Identity threat detection and response (ITDR) is a broad framework that protects user identities and identity-based systems from cyber threats. ITDR relies on a combination of advanced detection techniques and rapid response strategies to safeguard sensitive data. As cybercriminals shift their focus from firewall breaches to attacks that compromise user credentials, ITDR helps businesses understand the nuances of identity threats and their importance as part of a broader cybersecurity plan.
Why is IDTR Important?
The sophistication, diversity, and volume of identity-based attacks have left many businesses unprepared and exposed. The level of concern around these attacks was made clear by Gartner when it identified IDTR as its top security trend for 2022. The research firm explained that “acceleration of credential misuse continues, leading to a tragic increase in security incidents” and “more-sophisticated attackers are now actively targeting the IAM infrastructure itself.”
CrowdStrike’s Global Threat Report, also from 2022, found that 80% of all cyberattacks leveraged identity-based techniques to evade detection. The company’s subsequent release in 2023 also reported that criminal use of stolen credentials had increased by 112% over the previous 12 months.
The speed with which cyberattacks are carried out is also on the rise. The average breakout time – or the time it takes for a criminal to exploit a system and position themselves to attack – fell to just 62 minutes in 2023. While criminals are ready to cause harm in a little more than an hour, businesses take far longer to detect a compromised system. Mandiant, a cybersecurity-focused subsidiary of Google, reported that despite recent improvements, the median detection was a much more pedestrian 10 days.
Key Elements of the IDTR Approach
The most effective IDTR approaches are multifaceted and utilize a combination of technology and best practices to:
Detect identity-based threats
Protect identity-based data and the identity and access management (IAM) infrastructure that surrounds it
Respond effectively to mitigate organizational damage
Adapt to new and evolving cyber threats
Let’s take a look at how the above is achieved in practice via three key elements.
1 – Prevention
At the heart of prevention are robust controls that protect the IAM infrastructure. These controls identify, prioritize, and even rectify identity-related vulnerabilities before they can be exploited. Similar to a traditional risk management approach, IDTR provides an overview of the risks associated with each of the company’s identity assets.
Multi-factor Authentication (MFA)
MFA requires users to verify more than one form of identification. This could take the form of a push notification from an app or biometric (passwordless) authentication from a facial scan.
Continuous Authorization
As part of continuous authorization, a user’s identity and access privileges are evaluated in real-time and not just at login or periodically. Central to this process is role-based access control (RBAC) and attribute-based access control (ABAC), where employee access privileges are defined by authority level, responsibility, job title, and status. Some organizations may also opt to use policy-based access control (PBAC) if they desire a flexible, context-driven approach. PBAC is an effective enforcer of granular access control policies and can also support risk-based decision-making.
A comparison of access control types in the IDTR approach (Source: Heimdal)
Enterprise-wide AI and ML
IAM frameworks must also incorporate AI and machine learning to monitor login requests for anomalies and identify threats. To assist with ITDR, machine learning algorithms deploy user and entity behavior analytics (UEBA) to look for anomalies in not only user behavior but also a corporate network’s servers, routers, and endpoints. Ultimately, enterprise-wide deployment of AI and ML enables businesses to leverage the full data analysis capabilities of these technologies.
2 – Detection
With this deployment, the company has a centralized point from which it can control levels of access, monitor user activity, and detect anomalous behavior. In an IDTR framework, controls alert key personnel the moment a possible breach or risk to the organization has been detected. These controls help identify and manage risks that cannot be prevented and allow personnel to respond quickly and accurately.
Here is how threat detection is facilitated:
Configuration monitoring – systems can be monitored for suspicious activity such as the addition of an unusual account or authentication device
Identity surveillance – ITDR systems monitor various processes and activities such as network traffic, access attempts, user activities, and system logs
Anomaly detection – as we noted above, behavioral anomaly detection is primarily the domain of AI and ML. One example of an anomaly could be successive login attempts from different locations
Risk scoring – using data from an established baseline of normal user behavior, a score can be calculated to quantify the potential risk associated with an identity-based activity
Real-time alerts – system administrators are notified of anomalies in real-time, which enables them to limit lateral movement – a process where criminals search a compromised network for vulnerabilities and sensitive information
3 – Response
Effective identity protection requires the ITDR and IAM infrastructure to communicate with each other in a coordinated effort. This is otherwise known as interoperability. However, if the data or the infrastructure has been compromised, there are some ways the organization can respond:
Contain and eradicate – where the threat is isolated and the synchronization of directories, on-premise targets, and cloud user repositories is disabled
Investigation – where threat severity is determined via user interviews, forensic evidence gathering, and analysis of log files. Root cause analysis and identification of compromised assets are also important
Mitigation – a key part of identity response, mitigation involves a raft of measures such as blocking suspicious IP addresses, resetting compromised credentials, and quarantining certain high-risk users
Recover and remediate – patches and updates should be applied to systems where vulnerabilities have been exposed, and if necessary, data can be restored from backups
Report – to encourage a transparent and accountable culture, the appropriate staff must be notified of identity attacks as soon as possible. Employees should also feel safe to report incidents without fear of retribution
The Role of Identity Threat Detection and Response
As a framework, identity threat detection and response encompasses various processes, tools, and best practices. Note that it does not replace other security tools that form the backbone of IAM such as:
Privileged Access Management (PAM)
Identity Governance and Administration (IGA)
Access Management (AM)
Active Directory Management (ADMgmt)
Instead, think of the ITDR framework as an additional layer of security that provides a business with advanced threat detection capabilities.
Some of the functions and associated benefits of the IAM framework (Source: tenfold)
The Vulnerabilities That ITDR Addresses
So what does advanced identity management and detection look like? ITDR frameworks allow the business to take proactive measures on privileged account identities that are either misconfigured, unmanaged, or exposed.
Misconfigured Identities
Misconfigured identities are those that have been set up incorrectly or inadequately. An obvious example is an identity that is established with a weak password or encryption. Service accounts with privileged access granted to machine identities may also be misconfigured to allow humans to log in.
Unmanaged Identities
Unmanaged identities describe user or service accounts that are not properly maintained, controlled, or overseen. Orphaned accounts are one such example. These are accounts that remain active despite being associated with an individual or service that either no longer exists or is no longer in use. Since orphaned accounts are not regularly monitored or updated, they may be targeted by criminals.
Exposed Identities
Exposed identities are those that have been maliciously or inadvertently made accessible to unauthorized individuals. Credentials are often leaked or stolen in data breaches, but cached credentials stored in an endpoint’s memory are also a weakness in identity security. One other example is a remote application session that has not been closed. In this case, an attacker leverages the open session and its privileged access to cause harm.
In summary:
Identity threat detection and response (IDTR) is a broad cybersecurity framework focused on the identification, analysis, and swift response to identity-based threats
IDTR is a crucial defense as the speed, complexity, volume, and sophistication of identity-based cyberattacks increase
Prevention, detection, and response are the three core elements of identity threat detection and response. Each of these is facilitated via various controls, best practices, and technology
IDTR systems add another layer of security on top of tools that form part of identity and access management (IAM). These systems offer comprehensive protection against misconfigured, unmanaged, and exposed identity vulnerabilities
