What is identity threat detection and response (ITDR)?

ITDR relies on a combination of advanced detection techniques and rapid response strategies to safeguard sensitive data.

As cyber criminals shift their focus from firewall breaches to attacks that comprise user credentials, IDTR helps businesses understand the nuances of identity threats and their importance as part of a broader cybersecurity plan.

Why is IDTR important?

The sophistication, diversity and volume of identity-based attacks have left many businesses unprepared and exposed.

The level of concern around these attacks was made clear by Gartner when it identified IDTR as its top security trend for 2022. The research firm explained that “acceleration of credential misuse continues, leading to a tragic increase in security incidents” and “more-sophisticated attackers are now actively targeting the IAM infrastructure itself.”

CrowdStrike’s Global Threat Report, also from 2022, found that 80% of all cyberattacks leveraged identity-based techniques to evade detection. The company’s subsequent release in 2023 also reported that criminal use of stolen credentials had increased by 112% over the previous 12 months.

The speed with which cyberattacks are carried out is also on the rise. The average breakout time – or the time it takes for a criminal to exploit a system and position themselves to attack – fell to just 62 minutes in 2023.

While criminals are ready to cause harm in a little more than an hour, businesses take far longer to detect a compromised system. Mandiant, a cybersecurity-focused subsidiary of Google, reported that despite recent improvements, the median detection was a much more pedestrian 10 days.

Key elements of the IDTR approach

The most effective IDTR approaches are multifaceted and utilise a combination of technology and best practices to:

• Detect identity-based threats.
• Protect identity-based data and the identity and access management (IAM) infrastructure that surrounds it.
• Respond effectively to mitigate organisational damage, and
• Adapt to new and evolving cyber threats.

Let’s take a look at how the above is achieved in practice via three key elements.

1 – Prevention

At the heart of prevention are robust controls that protect the IAM infrastructure. These controls identify, prioritise and even rectify identity-related vulnerabilities before they can be exploited.

Similar to a traditional risk management approach, IDTR provides an overview of the risks associated with each of the company’s identity assets.

Multi-factor authentication (MFA)

MFA requires users to verify more than one form of identification. This could take the form of a push notification from an app or biometric (passwordless) authentication from a facial scan.

Continuous authorisation

As part of continuous authorisation, a user’s identity and access privileges are evaluated in real-time and not just at login or periodically.

Central to this process is role-based access control (RBAC) and attribute-based access control (ABAC), where employee access privileges are defined by authority level, responsibility, job title and status.

Some organisations may also opt to use policy-based access control (PBAC) if they desire a flexible, context-driven approach. PBAC is an effective enforcer of granular access control policies and can also support risk-based decision-making.

Enterprise-wide AI and ML

IAM frameworks must also incorporate AI and machine learning to monitor login requests for anomalies and identify threats.

To assist with ITDR, machine learning algorithms deploy user and entity behaviour analytics (UEBA) to look for anomalies in not only user behaviour but also a corporate network’s servers, routers and endpoints.

Ultimately, enterprise-wide deployment of AI and ML enables businesses to leverage the full data analysis capabilities of these technologies.

2 – Detection

With this deployment, the company has a centralised point from which it can control levels of access, monitor user activity and detect anomalous behaviour.

In an IDTR framework, controls alert key personnel the moment a possible breach or risk to the organisation has been detected. These controls help identify and manage risks that cannot be prevented and allow personnel to respond quickly and accurately.

Here is how threat detection is facilitated:

• Configuration monitoring – systems can be monitored for suspicious activity such as the addition of an unusual account or authentication device.
• Identity surveillance – ITDR systems monitor various processes and activities such as network traffic, access attempts, user activities and system logs.
• Anomaly detection – as we noted above, behavioural anomaly detection is primarily the domain of AI and ML. One example of an anomaly could be successive login attempts from different locations.
• Risk scoring – using data from an established baseline of normal user behaviour, a score can be calculated to quantify the potential risk associated with an identity-based activity.
• Real-time alerts – system administrators are notified of anomalies in real-time, which enables them to limit lateral movement – a process where criminals search a compromised network for vulnerabilities and sensitive information.

3 – Response

Effective identity protection requires the ITDR and IAM infrastructure to communicate with each other in a coordinated effort. This is otherwise known as interoperability.

However, if the data or the infrastructure has been comprised, there are some ways the organisation can respond:

• Contain and eradicate – where the threat is isolated and the synchronisation of directors, on-premise targets and cloud user repositories is disabled.
• Investigation – where threat severity is determined via user interviews, forensic evidence gathering and analysis of log files. Root cause analysis and identification of compromised assets are also important.
• Mitigation – a key part of identity response, mitigation involves a raft of measures such as blocking suspicious IP addresses, resetting compromised credentials and quarantining certain high-risk users.
• Recover and remediate – patches and updates should be applied to systems where vulnerabilities have been exposed, and if necessary, data can be restored from backups.
• Report – to encourage a transparent and accountable culture, the appropriate staff must be notified of identity attacks as soon as possible. Employees should also feel safe to report incidents without fear of retribution.

The role of identity threat detection and response

As a framework, identity threat detection and response encompasses various processes, tools and best practices.

Note that it does not replace other security tools that form the backbone of IAM such as:

1. Privileged Access Management (PAM).
2. Identity Governance and Administration (IGA).
3. Access Management (AM), and
4. Active Directory Management (ADMgmt).

Instead, think of the ITDR framework as an additional layer of security that provides a business with advanced threat detection capabilities.

The vulnerabilities that ITDR addresses

So what does advanced identity management and detection look like?

ITDR frameworks allow the business to take proactive measures on privileged account identities that are either misconfigured, unmanaged or exposed.

Misconfigured identities

Misconfigured identities are those that have been set up incorrectly or inadequately.

An obvious example is an identity that is established with a weak password or encryption. Service accounts with privileged access granted to machine identities may also be misconfigured to allow humans to log in.

Unmanaged identities

Unmanaged identities describe user or service accounts that are not properly maintained, controlled or overseen.

Orphaned accounts are one such example. These are accounts that remain active despite being associated with an individual or service that either no longer exists or is no longer in use.

Since orphaned accounts are not regularly monitored or updated, they may be targeted by criminals.

Exposed identities

Exposed identities are those that have been maliciously or inadvertently made accessible to unauthorised individuals.

Credentials are often leaked or stolen in data breaches, but cached credentials stored in an endpoint’s memory are also a weakness in identity security.

One other example is a remote application session that has not been closed. In this case, an attacker leverages the open session and its privileged access to cause harm.

In summary:

• Identity threat detection and response (IDTR) is a broad cybersecurity framework focused on the identification, analysis and swift response to identity-based threats.
• IDTR is a crucial defence as the speed, complexity, volume and sophistication of identity-based cyberattacks increases.
• Prevention, detection and response are the three core elements of identity threat detection and response. Each of these is facilitated via various controls, best practices and technology.
• IDTR systems add another layer of security on top of tools that form part of identity and access management (IAM). These systems offer comprehensive protection against misconfigured, unmanaged and exposed identity vulnerabilities.