Your endpoint management system has an identity problem
How the Stryker attack proved that identity governance is the real endpoint security gap
Endpoint management platforms sit at the intersection of identity and device control. A compromised administrator does not need to find a zero-day or write custom malware. They already have the keys to push configurations, wipe devices, and modify security policies across an entire fleet.
This is not a theoretical risk. It is a documented pattern, and it has a name: identity-based attacks on management infrastructure. Every time an attacker compromises administrative credentials for platforms like Microsoft Intune or Entra ID, they turn the tool designed to protect endpoints into a weapon. No malware required. No vulnerability exploited. Just identity governance that was not working the way it should.
For a deeper look at why administrative access is vulnerable when it is not governed properly, read Cisco Duo's guide to privileged access management risks.
What happened at Stryker
In early 2026, a cyberattack hit Stryker Corporation, a major U.S. medical technology firm, and disrupted operations globally. No ransomware was deployed. No novel malware was found. Attackers compromised administrative credentials for Microsoft Intune and Entra ID, turning Stryker's own endpoint management infrastructure into a weapon for destructive wiper operations.
Following the attack, CISA issued an alert urging U.S. organizations to strengthen their endpoint management configurations. CISA made three recommendations: least privilege, phishing-resistant multi-factor authentication (MFA), and multi-admin approval. All three point to the same underlying problem: identity governance for the systems that manage devices and access is not keeping pace with how attackers operate.
What the data shows about identity-based attacks
The Stryker incident is not an outlier. It fits a pattern that security teams should recognize.
Expel's 2026 Annual Threat Report found that 68.6% of all security incidents last year were identity-based attacks, with nearly half resulting in successful authentication using stolen credentials. Endpoints accounted for 29% of all incidents. The overlap between these two categories, where compromised identities meet device management infrastructure, is where the greatest risk lives.
The compounding problem is dwell time. IBM's 2024 Cost of a Data Breach Report found that breaches involving stolen credentials take an average of 292 days to identify and contain. Apply that timeline to a compromised endpoint management administrator, and the attacker has nearly 10 months of access to push policies, modify configurations, and stage destructive payloads, all through legitimate tooling that will not trigger traditional malware detection.
Meanwhile, most organizations still treat endpoint management consoles with less rigor than they apply to their cloud infrastructure. Only 6% of organizations report fully automated endpoint management, according to Automox's 2026 State of Endpoint Management Report. Forty-three percent of IT teams spend more than 10 hours per week on manual endpoint tasks, time that is not being spent auditing who has administrative access or whether those permissions are still appropriate.
Identity threat detection and response (ITDR) for management infrastructure is not a feature most organizations have implemented. The gap between how attackers exploit administrative credentials and how organizations monitor those credentials remains wide.
Three CISA recommendations that all point to identity
CISA's alert reads like an endpoint management checklist. But every recommendation maps directly to identity and access management. You cannot harden endpoint management without first hardening identity.
Least privilege for administrative roles
Least privilege means ensuring people have only the access they need, only for as long as they need it. That starts with knowing who has elevated access, what they can do with it, and whether those permissions are still justified.
Most organizations over-provision MDM administrators. Privileges accumulate on accounts over time and are rarely audited, largely because few teams have visibility across their whole identity landscape. Step-up authentication, where administrators must verify their identity again before performing high-impact actions, adds a dynamic control layer that static role assignments cannot provide. For a comprehensive framework on implementing least privilege for administrative accounts, see Cisco Duo's privileged access management best practices guide.
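The audit the previous paragraph calls for, "who has elevated access, and is it still justified?", can be answered from data most tenants already have: the directory role assignments and each principal's last sign-in. The script below is an added example written for this page, not code from the article or from Cisco Duo. Its role list, the 30-day dormancy cut-off, the sample assignments and the sign-in timestamps are all constructed; the record shapes are simplified from what Microsoft Graph returns for directory role assignments and for a user's sign-in activity, and the field names here are assumptions rather than Graph's exact property names. It flags high-impact role holders who are dormant, who hold standing (permanent rather than eligible) assignments, and who hold more than one high-impact role.

```python
from datetime import datetime, timedelta, timezone

# Roles treated here as able to push configuration or wipe devices fleet-wide.
# The set is an assumption; build it from your own tenant's role catalogue.
HIGH_IMPACT_ROLES = {"Global Administrator", "Intune Administrator", "Privileged Role Administrator"}
DORMANT_AFTER = timedelta(days=30)
AS_OF = datetime(2026, 3, 5, tzinfo=timezone.utc)   # constructed "today" for the sample data

# Constructed sample. Field names are simplified from what Graph returns for
# /roleManagement/directory/roleAssignments (principal + roleDefinition) plus PIM
# eligibility; "permanent" means standing access, "eligible" means just-in-time activation.
ROLE_ASSIGNMENTS = [
    {"principal": "alice@corp.example", "role": "Intune Administrator", "type": "permanent"},
    {"principal": "bob@corp.example", "role": "Global Administrator", "type": "permanent"},
    {"principal": "bob@corp.example", "role": "Intune Administrator", "type": "permanent"},
    {"principal": "svc-mdm-legacy@corp.example", "role": "Intune Administrator", "type": "permanent"},
    {"principal": "carol@corp.example", "role": "Intune Administrator", "type": "eligible"},
    {"principal": "dave@corp.example", "role": "Helpdesk Administrator", "type": "permanent"},
]

# Constructed: last interactive sign-in per principal (cf. the signInActivity property on users).
LAST_SIGN_IN = {
    "alice@corp.example": "2026-03-01T09:12:00Z",
    "bob@corp.example": "2026-03-02T17:40:00Z",
    "svc-mdm-legacy@corp.example": "2025-09-14T03:05:00Z",
    "carol@corp.example": "2026-02-27T11:00:00Z",
    # dave has no recorded sign-in at all
}


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_privileged_access(assignments, last_sign_in, now=None):
    """Answer "who has elevated access, and is it still justified?" for the sample data.

    Returns a dict with:
      high_impact: principal -> sorted list of high-impact roles held
      dormant:     high-impact holders with no sign-in within DORMANT_AFTER (or none at all)
      standing:    high-impact holders with permanent rather than eligible (JIT) assignment
      multi_role:  principals holding more than one high-impact role
    """
    now = now or AS_OF
    held = {}
    for a in assignments:
        if a["role"] in HIGH_IMPACT_ROLES:
            held.setdefault(a["principal"], []).append(a)

    findings = {
        "high_impact": {p: sorted(a["role"] for a in roles) for p, roles in held.items()},
        "dormant": [],
        "standing": [],
        "multi_role": [],
    }
    for principal, roles in held.items():
        last = last_sign_in.get(principal)
        if last is None or now - _parse(last) > DORMANT_AFTER:
            findings["dormant"].append(principal)
        if any(a["type"] == "permanent" for a in roles):
            findings["standing"].append(principal)
        if len(roles) > 1:
            findings["multi_role"].append(principal)
    for key in ("dormant", "standing", "multi_role"):
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for key, value in audit_privileged_access(ROLE_ASSIGNMENTS, LAST_SIGN_IN).items():
        print(key, value)
```

On the sample data the dormant service account and the administrator holding two high-impact roles are the findings a reviewer would act on first; the eligible (just-in-time) assignment is reported as a holder but not as standing access, which is the shape least privilege should converge on.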
Phishing-resistant MFA for privileged access
Phishing-resistant MFA goes beyond push notifications and SMS codes. It relies on cryptographic authentication bound to a physical device, blocking the credential interception techniques that made the Stryker attack possible. Organizations that enforce phishing-resistant MFA block over 99% of identity-based attacks.
Traditional MFA methods, including app-based push notifications and one-time codes, are increasingly vulnerable to adversary-in-the-middle attacks and MFA fatigue. In a fatigue attack, an attacker triggers repeated push notifications until the user approves one out of frustration. In an adversary-in-the-middle attack, the attacker proxies the authentication session in real time, capturing both the credentials and the MFA approval and replaying them to the real service. Neither attack works against FIDO2-based authentication. The authenticator signs a challenge together with the site origin the browser is actually on, so an assertion captured through a proxy on a lookalike domain is rejected by the real service, and there is no push prompt for a tired user to approve.
CISA is specifically calling for FIDO2-level assurance for privileged accounts. To learn more about what phishing-resistant MFA is and how to implement it, see Cisco Duo's guide to phishing-resistant MFA.
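The origin binding that defeats the adversary-in-the-middle attack described above is easier to trust once you see a relying party enforce it. The script below is an added example, not code from the article, from Cisco Duo or from any FIDO library. It models a relying party at a hypothetical origin, a phishing proxy at a hypothetical lookalike origin, and a browser that fills in whichever origin it is really on before the authenticator signs. To stay on the Python standard library it stands in for the authenticator's asymmetric signature with an HMAC over a per-credential secret, and it omits the authenticatorData and rpIdHash a real verifier also checks; the challenge and origin checks it performs are the ones that matter for this point. The same proxy is then run against a one-time code to show why that path relays cleanly.

```python
import hashlib
import hmac
import json
import os
import secrets

LEGIT_ORIGIN = "https://login.corp.example"      # hypothetical relying party origin
PHISH_ORIGIN = "https://login.corp-example.com"  # hypothetical AiTM proxy origin


def _sign(secret, client_data):
    # Stand-in for the authenticator's signature over SHA-256(clientDataJSON).
    # A real FIDO2 authenticator signs with a private key and also covers authenticatorData;
    # an HMAC keeps this runnable on the standard library alone.
    digest = hashlib.sha256(client_data.encode()).digest()
    return hmac.new(secret, digest, hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}   # credential_id -> (user, secret)
        self.pending = {}       # outstanding challenge -> user
        self.otps = {}          # user -> one-time code (the non-phishing-resistant path)

    def register(self, user, credential_id, secret):
        self.credentials[credential_id] = (user, secret)

    def begin_login(self, user):
        challenge = secrets.token_hex(16)
        self.pending[challenge] = user
        return challenge

    def finish_login(self, credential_id, client_data, signature):
        """Checks a WebAuthn RP performs: challenge is ours and unused, origin is ours, signature verifies."""
        data = json.loads(client_data)
        user = self.pending.pop(data.get("challenge"), None)
        if user is None:
            return False, "unknown or reused challenge"
        if data.get("origin") != self.origin:
            return False, "origin mismatch: " + str(data.get("origin"))
        stored_user, secret = self.credentials[credential_id]
        if stored_user != user or not hmac.compare_digest(_sign(secret, client_data), signature):
            return False, "bad signature"
        return True, "ok"

    def issue_otp(self, user):
        code = "%06d" % secrets.randbelow(10**6)
        self.otps[user] = code
        return code

    def verify_otp(self, user, code):
        return hmac.compare_digest(self.otps.pop(user, ""), code)


def authenticator_assert(secret, challenge, origin_seen_by_browser):
    """The browser fills in the origin it is actually on; the authenticator signs the result."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        sort_keys=True)
    return client_data, _sign(secret, client_data)


def demo():
    secret = os.urandom(32)
    rp = RelyingParty(LEGIT_ORIGIN)
    rp.register("alice", "cred-1", secret)

    # 1. Honest login from the real site.
    cd, sig = authenticator_assert(secret, rp.begin_login("alice"), LEGIT_ORIGIN)
    direct_ok, _ = rp.finish_login("cred-1", cd, sig)

    # 2. AiTM against FIDO2: the proxy obtains a genuine challenge and forwards it to the victim,
    #    whose browser is on the phishing origin. The signature is genuine, but it covers the wrong
    #    origin, so the real service rejects it.
    cd, sig = authenticator_assert(secret, rp.begin_login("alice"), PHISH_ORIGIN)
    relayed_ok, reason = rp.finish_login("cred-1", cd, sig)

    # 3. Same proxy against a one-time code: the code carries no origin, so relaying it verbatim works.
    code = rp.issue_otp("alice")                                   # delivered to alice's phone
    typed_into_phish_page = code                                   # victim enters it on the lookalike site
    otp_relayed_ok = rp.verify_otp("alice", typed_into_phish_page) # proxy submits it to the real site

    return direct_ok, relayed_ok, reason, otp_relayed_ok


if __name__ == "__main__":
    print(demo())
```

In a real browser the proxy would not even get this far: the credential is scoped to a relying-party ID, and the browser refuses to exercise it from a page whose domain does not match, which is the second half of why there is "nothing to intercept".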
Multi-admin approval for high-impact actions
Multi-admin approval means a single compromised identity cannot unilaterally execute destructive operations. This is the control that could have limited the blast radius at Stryker. But it only works if the identities approving those actions are themselves verified through strong, phishing-resistant methods.
Without multi-admin approval, an attacker with one set of compromised administrative credentials can wipe devices, push malicious configurations, and modify security policies with no second check. With it, destructive actions require approval from a second, separately authenticated administrator before they take effect, reducing the blast radius of any single compromised account.
What to look for in an identity security approach
The Stryker attack and the CISA alert point to a set of capabilities that any identity security platform should provide for organizations managing endpoint infrastructure. The question is not whether to strengthen identity controls for administrative access, but what those controls should look like.
Phishing-resistant authentication without hardware keys. FIDO2-level assurance has historically required expensive hardware key rollouts. Cisco Duo's proximity verification uses Bluetooth Low Energy between a user's laptop and mobile device to establish phishing-resistant authentication at FIDO2-level assurance without shipping and managing hardware tokens. Cisco reports 50%+ cost savings compared to traditional hardware key deployments. This covers the full authentication lifecycle: OS login, application access, and mid-session verification.
Post-authentication session protection. Authentication does not end at login. Attackers increasingly steal session cookies to bypass MFA entirely, no credentials needed. Duo Desktop replaces traditional session cookies with cryptographic challenges that cannot be replayed, closing the post-authentication gap that most identity solutions leave open.
Unified identity visibility across fragmented environments. Most enterprises run multiple identity providers, including on-premises Active Directory, Entra ID, and often a third cloud provider. Duo Identity Intelligence creates a converged identity graph across these sources, surfacing dormant accounts, excessive privileges, and identity drift between HR systems and directory services. This is exactly the visibility needed to implement CISA's least-privilege recommendation at scale, not just for Intune but across the entire administrative landscape.
Risk-based access policies driven by user trust scores. Rather than static role assignments, Duo continuously evaluates user trust based on behavior, device posture, and cross-platform signals, then enforces differentiated access policies in real time. Administrators flagged as high-risk can be automatically stepped up to stronger verification or temporarily restricted.
Cisco secures its own global workforce of 125,000 users and 285,000 devices with Duo, and has been recognized as a Gartner Peer Insights Customers' Choice for User Authentication two years running.
To understand the foundational principles behind this identity-centric security approach, see Cisco Duo's guide to identity security.
Two questions every security leader should ask this week
The Stryker attack was not exotic. It was predictable and preventable with identity controls that already exist. The CISA alert confirms what security architects have known: endpoint management systems are critical infrastructure, and they deserve the same identity rigor as your most sensitive applications.
Every security leader should be asking two questions this week:
Who has administrative access to our endpoint management platform?
Would we detect it if one of those credentials was compromised?
If the answers are not immediate and confident, the hardening work starts with identity.
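The second question, whether you would detect a compromised administrator, is answerable from the audit trail the management plane already produces. The detector below is an added example written for this page, not code from the article or from Cisco Duo. It runs two rules over a constructed audit trail: a high-impact device or policy action by an administrator whose session was not established with phishing-resistant MFA, and a burst of high-impact actions by one account inside a short window, which is what a wiper campaign driven through Intune would look like. The action names, the set of methods counted as phishing resistant, the thresholds, the sign-in records and the events are all constructed; the record shapes only loosely follow Intune audit events joined to Entra ID sign-in logs and are not Graph's exact schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Actions treated as high impact when issued through the management plane.
# Names are constructed to resemble Intune audit activity, not exact Graph values.
HIGH_IMPACT = {"wipe", "retire", "deleteDeviceConfiguration", "deleteCompliancePolicy"}
# Sign-in methods this example counts as phishing resistant (an assumption; align with your
# tenant's authentication-strength policy).
PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business", "Certificate-based authentication"}
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)

# Constructed: strongest method in each admin's most recent interactive sign-in.
SIGN_INS = {
    "alice@corp.example": "FIDO2 security key",
    "bob@corp.example": "Mobile app notification",
}

# Constructed audit trail: one routine wipe by alice, then bob's account (a push-MFA user)
# deletes a compliance policy and wipes five devices in four minutes late at night.
AUDIT_EVENTS = [
    {"ts": "2026-03-05T08:00:10Z", "actor": "alice@corp.example", "action": "wipe", "target": "LAPTOP-0432"},
    {"ts": "2026-03-05T08:00:15Z", "actor": "alice@corp.example", "action": "patchDeviceConfiguration", "target": "Baseline-Win11"},
    {"ts": "2026-03-05T22:14:01Z", "actor": "bob@corp.example", "action": "deleteCompliancePolicy", "target": "Require-BitLocker"},
    {"ts": "2026-03-05T22:15:00Z", "actor": "bob@corp.example", "action": "wipe", "target": "LAPTOP-1101"},
    {"ts": "2026-03-05T22:15:40Z", "actor": "bob@corp.example", "action": "wipe", "target": "LAPTOP-1102"},
    {"ts": "2026-03-05T22:16:20Z", "actor": "bob@corp.example", "action": "wipe", "target": "LAPTOP-1103"},
    {"ts": "2026-03-05T22:17:05Z", "actor": "bob@corp.example", "action": "wipe", "target": "LAPTOP-1104"},
    {"ts": "2026-03-05T22:18:30Z", "actor": "bob@corp.example", "action": "wipe", "target": "LAPTOP-1105"},
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(events, sign_ins):
    """Return alerts for (1) high-impact actions by actors whose session lacked phishing-resistant
    MFA and (2) bursts of high-impact actions by a single actor within BURST_WINDOW."""
    alerts = []
    times_by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] not in HIGH_IMPACT:
            continue
        method = sign_ins.get(e["actor"])
        if method not in PHISHING_RESISTANT:
            alerts.append({"rule": "weak_auth_high_impact", "actor": e["actor"],
                           "action": e["action"], "target": e["target"], "method": method})
        times_by_actor[e["actor"]].append(_ts(e["ts"]))

    for actor, times in times_by_actor.items():
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({"rule": "burst", "actor": actor, "count": end - start + 1,
                               "from": times[start].isoformat(), "to": times[end].isoformat()})
                break                           # one alert per actor is enough to page on
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_EVENTS, SIGN_INS):
        print(alert)
```

Note that alice's single wipe produces nothing: the action is legitimate administration, and her session met the authentication strength the rule expects. The point of the weak-auth rule is that it fires on the first destructive action, before the burst rule has enough events to trigger, which is the difference between catching a wiper campaign at device one and at device five.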
Download the Guide to Restoring Trust in Identity to learn more about strengthening identity controls for administrative access and reducing risk in your environment.