ITDR is short for identity threat detection and response, a new class of cybersecurity solutions that focuses on protecting identity-based systems from cyber threats. ITDR involves a combination of security tools, processes, and best practices to effectively detect and respond to identity-related threats.
Identity has been described as the new vulnerability perimeter because even if a network, endpoint, and all other devices are secured, a cyber-attacker only needs access to one privileged account to compromise enterprise resources. For this reason, Gartner named ITDR one of the top security and risk management trends for 2022.
The emergence of ITDR highlights that identities deserve the same level of management and control that organisations have applied to their hosts, networks, systems, and software – if not more. This is now more important than ever since identities have become the predominant attack vector for cyber-attacks.
Alongside dedicated ITDR tooling, IAM principles can also be leveraged to enhance ITDR by providing audit trails and user activity logs. These logs can be used to detect anomalous behaviour that may indicate a security threat. For example, if a user attempts to access a resource they are not authorised to access, IAM can log this activity and alert ITDR personnel to investigate further.
To address these identity risks, organisations are turning to ITDR solutions to protect their systems and prepare for specific vulnerabilities that may arise.
ITDR Facts and Trends
With the release of the Gartner report “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response”, security and risk management professionals now have access to new research, insights, and recommendations for addressing identity security issues. These facts and trends highlight the growing interest and demand in ITDR.
Identity Is the Top Vector for Cyberattacks
Catalysed by COVID-19, attackers capitalised on the identity-based shift in remote work. According to Gartner, “Organisations’ reliance on their identity infrastructure to enable collaboration, remote work, and customer access to services has transformed identity systems into prime targets.” Security teams have grappled with the operational realities of a workforce that could not come to work in the office.
Identity Is the New Vulnerability
With the adoption of cloud computing and the need to support work from home, identity-focused solutions have become a foundation of cybersecurity. Gartner states that “Identity threats are multifaceted. Misconfigurations of, and vulnerabilities in, identity infrastructure can be exploited.” Further, data from the Identity Theft Resource Center shows that ransomware-related attacks, a common identity-based threat, doubled in 2020 and doubled again in 2021.
Attackers Exploit Gaps Between Identity and Security Systems
The deployment of identity systems such as IAM, PAM, and MFA is often a multi-phased project, leaving identities exposed until those deployments are fully completed. These deployments are further challenged by the constant change in identities, which need to be re-discovered over time for the deployments to succeed. Furthermore, discovering and auditing accounts is often a time-consuming, manual, and error-prone process.
ITDR Is a Top Cybersecurity Priority
According to Gartner, “Modern identity threats can subvert traditional identity and access management (IAM) preventive controls, such as multifactor authentication (MFA). This makes identity threat detection and response (ITDR) a top cybersecurity priority for 2022 and beyond.” With attackers now focused on exploiting vulnerable identities, organisations must make securing identities a top priority.
Types of Identity Vulnerabilities
Despite using measures like PAM, MFA, and other IAM solutions to protect identities from being exploited, vulnerabilities often remain present. The causes of identity vulnerabilities fall into three categories: unmanaged, misconfigured, and exposed identities.
Unmanaged Identities
- Service Accounts – Machine identities go unmanaged by PAM because they were not discovered during implementation, or because not every application is compatible with PAM, such as legacy applications for which modernisation is cost-prohibitive.
- Local Admins – Local admin privileges facilitate a variety of IT support requests but often go undiscovered or forgotten after their creation, leaving them unmanaged.
- Privileged Accounts – Many other privileged accounts go unmanaged by PAM or MFA solutions because they remain undiscovered during deployment.
Misconfigured Identities
- Shadow Admins – The complexity of nested identity groupings makes it extremely difficult to see the complete rights and entitlements of all identities, causing accounts to be granted unintended excessive privileges.
- Weak Encryption and Passwords – Identities configured with weak or missing encryption, or that do not enforce strong password policies.
- Service Accounts – Machine identities with privileged access rights may be misconfigured to incorrectly allow interactive login by humans.
Exposed Identities
- Cached Credentials – Account and credential information is commonly stored in endpoint memory, the registry, and on disk, where it is easily harvested by commonly used attacker tools.
- Cloud Access Tokens – Cloud access tokens stored on endpoints are a common way attackers access cloud assets.
- Open RDP Session – Remote application sessions may be improperly closed, enabling attackers to leverage an open session and its privileges, largely without the risk of detection.
It’s important to note that any identity can be vulnerable in numerous ways and across these three vulnerability categories. These identities often expose organisations to the greatest level of identity risk.
For instance, a single identity can be misconfigured to hold unintended Shadow Admin rights. Because IT is unaware of those rights, the extra access management protection normally applied to accounts with such rights (PAM, MFA, etc.) is never triggered, so the identity also goes unmanaged. The same identity can then be used in ways that expose its credential.
What to Look for in an ITDR Solution
Comprehensive ITDR solutions should include preventative capabilities that discover and remediate gaps in an organisation’s identity posture, as well as detective capabilities that accurately alert on indicators of compromise as they occur.
ITDR Preventative Controls
ITDR preventative controls discover and remediate identity vulnerabilities before threat actors attempt to exploit them.
Much like traditional vulnerability and risk management programs, the discovery capabilities of ITDR enable organisations to inventory the risks of their identity “assets”. The most effective ITDR solutions deliver automated, continuous, and comprehensive identity discovery, including visibility into unmanaged, misconfigured, and exposed privileged accounts.
This visibility enables effective IT and Infosec decision-making to mitigate these risks in the large, multi-phased deployments of disparate identity management systems, such as IGA, PAM, MFA, SSO, and others. In fact, we’ve known that continuous scanning for issues is required to effectively manage any complex system, and identity management is no exception.
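As an added example of the discovery capability described above (not Proofpoint's code or any product's logic), the script below expands nested group membership to find identities whose effective admin rights come only through nesting (Shadow Admins from the list above), admins missing from the PAM inventory, and privileged service accounts that permit interactive logon. The directory snapshot, the PAM inventory, and all account and group names are constructed sample data.

```python
"""Added example (not Proofpoint's code): find shadow and unmanaged admins by
expanding nested group membership. All names below are constructed sample data."""
from collections import deque

# Constructed directory snapshot: group -> direct members (users or other groups).
GROUPS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"bob", "Backup-Operators"},
    "Backup-Operators": {"svc-backup", "carol"},
    "Helpdesk": {"dave"},
}
PRIVILEGED_GROUPS = {"Domain Admins"}
# Constructed PAM/MFA inventory: accounts the organisation believes are managed.
PAM_MANAGED = {"alice", "bob"}
# Constructed attribute: whether a service account permits interactive logon.
INTERACTIVE_LOGON = {"svc-backup": True, "svc-web": False}


def effective_members(group, groups=GROUPS):
    """Return every user that ends up in `group` through any depth of nesting."""
    seen, queue, members = set(), deque([group]), set()
    while queue:
        g = queue.popleft()
        if g in seen:
            continue  # guards against cyclic nesting
        seen.add(g)
        for m in groups.get(g, ()):
            if m in groups:
                queue.append(m)  # nested group: expand it too
            else:
                members.add(m)
    return members


def audit_privileged_identities(groups=GROUPS, privileged=PRIVILEGED_GROUPS,
                                managed=PAM_MANAGED, interactive=INTERACTIVE_LOGON):
    """Flag nested-only admins, admins PAM does not manage, and privileged
    service accounts that allow interactive (human) logon."""
    findings = {}
    for pg in privileged:
        for principal in sorted(effective_members(pg, groups)):
            issues = []
            if principal not in groups.get(pg, ()):
                issues.append("shadow-admin:nested")
            if principal not in managed:
                issues.append("unmanaged:not-in-pam")
            if principal.startswith("svc-") and interactive.get(principal):
                issues.append("misconfigured:interactive-logon")
            if issues:
                findings[principal] = issues
    return findings
```

Running `audit_privileged_identities()` on the sample data reports `bob` as a nested-only admin, `carol` as nested and unmanaged, and `svc-backup` with all three issues, while the directly assigned, PAM-managed `alice` is clean.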
ITDR Detective Controls
ITDR detective controls alert at the moment there is an indication of a threat actor or insider attempting to compromise or leverage an identity in a way that creates risk for the organisation. Detective controls are needed to mitigate risks that cannot be prevented so that the correct team members can be alerted and quickly respond if necessary in the event of an attack.
The accurate detection of identity threats before attack completion is difficult to achieve for several reasons:
- Less time to detect attacks: Attacker dwell times in many attack types, such as ransomware, have dropped from months to days in many cases. By focusing on compromising identities for system intrusions, attackers can move much more quickly through their attack.
- Reduced effectiveness of existing security controls: As attackers continue to exploit identities as their primary targets, they’ve all but abandoned many previous techniques, rendering security tooling for these techniques less effective. Attackers have also regularly demonstrated that once they escalate their privileges, they can disable security controls, including endpoint agents responsible for detecting them.
- Inability to distinguish malicious from acceptable privileged account activity: Signature- and behaviour-based analysis of privileged users has proven ineffective at accurately detecting malicious privilege changes and lateral movement. Privileged admin accounts lack a sufficiently consistent pattern of acceptable behaviour (what data scientists call high data entropy), which makes it difficult to establish the baselines required to minimise false positives.
As such, more accurate detection of compromised privileged accounts is needed. Deception and its deterministic approach of planting deceptive content to lure attackers offer a viable and proven alternative to behavioural analytics for accurately detecting privilege escalation and lateral movement.
When properly implemented, this approach plants lures that only an attacker would interact with, based on an understanding of the attacker’s techniques and tooling, without leaving clues that would tell the attacker they are being trapped.
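The following is an added example (not Proofpoint's code) of the two detective ideas on this page: the deterministic decoy-account check described just above, and the IAM audit-trail check mentioned earlier, where repeated unauthorised access attempts by one user raise an alert. The log lines, account names, decoy names and the key=value log format are all constructed for the example.

```python
"""Added example (not Proofpoint's code): two ITDR detective checks over audit
events. Log lines, accounts and decoy names are constructed; the key=value log
format is hypothetical."""
from collections import Counter

# Constructed decoy (honeytoken) accounts: no legitimate user or job ever uses
# them, so any authentication attempt against them is a high-confidence alert.
DECOY_ACCOUNTS = {"svc-sqlbackup-old", "adm-legacy"}

# Constructed sample audit trail in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2024-01-10T09:00:01 event=auth user=alice src=10.1.1.5 result=success
ts=2024-01-10T09:00:07 event=access user=dave resource=fin-share result=denied
ts=2024-01-10T09:00:09 event=access user=dave resource=hr-share result=denied
ts=2024-01-10T09:00:12 event=access user=dave resource=admin-share result=denied
ts=2024-01-10T09:00:15 event=auth user=svc-sqlbackup-old src=10.1.1.77 result=failure
ts=2024-01-10T09:01:00 event=access user=alice resource=fin-share result=success
"""


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def detect(log_text, decoys=DECOY_ACCOUNTS, denied_threshold=3):
    """Return alerts from two checks: deterministic decoy-account use, and
    repeated authorisation denials for one identity in the IAM audit trail."""
    alerts, denials = [], Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev.get("user")
        # Deception check: any touch of a decoy, success or failure, is an incident.
        if user in decoys:
            alerts.append({"severity": "critical", "rule": "decoy-account-used",
                           "user": user, "src": ev.get("src"), "ts": ev["ts"]})
        # IAM audit check: the same identity denied access repeatedly.
        if ev.get("event") == "access" and ev.get("result") == "denied":
            denials[user] += 1
            if denials[user] == denied_threshold:  # alert once, when crossed
                alerts.append({"severity": "medium", "rule": "repeated-access-denied",
                               "user": user, "count": denials[user], "ts": ev["ts"]})
    return alerts
```

Note the difference in confidence: the decoy rule needs no baseline because a legitimate identity never touches the lure, whereas the denial rule depends on a threshold and will need tuning per environment.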
How Proofpoint Can Help
Helping meet the growing demand for effective identity threat detection and response, Proofpoint provides complete ITDR solutions for organisations and teams. Leverage preventative controls to continuously discover and remediate identity vulnerabilities before they are exploited. Utilise detective controls that employ deceptive techniques to accurately detect privilege escalation, account takeover, and lateral movement by threat actors as they occur. Learn more about how Proofpoint can help improve your ITDR.