
Identity, AI, and IoT/OT: The New Threats Exposing the Weaknesses in Your SOC


October 2, 2025

As we move past the midpoint of the year, expert analyses confirm that we've entered an era of uniquely sophisticated, highly evasive, and adaptive cyberattacks. Leveraging every available resource, from compromised identities to AI tools and connected devices, threat actors are relentlessly looking for new ways to move through their victims' networks undetected.

They've learned how to become "ghosts in the machine," leaving minimal trace, and their silent movements were a major theme at this year's Black Hat USA conference. Throughout the event, the consensus was clear: the modern adversary has mastered the art of stealth.

Attackers are Using Stolen Credentials to Spread Throughout the Network

The rise of identity-based attacks has made the need for new defense mechanisms harder to ignore. According to the 2024 Data Breach Investigations Report (DBIR), a staggering 24% of initial breach actions involved the use of stolen or abused credentials, rather than relying primarily on the deployment of malicious software.

A classic example is the Change Healthcare attack, where threat actors used stolen credentials to gain remote access to a network portal. Utilizing this foothold to move laterally through the network, threat actors escalated privileges, spent days exfiltrating data, and ultimately deployed ransomware that crippled healthcare payment systems nationwide. At least 190 million notices were related to the Change Healthcare breach, and despite UnitedHealth Group reportedly paying a $22 million ransom, hackers still offered the stolen healthcare data for sale on the dark web.

Identities are now as valuable as exploitable vulnerabilities, if not more so. The top five infostealers alone had more than eight million advertisements on the dark web, and each listing can contain hundreds of credentials. The underground market for compromised credentials is thriving, as an increasing number of attackers recognize their power for lateral movement.

AI is Creating New Vulnerabilities

AI adoption has expanded attack surfaces in ways that enterprises are only beginning to understand. While organizations are embracing AI for its transformative potential, they are also grappling with shadow AI: the unmanaged and unaccounted-for use of AI tools.

When sensitive company data is fed into these applications, it often travels to destinations outside the security team's view. That blind spot makes it difficult for cybersecurity teams to adequately protect the information.

The financial impact is significant. According to the 2025 IBM Cost of a Data Breach Report, security incidents involving shadow AI accounted for 20% of data breaches globally, with companies experiencing high levels of shadow AI facing an additional $670,000 in breach costs compared to those with low or no shadow AI. More concerning, 97% of organizations that reported an AI-related breach lacked proper AI access controls.

Beyond shadow AI, a new challenge has emerged. As organizations deploy custom AI agents, they are inadvertently creating machine-based, exploitable identities that function as privileged users and require access to tools and company-specific knowledge; yet these identities lack the protections of traditional identity and access management.

Demonstrating just how easily AI agents can be exploited, a replicated Microsoft customer service agent was tricked into revealing its internal setup and extracting confidential customer information from a CRM system. These new AI identities are giving attackers a formidable and largely unknown way to access and operate within a network.

IoT/OT is Expanding the Attack Surface

The convergence of IoT and OT (operational technology) systems is expanding the attack surface in critical ways, a topic of concern at this year's Black Hat USA conference. Many OT systems, particularly industrial control systems (ICS), were never designed to be internet-enabled. Their increasing connectivity, especially with IoT devices, creates dangerous new attack opportunities that are tough for security leaders to identify, helping attackers stay hidden.

More than half of surveyed organizations have already experienced cyberattacks through OT or IoT devices, and the financial stakes are significant: IoT security failures cost businesses an average of $330,000 per incident.

A key example of this threat vector can be seen in the U.S. port system. Certain foreign-manufactured cranes, devices that were originally designed to function without internet connectivity, have been found to contain hidden cellular modems, creating remote entry points that attackers can use to establish footholds in port ecosystems.

In 2024, threat groups exploited similar vulnerabilities to manipulate operational processes and disrupt critical infrastructure, including attacks on water treatment facilities and energy systems.

The modems are really just compromised IoT identities, allowing attackers to use IoT in order to bypass established systems and controls. Once inside, attackers can potentially disrupt everyday work, cripple the supply chain, and exfiltrate sensitive operational data.

A Growing Call for East-West Visibility

Today's attackers are increasingly leveraging compromised credentials, malicious AI, and exploited IoT/OT systems to gain an initial foothold within their victims' networks. Once inside, the real danger begins: a silent, relentless "east-west" movement as they navigate laterally through the network, searching for high-value targets.

This internal exploration is often what goes undetected, as many organizations lack the deep visibility needed to see these subtle movements, leaving them vulnerable to data exfiltration, ransomware, and other devastating attacks. Without a clear picture of what's happening inside their network, security teams are forced to operate in the dark, unable to track or respond to an intruder until it is often too late.

Deep network and packet-level visibility provides forensic-quality evidence that goes beyond basic traffic logs, helping teams see and understand every single connection, data flow, and lateral movement, regardless of the initial entry point. This comprehensive, evidence-based view acts as an always-on security camera for the entire network, giving security teams the ability to pinpoint a threat actor's exact location, understand their actions, and respond with surgical precision.

Organizations with extensive use of security AI and automation identified and contained breaches 80 days faster and saw cost savings of nearly $1.9 million compared to organizations without these capabilities.

When network visibility is combined with automated analysis, security teams can correlate identity anomalies with network behavior, AI usage patterns with data exfiltration attempts, and IoT device communications with command-and-control traffic.

These threats aren't going anywhere, and attackers will continue to find new ways to get in. To stay ahead of them, organizations must prioritize internal visibility now. Waiting for a perimeter breach to happen is no longer a viable strategy; the real battle is being fought inside the network.

Take immediate action today:

  • Implement comprehensive network segmentation to contain lateral movement and prevent credential-based attacks from spreading
  • Deploy real-time packet analysis and behavioral monitoring to detect subtle indicators of compromise that traditional tools miss
  • Establish continuous east-west traffic monitoring with automated alerting for credential abuse patterns and unauthorized lateral movement
  • Create integrated response protocols that combine network forensics with identity correlation to track attacker movement across the entire kill chain
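The correlation described above, identity anomalies matched against east-west network behavior, can be expressed as a small detection routine. The following is an added example, not ExtraHop code or part of the original post: it runs over constructed east-west authentication records and a constructed identity baseline (the workstation each account normally logs in from), flagging an account that fans out to many internal hosts inside a short window and an account authenticating from an unexpected source host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed east-west records (account seen authenticating on the wire); not real telemetry.
# Each tuple: (timestamp, user, src_ip, dst_ip, service)
FLOWS = [
    ("2025-10-02T09:00:00", "jdoe",   "10.0.1.20", "10.0.5.11", "SMB"),
    ("2025-10-02T09:00:40", "jdoe",   "10.0.1.20", "10.0.5.11", "SMB"),
    ("2025-10-02T09:02:10", "jdoe",   "10.0.1.20", "10.0.5.12", "SMB"),
    ("2025-10-02T13:10:00", "svc_bk", "10.0.9.5",  "10.0.5.11", "SMB"),
    ("2025-10-02T13:10:05", "svc_bk", "10.0.9.5",  "10.0.5.12", "SMB"),
    ("2025-10-02T13:10:09", "svc_bk", "10.0.9.5",  "10.0.5.13", "RDP"),
    ("2025-10-02T13:10:14", "svc_bk", "10.0.9.5",  "10.0.5.14", "WinRM"),
    ("2025-10-02T13:10:20", "svc_bk", "10.0.9.5",  "10.0.5.15", "SMB"),
    ("2025-10-02T13:10:31", "svc_bk", "10.0.9.5",  "10.0.5.16", "SMB"),
    ("2025-10-02T15:00:00", "asmith", "10.0.7.77", "10.0.5.20", "RDP"),
]

# Constructed identity baseline: the host each account is expected to authenticate from.
BASELINE_SRC = {"jdoe": "10.0.1.20", "svc_bk": "10.0.9.5", "asmith": "10.0.1.31"}

WINDOW = timedelta(minutes=10)   # sliding window for fan-out counting
FANOUT_THRESHOLD = 5             # distinct internal destinations per account within WINDOW


def detect_lateral_movement(flows, baseline, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return one alert per account that (a) authenticates from a host other than its
    baseline source, or (b) reaches >= threshold distinct hosts inside a sliding window."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, src, dst, svc in flows:
        by_user[user].append((datetime.fromisoformat(ts), src, dst, svc))
    for user, events in by_user.items():
        events.sort()
        # Identity/network correlation: the account is used from an unexpected source host.
        for _t, src, dst, svc in events:
            if baseline.get(user) and src != baseline[user]:
                alerts.append({"user": user, "type": "unexpected_source", "src": src,
                               "dst": dst, "service": svc})
                break
        # East-west fan-out: many distinct destinations reached in a short window.
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {e[2] for e in events[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "type": "fanout", "src": events[end][1],
                               "hosts": sorted(hosts),
                               "services": sorted({e[3] for e in events[start:end + 1]})})
                break
    return alerts
```

Thresholds and the baseline would normally be learned from observed traffic rather than hard-coded; the mixed SMB/RDP/WinRM fan-out from a single service account is the kind of pattern this flags.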

The statistics are clear: comprehensive east-west visibility isn't optional—it's the critical differentiator between detection and devastation.


Blog author
Raja Mukerji

Chief Scientist and Co-Founder

Raja is the Co-Founder and President of ExtraHop. He co-founded ExtraHop with Jesse Rothstein in 2007.

During their time as Senior Software Architects at F5 Networks, Jesse and Raja played key roles in transforming the load balancer into a new device category known as an application delivery controller, creating a new market in the process. Aware of the massive amount of information that was passing over the network, they realized they could harness gains in processing power to extract valuable real-time insights from this data in motion. Thus, in 2007, the ExtraHop platform was born.
