Identity-based attacks are on the rise. Research from the Identity Defined Security Alliance found that 84% of businesses experienced an identity-related breach in the past year. While that’s a huge percentage, it’s not all that surprising. Just consider how focused attackers have been in recent years on gaining access to your user’s identities. In the latest Verizon 2023 Data Breach Investigations Report, Verizon found that 40% of all data breaches in 2022 involved the theft of credentials which is up from 31% in 2021.
With access to just one privileged account an attacker can move around undetected on a company’s network and cause havoc. When they look like the right employee, they have the freedom to do almost anything, from stealing sensitive data to launching ransomware attacks. What’s worse, attackers usually have tools that make it fast and easy to exploit stolen credentials, escalate privilege and move laterally. That makes this type of attack all the more appealing.
There are a bevy of cybersecurity tools that are supposed to protect companies from these attacks. So why do they fall short? The simple answer is that it’s not their job—at least not completely.
Take tools used for identity access management (IAM) as an example. Their role is to administer identities and manage their access to applications and resources. They don’t detect malicious activity after a “legitimate” user has been authenticated and authorized. And tools for anomaly detection, like security information and event management (SIEM) systems, alert on abnormal or malicious user activity. But they are even less capable of flagging attempts at lateral movement and privilege escalation. As a result, these tools tend to generate high levels of false positives, which overwhelm security teams.
However, there is a way to address the security gaps these solutions aren’t well equipped to cover. It’s called identity threat detection and response, or ITDR for short.
What is ITDR?
ITDR is an umbrella term coined by Gartner to describe a new category of security tools and best practices that companies can use to detect and respond more effectively to identity-based attacks.
ITDR protects the middle of the attack chain—the point where enterprise defenses are usually the weakest. ITDR tools offer robust analytics, integrations and visibility that can help you to:
- Detect, investigate and respond to active threats
- Stop privilege escalations
- Identify and halt lateral movement by attackers
- Reduce the identity-centric attack surface before the threat actor even arrives
When you use ITDR, you’re not replacing existing tools or systems for IAM and threat detection and response like privileged access management (PAM) or endpoint detection and response (EDR). Instead, you’re complementing them. Those tools can continue to do what they do best while ITDR addresses the identity security gaps they’re not designed to cover.
How ITDR solutions work—and help to prevent identity-based attacks
ITDR tools are designed to continuously monitor user behavior patterns across systems. They scan every endpoint—clients and servers, PAM systems and identity repositories—to look for unmanaged, misconfigured and exposed identities. With a holistic view of identity risks, your security team can remove key attack pathways through Active Directory (AD) that threat actors use to install ransomware and steal data.
ITDR tools can help defenders stop identity attacks and proactively get rid of risks. They allow defenders to see exactly how attackers can access and use identities to compromise the business. Essentially, ITDR provides answers to these three critical questions:
- Whose identity provides an attack path?
- What is the identity threat blast radius, and the impact to my business?
- Are there any identity-based attacks in progress?
Leading ITDR tools can help you catch adversaries in the act by planting deceptive content, or trip wires, throughout your environment that only attackers would interact with. And once they trip those alarms, the tool provides the security team with details about exactly where to find them along with other forensic information.
Adopting ITDR: steps for success
Using ITDR is about more than simply implementing new technology to cover security gaps that other tools don’t cover. It’s about changing how you manage your identities. In short, you must treat identities just as you would other valuable resources that you need to secure, like networks, endpoints and applications.
To improve your security posture, you first need to understand your weaknesses. Here are some steps that can help you lay the foundation for ITDR success:
- Audit PAM coverage gaps. This includes taking an inventory of all privileged users in your environment (both human and machine). You’ll also want to confirm that you have continuous monitoring in place so you can stay on top of active threats—both malicious and accidental.
- Find and remediate AD identity misconfigurations. Most businesses use AD, which is susceptible to misconfiguration and compromise. AD can provide attackers with unparalleled access to a company’s computing infrastructure. When you eliminate AD misconfigurations, you can slow down a bad actor from using vulnerable identities to get into a domain and gain access to more identities and resources.
- Identify and address endpoint exposures. Look for cached credentials and stale remote connections on your endpoints. These can be critical ways that an initial compromise leads to privilege escalation and lateral movement. Also, don’t assume that your EDR tools can stop identity-based attacks and other mischief that may follow. They are an important part of your overall defense strategy. But know that an adversary with privileged access could turn them off or bypass them.
Another tip for ITDR success is to provide security awareness training to your users. This will help them learn how to identify and respond to identity-based attacks, like credential phishing, that lead to the initial compromise in the first place. And it will reinforce why it is essential for them to prioritize protecting their credentials.
The future of cybersecurity with ITDR
The emergence of ITDR marks an important turning point in the history of cybersecurity. It confirms that identity really is the new security perimeter. As companies shift their focus from protecting endpoints and networks to protecting user identities, these are some trends we are likely to see:
- Increased use of advanced authentication methods. More companies may even start using biometrics as part of the multifactor authentication process to verify user identities instead of relying on “something you have” as the second factor.
- A continued shift toward continuous threat monitoring. Keeping tabs on employees’ activities and responding to unusual incidents in real time can minimize the impact of identity-based threats.
- Expanded use of artificial intelligence (AI) and machine learning (ML). AI/ML can analyze large datasets to detect and prioritize anomalous behavior and patterns that may indicate active identity threats.
- A continued shift toward continuous identity vulnerability discovery and automated remediation. It’s always better to eliminate your available attack paths than trying to catch attackers in the act.
As ITDR spreads, you can also expect security operations center (SOC) teams to become more effective—and less fatigued—in the future. As noted earlier, ITDR tools can set lures across your environment that only attackers will interact with. That means SOC teams will need to manage far fewer (or near zero) false positives and false negatives. They won’t need to analyze whether a signature is complete or a behavior sequence is truly malicious. None of those things will matter in a world where ITDR is common.
Bolster your defenses against identity-based attacks with ITDR
Identities play a central role in many attacks. In fact, research from Proofpoint shows that exploitable identities are present in one in six enterprise endpoints. So, there is ample room for businesses to improve how they protect identities and address identity risks.
Tools that focus on access control or anomaly detection have limited capabilities that can help you prevent or halt bad actors who compromise and abuse privileged credentials. ITDR tools and practices provide an innovative and much-needed approach to stopping identity attacks before they become major breaches.
Proofpoint provides a solution to help you discover identity vulnerabilities and detect and respond to attacks in real time with automated remediation and responses. The Proofpoint Identity Threat Defense platform includes:
- Proofpoint Spotlight, which can help your business to discover and remediate identity vulnerabilities on endpoints and in your identity repositories
- Proofpoint Shadow, which uses modern deception technology to help you detect and stop attackers before they know that you’re onto them
Learn more about how Proofpoint can help you to secure and protect privileged identities, reduce your risk of identity attacks and break the middle of the cyberattack chain.