Failure Pattern
Remote command tools such as SSH, and the automation frameworks built on them, authenticate whoever presents a credential rather than a verified workload or device identity. An attacker who steals the key or token inherits that access and can run commands anywhere the credential is accepted.
What We See in the Field
Attackers use stolen SSH keys or automation credentials to run commands across many systems at once. The logs record successful, authenticated sessions, so nothing looks anomalous to controls that key on authentication failures, and no alert fires.
Underlying Causes
SSH keys not bound to devices
Shared automation credentials
Broad remote execution privileges
Blind trust in authenticated sessions
No per-session identity enforcement
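The two observations above (authenticated sessions that look valid, and keys that are not bound to a device) can still be caught from the sshd log itself if detection correlates successful logins instead of waiting for a failure. The following is an added example, not code from the original page or from DTL: it parses constructed OpenSSH "Accepted publickey" lines (LogLevel VERBOSE, which includes the key fingerprint), checks each key against a hypothetical device-binding table (KEY_BINDINGS), and flags one key fanning out to several hosts inside a short window. The host names, addresses, fingerprints, window and threshold are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH "Accepted publickey" syslog lines (not real data).
# The first three lines are routine use; the last four are one key used from an
# unexpected source to run something on four hosts within seconds.
SAMPLE_LOG = """\
Mar 12 10:00:01 web01 sshd[2101]: Accepted publickey for deploy from 10.0.9.10 port 50120 ssh2: ED25519 SHA256:k1AAAAfingerprintA
Mar 12 10:00:05 web02 sshd[2188]: Accepted publickey for deploy from 10.0.9.10 port 50121 ssh2: ED25519 SHA256:k1AAAAfingerprintA
Mar 12 11:30:00 db01 sshd[3301]: Accepted publickey for dba from 10.0.9.11 port 40112 ssh2: RSA SHA256:k2BBBBfingerprintB
Mar 12 13:45:10 web01 sshd[4410]: Accepted publickey for deploy from 203.0.113.7 port 61001 ssh2: ED25519 SHA256:k1AAAAfingerprintA
Mar 12 13:45:12 web02 sshd[4412]: Accepted publickey for deploy from 203.0.113.7 port 61002 ssh2: ED25519 SHA256:k1AAAAfingerprintA
Mar 12 13:45:14 web03 sshd[4415]: Accepted publickey for deploy from 203.0.113.7 port 61003 ssh2: ED25519 SHA256:k1AAAAfingerprintA
Mar 12 13:45:15 db01 sshd[4420]: Accepted publickey for deploy from 203.0.113.7 port 61004 ssh2: ED25519 SHA256:k1AAAAfingerprintA
"""

# Hypothetical device-binding policy (an assumption for this example): the only
# source hosts each key fingerprint is allowed to be presented from.
KEY_BINDINGS = {
    "SHA256:k1AAAAfingerprintA": {"10.0.9.10"},
    "SHA256:k2BBBBfingerprintB": {"10.0.9.11"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"\S+ (?P<fp>SHA256:\S+)$"
)


def parse_events(log_text, year=2024):
    """Extract successful public-key logins. Syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an accepted-publickey line; ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "fp": m["fp"]})
    return events


def unbound_source_alerts(events, bindings=KEY_BINDINGS):
    """A key presented from a source it is not bound to: the 'key not bound to device' cause.
    An unknown fingerprint is also flagged, since no binding exists for it at all."""
    alerts = []
    for e in events:
        allowed = bindings.get(e["fp"])
        if allowed is None or e["src"] not in allowed:
            alerts.append((e["ts"], e["fp"], e["src"], e["host"]))
    return alerts


def fanout_alerts(events, window=timedelta(minutes=5), threshold=3):
    """One key accepted on at least `threshold` distinct hosts within `window`:
    the remote-command fan-out pattern. Every login involved was authenticated."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[e["fp"]].append(e)
    alerts = []
    for fp, evs in by_key.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            hosts = {x["host"] for x in in_window}
            if len(hosts) >= threshold:
                alerts.append({"fp": fp, "start": first["ts"], "hosts": sorted(hosts),
                               "sources": sorted({x["src"] for x in in_window})})
                break  # one alert per key is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in unbound_source_alerts(evs):
        print("UNBOUND SOURCE:", a)
    for a in fanout_alerts(evs):
        print("FAN-OUT:", a)
```

Both checks run only over "Accepted" events, which is the point: the sessions the page describes are authenticated, so a pipeline that alerts on failed logins never sees them. Binding each key to its expected source and watching how many hosts one key reaches in a short window turns valid-looking activity into something that can be alerted on.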
Trust-Native Network Resolution
DTL requires verified TrustKeys for remote command sessions. Even with valid SSH keys or tokens, untrusted devices cannot issue commands across the environment.
Broken Trust Assumption
The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.
In incidents such as SolarWinds, Capital One, and Okta, the malicious activity was carried out through valid identities and approved execution paths: the signing certificates were legitimate, the tokens were accepted, and the sessions were authenticated. From the systems' point of view, nothing appeared wrong.
That is the risk of inferring trust from possession of a credential, from network location, or from a prior authentication, rather than from a verified identity for the device and the session issuing each command.
