Illusive Blog November 3, 2022

5 Things You Should Know About Identity Threat Detection and Response (ITDR)

By Mark Jaffe

This is a pivotal moment for identity security. Gartner® published its first standalone Identity Threat Detection and Response (ITDR) report, “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response,” on October 20, 2022. The full report is available from Gartner (subscription required).

The many conversations we at Illusive have with cybersecurity leaders and their teams suggest a widespread awareness and concern around the security of identities.

With the release of the Gartner report “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response,” security and risk management professionals now have access to new research, insights and recommendations for addressing identity security issues. Here are five key takeaways that you should know about ITDR.

#1 Identity is the Top Vector for Cyberattack

According to Gartner, “Organizations’ reliance on their identity infrastructure to enable collaboration, remote work and customer access to services has transformed identity systems into prime targets for threat actors, with credential misuse being the most popular path to security breaches in 2021.”1

Over the past few years, organizations have grappled with the operational realities of a workforce that could not come to work in the office. COVID-19 catalyzed what should have been years worth of digital transformation initiatives into months of implementation. As it goes with the adoption of any new technology, attackers turned their attention to capitalize on this shift.

According to the Identity Theft Resource Center, ransomware attacks doubled in 2020 and doubled again in 2021. This increased frequency of ransomware attacks must be partially attributed to the challenges organizations have faced in enabling a work-from-anywhere philosophy, the expanding sprawl of new cloud-based systems, and zero-trust security initiatives, all with identities at their core; identities that attackers have repeatedly shown they can exploit.

Illusive research has revealed that privileged account credentials, such as cached RDP session credentials used for remote administration, are left exposed on more than 1-in-10 endpoints. Meanwhile, RDP and VPN credentials are the most popular and valuable accounts among the initial access brokers who supply ransomware attacks. The theft of cached credentials is the top vector of attack, and account takeover (ATO) attacks are running rampant.

#2 Identity is the New Vulnerability

With the adoption of cloud computing and the need to support work from home, we’ve often heard that identity is the new perimeter; many would argue that identity is the foundation of cybersecurity. If identity is the new perimeter, it is also the new vulnerability, because all an attacker needs to compromise enterprise resources is one set of exposed privileged credentials.

According to Gartner, “Identity threats are multifaceted. Misconfigurations of, and vulnerabilities in, identity infrastructure can be exploited.”1

Illusive Enterprise Endpoints Vulnerabilities Diagram

Illusive research has revealed that this sort of exploitable identity security vulnerability is present on 1-in-6 endpoints. We tend to classify these vulnerabilities across three categories:

  • Unmanaged: Privileged accounts should be vaulted in privileged access management (PAM) solutions, but it can be challenging to obtain the visibility needed to fully inventory these accounts. Case in point, 87% of local admins are not enrolled in Microsoft’s “Local Administrator Password Solution.”
  • Misconfigured: Misconfigurations in Active Directory and other identity and access management (IAM) solutions can result in the creation of “shadow admins”: accounts that have obtained unnecessarily elevated privileges through group policy or other configuration errors, without anyone having visibility into their rights.
  • Exposed: Even when privileged identities are properly provisioned and managed, they can still become exposed during the normal course of business. Cached credentials are frequently stored on endpoints and servers in memory, registry or disk, where they can be extracted by commonly used attack tools.

Because they are multifaceted, identity risk factors can exist across multiple dimensions, and they compound. It is bad for an identity to be granted unnecessary Admin privileges; it is worse when its password hasn’t been updated in more than a year; and it is worst of all when its credentials become exposed, especially if they haven’t been protected by a PAM solution.
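As an added illustration (not Illusive's code or product logic), the triage described in the three categories and the compounding paragraph above can be expressed as a small rule set over an account inventory. The `Account` fields, the weights and the sample inventory are all constructed assumptions for the example; a real inventory would come from the directory, PAM vault and endpoint scans.

```python
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=365)  # "password not updated in more than a year"

@dataclass
class Account:
    name: str
    is_admin: bool            # holds elevated rights (local admin or AD group)
    admin_justified: bool     # elevation is intended by policy (else: shadow admin)
    pam_vaulted: bool         # credentials managed by a PAM vault or LAPS
    password_last_set: date
    cached_on_hosts: int      # hosts where credentials sit in memory/registry/disk

def risk_factors(acct, today):
    """Map one account onto the Unmanaged / Misconfigured / Exposed categories."""
    factors = []
    if acct.is_admin and not acct.pam_vaulted:
        factors.append("unmanaged")
    if acct.is_admin and not acct.admin_justified:
        factors.append("misconfigured")
    if acct.cached_on_hosts > 0:
        factors.append("exposed")
    if acct.is_admin and today - acct.password_last_set > STALE_AFTER:
        factors.append("stale-password")
    return factors

def risk_score(factors):
    """Illustrative weights; exposure of an unvaulted admin is the worst case."""
    weights = {"misconfigured": 2, "stale-password": 3, "unmanaged": 4, "exposed": 5}
    score = sum(weights[f] for f in factors)
    if "exposed" in factors and "unmanaged" in factors:
        score += 5  # compounding: exposed credentials not behind PAM
    return score

def prioritize(accounts, today):
    """Return (name, score, factors) tuples, highest remediation priority first."""
    rows = [(a.name, risk_score(risk_factors(a, today)), risk_factors(a, today))
            for a in accounts]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory (hypothetical accounts, not real data).
TODAY = date(2022, 11, 3)
SAMPLE = [
    Account("svc-backup", True, True, False, date(2020, 5, 1), 3),
    Account("helpdesk-jo", True, False, True, date(2022, 9, 12), 0),
    Account("dba-admin", True, True, True, date(2022, 1, 15), 0),
    Account("alice", False, False, False, date(2021, 3, 3), 1),
]

if __name__ == "__main__":
    for name, score, factors in prioritize(SAMPLE, TODAY):
        print(f"{name:12} score={score:2} factors={factors}")
```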

#3 Attackers Exploit Gaps Between Identity and Security Systems

The complexity of an organization’s identities turns the deployment of identity systems such as IAM, PAM and MFA into multi-phased projects, leaving identities exposed until those deployments are fully completed. These multi-year deployments are further challenged by the constant churn of identities, which must be re-discovered over time for the deployments to succeed.

Furthermore, discovering and auditing accounts against IT policies and other compliance-driven requirements, such as password policy and PAM audits, is a time-consuming, manual, error-prone process maintained in spreadsheets. Beyond the cost of these labor-intensive discoveries, their results are almost immediately outdated, leaving organizations blind to the scope of their vulnerable identities and unable to prioritize remediation efforts or optimize identity-related projects.

Illusive Access Management Threat Diagram

On the other hand, the behavioral analysis approach increasingly used to detect cyberattacks fails when monitoring privileged accounts for malicious activity, because it is difficult to distinguish acceptable use of a privileged account by an Admin from nefarious activity by an attacker who has compromised the account. This leads to false positive and false negative indicators of compromise (IOCs) that leave security teams in the dark. Consequently, account takeover attacks regularly fly below the radar until it is too late to prevent the attack.

By targeting privileged identities, threat actors are also able to speed through the steps of their attack. For example, during a well-known Lapsus$ ransomware attack, RDP access credentials enabled an account takeover, after which the attackers established persistence and escalated their privileges by simply downloading a tool from GitHub.

According to Gartner, “Conventional identity and access management and security preventive controls are insufficient to protect identity systems from attack. To enhance cyberattack preparedness, security and risk management leaders must add ITDR capabilities to their security infrastructure.”1

#4 An Ounce of Prevention is Worth a Pound of Cure

Threat actors leverage automated attack tools, such as Mimikatz, to discover and exploit vulnerable identities. In fact, Mimikatz was precisely the attack tool that Lapsus$ downloaded from GitHub to steal the cached credentials they needed to escalate their privileges.

Although these attacks seem novel, the reality is that Mimikatz is a well-known attack tool that has been documented by the MITRE ATT&CK framework since 2017. This Lapsus$ attack and many others like it serve as evidence of how attacker tools enable threat actors to speed through the steps of their attack.

Illusive Detection Gaps Diagram

Therefore, it stands to reason that if organizations want a demonstrable reduction in risk, they should focus on eliminating the identity vulnerabilities that threat actors commonly exploit, the ones that let them evade detection and complete their attacks in just days. While virtually impossible in the past without automation, this can be achieved today through ITDR solutions that continuously discover these vulnerabilities, prioritize their remediation based on the risk they pose, and in some cases automate their remediation.

According to Gartner, “Prepare for ITDR with hygiene measures by inventorying their existing prevention controls and auditing their IAM infrastructure for misconfigurations, vulnerabilities and exposures.”1

Illusive ITDR Diagram

#5 ITDR is a Top Cybersecurity Priority

According to Gartner, “Modern identity threats can subvert traditional identity and access management (IAM) preventive controls, such as multifactor authentication (MFA). This makes identity threat detection and response (ITDR) a top cybersecurity priority for 2022 and beyond.”1

Cybercriminals have made the exploitation of identity infrastructure the primary focus of their attacks. The reason is clear from the evidence: they are able to perform privileged ATO attacks quickly and without being detected.

Security and IT professionals have worked together over the years to secure networks, endpoints, applications and numerous other layers of their IT infrastructures. With attackers now focused on exploiting vulnerable identities, organizations must now work to make securing identities a top priority.

Illusive ITDR Spotlight™ Product Dashboard

ITDR solutions, such as Illusive Spotlight™ and Illusive Shadow™, enable organizations to defend against the automation that threat actors leverage by arming defenders with automation of their own to continuously prevent and detect these attacks. Illusive Spotlight’s continuous discovery delivers contextualized insights into identity vulnerabilities to help prioritize identity risk reduction and remediation efforts. Wherever possible, remediation can be fully automated when there is no risk of interrupting the business. Illusive Shadow acts as a compensating control for identity vulnerabilities and other risks that cannot be prevented, leveraging proven deceptive techniques to provide high-fidelity detection.

Illusive provides this comprehensive visibility by scanning directory structures (e.g., Active Directory), privileged access management (PAM) solutions (e.g., CyberArk, Delinea), endpoints and servers, revealing the broadest range of vulnerabilities between the intention of an organization’s identity security policies and the reality of their environment. In short, Illusive prevents attacks by taking away what attackers need to succeed: privileged account access.


1 Gartner Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response, 20 October 2022, H. Teixeira, P. Firstbrook, A. Allan, R. Archambault

GARTNER is the registered trademark and service mark of Gartner Inc., and/or its affiliates and has been used herein with permission. All rights reserved.
