Identity Compromise Drives Majority of Cyber Incidents - CISA’s 2023 Findings
Cybersecurity isn't just about preventing break-ins anymore—it’s about stopping attackers from logging in with legitimate credentials.
Attackers predominantly log in; they do not break into organizations
A recent report by the U.S.-based Cybersecurity and Infrastructure Security Agency (CISA) confirms threat actors are mostly gaining initial access to organizations through valid, compromised accounts.
The 2023 CISA report, based on 143 risk and vulnerability assessments (RVAs) across various critical infrastructure sectors, reveals that attackers are primarily using known passwords and phishing techniques to enter systems.
Following an attack model based on the MITRE ATT&CK® framework, the agency found that initial access into organizations is largely obtained via valid accounts, phishing campaigns and brute-forcing passwords.
The findings show that:
41% of initial breaches occur through valid accounts, often using credentials found on the dark web.
37% of breaches stem from phishing and spear-phishing campaigns, tricking users into sharing sensitive information.
10% are the result of brute-force attacks, where attackers repeatedly try to guess passwords.
Note that all of the above cases (roughly 90%) involve passwords, while the remaining incidents (~10%) involve exploiting vulnerabilities in public-facing applications or external remote access services like VPNs.
Passwords Are Still the Weakest Link
The report highlights a critical weakness: phishable authentication factors, such as passwords, are one of the top enablers of cyber-attacks. This means that identity-based security is no longer optional—it's essential. Protecting the digital identities of employees and users should be a top priority for organizations worldwide.
For more insights and to view the full report, visit: CISA Report.