Attackers Are Logging In, Not Hacking In

The emerging consensus is that attackers are increasingly just logging in rather than hacking in. Experts warn that the majority of breaches in 2026 will stem from credential abuse, leaving static, perimeter-based defenses ineffective. The core principle of "never trust, always verify" is now seen as non-negotiable because the goal is to make stolen credentials useless outside their intended scope: a valid password or token should not, on its own, grant access.

The widespread use of stolen credentials remains a dominant attack vector: the 2023 Verizon Data Breach Investigations Report attributes 49% of breaches by external actors to the use of stolen credentials. This prevalence is a core driver of the DoD's push towards a Zero Trust architecture, which the DoD Zero Trust Strategy aims to bring to its "Target Level" by fiscal year 2027. The strategy is built on seven pillars, including a "User" pillar that directly addresses credential-based threats.

The DoD model is a cultural shift as much as a technical one: one of its four strategic goals is "Zero Trust Cultural Adoption," which means training all personnel to operate under a "never trust, always verify" mindset. The framework defines 45 core capabilities mapped to the seven pillars, giving defense agencies a detailed roadmap to follow.

For detection engineering in Splunk, this translates into a focus on User and Entity Behavior Analytics (UEBA). UEBA uses machine learning to establish a baseline of normal behavior for each user and device, then flags deviations such as a login from a country the user has never authenticated from, or a burst of failed logins followed by a success. A fixed failed-login threshold is itself a static rule; what makes the approach dynamic is comparing each event against that entity's own history rather than against one value for everyone, which is the context-aware posture the principle calls for.

Integrating a robust SIEM with Identity and Access Management (IAM) systems is foundational to implementing the DoD "User" pillar and the CISA "Identity" pillar. The combination supports continuous verification: every access request is evaluated for whether it comes from an authenticated and authorized source and whether the pattern is consistent with that identity's history. Splunk can also be configured to monitor for specific credential abuse techniques, such as the theft or forgery of the OAuth tokens and SAML assertions that carry identity across federated systems. Adversaries steal credentials through a range of techniques catalogued in the MITRE ATT&CK framework under the "Credential Access" tactic (TA0006); these include OS Credential Dumping (T1003), Modify Authentication Process (T1556), and Steal Application Access Token (T1528). Mapping Splunk detection rules to these technique IDs lets security teams measure coverage and build more targeted defenses.

The ultimate goal of a Zero Trust architecture is to make stolen credentials useless by requiring continuous verification for every access request. This means moving away from a perimeter-based defense model to one that scrutinizes every user, device, application, and data flow. For Splunk engineers, it means building dashboards and alerts that give real-time visibility into identity-based threats and support automated responses to suspicious activity.
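The baseline-then-compare logic described above, as an added example that is not code from the article, from Splunk, or from the DoD strategy. It is plain Python so it runs offline on constructed sample events; the field names (ts, user, src_ip, country, result), the thresholds, and the events themselves are assumptions standing in for what a SIEM would normalise out of identity-provider or Windows security logs. Findings are tagged with the ATT&CK technique they most directly evidence (T1110 Brute Force, T1078 Valid Accounts), which is how a detection rule would be mapped for coverage tracking.

```python
"""Minimal UEBA-style login anomaly detection over normalised auth events.

Added example, not the article's or Splunk's code. Builds a per-user
baseline from a training window, then evaluates a detection window for
(a) a successful login from a country absent from the user's history and
(b) a burst of failures followed by a success from the same source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC ISO-8601 timestamps), not real logs.
BASELINE_EVENTS = [
    {"ts": "2024-05-01T09:05:00", "user": "alice", "src_ip": "198.51.100.10", "country": "US", "result": "success"},
    {"ts": "2024-05-02T08:55:00", "user": "alice", "src_ip": "198.51.100.10", "country": "US", "result": "success"},
    {"ts": "2024-05-03T10:12:00", "user": "alice", "src_ip": "198.51.100.22", "country": "US", "result": "success"},
    {"ts": "2024-05-01T14:30:00", "user": "bob", "src_ip": "203.0.113.5", "country": "DE", "result": "success"},
    {"ts": "2024-05-02T15:02:00", "user": "bob", "src_ip": "203.0.113.5", "country": "DE", "result": "success"},
]

DETECTION_EVENTS = [
    # alice: success from a country and at an hour never seen in her baseline
    {"ts": "2024-05-10T03:15:00", "user": "alice", "src_ip": "192.0.2.77", "country": "RU", "result": "success"},
    # alice: ordinary login, should produce no finding
    {"ts": "2024-05-10T09:30:00", "user": "alice", "src_ip": "198.51.100.10", "country": "US", "result": "success"},
    # bob: five failures then a success from one source inside ten minutes,
    # from his usual country, so only the brute-force logic should fire
    {"ts": "2024-05-10T11:00:00", "user": "bob", "src_ip": "192.0.2.88", "country": "DE", "result": "failure"},
    {"ts": "2024-05-10T11:00:10", "user": "bob", "src_ip": "192.0.2.88", "country": "DE", "result": "failure"},
    {"ts": "2024-05-10T11:00:20", "user": "bob", "src_ip": "192.0.2.88", "country": "DE", "result": "failure"},
    {"ts": "2024-05-10T11:00:30", "user": "bob", "src_ip": "192.0.2.88", "country": "DE", "result": "failure"},
    {"ts": "2024-05-10T11:00:40", "user": "bob", "src_ip": "192.0.2.88", "country": "DE", "result": "failure"},
    {"ts": "2024-05-10T11:01:00", "user": "bob", "src_ip": "192.0.2.88", "country": "DE", "result": "success"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events):
    """Per-user baseline: countries and UTC hours seen in successful logins
    during the training window. Failures are ignored so an attacker's
    attempts cannot poison the baseline."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = baseline[e["user"]]
        b["countries"].add(e["country"])
        b["hours"].add(_parse(e["ts"]).hour)
    return baseline


def detect(events, baseline, fail_threshold=5, window=timedelta(minutes=10)):
    """Evaluate a detection window against the baseline.

    Returns one finding per anomalous successful login:
      T1110 Brute Force    - at least fail_threshold failures for the same
                             (user, src_ip) inside `window` before the success
      T1078 Valid Accounts - success from a country absent from the user's
                             baseline; an unusual hour is added as a
                             supporting signal, not alerted on by itself
    Users with no baseline are skipped here; a production rule would
    surface them separately as never-before-seen identities.
    """
    findings = []
    failures = defaultdict(list)  # (user, src_ip) -> failure timestamps
    for e in sorted(events, key=lambda x: x["ts"]):
        t = _parse(e["ts"])
        key = (e["user"], e["src_ip"])
        if e["result"] != "success":
            failures[key].append(t)
            continue
        signals = []
        recent = [f for f in failures.pop(key, []) if t - f <= window]
        if len(recent) >= fail_threshold:
            signals.append(f"failures_before_success:{len(recent)}")
        b = baseline.get(e["user"])
        if b is not None and e["country"] not in b["countries"]:
            signals.append(f"new_country:{e['country']}")
            if t.hour not in b["hours"]:
                signals.append(f"unusual_hour:{t.hour:02d}")
        if signals:
            technique = "T1110" if signals[0].startswith("failures") else "T1078"
            findings.append({"ts": e["ts"], "user": e["user"], "src_ip": e["src_ip"],
                             "technique": technique, "signals": signals})
    return findings


if __name__ == "__main__":
    for finding in detect(DETECTION_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

Two design points carry over to a real SIEM rule: the baseline is built only from successes, so a spray campaign cannot teach the detector that the attacker's source is normal, and the failure buffer is cleared on success so one alert fires per compromise rather than one per subsequent login. Raising the threshold (try fail_threshold=6 on the sample) silences the bob finding and leaves the alice finding, which is the knob you tune per environment.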


Shared from Scout.