What Is Identity Threat Detection Response (ITDR)?

ITDR is short for identity threat detection and response, a new class of cybersecurity solutions that focuses on protecting user identities and identity-based systems from cyber threats. ITDR involves a combination of security tools, processes, and best practices to effectively prepare for as well as detect and respond to identity-related threats.

Identity has been described as the new security perimeter because even if a network, endpoint, and all other devices are well secured, a cyber-attacker only needs access to one privileged account to compromise enterprise resources. For this reason, Gartner named ITDR one of the top security and risk management trends for 2022.

ITDR is a security category that’s adjacent to other security solutions such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Network Detection and Response (NDR), and Privileged Access Management (PAM) systems. Despite their important security contributions, many ITDR capabilities are a broad departure from traditional EDR, XDR, and PAM offerings.

The need for ITDR systems requires a nuanced understanding of why identity deserves its own category of security solution. In turn, a complete ITDR system includes a comprehensive set of vulnerability and threat detection and response capabilities that are specifically designed to protect identities and identity systems.

More specifically, an ITDR system should support the following identity-centric security controls:

• Configuration, policy, and identity data analysis to assess the security posture of an organisation’s Active Directory environment.
• Attack path management and impact analysis.
• Risk scoring and remediation prioritisation.
• Real-time monitoring of runtime behaviours for identity-centric indicators of compromise.
• Machine learning or analytics to detect abnormal behaviours or events.
• Automated remediation and incident response.
• Dashboards, alerts, reports, search, and incident management.
• Integration with security information and event management (SIEM), Extended Detection and Response (XDR) and security orchestration automation and response (SOAR) tools.
• Integration with multifactor authentication (MFA) solutions to deliver step-up authentication in response to risk events.
• Integration with Privileged Access Management tools to help find gaps in coverage for highly privileged accounts.
• Risk signal sharing with additional products (for suite providers) and third-party tools to help security practitioners make better risk-informed decisions.

The emergence of ITDR highlights that identities deserve the same level of management and control that organisations have traditionally applied to their endpoints, networks, systems, and applications – if not more. This is now more important than ever since identities have become the predominant attack vector for cyber-attacks.

As a more widely-known ITDR predecessor in the cybersecurity landscape, Identity and Access Management (IAM) refers to the processes and technologies used to manage and control user access to information systems and applications. IAM solutions help to ensure that users have the appropriate permissions and access levels based on their roles and responsibilities. IAM minimises the risk of unauthorised access to sensitive data and systems, thereby reducing the risk of data breaches and other cyber-attacks.

ITDR takes a deeper approach to detecting, responding to, and preparing for security threats and vulnerabilities related to user identity and access. ITDR is an important complement to IAM systems as it extends the IAM framework for controlling and monitoring access to sensitive information and systems. The most effective cybersecurity strategies also include a combination of the following identity-oriented security controls:

• Multifactor authentication: MFA requires users to provide more than one form of identity verification to access a system or application. For example, a user may be required to provide a password as well as a 6-digit PIN sent to their personal mobile device to access sensitive information.
• Role-based access control: As a fundamental component of IAM, role-based access control involves assigning access levels to users based on their roles and responsibilities in the organisation. For example, a junior employee may have limited access to sensitive data, while a senior executive may be granted wider permission to access more data and associated systems.
• Privileged access management (PAM): Similar to role-based access control, users are assigned certain degrees of privilege based on their organisational roles and duties. While it is a particular subset of IAM, it has shortcomings in addressing insider threats in progress.
• Continuous monitoring: This security discipline centres on monitoring user activity in real-time to detect anomalous behaviour. For example, a user attempting to access a system at an unusual time or location may indicate a security threat.
• Threat response planning: This proactive measure involves having an action plan in place to respond to security threats quickly and effectively. This can help minimise the impact of a security breach and reduce the risk of further damage.

In addition to the measures above, IAM principles can also be leveraged to enhance ITDR by providing audit trails and user activity logs. These logs can be used to detect anomalous behaviour that may be indicative of a security threat. For example, if a user attempts to access a resource they are not authorised to access, IAM can log this activity and alert investigators to investigate further.

With the increasing frequency and sophistication of cyber-attacks, ITDR is becoming more critical than ever before. Today’s cybercriminals are increasingly adept at using identity-based tactics to breach accounts and gain unauthorised access to sensitive information. In turn, companies are challenged by a myriad of threat techniques and additional external factors in the digital landscape.

• Open-Source Attack Tools: Cyber-attackers frequently leverage open-source attack (pen testing) tools to compromise identities, hide their nefarious activities, and more quickly move through the stages of their attack before completing their final action.
• Phishing Scams: As another example, cyber-attackers often use phishing emails to trick users into revealing their login credentials or other sensitive data.
• Credential stuffing: A type of cyber-attack where attackers attempt to gain unauthorised access to protected accounts using stolen or leaked usernames and passwords, typically lifted from an earlier data breach.
• Social Engineering Tactics: Cybercriminals can also use social engineering tactics to impersonate authorised users into tricking victims into sharing information and access.
• Remote Work: The rise of remote work has further increased the risk of identity-based attacks. With more employees working from home and using personal devices to access company systems, organisations can struggle to maintain complete visibility and control over user access.
• Regulatory Compliance: ITDR is also becoming more important due to the increasing regulatory requirements around data privacy and security. Many industries, such as healthcare and finance, are subject to strict regulations around data protection. Organisations that fail to comply can face significant fines and reputational damage.

To address these challenges, organisations are turning to ITDR solutions to protect their systems and address specific vulnerabilities that may arise.

Identity Threat Detection and Response (ITDR) and Endpoint Detection and Response (EDR) are both cybersecurity solutions that focus on detecting and preventing cyberattacks, but they differ in their points of focus.

ITDR solutions focus on identifying, reducing, and responding to potential identity-based threats, such as compromised user accounts and leaked passwords, by monitoring user activity and access management logs, flagging any malicious activity, and collecting data from multiple identity and access management (IAM) sources.

On the other hand, EDR solutions focus on monitoring and analysing endpoint devices, such as workstations and laptops, by collecting system logs and network traffic to detect malicious activity in an organisation’s equipment.

Here are some key differences between ITDR and EDR:

• Scope: EDR primarily focuses on monitoring and securing endpoints, such as individual devices like desktops, laptops, and servers, while ITDR is designed to scan for identity-based threats across platforms, environments, and systems.
• Data collected: EDR typically collects data related to process execution, file access, and network traffic, while ITDR collects and analyses user activity logs, access management logs, and IGA system data.
• Threat visibility: EDR offers visibility into endpoint activities, analysing behaviours and events occurring on the user devices, while ITDR offers a comprehensive perspective on identity-based threats, privileged user behaviour, analysing access attempts, authentication patterns, and the principle of least privilege.
• Incident response: EDR primarily focuses on investigating and responding to threats at the endpoint level, while ITDR analyses user behaviours across multiple environments to identify and respond to identity-based threats.

It’s important to note that ITDR and EDR complement each other, providing valuable insights during incident analysis. In a scenario where an attacker has gained access to a network through an endpoint device, an EDR solution would detect suspicious activity on that device, while an ITDR solution would detect any malicious activity related to user identities and access management. In turn, it’s critical to understand the differences between ITDR and EDR and how they can work together to provide comprehensive cybersecurity protection.

With the release of the Gartner report Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response in 2022, security and risk management professionals now have access to research, insights, and recommendations for addressing identity security issues. These facts and trends highlight the growing interest in and demand for ITDR.

Identity Is the Top Vector for Cyberattacks

Catalyzed by COVID-19, attackers capitalised on the identity-impacting shift to remote work. According to Gartner, “Organisations’ reliance on their identity infrastructure to enable collaboration, remote work, and customer access to services has transformed identity systems into prime targets”. Security teams have been grappling with the operational realities of a workforce that could not come to work in the office.

Identity Is the New Vulnerability

With the adoption of cloud computing and the need to support work from home, identity-focused solutions have become an even more central foundation of cybersecurity programmes. Gartner states that “Identity threats are multifaceted. Misconfigurations of and vulnerabilities in identity infrastructure can be exploited”. Further, data from the Identity Theft Resource Center shows ransomware-related attacks, which typically depend heavily on breached identities, doubled in 2020 and doubled again in 2021.

Attackers Exploit Gaps Between Identity and Security Systems

The deployment of identity systems, such as IAM, PAM, and MFA, are often multi-phased projects, leaving identities exposed until those deployments are fully, if ever, completed. These deployments are further challenged by the constant changes of identities, which need to be repeatedly re-discovered over time to make these systems successful. Furthermore, the process of discovering and auditing accounts is often a time-consuming, manual, and error-prone process. And by the time the audit is completed, the identities have often already substantially changed.

ITDR Is a Top Cybersecurity Priority

According to Gartner, “Modern identity threats can subvert traditional identity and access management (IAM) preventive controls, such as multifactor authentication (MFA). This makes identity threat detection and response (ITDR) a top cybersecurity priority for 2022 and beyond”. With attackers now focused on exploiting vulnerable identities, organisations must now work to make securing identities a top priority.

Despite using systems like PAM, MFA, and other IAM solutions to protect identities from being exploited, vulnerabilities often remain. The causes of identity vulnerabilities fall into three (3) categories: unmanaged, misconfigured, and exposed identities.

Unmanaged Identities

• Service Accounts – Machine identities often go unmanaged by PAM systems because they were undiscovered during implementation, and not all applications are compatible with PAM, such as legacy applications for which the cost of modernisation is cost-prohibitive.
• Local Admins – Local admin privileges enable a variety of IT support needs but often go undiscovered or forgotten after their creation, leaving them unmanaged.
• Privileged Accounts – Many other privileged accounts go unmanaged by PAM or MFA solutions because they remain undiscovered (thus unknown) during deployment.

Misconfigured Identities

• Shadow Admins – The complexity of nested identity groupings makes it extremely difficult to see and thus understand the complete rights and entitlements of all identities, causing users to be granted unintended, thus excessive privileges.
• Weak Encryption and Passwords – Identities configured to leverage weak or missing encryption or do not enforce strong password policies.
• Service Accounts – Machine identities with privileged access rights may be misconfigured to incorrectly allow for interactive login by humans.

Exposed Identities

• Cached Credentials – Account and credential information commonly stored on endpoints memory, registry, and disk, where they are easily exploited by commonly used attacker tools.
• Cloud Access Tokens – Cloud access tokens stored on endpoints are a common way attackers access cloud-based systems.
• Open RDP Session – Remote application sessions may be improperly closed, enabling attackers to leverage an open session and its privileges, largely without the risk of detection.

It’s important to note that any identity can be vulnerable in multiple ways and across these three vulnerability categories. These specific identities often expose organisations to the greatest level of identity risk.

For instance, a single identity can be misconfigured to hold unintended Shadow Admin rights, which, by its nature, causes this identity to go unmanaged due to the lack of IT knowledge that typically triggers extra access management protection intended for accounts with the rights it holds (PAM, MFA, etc.).

Comprehensive ITDR solutions should include preventative capabilities that discover and remediate gaps in an organisation’s identity posture, as well as detective capabilities that accurately alert on indicators of compromise as they occur. Only with controls both before and after a breach can identities be considered reliably secure.

ITDR Preventative Controls

ITDR preventative controls discover, prioritise, and often automatically remediate identity vulnerabilities before threat actors attempt to exploit them.

Much like traditional vulnerability and risk management programmes, the discovery capabilities of ITDR enable organisations to see and inventory the risks of their identity “assets”. The most effective ITDR solutions deliver automated, continuous, and comprehensive identity discovery, including visibility into unmanaged, misconfigured, and exposed privileged accounts.

This visibility enables effective IT and Infosec decision-making to mitigate these risks, further leveraging systems such as IGA, PAM, MFA, SSO, and others. In fact, we’ve known that continuous scanning for issues is required to effectively manage any complex system, and identity management is no exception.

ITDR Detective Controls

ITDR detective controls alert at the moment there is an indication of a threat actor or insider attempting to compromise or leverage an identity in a way that indicates risk for the organisation. Detective controls are needed to find and mitigate risks that cannot be prevented so that the incident responders can be alerted and quickly respond in the event of an attack.

The effective detection of identity threats before attack completion is difficult to achieve for several reasons:

• Less time to detect attacks: Attacker dwell times in many attack types, such as ransomware, have dropped from months to days in many cases. By focusing on compromising identities for system intrusions, attackers can move much more quickly through their attack.
• Reduced effectiveness of existing security controls: As attackers continue to exploit identities as their key paths to their ultimate targets, they’ve all but abandoned many previous techniques, rendering security tooling that defends against these techniques less effective. Attackers have also regularly demonstrated that once they escalate their privileges, they can disable security controls, including endpoint (EDR) agents responsible for detecting them.
• Inability to accurately detect nefariousness from acceptable privileged account activity: Signature and behavioural-based analysis of privileged users has proven ineffective in accurately detecting nefarious privilege updates and lateral movement. The lack of sufficient acceptable behaviours of privileged admin accounts (what data scientists call high data entropy) has led to difficulties in establishing effective baselines required to minimise false positives. And, of course, false positives are a major problem if they chew up the security team’s time and focus.

As such, more accurate detection of compromised privileged accounts is needed. Deception and its highly deterministic approach of planting deceptive content to lure attackers offer a viable and proven alternative to behavioural analytics for accurately detecting privilege escalation and lateral movement.

When properly implemented, the deception-based approach plants lures that only an attacker would interact with, based on the understanding of the attacker’s techniques and tooling, also leaving no clues for the attacker to believe they are being trapped.

Helping meet the growing demands of effective identity threat detection and response, Proofpoint provides a comprehensive ITDR solution. The Proofpoint solution provides preventative controls to continuously discover and remediate identity vulnerabilities before their exploitation while also providing detective controls that employ deceptive techniques to accurately detect privilege escalation, account takeover, and lateral movement activities by threat actors as they occur. Learn more about how Proofpoint can help improve your identity-centric security.