Identity threats: geopolitical, hybrid, and AI risks

New threat updates show identity compromise remains the favored initial access vector — Iranian-linked actors, Middle East hybrid campaigns, and AI‑powered techniques are all being used to target credentials and escalate privileges. CISOs also report big visibility gaps in AI-driven systems, widening the attack surface for identity abuse. (blog.qualys.com) (cyble.com) (thehackernews.com)

CISA’s Cyber Vulnerability Insights Estimate (CVIE) lists 136 CVEs associated with Iranian government‑sponsored or ‑linked activity, and Qualys added an “Iranian‑Linked Threat Management” dashboard in VMDR to surface those CVEs for rapid asset prioritization. (info.expel.com)

U.S. government advisories and vendor analysis show Iranian‑linked actors continue to rely on credential‑access techniques such as password spraying, brute force, and MFA push‑based compromise, with documented actor activity and MFA manipulation observed since October 2023. (media.defense.gov)

Hybrid cyber campaigns tied to the February 28, 2026 kinetic escalation in the Middle East have produced a surge in destructive and opportunistic cyber operations that target infrastructure, energy, and supply‑chain assets and create cross‑border spillover risk. (cyble.com)

Pentera’s AI Security & Exposure Benchmark (a survey of 300 U.S. CISOs) found that nearly 70% of security leaders report limited visibility into how AI is deployed in their organizations, and roughly 75% are securing AI with legacy controls ill‑suited to adversarial techniques such as AI‑generated phishing and deepfakes. (go.pentera.io)

Splunk’s public analytic content includes workable detections for credential abuse. Examples include correlation searches that flag a single source failing to authenticate against 10 or more unique accounts within a time window (password spray), and Okta/Azure hunts that detect MFA exhaustion patterns such as 9 or more denied push prompts followed by a successful login from the same user. (research.splunk.com)

Integrate Qualys VMDR intelligence into Splunk using the Qualys TA and VM App, which ingest vulnerability and detection data via the Qualys API; this enables correlation of CISA/CVIE‑flagged CVEs with authentication anomalies and feeds prioritized asset‑remediation workflows. (docs.qualys.com)

For multi‑client Splunk environments, Splunk’s MSSP architecture guidance recommends tenant separation via per‑customer indexes, strict RBAC, and the multi‑tenancy features of Splunk SOAR for playbook‑based response, so that cross‑tenant data does not leak during incident triage. (splunk.com)

DoD Zero Trust materials define the User pillar as a distinct domain with prescriptive activities: the Zero Trust Capability Execution Roadmap lists 152 ZT activities across the pillars, 91 of which are designated Target Level. Map Splunk detections to ICAM controls such as user inventory, continuous authentication, and phishing‑resistant MFA to demonstrate User‑pillar coverage. (dodcio.defense.gov)
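The two Splunk detections described above, re‑implemented in plain Python as an added example (this is not Splunk’s own analytic content and not code from any of the cited sources). It runs both checks over a handful of constructed Okta‑style events: a password spray from one source against 12 accounts, and an MFA‑fatigue sequence in which a user denies nine pushes and then approves one. The field names (eventType, result, user, src_ip), thresholds, IP addresses, and account names are all assumptions chosen for illustration; the comments show the SPL each function approximates.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Okta-System-Log-style events, not real telemetry. The field names
# are a flattened stand-in for Okta's eventType / outcome.result /
# actor.alternateId / client.ipAddress.
def _ev(minute, event_type, result, user, src_ip):
    return {
        "_time": datetime(2026, 3, 1, 9, 0) + timedelta(minutes=minute),
        "eventType": event_type,
        "result": result,
        "user": user,
        "src_ip": src_ip,
    }

EVENTS = []
# Password spray: one source (203.0.113.7, a documentation range) fails
# against 12 different accounts in ~12 minutes.
for i in range(12):
    EVENTS.append(_ev(i, "user.session.start", "FAILURE",
                      f"user{i:02d}@example.com", "203.0.113.7"))
# Noise: a second source fails twice against two accounts (below threshold).
EVENTS.append(_ev(3, "user.session.start", "FAILURE", "carol@example.com", "198.51.100.5"))
EVENTS.append(_ev(4, "user.session.start", "FAILURE", "dave@example.com", "198.51.100.5"))
# MFA fatigue: alice denies 9 Okta Verify pushes in about 6 minutes, then one
# is approved (the attacker finally gets through).
for i in range(9):
    EVENTS.append(_ev(20 + i * 0.7, "user.mfa.okta_verify.deny_push", "FAILURE",
                      "alice@example.com", "203.0.113.7"))
EVENTS.append(_ev(27, "user.authentication.auth_via_mfa", "SUCCESS",
                  "alice@example.com", "203.0.113.7"))
# bob denies 3 pushes then approves: plausible mis-taps, stays below threshold.
for i in range(3):
    EVENTS.append(_ev(40 + i, "user.mfa.okta_verify.deny_push", "FAILURE",
                      "bob@example.com", "192.0.2.10"))
EVENTS.append(_ev(44, "user.authentication.auth_via_mfa", "SUCCESS",
                  "bob@example.com", "192.0.2.10"))

_EPOCH = datetime(1970, 1, 1)


def detect_password_spray(events, min_unique_users=10, span=timedelta(hours=1)):
    """Approximates: ... | bucket _time span=1h
                        | stats dc(user) AS dc_user BY src_ip, _time
                        | where dc_user >= 10
    Returns {(src_ip, bucket_start): unique_user_count} for buckets over threshold.
    Bucketing is a fixed-width floor like SPL's bucket, so a spray straddling a
    bucket edge can be split; lower the threshold or use a sliding window if
    that matters in your data."""
    buckets = defaultdict(set)
    for e in events:
        if e["eventType"] == "user.session.start" and e["result"] == "FAILURE":
            bucket = _EPOCH + ((e["_time"] - _EPOCH) // span) * span
            buckets[(e["src_ip"], bucket)].add(e["user"])
    return {k: len(v) for k, v in buckets.items() if len(v) >= min_unique_users}


def detect_mfa_fatigue(events, min_denials=9, window=timedelta(minutes=10)):
    """Per user: a successful MFA authentication preceded, within `window`,
    by at least `min_denials` denied push prompts. Approximates the
    'many denied pushes then a success' hunt; denial history resets on each
    success so one approval is not flagged twice."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        denials = []
        for e in evs:
            if e["eventType"] == "user.mfa.okta_verify.deny_push":
                denials.append(e["_time"])
            elif (e["eventType"] == "user.authentication.auth_via_mfa"
                  and e["result"] == "SUCCESS"):
                recent = [t for t in denials if e["_time"] - t <= window]
                if len(recent) >= min_denials:
                    hits.append({"user": user, "denied_pushes": len(recent),
                                 "success_time": e["_time"], "src_ip": e["src_ip"]})
                denials = []
    return hits


if __name__ == "__main__":
    for (src, start), n in detect_password_spray(EVENTS).items():
        print(f"password spray: {src} failed against {n} accounts in bucket {start}")
    for h in detect_mfa_fatigue(EVENTS):
        print(f"mfa fatigue: {h['user']} approved after {h['denied_pushes']} "
              f"denials at {h['success_time']} from {h['src_ip']}")
```

The spray check keys on source IP, which is the weak point in practice: an actor rotating through residential proxies spreads the failures across sources, so a companion search keyed on user‑agent or target tenant is worth running alongside it. The fatigue check deliberately only fires on the success event, since nine denials with no approval is noise to triage, not an account compromise.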


Shared from Scout - Be the smartest in the room.