Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Identity-Centric Threat Actor Models (ICTAM)
Understanding how sophisticated adversaries weaponize identity infrastructure in modern cyber operations
Purpose of This Module
ICTAM provides authoritative intelligence on how real threat actors weaponize identity in cyber operations. Unlike generic threat frameworks, this module focuses exclusively on identity-driven intrusion techniques used by sophisticated adversaries.
These models reveal how attackers think in identity terms—exploiting federation trust, token lifecycles, and cloud IAM misconfigurations rather than traditional endpoint vulnerabilities. Each actor profile maps directly to observable identity attack patterns.
Core Focus Areas
  • Identity-driven intrusion techniques
  • Federation and SSO abuse patterns
  • Token replay and manipulation
  • Cloud IAM privilege escalation
  • Lateral movement via trust relationships
  • Persistence using identity mechanisms
Threat Actor Archetypes
Four high-value actor classifications derived from global identity-focused campaign analysis
APT Actors
State-sponsored groups employing sophisticated identity tradecraft for long-term strategic access. Focus on federation abuse, token theft, and cloud infrastructure compromise.
Ransomware Operators
Fast-moving groups leveraging credential harvesting and rapid privilege escalation to achieve domain-wide compromise and deploy encryption payloads.
Insider & Hybrid Threats
Malicious insiders and compromised accounts exploiting legitimate access for data exfiltration, sabotage, or enabling external threat actors.
Cloud-Native & Supply-Chain Actors
Groups targeting OAuth flows, DevOps pipelines, CI/CD systems, and SaaS supply chains through identity pivoting and token manipulation.
Actor Model Navigation
APT Intelligence
Comprehensive identity tradecraft analysis for major state-sponsored threat groups including targeting patterns and TTPs.
Ransomware & Insider Threats
Fast escalation techniques, credential harvesting operations, and internal abuse patterns from criminal and insider actors.
Cloud & Supply-Chain
OAuth abuse, DevOps compromise, token replay, and CI/CD identity pivoting from cloud-native threat actors.
Why Identity-Centric Models Matter
Modern intrusions increasingly use identity as the primary attack vector, bypassing traditional perimeter defenses
Authentication Compromise
Compromised MFA, stolen refresh tokens, and cloud role escalation enable persistent access without malware deployment or network exploitation.
Federation Abuse
SSO misconfigurations, federation trust manipulation, and OAuth phishing allow attackers to hop between connected systems seamlessly.
Cloud IAM Exploitation
CI/CD identity takeover, SaaS application hopping, and long-lived token persistence provide attackers with legitimate-looking access paths.
Integration with Identity Attack Chain
ICTAM threat actors map directly to the nine-stage Identity Attack Chain, showing how specific groups execute each phase
Stages 1-2: Reconnaissance & Enumeration
Actors identify identity infrastructure, enumerate users, and map trust relationships across cloud and on-premises environments.
Stages 3-4: Credential Acquisition & Authentication Abuse
Groups employ phishing, token theft, or MFA bypass to acquire valid credentials and abuse authentication mechanisms.
Stages 5-6: Privilege Escalation & Token Tampering
Attackers elevate permissions through cloud IAM misconfigurations and manipulate tokens to extend access duration or scope.
Stages 7-9: Lateral Movement, Persistence & Impact
Threat actors pivot across systems using identity, establish persistent access via federation, and achieve final objectives.
Breach Pattern Mapping
Each threat actor model links to specific identity breach patterns (BP-001 through BP-049) documented in the Identity Breach Patterns Library. This mapping enables security teams to correlate observed actor behavior with known attack patterns.
The pattern library provides detailed technical breakdowns of how each actor type exploits specific identity weaknesses, including real-world case studies, detection signatures, and mitigation strategies validated against production incidents.
Pattern Categories
  • Federation trust exploitation
  • Token lifecycle abuse
  • Cloud IAM misconfiguration
  • Session hijacking techniques
  • DevOps pipeline compromise
  • Privilege escalation paths
Identity Misconfiguration Universe
Threat actors systematically exploit six categories of identity misconfigurations across hybrid and cloud environments
1. Federation Misconfigurations
Weak trust establishment, certificate validation bypass, and SAML assertion manipulation enabling cross-domain compromise.
2. Cloud IAM Weaknesses
Overprivileged service principals, resource-based policies, and cross-tenant access enabling privilege escalation.
3. Session Management Flaws
Long-lived tokens, missing session binding, and inadequate timeout policies allowing persistent unauthorized access.
4. DevOps Identity Issues
CI/CD credential exposure, pipeline token theft, and service account over-permissions enabling supply chain attacks.
5. PIM Gaps
Weak just-in-time access controls, missing approval workflows, and privilege elevation without logging.
6. Authentication Bypass
MFA policy exclusions, legacy protocol abuse, and conditional access gaps allowing unauthorized authentication.
Detection Logic Integration
Each actor archetype triggers recognizable signals mapped to the Identity Threat Detection Logic Library
1. Token Anomaly Detection
Unusual token issuance patterns, scope modifications, or geographic inconsistencies indicating credential theft or replay attacks.
2. Impossible Travel Analysis
Authentication events from geographically impossible locations within short timeframes revealing token sharing or compromise.
3. Conditional Access Bypass
Successful authentication attempts that circumvent expected policy enforcement, indicating policy gaps or exploitation.
4. Non-Interactive Sign-In Abuse
Service principal or application authentication patterns inconsistent with legitimate automation or DevOps workflows.
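As an added example (not part of ICTAM or its detection library), the impossible travel check from the list above, run over constructed sign-in events; the coordinates, timestamps and the 900 km/h ceiling are assumptions chosen for illustration.

```python
from collections import namedtuple
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner speed; tune per tenant

# Constructed sign-in events for this example, not real telemetry:
# (user, UTC timestamp, latitude, longitude of the sign-in IP's geolocation)
SAMPLE_EVENTS = [
    ("alice", "2026-01-10T09:05:00Z", 37.77, -122.42),  # San Francisco (deliberately out of order)
    ("alice", "2026-01-10T08:00:00Z", 52.37, 4.90),     # Amsterdam
    ("alice", "2026-01-10T08:40:00Z", 51.51, -0.13),    # London, ~360 km in 40 min: plausible
    ("bob",   "2026-01-10T10:00:00Z", 40.71, -74.01),   # New York
    ("bob",   "2026-01-10T18:00:00Z", 51.51, -0.13),    # London, ~5600 km in 8 h: plausible
]

TravelAlert = namedtuple("TravelAlert", "user from_ts to_ts distance_km speed_kmh")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins of one user whose implied speed exceeds max_kmh."""
    # Sort per user, oldest first, so the order events were ingested in does not matter.
    parsed = sorted(((u, datetime.fromisoformat(ts.replace("Z", "+00:00")), lat, lon)
                     for u, ts, lat, lon in events), key=lambda e: (e[0], e[1]))
    alerts = []
    for user, group in groupby(parsed, key=lambda e: e[0]):
        prev = None
        for _, ts, lat, lon in group:
            if prev is not None:
                km = haversine_km(prev[1], prev[2], lat, lon)
                hours = (ts - prev[0]).total_seconds() / 3600
                # Two locations at the same instant is the clearest token-replay signal.
                speed = km / hours if hours > 0 else float("inf")
                if km > 0 and speed > max_kmh:
                    alerts.append(TravelAlert(user, prev[0], ts, round(km, 1), round(speed, 1)))
            prev = (ts, lat, lon)
    return alerts

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_EVENTS):
        print(f"{a.user}: {a.distance_km} km in {a.to_ts - a.from_ts} -> {a.speed_kmh} km/h")
```

In production the per-user baseline (home regions, known VPN egress points) replaces the fixed ceiling, and the alert would be joined with the token-anomaly signals above rather than raised on its own.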
Target Audience & Application
Primary Users
ICTAM serves security professionals requiring authoritative intelligence on identity-focused threat actors for strategic planning and tactical operations.
  • CISOs and security executives
  • Identity and access management architects
  • Threat intelligence analysts
  • Red team operators
  • Cloud security engineering leads
  • SOC and detection engineering teams
Strategic Value
These models enable teams to anticipate adversary behavior rather than react to incidents, improving security posture through proactive defense.
By understanding how specific threat actors weaponize identity infrastructure, organizations can prioritize controls, tune detection, and validate defenses against real-world adversary techniques.