viewed in isolation. An open port is not yet a risk in business terms; an exposed admin interface without MFA on a business-critical system is. Precisely this translation is crucial: technical findings become prioritised risks that management and technology can understand and address together.
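
The prioritisation logic described above (accessibility, criticality, existing controls, impact and probability of exploitation), the comparison between a critical vulnerability on an isolated test system and a medium one on an exposed production system, and the translation into a statement management can act on can all be made explicit in code. The following Python script is an added example, not code from the original article or from InfoGuard: the scoring factors, the weights and the four constructed findings are assumptions chosen for illustration, not a published methodology.

```python
"""Risk-based prioritisation of exposure findings over constructed data.

Added example, not code from the original article or from InfoGuard. The
finding fields, weights and wording are assumptions a real programme would tune.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float                     # 0.0 for findings that are not a CVE (misconfigurations)
    exposure: str                   # "internet", "internal" or "isolated"
    data: str                       # "production", "internal" or "none"
    business_critical: bool
    known_exploited: bool = False   # e.g. listed in an exploited-vulnerabilities catalogue
    controls: tuple = ()            # controls already in place: "mfa", "edr", "segmentation"


REACHABILITY = {"internet": 1.0, "internal": 0.5, "isolated": 0.15}
DATA_VALUE = {"production": 1.0, "internal": 0.6, "none": 0.2}
CONTROL_REDUCTION = {"mfa": 0.4, "edr": 0.7, "segmentation": 0.6}

# Constructed findings (not real scan output)
FINDINGS = [
    Finding("TEST-VM03", "Critical RCE in outdated web framework", 9.8,
            "isolated", "none", False, controls=("edr",)),
    Finding("WEB-PRD01", "Medium auth bypass in customer portal", 5.3,
            "internet", "production", True, known_exploited=True, controls=("edr",)),
    Finding("VPN-GW01", "Admin interface exposed without MFA", 0.0,
            "internet", "production", True),
    Finding("S3-LOGS", "Storage bucket publicly listable", 0.0,
            "internet", "internal", False),
]


def probability(f):
    """How likely exploitation is: reachability x ease, dampened by existing controls."""
    ease = 0.9 if f.cvss == 0 else f.cvss / 10      # misconfigurations need no exploit
    if f.known_exploited:
        ease = min(1.0, ease * 1.5)                  # weaponised bugs get attacked faster
    p = REACHABILITY[f.exposure] * ease
    for c in f.controls:
        p *= CONTROL_REDUCTION.get(c, 1.0)           # coarse credit for existing controls
    return p


def impact(f):
    """What an attacker gains: data value, scaled down for non-critical systems."""
    return DATA_VALUE[f.data] * (1.0 if f.business_critical else 0.6)


def score(f):
    return round(100 * probability(f) * impact(f), 1)


def to_business(f):
    """Translate the technical finding into a statement management can act on."""
    where = {"internet": "reachable from the internet",
             "internal": "reachable from the internal network",
             "isolated": "on an isolated system"}[f.exposure]
    crit = "business-critical system" if f.business_critical else "non-critical system"
    return f"{f.asset}: {f.title} on a {crit} {where} with {f.data} data (score {score(f)})"


def prioritize(findings):
    """Ranked worklist, highest risk first (not highest CVSS first)."""
    return sorted(((f, score(f)) for f in findings), key=lambda t: t[1], reverse=True)


def cvss_order(findings):
    """Classic severity ordering, for comparison with the risk-based worklist."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    for f, _ in prioritize(FINDINGS):
        print(to_business(f))
    print("CVSS-only order would be:", cvss_order(FINDINGS))
```

Run stand-alone, the worklist puts the exposed admin interface without MFA first even though it has no CVE at all, ranks the known-exploited medium vulnerability on the internet-facing production system second, and pushes the CVSS 9.8 finding on the isolated test system to the bottom; sorting the same findings by CVSS alone would put that test system first.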

Cyber resilience starts with a realistic picture of the situation

An annual look at the attack surface is not enough. New systems, cloud projects, suppliers, software releases, authorizations, acquisitions or shadow IT are constantly changing the security situation. Anyone who only checks their attack surface once a year is practically always too late. A recurring process is crucial: identify, assess and prioritize risks, implement measures and check their effectiveness.

The InfoGuard white paper "Threat Intelligence Insights 2025" deepens this perspective based on over 350 real cyber incidents that we processed in 2025. It shows which attack paths are particularly relevant and why identities, visibility and responsiveness will become even more important in 2026. The focus is on concrete findings from real attack patterns. This creates a picture of the situation that does not stop at analysis, but helps to expand monitoring in a targeted manner, test processes and make more informed decisions.

Use the white paper "InfoGuard Threat Intelligence Insights 2025" as a reality check: see which attack patterns are particularly relevant right now and which measures have priority for your organisation. Currently available in German only; an English version will follow in a few weeks.


An attack. A blind spot. An opportunity to change that.

Sandro Bachmann, Principal Threat Intelligence Analyst, knows from daily practice that an attack rarely happens the way you expect it to.

In the "Cyber Threat Intelligence Webinar" on 27 May 2026, he will show how modern threats really work and how organizations can identify risk exposures at an early stage.

  • When: Wednesday, May 27, 2026 | 10.00 - 10.45 a.m.
  • Where: virtual

Will you be there? Simply register and take part. We look forward to seeing you!


 
