The Case for Identity Threat Detection and Response
Although people usually associate ransomware with malicious code performing encryption, that is only the final outcome of an attack.
Practice shows ransomware threat actors will focus on compromising identities, i.e. trick users to reveal credentials or exploiting weak authentication (such as lack of MFA). Once gaining a foothold into an organization as a legitimate user, it's much easier to move laterally, escalate privileges, etc.
A case can be made that ransomware is mainly an identity attack problem. That is confirmed by most industry analyses such as Verizon's Data Breach Report, which consistently finds most attacks (over 75%) start with stolen credentials or phishing accounts.
While posing as legitimate users, attackers typically have plenty of time for reconnaissance: according to IBM's Cost of Data Breach Report, compromised credentials take the longest to detect and contain, with an average of 250 days to detect.
So it only makes sense to focus more on activities happening inside the identity provider an organization relies upon, and combine that with endpoint telemetry.
Complementing endpoint inspection (i.e. EDR) with some kind of identity store inspection can dramatically increase visibility and improve response times during an attack.
For example, consider Active Directory (AD) on-premise, the main identity store unfortunately still used perhaps by more than 90% of organizations worldwide.
It is a legacy technology, so it does not include out-of-the-box monitoring capabilities to detect malicious activity or compromised accounts. In fact, Active Directory was architected at a time when there were few highly motivated and sophisticated threat actors using adversary toolkits.
Not only is AD widely popular and therefore an attractive target, but it's also being used for decades in some organizations. That leads to accumulating risks such as stale accounts, build-up of over-privileged users, unmanaged service accounts, and so on. With time, bad AD hygiene typically expands the organization attack surface, without IT management being aware.
As a result, Active Directory is now the great ransomware enabler for most organizations, and the weakest link in their cyber defense strategy.
Fortunately, many XDR/EDR vendors are getting the point: endpoint focused solutions are being complemented by agents which can analyze Active Directory activity in real-time and significantly augment detection and response capabilities. Benefits include:
detect logon events from unmanaged devices i.e. those that for some reason do not have the EDR agent installed. Unmanaged assets are a huge risk and focusing on identity allows indirect telemetry from those assets.
Detect suspicious logon activities from unusual locations, hours, roles, etc.
Add endpoints with suspect logons to a watch list that can be re-used to dynamically respond, for example limit RDP connections or block the endpoint to authenticate at all.
Report on risky accounts: those with passwords never expiring, shared by multiple users, having compromised passwords (based on threat intel), stale or not being used, etc.
Such solutions are being also promoted by Gartner as Identity Threat Detection and Response (ITDR) in its latest Hype Cycle for Security Ops - so you can add ITDR to the list of acronyms to remember ;)
An example of EDR featuring ITDR integration is Crowdstrike's Falcon platform: by having agents with monitoring capabilities installed on AD domain controllers, Crowdstrike is able to significantly broaden the detection and response scope within its policy engine.
Detecting events at the identity store level has the advantage of extending detection to unmanaged endpoints. For example, below are some detections of Active Directory related actions which threat actors will typically attempt to elevate privileges: domain data replication, golden ticket attack, suspicious LDAP searches, etc.
Keep in mind in this example the actions are launched from a host which does not have EDR installed, and yet we see the activities, as these are being recorded at the domain controller level:
Now the username performing these activities is automatically labeled as suspicious (or Watched). That gives the opportunity to respond on specific activity such as the compromised user attempting RDP access from an unmanaged endpoint.
Extending control to unmanaged endpoints is the outcome of monitoring activity at the identity store level (Active Directory). See below the example policy:
Another outcome is the ability to monitor identities as if they were assets with risks attached. Below you can see an example timeline of telemetry from Active Directory, which is normally not obvious to administrators: accounts with passwords that never expire, shared and stale accounts, compromised passwords, etc.
Attaining such visibility represents a crucial stride in enhancing situational awareness and serves as an important tool for mitigating identity risks:
As seen from the examples above, having ITDR features integrated with EDR significantly expands detection and response capabilities.
This is especially relevant for today's threat actors launching ransomware attacks: in most cases these adversaries will compromise identity as a first step, so it makes sense to include telemetry from identity stores into the EDR strategy.
More on identity threat detection with Crowdstrike - here.
