Illusive Blog August 11, 2022

What is ITDR? “Identity Threat Detection and Response” Explained

By Mark Jaffe

At the highest level, ITDR is short for identity threat detection and response, a new class of cybersecurity solutions designed to protect identity systems. ITDR shares a similar naming convention to endpoint detection and response (EDR) and extended detection and response (XDR) solutions, but many of its capabilities require a more nuanced understanding of why identity deserves its own detection and response category of solutions.

The press release titled “Gartner® Identifies Top Security and Risk Management Trends for 2022” states, “Gartner introduced the term ‘identity threat detection and response’ (ITDR) to describe the collection of tools and best practices to defend identity systems.”

In this press release, Gartner Research Vice President Peter Firstbrook contends, “Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure. ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation.”

We believe that despite their shared nomenclature, some capabilities of ITDR seem like a broad departure from the EDR and XDR solutions that came before it.

In the meantime, we believe the closest analog to ITDR is Active Directory threat detection and response (AD TDR). According to Gartner, “AD TDR tools typically support some combination of the following:

  • Configuration, policy and identity data analysis to assess the security posture of an organization’s Active Directory environment
  • Attack path management and impact analysis
  • Risk scoring and prioritization
  • Real-time monitoring of runtime behaviors for common indicators of compromise
  • Machine learning or analytics to detect abnormal behaviors or events
  • Automated remediation and incident response
  • Dashboards, alerts, reports, search and incident management
  • Integration with security information and event management (SIEM) and security orchestration automation and response (SOAR) tools
  • Integration with MFA solutions to deliver step-up authentication in response to risk events
  • Risk signal sharing with additional modules (for suite providers) and third-party tools.”

(Gartner, “Implement IAM Best Practices for Your Active Directory,” by Paul Rabinovich, March 14, 2022.)

You can easily correlate AD TDR and ITDR to surmise that threats also include risks such as misconfigured policies and other identity security vulnerabilities. Detection also includes the discovery and prioritization of these risks. And response actions should include automated remediation, not just of run-time events but also of these admin risks. That’s all in addition to the expected features of a detection and response solution (i.e. real-time threat detection).

Understanding Identity – Identity is the new Perimeter

Illusive is a strong proponent of the view that identity is the new perimeter: even if your network and devices are secure, all an attacker needs to compromise your enterprise resources is one set of exposed privileged credentials (check out the threats section below for a recent example of how).

The traditional network security model has been likened to a castle. The firewall is like a bulwark, protecting the crown jewels. However, more than a decade of cloud computing, mobile devices, and remote workers have eroded the effectiveness of this perimeter. When employees are accessing third-party services from personal devices and private networks, organizations need to reimagine how to secure access.

Most organizations are now turning to Zero Trust security to secure this new perimeter. According to Microsoft, “Identities – whether they represent people, services, or IoT devices – define the Zero Trust control plane.”

As it turns out, there are quite a few solutions to help manage these identities, such as Active Directory, IAM, and PAM, but there are far fewer solutions that can secure these identities in the first place. Make no mistake, these are all GREAT solutions for managing identities, access and authentication, but ITDR is required to really validate and optimize the effectiveness of PAM solutions.

When it comes to ITDR solutions, it is imperative that they deliver a top-down view of directory structures since they set policy. But an ITDR solution also needs to provide a bottom-up view of the endpoint to understand how effectively this policy is enforced. Illusive frequently discovers discrepancies between the directory structure and the endpoint, indicative of a security blind spot or a policy gap that may be easily exploited during an attack. If an ITDR solution only examines directory structures, then it cannot provide any more visibility than existing identity management solutions do.

Understanding Threats – Identity is the new Vulnerability

If identity is the new perimeter, then identity is also the new vulnerability. Identity systems are generally designed to minimize friction once a user has been authenticated, which makes it much more difficult to detect an attack that exploits a vulnerable identity.

[Illustration: 1 in 6 endpoints has identity risk]

For example, a typical ransomware attack may leverage credentials stolen in a phishing attack or purchased on the dark web to establish initial access. Attackers then use a variety of tools to escalate privileges and dump privileged credentials. In fact, according to Enterprise Strategy Group, the theft of credentials from system memory is the most common source of a breach.

Attackers can easily exploit these unmanaged, misconfigured, and exposed identities, something most cybersecurity professionals would classify as a vulnerability or a risk. Of course, it can be difficult to distill so many technical concepts into just a few words, so “threat” has become an all-encompassing umbrella for identity risks, vulnerabilities, and threats that exist along a spectrum of admin issues and run-time events.

  • Identity Risks – Include unmanaged, misconfigured, and exposed identity vulnerabilities, such as local admins that are not enrolled in PAM, shadow admins with unknown and unintended privileges, and cached credentials that are easily stolen from memory.
  • Identity Threats – Encompass run-time events, such as unauthorized access and suspicious or malicious behavior.
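The top-down versus bottom-up comparison and the identity risks listed above can be sketched as a reconciliation check. This is an added example, not Illusive's code: the hosts, accounts, data layout and risk labels are constructed assumptions, and only cached credentials of accounts marked privileged are flagged.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "host account risk")

# Constructed sample data (hypothetical hosts and accounts).
# Top-down view: who the directory policy says is a local admin on each host.
DIRECTORY_POLICY = {
    "ws-001": {"CORP\\helpdesk"},
    "srv-db1": {"CORP\\dba-admins", "CORP\\svc-backup"},
}
# Bottom-up view: what an endpoint scan actually observed.
ENDPOINT_STATE = {
    "ws-001": {"local_admins": {"CORP\\helpdesk", "ws-001\\tempadmin"},
               "cached_credentials": {"CORP\\jsmith", "CORP\\da-alice"}},
    "srv-db1": {"local_admins": {"CORP\\dba-admins", "CORP\\svc-backup"},
                "cached_credentials": set()},
}
PAM_ENROLLED = {"CORP\\helpdesk", "CORP\\dba-admins", "CORP\\da-alice"}
PRIVILEGED = {"CORP\\da-alice", "CORP\\dba-admins"}  # assumed privileged set


def find_identity_risks(policy, endpoints, pam_enrolled, privileged):
    """Compare directory policy with endpoint state; return sorted findings."""
    findings = set()
    for host, state in endpoints.items():
        expected = policy.get(host, set())
        for account in state["local_admins"]:
            # Admin rights on the endpoint that the directory does not define.
            if account not in expected:
                findings.add(Finding(host, account, "policy_gap"))
            # Admin account that is not under PAM management.
            if account not in pam_enrolled:
                findings.add(Finding(host, account, "unmanaged_admin"))
        # Privileged credentials left cached on the endpoint.
        for account in state["cached_credentials"] & privileged:
            findings.add(Finding(host, account, "exposed_credential"))
    return sorted(findings)


if __name__ == "__main__":
    for f in find_identity_risks(DIRECTORY_POLICY, ENDPOINT_STATE,
                                 PAM_ENROLLED, PRIVILEGED):
        print(f"{f.host:8} {f.risk:19} {f.account}")
```

A directory-only check would miss `ws-001\tempadmin` entirely, since that account exists only in the endpoint view.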

Understanding Detection – You Cannot Protect What you do not Know Exists

Another disambiguation that needs to be made between ITDR and EDR/XDR is that detection is not limited to the real-time monitoring and behavioral analysis of run-time events. Certainly, the detection of these threats is a valuable use case for ITDR (just like EDR/XDR), but ITDR also enables a much more proactive approach to discovering identity security vulnerabilities.

Much like any vulnerability and risk management program, the discovery capabilities of ITDR enable organizations to inventory their identity “assets,” so to speak. This sort of asset inventory is a fundamental of cybersecurity when it comes to device management, but many organizations struggle to gain this same sort of visibility when it comes to their identities, in part because previous discovery tools were manual and static. The most effective ITDR solutions deliver automated, continuous, and comprehensive identity discovery, such as discovering unmanaged admin accounts.

Of course, detection also includes the real-time monitoring of run-time events, but again it may be valuable not to limit your thinking to the traditional behavioral analysis approach of EDR/XDR. Certainly, there are ITDR solutions that leverage behavioral analysis to detect suspicious and malicious behavior, but the problem with these sorts of solutions is that they are prone to false positives and tend to be deployed as a software agent. Unfortunately, when an attacker escalates their privileges – which is one of the first steps in an attack – they can usually disable these agents.

Deception-based detection is more effective than behavioral analysis when it comes to high-fidelity alerting. ONLY an attacker would interact with deception-based detection because of the way its decoy endpoints, servers, and accounts are deployed. Furthermore, Illusive uses a dissolvable binary to deploy and manage its platform, which leaves no trace for attackers to discover or disable.

Understanding Response – Proactive Risk Assessment vs. Reactive Incident Response

Compared to the concepts of threats and detection, the response actions of ITDR are more similar to EDR/XDR in the sense that all of these solutions are intended to alert, to automate remediation actions, and to integrate into other incident response solutions. Of course, the difference with ITDR is that the focus is on identities, and again, if we broaden the aperture beyond a baseline understanding of threat detection to include risk discovery then even more benefits become apparent.

For example, the response to an identity security vulnerability or an admin risk may be to enforce enrollment into a PAM or MFA solution, or to automatically cleanse cached credentials off of an endpoint, whereas the response to a real-time event may be to restrict access or to integrate into a SIEM or SOAR solution to further execute incident response playbooks.

Of course, threat detection and response to real-time events is critical to preventing data breaches, but a more proactive approach to risk assessment enables organizations to close attack paths before they are even attacked. As the dwell time for attacks has reduced from months to weeks to days, organizations can no longer afford to spare the time needed for reactive incident response.

When ITDR solutions focus exclusively on real-time events, they are leaving a giant blind spot that could be addressed by a more proactive risk assessment and threat hunting approach. From the discovery of admin risks to the detection of real-time events, and the associated responses for each, ITDR solutions should span this full lifecycle to be considered truly effective.

*Gartner Press Release, “Gartner Identifies Top Security and Risk Management Trends for 2022”, March 7, 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
