Machine Identities Validate Certificates But Not Workload Identity

Dec 22, 2025

Failure Pattern: Machine Identities

Machine identity platforms validate certificates but not the actual workload identity behind them. Attackers exploit this gap by cloning machine certificates.


What We See in the Field

A compromised container uses the same certificate as the original workload. All downstream systems treat it as legitimate.


Underlying Causes

Certificates reused
No device binding
Static identity assumptions
Service mesh identity flaws
Certificate automation reissuing too broadly


Trust-Native Network Resolution

DTL ties identity directly to workload fingerprints. Even if certificates are cloned, they cannot establish trusted sessions without the correct TrustKey.
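The gap described above, as an added illustration that is not DTL or any vendor's code: a peer check that trusts any holder of a valid certificate, beside one that also demands proof of a per-workload binding key that is never copied along with the certificate. Certificate bytes, the key, and the registry are constructed stand-ins for CA validation and an attestation-backed key store.

```python
"""Certificate-only vs. workload-bound peer acceptance (hypothetical example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class WorkloadRecord:
    # Secret held by the node/attestation agent, never written into the container image.
    binding_key: bytes


# Constructed: one certificate issued to the "payments" workload.
PAYMENTS_CERT = b"CERT:CN=payments.svc,serial=0001"
TRUSTED_CERTS = {fingerprint(PAYMENTS_CERT)}  # stands in for CA chain validation
REGISTRY = {fingerprint(PAYMENTS_CERT): WorkloadRecord(b"node-agent-secret-payments")}


def certificate_only_accept(cert_der: bytes) -> bool:
    """Failure pattern: whoever presents a valid certificate is trusted."""
    return fingerprint(cert_der) in TRUSTED_CERTS


def make_proof(binding_key: bytes, nonce: bytes, cert_der: bytes) -> bytes:
    """Proof of possession over a fresh server nonce and the presented certificate."""
    return hmac.new(binding_key, nonce + cert_der, hashlib.sha256).digest()


def workload_bound_accept(cert_der: bytes, nonce: bytes, proof: bytes) -> bool:
    """Hardened: valid certificate AND proof of the key bound to that workload."""
    if fingerprint(cert_der) not in TRUSTED_CERTS:
        return False
    rec = REGISTRY.get(fingerprint(cert_der))
    if rec is None:
        return False
    return hmac.compare_digest(make_proof(rec.binding_key, nonce, cert_der), proof)


def demo():
    nonce = os.urandom(16)
    legit = workload_bound_accept(
        PAYMENTS_CERT, nonce, make_proof(b"node-agent-secret-payments", nonce, PAYMENTS_CERT))
    # Cloned container: has the certificate file but not the node-bound key.
    clone_cert_only = certificate_only_accept(PAYMENTS_CERT)
    clone_bound = workload_bound_accept(
        PAYMENTS_CERT, nonce, make_proof(b"copied-cert-no-key", nonce, PAYMENTS_CERT))
    return legit, clone_cert_only, clone_bound
```

The nonce also defeats replay of a captured proof, which the certificate-only path has no way to detect.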


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.