The Problem: When Credentials Become the Crown Jewels
Two years ago, an Okta employee saved their work credentials to their personal Gmail account on a work laptop. It seemed like a convenience to have quick access to credentials across devices. Instead, it became the entry point for a breach that would affect 134 enterprise customers and ripple across the identity management ecosystem.
Around the same time, a LastPass engineer clicked on a phishing link, triggering MFA fatigue that led him to approve a suspicious authentication request. The attacker used this moment to access the cloud development environment and, from there, discovered that a senior DevOps engineer was running an outdated version of Plex on his home network, a system with a known critical vulnerability. By exploiting this weak point in the supply chain, attackers spent eight weeks undetected, living among legitimate traffic, extracting encryption keys and customer password vaults.
These weren’t sophisticated zero-day exploits. These were identity-based attacks, attacks that leveraged the fundamental trust we place in credentials and authentication systems.
The Evolving Threat: Identity Is the New Attack Perimeter
Attackers target digital identities such as users, admins, services, and machines that run modern businesses today. Attackers recognize that organizations rely on Active Directory, cloud IAM, and API tokens to drive every aspect of digital operations. With just one set of credentials or an API key, adversaries can:
- Blend in with regular user activity and evade most security controls
- Move laterally, escalate privileges, and access sensitive assets
- Disrupt operations and launch large-scale ransomware attacks
A report from Cisco Talos shows that:
- 60% of major incident response cases in 2024 featured an identity attack component.
- 44% of identity attacks specifically targeted Active Directory, making it the most sought-after system for adversaries seeking full organizational compromise.
- 20% of identity-based breaches in 2024 involved cloud applications or service provider APIs, a growing risk as organizations move resources and business logic to the cloud.
The commoditization of the dark web’s identity marketplace is fueling this epidemic:
- Email/financial credentials, SSH passwords, and session cookies are now marketed openly, with bulk lists of credentials selling for as little as $10-$15 per batch.
- Sophisticated attack toolkits for targeting credentials are widely available, with subscriptions as low as $50 and up to $750 for specialized tools.
- High-profile company credentials are exchanged at prices between $1,000 and $3,000 per account.
In the 2025 Magic Quadrant for Hybrid Mesh Firewall, Gartner explicitly identifies “identity-centric risk-based controls across network and cloud edges” as a key criterion for evaluation. This represents a fundamental shift in how the industry evaluates firewall platforms. Firewalls can no longer be evaluated based on throughput, rule count, or protocol support alone. Their ability to integrate identity intelligence and enforce identity-aware policies is now a core requirement.
The Fundamental Failure of Traditional Approaches
So why haven’t organizations solved this problem already? The answer lies in a fundamental architectural mismatch between how modern enterprises operate and how traditional firewalls were designed.
Traditional firewalls think in terms of network topology: IP addresses, ports, network segments, and protocols. When a user with valid credentials connects to the network, whether on-premises or from the cloud, the firewall sees a legitimate connection. The firewall has no way to know whether those credentials are stolen, whether the user’s behavior is anomalous, or whether the account represents a compromised identity.
Modern enterprises operate through identity, not network topology: Employees work remotely from anywhere, applications run in multiple clouds, users access hundreds of SaaS applications, and machine identities (APIs, services, scripts) outnumber human identities by a ratio of 82:1. The network perimeter has dissolved. Identity is now the new perimeter.
The siloed identity infrastructure compounds the problem: Many organizations have fragmented identity stores. Each system operates independently, collecting its own data and making its own trust decisions. This fragmentation creates visibility gaps where attackers can hide and prevents the holistic view required to detect sophisticated identity-based attacks.
Attackers are patient and professional: They use toolkits to quietly harvest, escalate, persist, and evade, often remaining undetected until significant damage is done.
Case Study: Scattered Spider — The Human Side of Identity Attackers
In September 2023, the Scattered Spider group of about 1,000 young English-speaking cybercriminals proved how devastating identity-based attacks can be. Using social engineering, they impersonated MGM employees over the phone, tricked help-desk staff into resetting credentials, and gained access to Okta and Azure AD without a single exploit or phishing link.
Within hours, they locked MGM’s systems, from slot machines to room keys, causing over $100 million in losses. Days later, they hit Caesars Entertainment, stealing 6 TB of customer data via a compromised third-party vendor. Their tactics (credential resets, MFA fatigue, RMM misuse, and identity infrastructure takeovers) show how attackers now weaponize trust instead of code. Even the most advanced network defenses fail when identity itself becomes the entry point.
Organizations urgently need security solutions that understand and enforce the human and machine identity context on every network action, blocking privilege escalation, lateral movement, and data theft at multiple stages of the kill chain, both on-premises and in the cloud. The challenge is to recognize attacks where they start, with identity, and stop them before the cost is measured in lost data, downtime, and ransom paid.
Analogy: Airport Security in the AI Era
A modern analogy for securing enterprise access is airport security. In the past, security focused mainly on physical barriers like gates and fences to keep unauthorized people out of restricted areas. But in today’s world, simply having a ticket or blending in among crowds isn’t enough. Security staff use multiple identity checks, biometrics, boarding passes, and real-time watchlists at each checkpoint to ensure only those with legitimate, up-to-date credentials are granted access, no matter where they’re coming from. It’s not the perimeter fence that guarantees safety, but the layered, continuous verification of every person’s identity and purpose, actively detecting imposters and suspicious behavior at every critical step.
How Cisco Secure Firewall Transforms the Equation
Firewall policy can only remain relevant if it can keep up with the dynamic nature of users and workloads. This not only brings improved security and flexibility but also ensures that the policy intent is easier to understand in a readable format.
Dynamic Environments Need Dynamic Policies
Dynamic environments require adaptive, context-aware firewall policies that evolve alongside users and workloads. Cisco Secure Firewall addresses this with seamless integration to Cisco Identity Intelligence from Firewall Management Center (FMC/cdFMC), starting with the upcoming 10.0 release, enabling it to continuously assess user risk levels and automatically push policy updates. Rather than relying only on static IPs and ports, the firewall ingests identity signals from both Cisco and third-party sources, mapping user, device, and application behaviors to establish a baseline.
When behavioral deviations occur, such as impossible travel, MFA fatigue, or help desk account anomalies, the firewall automatically enforces adaptive policies: monitoring low-risk users, requiring step-up authentication for medium-risk activity, and blocking high-risk access entirely. The firewall also surfaces proactive insights in the AIOps Security Insights view, providing root cause analysis, affected users, and remediation steps, turning identity risk visibility into actionable intelligence.
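The risk-to-action mapping described above (monitor, step-up, block) can be made concrete with a small policy engine. The following Python is an added example written for this post, not Cisco's code and not the real Identity Intelligence or FMC data format: the event schema, the three detectors (impossible travel, MFA fatigue, login shortly after a help-desk reset), the point weights, and the thresholds are all assumptions, and the event feed is constructed sample data.

```python
"""Hypothetical identity-risk policy engine (added example, not Cisco code)."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignalEvent:
    user: str
    ts: int                # epoch seconds
    kind: str              # "login", "mfa_push", or "helpdesk_reset"
    lat: float = 0.0       # only meaningful for "login"
    lon: float = 0.0
    approved: bool = True  # for "mfa_push": did the user approve it?


# Constructed sample feed; the schema is an assumption for this example.
EVENTS = [
    SignalEvent("alice", 0, "login", 40.7128, -74.0060),     # New York
    SignalEvent("alice", 3600, "login", 51.5074, -0.1278),   # London, 1 h later
    SignalEvent("carol", 100, "login", 37.7749, -122.4194),  # single, normal login
    SignalEvent("dave", 0, "helpdesk_reset"),
    SignalEvent("dave", 900, "login", 34.0522, -118.2437),   # login 15 min after reset
] + [SignalEvent("bob", 60 * i, "mfa_push", approved=False) for i in range(6)] \
  + [SignalEvent("bob", 360, "mfa_push", approved=True)]    # worn down, finally approves

MAX_PLAUSIBLE_KMH = 900               # roughly airliner speed (assumed threshold)
MFA_WINDOW_S, MFA_THRESHOLD = 600, 5  # 5+ pushes in 10 min looks like push bombing
RESET_LOGIN_WINDOW_S = 3600           # login within 1 h of a help-desk reset


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins):
    """True if any consecutive login pair implies a speed above MAX_PLAUSIBLE_KMH."""
    logins = sorted(logins, key=lambda e: e.ts)
    for prev, cur in zip(logins, logins[1:]):
        hours = max(cur.ts - prev.ts, 1) / 3600
        if haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_PLAUSIBLE_KMH:
            return True
    return False


def mfa_fatigue(pushes):
    """True if MFA_THRESHOLD or more pushes fall inside any MFA_WINDOW_S window."""
    ts = sorted(e.ts for e in pushes)
    for i, start in enumerate(ts):
        if sum(1 for t in ts[i:] if t - start <= MFA_WINDOW_S) >= MFA_THRESHOLD:
            return True
    return False


def helpdesk_anomaly(events):
    """True if a help-desk reset is followed by a login within RESET_LOGIN_WINDOW_S."""
    resets = [e.ts for e in events if e.kind == "helpdesk_reset"]
    logins = [e.ts for e in events if e.kind == "login"]
    return any(0 <= l - r <= RESET_LOGIN_WINDOW_S for r in resets for l in logins)


def score_user(events):
    """Return (points, reasons) for one user's events; weights are assumed."""
    points, reasons = 0, []
    if impossible_travel([e for e in events if e.kind == "login"]):
        points += 60
        reasons.append("impossible travel")
    if mfa_fatigue([e for e in events if e.kind == "mfa_push"]):
        points += 40
        reasons.append("mfa fatigue")
    if helpdesk_anomaly(events):
        points += 30
        reasons.append("login shortly after help-desk reset")
    return points, reasons


def risk_level(points):
    return "high" if points >= 60 else "medium" if points >= 30 else "low"


# The three enforcement tiers the post describes.
ACTIONS = {"low": "monitor", "medium": "step_up_auth", "high": "block"}


def evaluate(events):
    """Map every user in the feed to (risk level, firewall action, reasons)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    verdicts = {}
    for user, evs in by_user.items():
        points, reasons = score_user(evs)
        level = risk_level(points)
        verdicts[user] = (level, ACTIONS[level], reasons)
    return verdicts


if __name__ == "__main__":
    for user, (level, action, reasons) in evaluate(EVENTS).items():
        print(f"{user:6} risk={level:6} action={action:13} {', '.join(reasons) or '-'}")
```

Running the block prints one verdict per user: alice is blocked (New York to London in an hour), bob and dave get step-up authentication, and carol is only monitored. In a real deployment the thresholds would be tuned per environment, and the "reasons" list is what a Security Insights style view would surface as root cause alongside the affected user.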
Continuous Identity Integration
Cisco Secure Firewall Management Center can integrate with identity stores including Microsoft Active Directory or Microsoft Entra ID and supports various methods of gathering data about where and how users are logged in. These range from gathering data on the firewalls directly, through capabilities such as Captive Portal or users connected via Remote Access VPN, to integration with external solutions such as Cisco Identity Services Engine, or using the Passive Identity Agent to query Active Directory directly. Beyond Active Directory and Entra ID, Secure Firewall now aligns with modern identity providers that use SAML for Remote Access VPN authentication, including Azure, Okta, Ping, and Google Workspace.
Dynamic Workload Mapping
Cisco Secure Dynamic Attribute Connector, available in multiple form factors, can integrate with both public and private cloud workload providers such as Amazon Web Services, Microsoft Azure, VMware, and Cisco ACI. Attributes of running services are captured and can be used in policy. As workloads move or change, the policy is updated dynamically without any administrative action, ensuring communication to workloads remains correct and consistent.
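To show why attribute-based objects survive workload churn where IP-based rules do not, here is an added Python example written for this post; it is not the Dynamic Attribute Connector's code and does not use its real inventory format. The workload inventory snapshots, the dynamic object selectors, and the single allow rule are constructed assumptions.

```python
"""Attribute-driven dynamic objects (added example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str
    attrs: dict = field(default_factory=dict)  # provider/env/role tags (assumed keys)


# Constructed inventory as a connector might report it before a redeploy.
SNAPSHOT_BEFORE = [
    Workload("web-1", "10.0.2.7", {"provider": "aws", "env": "prod", "role": "web"}),
    Workload("app-1", "10.0.1.5", {"provider": "aws", "env": "prod", "role": "app"}),
    Workload("app-dev", "10.0.9.5", {"provider": "azure", "env": "dev", "role": "app"}),
]

# After the redeploy the prod app tier moved to a new address; policy text is unchanged.
SNAPSHOT_AFTER = [
    Workload("web-1", "10.0.2.7", {"provider": "aws", "env": "prod", "role": "web"}),
    Workload("app-2", "10.0.1.9", {"provider": "aws", "env": "prod", "role": "app"}),
    Workload("app-dev", "10.0.9.5", {"provider": "azure", "env": "dev", "role": "app"}),
]

# Dynamic objects are attribute selectors, not address lists.
DYNAMIC_OBJECTS = {
    "prod-web": {"env": "prod", "role": "web"},
    "prod-app": {"env": "prod", "role": "app"},
}

# (source object, destination object, action); anything unmatched is denied.
RULES = [("prod-web", "prod-app", "allow")]
DEFAULT_ACTION = "deny"


def matches(workload, selector):
    """A workload is a member when every selector key/value is present in its tags."""
    return all(workload.attrs.get(k) == v for k, v in selector.items())


def resolve(objects, inventory):
    """Compute each dynamic object's current IP set from the latest inventory."""
    return {
        name: {w.ip for w in inventory if matches(w, selector)}
        for name, selector in objects.items()
    }


def decide(src_ip, dst_ip, inventory, rules=RULES, objects=DYNAMIC_OBJECTS):
    """Evaluate the rule set against whatever the inventory says right now."""
    members = resolve(objects, inventory)
    for src_obj, dst_obj, action in rules:
        if src_ip in members[src_obj] and dst_ip in members[dst_obj]:
            return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT_BEFORE), ("after", SNAPSHOT_AFTER)):
        print(label, resolve(DYNAMIC_OBJECTS, snap),
              "web->10.0.1.9:", decide("10.0.2.7", "10.0.1.9", snap))
```

The dev app workload never becomes a member of `prod-app` even though it carries the same role tag, because the selector also requires `env: prod`; that is the kind of multi-attribute match that keeps a segmentation rule narrow while still following workloads across addresses.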
End-to-End Segmentation by Integrating With Cisco ISE
By integrating Cisco Secure Firewall with Cisco Identity Services Engine, organizations can further extend their dynamic policies with attributes from campus users and devices, taking security policies beyond just Users and Groups.
Secure Firewall Management Center integrates with Cisco Identity Services Engine using pxGrid connectivity and gathers User and Device context for use in policies, and it can also create policies based on ISE Security Group Tags (SGT). This allows an organization’s policies to grant varying levels of access based not only on User or Group membership but also on Endpoint Profiles or location.
By assigning SGTs to endpoints based on the many criteria offered by Cisco ISE, Secure Firewall can enforce traffic decisions based on assigned tags. In addition to reading the SGTs via pxGrid, they can also be read directly from the traffic inline based on the SGT applied at a downstream device in the packet itself, providing an end-to-end TrustSec architecture for Zero Trust and Segmentation.
Conclusion
The question is no longer whether identity-aware firewalls are necessary. The question is how quickly organizations can implement them, because in a world where identity is the perimeter, the firewall that can’t think in identities is already compromised. Explore how Cisco Secure Firewall with Identity Intelligence transforms your security architecture. See firsthand how adaptive policies, continuous identity integration, and zero-trust segmentation work together to detect and block identity-based attacks before they traverse your infrastructure.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.