
ITDR - The new buzzword

User Identity - The New Security Perimeter

Findings are consistent: 84% of businesses experienced an identity-related breach in the past year (see the IDS Alliance report here), while the Verizon Data Breach Investigations Report for 2023 (DBIR) states that the vast majority of breaches are caused by the human element, i.e. stolen credentials or phishing.

These stats are not surprising: by gaining control of a single privileged account, a malicious actor can navigate through a company's network without being detected, wreaking havoc along the way. When appearing indistinguishable from a legitimate employee, they possess the liberty to engage in a wide range of activities, including pilfering sensitive data and initiating ransomware attacks.

Standard directory services (such as Active Directory), Identity and Access Management (IAM) or Identity-as-a-Service (IDaaS) solutions typically don’t detect malicious activity after a “legitimate” user has been authenticated and authorized.

That problem is compounded by attacks now increasingly targeting machine or application identities, as opposed to employee accounts - see example here.

SIEM systems are usually designed to alert on abnormal or malicious user activity. But they typically do not encode domain knowledge of the attack techniques used to compromise an organization's identities: lateral movement and privilege escalation events are usually missed, while the tools tend to generate false positive detections that overwhelm security teams.

That's why a new class of solutions is emerging, one that Gartner calls Identity Threat Detection and Response or ITDR, addressing the new security perimeter: identity.

From Compliance Scans to Active Deception

ITDR tools are designed to continuously monitor user behavior patterns across systems. They scan every endpoint (clients and servers), PAM systems and identity repositories (typically Active Directory and Entra ID) to look for unmanaged, misconfigured and exposed identities.

Some ITDR tools even rely on deception technology, i.e. planting deceptive content, or trip wires, throughout the organization's environment that only attackers would interact with. Once an attacker trips one of those alarms, the tool provides the security team with details about exactly where to find them, along with other forensic information.

Security vendors are already incorporating ITDR technologies into their portfolios. Some examples include:

  • CrowdStrike Falcon Identity Protection: an agent-based approach fully integrated with its XDR platform, involving agents installed on Active Directory domain controllers. The agents collect and detect events at the identity store level, which effectively extends telemetry to unmanaged endpoints trying to authenticate against AD. That gives the opportunity to apply policies to endpoints generating suspicious activity: for example, automatically labeling suspicious usernames and blocking access from unmanaged endpoints attempting RDP access.

  • Proofpoint Spotlight and Shadow, the products making up its ITDR platform (the result of the Illusive acquisition): an agentless approach which scans servers (AD), cloud-based Azure Entra ID, PAM solutions and endpoints to discover: incorrect PAM configuration; improper management of service, local admin and privileged domain credentials; unintentional creation of shadow admin accounts that have excessive privileges; and user applications such as browsers, SSH, FTP and PuTTY clients that cache credentials and cloud access tokens on endpoints.
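To make the domain-controller-level detection described in the CrowdStrike bullet concrete, here is an added example (not code from the post or from either vendor) that runs two ITDR-style checks over constructed logon records: RDP logons from hosts outside a hypothetical managed inventory, and one account authenticating to many hosts in a short window, which a generic SIEM rule would usually miss. Field names, the `MANAGED_HOSTS` inventory and the sample events are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of DC-side logon records (4624-style fields). Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "user": "alice", "src_host": "WS-001", "target": "DC01", "logon_type": 2},
    {"ts": 1700000030, "user": "svc_backup", "src_host": "UNKNOWN-PC", "target": "SRV-FILE01", "logon_type": 10},
    {"ts": 1700000060, "user": "bob", "src_host": "WS-017", "target": "SRV-FILE01", "logon_type": 3},
    {"ts": 1700000070, "user": "bob", "src_host": "WS-017", "target": "SRV-SQL02", "logon_type": 3},
    {"ts": 1700000080, "user": "bob", "src_host": "WS-017", "target": "SRV-WEB03", "logon_type": 3},
    {"ts": 1700000090, "user": "bob", "src_host": "WS-017", "target": "SRV-APP04", "logon_type": 3},
    {"ts": 1700000100, "user": "bob", "src_host": "WS-017", "target": "DC01", "logon_type": 3},
    {"ts": 1700000200, "user": "alice", "src_host": "WS-001", "target": "SRV-WEB03", "logon_type": 10},
    {"ts": 1700004000, "user": "carol", "src_host": "WS-042", "target": "SRV-FILE01", "logon_type": 3},
    {"ts": 1700008000, "user": "carol", "src_host": "WS-042", "target": "SRV-SQL02", "logon_type": 3},
]
# Hypothetical asset inventory: hosts the organisation manages (agent installed).
MANAGED_HOSTS = {"WS-001", "WS-017", "WS-042", "SRV-FILE01", "SRV-SQL02", "SRV-WEB03", "SRV-APP04", "DC01"}
RDP_LOGON_TYPE, NETWORK_LOGON_TYPE = 10, 3   # RemoteInteractive; network (SMB/RPC) logon

def rdp_from_unmanaged(events, managed_hosts=MANAGED_HOSTS):
    """RDP logons whose source host is outside the managed inventory."""
    return [e for e in events
            if e["logon_type"] == RDP_LOGON_TYPE and e["src_host"] not in managed_hosts]

def lateral_fanout(events, window=300, min_targets=4):
    """Accounts with network logons to >= min_targets distinct hosts inside a sliding time window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == NETWORK_LOGON_TYPE:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            targets = {x["target"] for x in evs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append({"user": user, "targets": sorted(targets), "from": evs[start]["ts"], "to": evs[end]["ts"]})
                break   # one alert per account is enough for triage
    return alerts

def suspicious_users(events):
    """Usernames to label for follow-up, with the reason each was flagged."""
    labels = defaultdict(list)
    for e in rdp_from_unmanaged(events):
        labels[e["user"]].append("rdp_from_unmanaged_host:" + e["src_host"])
    for a in lateral_fanout(events):
        labels[a["user"]].append("lateral_fanout:%d_targets" % len(a["targets"]))
    return dict(labels)
```

On the sample data `suspicious_users(SAMPLE_EVENTS)` labels `svc_backup` (RDP from an unmanaged host) and `bob` (four hosts in thirty seconds), while `carol`, whose two logons are hours apart, is not flagged.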

Proofpoint Spotlight ITDR: scanning identity stores on-prem and in the cloud to detect identity based compromise. Source: Proofpoint

Identity-based attacks are poised to increase in the future as attackers seek to circumvent existing XDR, SIEM and MFA defenses. Industry research and reports consistently confirm that an initial foothold is usually established following successful phishing or other identity compromise attempts. Hence, there is ample opportunity for businesses to improve how they protect identities and mitigate identity risks.
