The InfoSec Guide to ITDR (Identity Threat Detection and Response)
Where would Hollywood thrillers be without the hero stealing an ID card and walking right past the bad guys to save the day? In real life, though, it’s the bad guy who breezes past security with a stolen ID. When a hacker can impersonate a legitimate user, they can bypass all robust (and expensive) countermeasures.
Hackers’ abuse of valid accounts shot up by 71% from 2022 to 2023, with stolen user identities comprising 30% of initial access vectors. Plus, data breaches arising from compromised credentials took 190% more resources to remediate than other forms of attack. Based on these findings, the need for identity threat detection and response (ITDR) to mitigate identity risks proactively is clear and compelling.
What is ITDR (Identity Threat Detection and Response)?
Identity Threat Detection and Response (ITDR) is a security discipline that protects digital assets from identity-based attacks. It combines processes, tools, and best practices to detect and respond to user identity threats and support identity infrastructure.
ITDR goes beyond the functionality of traditional identity and access management (IAM) solutions. IAM and privileged access management (PAM) keep track of user identities and provide user authentication. IAM products provision and de-provision identities but do not monitor activities or flag suspicious cases.
Similarly, while security incident and event management (SIEM) solutions monitor multiple systems for evidence of attacks, most SIEMs are not configured to catch identity-specific threats.
SaaS applications are an excellent fit for ITDR, as their remote user bases and shared security model make them more vulnerable to identity-based attacks. Vulnerability misconfigurations and inconsistent integration with IAM solutions add to SaaS security risks.
Why is ITDR Crucial for InfoSec Professionals?
Information security (InfoSec) professionals should become familiar with ITDR because of the rise in identity-based attacks like phishing, credential stuffing, and privilege escalation. As remote work and outsourcing become more common, organizations are increasingly susceptible to these attacks. Additionally, corporate login credentials are often found on the dark web, making user impersonation easier.
ITDR is also essential due to the rise in attacks on identity infrastructure. Attackers who compromise IAM solutions like Azure AD can access systems undetected and appear as regular users. Using legitimate credentials doesn’t attract much attention from security operations centers (SOC) and avoids triggering alerts. ITDR solutions help detect the subtle signs of these identity-based attacks.
Standard IAM and PAM solutions do not help in this context. Consider social engineering attacks like “MFA bombing” or “MFA fatigue,” where attackers send repeated MFA push notifications to a user’s device. Confused, some users may approve one MFA request and accidentally grant access to attackers. This tactic bypasses typical IAM defenses, but ITDR may help. ITDR tools identify unusual login behavior and take action, such as blocking access and initiating remediation.
Key Components of an Effective ITDR Strategy
What does it take to build an effective ITDR strategy? While an ITDR solution is essential, more is needed to achieve success. For the solution to be effective, it must support these core components of an ITDR strategy:
- Identity Monitoring—Who’s who in your organization, and who can do what? The answers to these two fundamental questions can reveal various identity risks. For example, you may have unmanaged identities in your Workday application that exist outside of IAM and are a source of risk. ITDR monitors all identity activity to flag suspicious activities by such accounts.
- Threat Detection—Identity-based threats include a wide range of attacks, from spear phishing to “pass the hash” password thefts. You need to configure ITDR to detect as many such threats as possible, including threats outside your domain (think looking for stolen cloud access tokens on the dark web).
- Contextual Analysis—Spotting an identity-based attack requires a deep understanding of context, as attacks may resemble regular business activities. An ITDR solution can detect contextual anomalies, such as off-hours log-ins or unexpected privilege escalations, and begin remediation.
- Automated Incident Response—An identity-based attacker can quickly do much damage, so a nearly instant response should follow detection. For this to work, you need an automated workflow for incident response.
5 Steps to Implement ITDR in Your Organization
1. Assess Current IAM Posture to Identify Gaps
Effective ITDR begins with understanding your current identity and access management (IAM) state. Identity-based attacks often exploit gaps, particularly between IAM and PAM solutions. For instance, users may retain unnecessary administrative privileges from temporary provisions, like system reinstalls. Weaknesses in MFA or password policies can also increase identity risks. By evaluating your existing IAM, PAM, MFA, and SSO solutions, you can identify and close these security gaps with ITDR.
2. Choose the Right Tools
Implementing ITDR means acquiring and deploying an ITDR solution. Many robust options are on the market, some focusing on verifying identities while others specialize in monitoring user activity.
Look for an ITDR solution to execute your ITDR strategy across all relevant computing environments. Identity attacks can occur in on-premises systems, the cloud, and its various incarnations, including public and private clouds, infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and SaaS.
One of the challenges of defending against identity-based attacks in SaaS is the breadth of SaaS apps in the average enterprise. A robust ITDR solution for SaaS security, such as Suridata, will be able to monitor user behavior in most SaaS apps.
3. Define and Configure Detection Rules
Once you have your ITDR tool, you must define what threats you want this solution to detect and set up its rules. The specifics will depend on your environment and industry, but it’s usually good practice to focus on the most sensitive digital assets first. Consider where you face identity risk in those assets.
For example, in the manufacturing industry, identity risks may involve unauthorized access to material informatics systems that manage material specifications and supply chains. Your detection rule could be, “Monitor user accounts and flag any accounts with elevated permissions that are not regularly reviewed.” You would then set up your ITDR solution to enforce this rule.
4. Integrate with Incident Response frameworks
ITDR will not be a standalone system in your security operations. Instead, it must integrate with your team’s incident response frameworks in the security operations center. This integration might involve feeding alerts from ITDR into SIEMs or security orchestration and automation and response (SOAR) solutions. This way, if ITDR picks up on a possible identity-based attack, it can initiate automated remediation. ITDR can also initiate response workflows to alert SOC analysts and key stakeholders. This capability is crucial if the identity attack is part of a more significant threat, such as ransomware.
5. Regularly Audit and Test Controls
Users’ identity profiles and system deployments change frequently. Within months of implementing an ITDR solution, you may need more coverage for new applications and administrative privileges. Without frequent updates, ITDR controls can quickly become outdated and redundant. Regular auditing and testing of ITDR controls is essential to prevent gaps in your defense against identity-based attacks.
Making ITDR Work For Your Organization
Identity is a significant cyberattack vector. ITDR offers a countermeasure by detecting identity-based attacks and responding quickly and effectively, often through automated processes.
While the ITDR strategy blends process, policy, and tooling, your choice of ITDR solution is essential for success. The right solution will enable your team to discover gaps in IAM and PAM, among other identity risk factors, and integrate seamlessly with incident response workflows. An ITDR solution should mitigate risk in all environments, including the cloud and SaaS.
ITDR is especially important in SaaS, given these technologies’ remote, third-party nature. As an end-to-end SaaS security solution, Suridata offers comprehensive ITDR capabilities, including real-time detection, response, and protection against SaaS vulnerabilities across any of your SaaS applications. Learn more about how Suridata can protect your SaaS environment from identity-based threats.
Co-Founder & COO