Identity Abuse in Real-World Breaches: Lessons from Marcus Hutchins

Attackers don’t hack their way in; they log in. That’s not a new observation, but it’s one most organizations still haven’t internalized. Identity abuse is the primary mechanism behind the breaches that keep CISOs up at night, and a single compromised credential is often all it takes to open the door to ransomware, data exfiltration, and persistent access.
In the latest installment of our Through the Eyes of the Adversary series, I sat down with Marcus Hutchins, the malware analyst and incident responder who stopped WannaCry in 2017 and has spent years studying how threat actors operate inside compromised environments. His perspective is rare, built from direct empirical experience analyzing malware campaigns in the wild.
What follows is a breakdown of some takeaways from the conversation, including why enterprise defenses consistently fall short and what Zero Trust means when it is put to the test.
Why Direct Malware Experience is Critical
We call the series Through the Eyes of the Adversary for a reason. Attackers don’t see your environment the way your tools or your org charts do. If you are not thinking like an attacker, you are not going to be able to effectively defend what is important.
During the webinar with Marcus, we polled more than one hundred security and identity leaders in attendance regarding which business impact worries them the most when an identity-based attack hits their organization.
43% of leaders are most worried about sensitive data exfiltration or leaks after an identity-based attack on their organization.
This overwhelming concern about leaks of company data is shared among CISOs across critical sectors, which is why it is essential to pinpoint how the identity attack surface can be minimized.
Drawing on his journey from undercover malware hobbyist to the WannaCry superhero who frustrated government authorities, Marcus offered invaluable advice on how CISOs and IAM leaders can address these concerns.
While Marcus did cross paths with real-world cybercriminals through his independent research, he was never associated with them, owing to his red-team mindset.
“What got me interested (in malware) was this idea that there’s all these operating system functionalities that you can undermine, manipulate and use to make malware that just hides itself.” — Marcus Hutchins
It is through this lens that Marcus saw in real time how an organization’s identity ecosystem, often fractured and siloed between on-prem and cloud solutions, is rife with opportunities for abuse.
“Identity is a very, very big thing for attackers. They’re almost always going for credential resets or some kind of identity access, almost never dropping malware on endpoints.” — Marcus Hutchins
How Identity Abuse Enables Malware and Lateral Movement
Marcus shared that infostealers, ransomware and backdoor trojans are the types of malware that organizations need to look out for. While enterprise cybersecurity primarily centers anti-malware efforts on endpoint detection and response (EDR) platforms, Marcus stressed that these tools aren’t a one-and-done solution.
“A lot of people have this idea that if you go out and you buy a top‑end EDR and you just deploy it with a default configuration, you’re good. In reality, you need to spend a lot of time fine‑tuning your rules to your specific situation.” — Marcus Hutchins
This is because organizations need to do the preparatory work to set their EDR solution up for success, and much of that success is determined by how they provision access across their identity ecosystem, whether for human, non-human, or agentic AI identities.
In a second poll during the webinar, leaders were asked what the biggest identity-based gap in their organization’s environment is once an attacker has infiltrated it. Interestingly, concern was shared across several critical areas.
32% of leaders consider visibility on suspicious token or cookie use as their biggest security gap, compared to catching privilege escalations in real-time (28%), tracking lateral movement across systems (25%), and visibility to risky logins or sessions (14%).
This underscores how low confidence among CISOs in their identity infrastructure is, and how widely that concern is shared. To resolve this, the CISO needs to work with the IAM leader to ensure that their organization has a comprehensive identity layer, one that continually maps the “who, what, when, where and why” of every identity-related security gap.
Marcus made it clear that once this groundwork is done, organizations can make better use of their EDR solution to understand, after an incident, how malware entered the enterprise environment or how a data breach occurred.
“From the endpoint perspective, you should know what is accessing password files. If some random, unheard‑of application is hitting your credential store, that’s a little bit suspicious.” — Marcus Hutchins
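Hutchins’s point about watching credential-store access translates directly into a detection rule. The following is an added example, not code from the webinar or from Radiant Logic: it reads constructed JSON-lines endpoint telemetry (the field names, the file paths, the host names and the allowlist of expected reader processes are all assumptions chosen for illustration) and flags any process that reads a credential store without being one of the readers expected for that store.

```python
"""Flag processes that read credential stores without being expected readers.

Added example (not from the webinar or from Radiant Logic). The log format,
the store paths and the allowlist are assumptions; tune them per environment.
"""
import json
from collections import defaultdict
from fnmatch import fnmatchcase

# Credential-store locations (glob patterns) and the processes that are
# expected to read each of them. Constructed allowlist for illustration.
CREDENTIAL_STORES = {
    "/etc/shadow": {"sshd", "login", "passwd", "sudo", "su"},
    "/home/*/.aws/credentials": {"aws", "terraform"},
    "C:\\Windows\\System32\\config\\SAM": {"lsass.exe"},
    "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data": {"chrome.exe"},
}

# Constructed endpoint telemetry: one JSON object per line, as an EDR or
# file-access sensor might export it. Raw string so the JSON escapes survive.
SAMPLE_LOG = r"""
{"ts":"2024-05-01T09:12:03Z","host":"web01","user":"root","process":"sshd","path":"/etc/shadow","op":"read"}
{"ts":"2024-05-01T09:12:40Z","host":"web01","user":"root","process":"unknown-bin","path":"/etc/shadow","op":"read"}
{"ts":"2024-05-01T09:15:11Z","host":"build07","user":"ci","process":"terraform","path":"/home/ci/.aws/credentials","op":"read"}
{"ts":"2024-05-01T09:16:02Z","host":"build07","user":"ci","process":"curl","path":"/home/ci/.aws/credentials","op":"read"}
{"ts":"2024-05-01T09:20:55Z","host":"ws-042","user":"alice","process":"chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","op":"read"}
{"ts":"2024-05-01T09:21:30Z","host":"ws-042","user":"alice","process":"updater.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","op":"read"}
{"ts":"2024-05-01T09:25:00Z","host":"ws-042","user":"alice","process":"notepad.exe","path":"C:\\Users\\alice\\notes.txt","op":"read"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matching_store(path):
    """Return the credential-store pattern that `path` matches, or None."""
    for pattern in CREDENTIAL_STORES:
        # fnmatchcase is case-sensitive regardless of platform, so results
        # do not change depending on where the detection runs.
        if fnmatchcase(path, pattern):
            return pattern
    return None


def find_suspicious_access(events):
    """Return findings for every read of a credential store by a process
    that is not on that store's expected-reader list."""
    findings = []
    for ev in events:
        store = matching_store(ev["path"])
        if store is None:
            continue  # not a credential store; ignore
        if ev["process"] not in CREDENTIAL_STORES[store]:
            findings.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "user": ev["user"],
                "process": ev["process"],
                "store": store,
                "reason": f"{ev['process']} is not an expected reader of {store}",
            })
    return findings


def summarize_by_host(findings):
    """Count findings per host so the noisiest endpoints surface first."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_suspicious_access(parse_events(SAMPLE_LOG))
    for hit in hits:
        print(f"{hit['ts']} {hit['host']} {hit['user']}: {hit['reason']}")
    print("per host:", summarize_by_host(hits))
```

On the constructed log this flags three reads: the unrecognized binary touching /etc/shadow, curl reading the CI runner's AWS credentials, and an updater process reading the browser's saved logins, while the expected readers and the unrelated notes file produce nothing. In practice the allowlist should be built from a baseline of observed, legitimate readers rather than guessed, and an unknown reader should be treated as a lead to investigate rather than proof of compromise.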
What Zero Trust Looks Like in a Real Attack
Zero Trust is a longstanding principle in the world of enterprise cybersecurity, but its practical application for reducing identity-based threats requires a red-team lens. Hutchins challenged the enterprise outlook on the principle, pointing out that operational frameworks inherently require trust to function.
“I’m going to be honest: I do not know what Zero Trust means at this point. If you are outsourcing your credentials to something like Okta, you’re trusting Okta, right?” — Marcus Hutchins
Zero Trust is a mindset rather than a complete cybersecurity strategy, because no system eradicates trust entirely, and enterprise identity ecosystems are no exception. In a plea to CISOs, Hutchins urged leaders to be careful about how their organizations enforce Zero Trust.
“What I find happens with Zero Trust is (that) they (CISOs) are just moving the trust to someone else, somewhere else, and the attackers will just go after whoever holds the trust.” — Marcus Hutchins
To follow Zero Trust as well as possible, the CISO must work with the IAM team to gain a clear picture of the identity trust chains within their organization. Accounting for identity-based threats demands that leaders acknowledge which identities the enterprise is trusting, and what those identities are being trusted with.
Securing the Identity Perimeter
Hutchins’s message is straightforward. Although much of his work centers on vulnerabilities, identity abuse isn’t an edge case; it’s the playbook. Attackers follow the trust, and most organizations don’t have a clear picture of where that trust actually lives.
The starting point is knowing what you’re defending. That means red teaming your identity infrastructure, not just your endpoints. It means understanding that EDR alone won’t save you if the credentials were already compromised upstream. Lastly, it means mapping the trust chains across your identity ecosystem, so you can see what an attacker sees, whether those identities are human, non-human, or agentic.
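Both the advice above to map identity trust chains and Hutchins’s warning that attackers go after whoever holds the trust come down to the same exercise: record which identity relies on which, then follow the chains. The block below is an added example, not code from the webinar or from Radiant Logic. The identities, the edges and the labels are constructed for illustration; the technique (a directed trust graph walked in both directions) applies to whatever inventory of applications, identity providers, service accounts and agent credentials an organization actually has.

```python
"""Map identity trust chains and find where trust concentrates.

Added example (not from the webinar or from Radiant Logic). The identities
and edges below are constructed; replace them with a real inventory.
"""
from collections import defaultdict, deque

# Each edge is (truster, trustee, what the truster relies on the trustee for).
# If the trustee is compromised, the truster's security assumption fails.
TRUST_EDGES = [
    ("hr-app", "corp-idp", "SSO authentication"),
    ("finance-app", "corp-idp", "SSO authentication"),
    ("corp-idp", "ad-domain", "password validation"),
    ("corp-idp", "idp-admin@corp", "admin console access"),
    ("payroll-db", "svc-payroll", "read/write"),
    ("svc-payroll", "ci-runner", "secret injection"),
    ("ci-runner", "github-org", "workflow triggers"),
    ("report-bot", "api-key-7", "report API"),  # agentic / non-human identity
]


def build_graph(edges):
    """Return (forward, reverse) adjacency maps.

    forward[x] = identities x relies on; reverse[x] = identities relying on x.
    """
    forward, reverse = defaultdict(set), defaultdict(set)
    for truster, trustee, _label in edges:
        forward[truster].add(trustee)
        reverse[trustee].add(truster)
    return forward, reverse


def reachable(adjacency, start):
    """All identities reachable from `start` along `adjacency`, excluding start.
    Breadth-first, with a seen set so cycles terminate."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def upstream_trust(edges, identity):
    """Everything `identity` transitively depends on: compromising any of
    these undermines `identity`, even if `identity` itself is never touched."""
    forward, _ = build_graph(edges)
    return reachable(forward, identity)


def dependents(edges, identity):
    """Everything that transitively trusts `identity`: the set affected if
    `identity` is compromised."""
    _, reverse = build_graph(edges)
    return reachable(reverse, identity)


def trust_concentration(edges):
    """Rank identities by how many others depend on them, most first.
    The top entries are 'whoever holds the trust'."""
    nodes = {n for edge in edges for n in edge[:2]}
    counts = {n: len(dependents(edges, n)) for n in nodes}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("hr-app relies on:", sorted(upstream_trust(TRUST_EDGES, "hr-app")))
    print("affected if github-org is compromised:",
          sorted(dependents(TRUST_EDGES, "github-org")))
    for identity, count in trust_concentration(TRUST_EDGES)[:5]:
        print(f"{identity}: {count} dependent identities")
```

On the constructed graph, hr-app relies not only on the identity provider but, through it, on the directory and the provider's admin identity; and the source-control organization, which nobody would list as a payroll system, turns out to sit upstream of the payroll database through the CI runner and the service account. The ranking makes those concentration points explicit, which is the picture a CISO and IAM leader need before deciding where monitoring and hardening effort goes.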
Watch the full conversation with Marcus Hutchins in Through the Eyes of the Adversary: Identity Abuse in Real-World Breaches on demand.
Up Next
On April 28, physical and cybersecurity expert Freaky Clown (FC) will share in the third part of Through the Eyes of the Adversary how identity spans both the digital and physical worlds, and how attackers exploit that overlap.
Through the Eyes of the Adversary is a webinar series produced by Radiant Logic, exploring how real-world attackers exploit identity to compromise enterprise environments. The series is designed for security leaders, IAM practitioners, and anyone responsible for protecting organizational infrastructure.

