Going Beyond Detection: How to Counter Iranian Nation-State TTPs with AI-Powered Insights

Jul 16, 2025

This blog explores the importance of using a proactive, prevention-first approach to identity security. Leveraging AI-driven insights to model threats, early warning telemetry to disrupt cyberattacks, and other proactive approaches can help harden your defenses against nation-state tactics, techniques, and procedures (TTPs).

Author:
Kevin E. Greene, BeyondTrust
Chief Cybersecurity Technologist, Public Sector

Why Iranian TTPs Require a More Proactive Identity Security Approach


Cyberattacks continue to occur at alarming rates, despite significant investments by organizations in detection capabilities. The reality is that current detection methods are often reactive, noisy, and unreliable. They yield low-fidelity results and false positives, and all too often detect threat activity too late in the ATT&CK lifecycle. This is largely due to the growing amount of data these tools need to process to detect threat actors’ activities.

In response, the industry has begun to explore artificial intelligence (AI), hoping it will accelerate detection capabilities, reduce the noise, and improve the accuracy of telemetry data.

Detection telemetry is valuable for understanding threat actor behaviors and provides a wealth of indicators for cyber defenders, but it, too, is typically reactive and collected post-breach. As threats become stealthier and more sophisticated, organizations must adopt a more proactive approach, using early warning telemetry around identity security posture to prevent attacks before they happen.

This blog explores the importance of using a proactive, prevention-first approach to identity security that leverages AI-driven insights to model threats, early warning telemetry to disrupt cyberattacks, and other proactive approaches to help harden your defenses against nation-state tactics, techniques, and procedures (TTPs).

Prevention Is the New Detection


In other words, prevention is now as critical as detection (if not more so), because it disrupts threat actors’ behaviors and activities. Preventative approaches, such as improving identity hygiene and reducing the identity attack surface, increase resiliency against cyberattacks. Most breaches begin with a simple compromised password, which threat actors use as a starting point to gain elevated privileges, move laterally, and establish persistence.

This is why using early warning telemetry around your identity security posture is essential for prevention. It allows organizations to understand and visualize how poor identity hygiene and exposures in the identity attack surface can be exploited by threat actors to launch cyberattacks, enabling them to implement mitigations to protect themselves.

These preventative approaches align perfectly with “defend and protect forward” philosophies adopted by the Department of Defense (DoD) and CISA’s “Shields Up” campaign. These philosophies recognize that cyber engagement is persistent and requires proactive capabilities, like prevention, to disrupt threat actors effectively.

Cyber Resiliency Approaches

Strategy        | Focus               | Role of Prevention
----------------|---------------------|---------------------------------------------------------------------
Protect Forward | Civilian, defensive | Hardens networks and improves resilience before attack
Defend Forward  | Military, offensive | Disrupts adversaries before they can act
Prevention      | Both                | Reduces attack surface, blocks known vectors, raises adversary costs

Identity Insights: Strengthening Your Infrastructure and Environment


As attacker dwell time shrinks and exploits accelerate, relying solely on detection is no longer enough to prevent a compromise. Just as the military uses early warning signs to defend and protect forward, formalizing and codifying that approach in daily cyber operations is essential to prevent and disrupt cyberattacks, especially concerning your identity security posture.

This is where BeyondTrust Identity Security Insights® comes in. This AI-powered solution provides early warning telemetry into an organization’s identity security posture, illuminating critical areas such as:

1) Identity Hygiene

Identity Security Insights helps you improve identity hygiene by pinpointing:

  • Misconfigurations in your identity infrastructure
  • Excessive privileges and standing privileges
  • Exposed passwords and secrets
  • Vulnerable human and non-human accounts

2) Identity Attack Surface

Identity Security Insights has the ability to:

  • Map your True Privilege™, showing the actual, effective access an identity (human, machine, or workload) holds. This means visualizing complex interactions across your identity estate from a threat actor’s perspective, illuminating hidden attack paths, and answering “What an identity can ultimately do”.
  • Identify your Paths to Privilege™, detailing how an identity or account can gain elevated access. This involves mapping exploitable pathways in your identity security posture, focusing on connections, entitlements, and configurations, and addressing “How an identity can get to do what it can ultimately do”.

3) Behavior Analytics

Identity Security Insights uses behavior analytics to detect suspicious activity and threats targeting an organization’s identity security posture. This includes identifying:

  • Session hijacking attempts
  • Kerberos and password spray attempts
  • Anomalous activity associated with privileged sessions and accounts
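To make the password-attack analytics above concrete, here is an added example (not BeyondTrust code, and not how Identity Security Insights implements it) that runs simple spray and brute-force detection over a constructed set of authentication events. The log format, thresholds and hostnames are assumptions; a success from a spraying source after the spray began is flagged separately, because that is the early-warning signal a defender most wants.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (hypothetical format: timestamp source_ip user result).
SAMPLE_EVENTS = """\
2025-07-16T10:00:01Z 203.0.113.7 alice FAIL
2025-07-16T10:00:03Z 203.0.113.7 bob FAIL
2025-07-16T10:00:05Z 203.0.113.7 carol FAIL
2025-07-16T10:00:07Z 203.0.113.7 dave FAIL
2025-07-16T10:00:09Z 203.0.113.7 erin FAIL
2025-07-16T10:00:11Z 203.0.113.7 frank FAIL
2025-07-16T10:00:13Z 203.0.113.7 grace SUCCESS
2025-07-16T10:05:00Z 198.51.100.4 svc-backup FAIL
2025-07-16T10:05:01Z 198.51.100.4 svc-backup FAIL
2025-07-16T10:05:02Z 198.51.100.4 svc-backup FAIL
2025-07-16T10:05:03Z 198.51.100.4 svc-backup FAIL
2025-07-16T10:05:04Z 198.51.100.4 svc-backup FAIL
2025-07-16T11:30:00Z 192.0.2.9 alice FAIL
2025-07-16T11:30:40Z 192.0.2.9 alice SUCCESS
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return sorted(events)

def detect_password_attacks(events, window=timedelta(minutes=10),
                            spray_users=5, brute_attempts=5):
    """Slide a time window over each source's failed logons.
    Spray: many distinct users, at most two failures each. Brute force: one user, many failures.
    Returns (kind, source_ip, detail) tuples; spray detail lists users seen when the threshold was crossed."""
    findings, seen = [], set()
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, src, user, result in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop failures that fell out of the window
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= spray_users and max(per_user.values()) <= 2
                    and ("spray", src) not in seen):
                seen.add(("spray", src))
                findings.append(("password_spray", src, sorted(per_user)))
                spray_start = attempts[start][0]
                for ts, user in successes.get(src, []):  # did a guess land?
                    if ts >= spray_start:
                        findings.append(("spray_then_success", src, user))
            for user, n in per_user.items():
                if n >= brute_attempts and ("brute", src, user) not in seen:
                    seen.add(("brute", src, user))
                    findings.append(("brute_force", src, user))
    return findings
```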

Sourced Threat Intelligence for Iranian Nation-State Actors


Recently, Unit 42, the threat intelligence component of Palo Alto Networks, provided a Threat Briefing on state-sponsored Iranian capabilities, mapping Tactics, Techniques, and Procedures (TTPs) to specific threat groups. This was complemented by a joint statement from CISA, FBI, Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), warning about potential cyber activity from Iranian nation-state actors and their affiliates. Intelligence suggests that critical infrastructure organizations are being targeted and need to remain vigilant. Unit 42’s threat intelligence categorizes the initial access methods used by these threat actors and their operations in the following ways:

Figure 1: Behavior analytics mapped to Iranian threat actors’ TTPs, sourced from Unit 42's Threat Research Center, June 25, 2025: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2025/

Above, we’ve mapped behavior analytics to Unit 42's threat intelligence to allow organizations to see how early warning telemetry can disrupt threat actors' behaviors. This also helps cybersecurity defenders contextualize known threats based on the specific TTPs employed by these actors. Connecting behavior analytics with TTPs in this novel way, as shown in Figure 1, significantly elevates an organization's cyber defense posture and responsiveness to cyberattacks.

To build resilience against identity-based attacks, it’s essential to disrupt the initial access methods commonly used by threat actors. Threat actors are known to strike during periods of geopolitical tension and conflict, primarily focusing on espionage and targeting various sectors, especially critical infrastructure. Unit 42’s threat intelligence observed that these threat actors employ TTPs, such as targeted spear-phishing, password attacks, and the exploitation of known vulnerabilities (CVEs). They also use sophisticated social engineering tactics, often deploying custom malware to gain remote control of infected devices. This backdoor through remote access capabilities allows threat actors to deploy additional payloads and retrieve information about the infected devices, which is then sent to a command and control (C2) server.

Leaning in With Identity Security Insights


Staying vigilant and understanding the impact of geopolitics on cybersecurity is important for calibrating your organization’s situational awareness around emerging threats. However, for organizations that heavily rely on indicators of compromise (IoCs), codifying threat intelligence from situational awareness into daily cyber operations can be challenging. By connecting threat intelligence to and across your identity attack surface, Identity Security Insights provides early warning telemetry that cyber defenders can use to prevent imminent cyberattacks. This disruption is needed to shift the balance of power back to cyber defenders.

Figure 2: Snapshot of Identity Security Insights hygiene detections

One way to implement proactive hardening is to lean in with Identity Security Insights. This allows you to map precisely how your identity security posture can be used by threat actors to launch cyberattacks. Identity-related telemetry provides telltale signs of threat actor engagement, and using it to inform cyber operations, such as managing and eliminating identity hygiene issues before threat actors can leverage them (as shown in Figure 2), is essential for preventing and disrupting identity-related attacks.

You cannot protect what you do not know. Given the complexity and rapid changes in IT environments where misconfigurations and shadow IT are prone to happen, illuminating these issues as early warning signs aligns with a “defend and protect forward” mindset. This helps organizations prioritize remediation and mitigation based on threat intelligence from TTPs. Building resistance against these TTPs is a preventive approach that shifts left in the MITRE ATT&CK lifecycle, disrupting the initial access capabilities identified for Iranian nation-state actors and affiliates.

What’s even more powerful is demonstrating how an identity can get to do what it can ultimately do, highlighting the escalation paths within a True Privilege graph, as seen below in Figure 3. This visualization gives cyber defenders context and understanding of how a threat actor could compromise an account or identity. Modeling identity threats is a novel way for organizations to take control of their identity security posture, well before a threat actor shows up.

Figure 3: True Privilege graph, powered by Identity Security Insights, revealing exposures and pathways

This graph shows the True Privilege of an identity, with orange highlighting unintended Paths to Privilege. In this specific example, a user’s Entra ID identity is assigned the Application Admin directory role. That role allows the user to impersonate a service principal and abuse its API permissions, to do things like adding privileged roles to users, or changing passwords, MFA factors, and more.
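The escalation path described above can be found mechanically. The following is an added example (not BeyondTrust’s True Privilege implementation) that models a constructed, hypothetical tenant as a directed graph and walks it to find every privilege an identity can ultimately reach, separating direct entitlements from paths that pass through impersonating another principal. The edge names and the permission-to-privilege mapping are assumptions made for the illustration.

```python
from collections import deque

# Constructed identity graph for a hypothetical tenant, modelled on the page's example:
# user -> directory role -> service principal (by adding a credential) -> API permission -> privilege
EDGES = [
    ("user:alice", "memberOf", "role:Application Administrator"),
    ("role:Application Administrator", "canAddCredentialTo", "sp:automation-app"),
    ("sp:automation-app", "hasAppRole", "perm:RoleManagement.ReadWrite.Directory"),
    ("perm:RoleManagement.ReadWrite.Directory", "grants", "priv:assign-privileged-roles"),
    ("sp:automation-app", "hasAppRole", "perm:UserAuthenticationMethod.ReadWrite.All"),
    ("perm:UserAuthenticationMethod.ReadWrite.All", "grants", "priv:reset-mfa-and-passwords"),
    ("user:bob", "memberOf", "role:Helpdesk"),
    ("role:Helpdesk", "grants", "priv:reset-nonadmin-passwords"),
]
# Edge types that mean "act as another principal" rather than a directly assigned entitlement.
IMPERSONATION_EDGES = {"canAddCredentialTo"}

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def paths_to_privilege(graph, identity):
    """BFS from an identity. Returns {privilege: path}, path being a list of (src, rel, dst).
    Everything reachable is the identity's effective privilege, not just what is assigned to it."""
    parents = {identity: None}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    result = {}
    for node in parents:
        if node.startswith("priv:"):
            path, cur = [], node
            while parents[cur] is not None:  # walk back to the starting identity
                prev, rel = parents[cur]
                path.append((prev, rel, cur))
                cur = prev
            result[node] = list(reversed(path))
    return result

def unintended_paths(graph, identity):
    """Privileges reached only by impersonating another principal: the paths to review first."""
    return {priv: path for priv, path in paths_to_privilege(graph, identity).items()
            if any(rel in IMPERSONATION_EDGES for _, rel, _ in path)}
```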

Using behavior analytics to identify real-time threats to users provides additional context to help cyber defenders pivot to what matters the most. As shown in Figure 1, behavior analytics can be used to build situational awareness around nation-state actors who leverage sophisticated social engineering campaigns, password attacks, and spear-phishing in initial attack vectors. Knowing how to codify this intelligence into daily cyber operations not only builds resiliency against cyberattacks but also helps cyber defenders reduce the blast radius within their identity security posture.

Figure 4: Behavioral detections provided by Identity Security Insights

If initial access methods were successfully used against the account in the True Privilege™ graph, the threat actor could gain unauthorized access to service principals. This would allow them to access resources and perform actions within a cloud environment or enterprise network. This presents a significant security risk because service principals often have broad permissions to automate tasks or integrate applications.

Connecting behavior analytics (as shown in Figure 4) to your overall identity security posture is a powerful way to contextualize identity-related attacks in real time. These are common attack vectors that cyber defenders must hunt for and be aware of within their operational environment. Ultimately, Identity Security Insights gives organizations a powerful tool to operationalize proactive threat hunting, finding and fixing identity-related issues before threat actors can exploit them.

Identity Insights: The Context That Matters


Identity security is the context that cyber defenders need to elevate awareness around cyberattacks. A compromised account and elevated privileges are common attack vectors that threat actors leverage in their attack chains to launch cyberattacks. Being vigilant with continuous monitoring around your identity security posture will help prevent and disrupt these attacks.

BeyondTrust’s Identity Security Insights product provides a wealth of telemetry that drives crucial context about an identity. This includes insights into its associated hygiene, potential threats that can target it, and most importantly, the risk an identity poses to an organization if it is overprivileged or poorly managed. Illuminating these aspects of identity security provides early warning telemetry to help organizations better understand ways in which their identity security posture can be used and abused by threat actors. Contextualizing these threats and risks is foundational for preventing and accelerating the disruption of cyberattacks.

Ready to gain critical insights into your own identity security posture and proactively defend against advanced threats? Take the first step towards elevating your cyber defense with a no-cost Identity Security Risk Assessment today.

About the Author

Kevin E. Greene, BeyondTrust
Chief Cybersecurity Technologist, Public Sector

Kevin E. Greene is an experienced leader, champion and advocate for advancing the state of practice in cybersecurity. He has successfully led multiple federally funded R&D projects in his career that were commercialized and transitioned into practice.

Kevin is currently the Chief Cybersecurity Technologist, Public Sector at BeyondTrust. Leveraging his innovative and strategic expertise, he drives customer engagement around cyber capabilities in federal agencies for digital transformation, software supply chain, zero trust and evolving threat defense.

Prior to joining BeyondTrust, he worked at OpenText as the Public Sector CTO and at the MITRE Corporation supporting DevSecOps and cyber defense initiatives. Kevin also spent time serving our nation as a federal employee at the Department of Homeland Security, Science and Technology Directorate, Cyber Security division.

He holds a Master of Science and Bachelor of Science in Information Systems from the New Jersey Institute of Technology and supports several external advisory boards in formalizing cybersecurity curriculum and initiatives.
