What is ITDR? How to Prevent and Detect Identity Threats
ITDR is short for identity threat detection and response, a new class of cybersecurity solutions designed to protect identities, which are central to all modern IT systems. ITDR follows the naming convention of endpoint detection and response (EDR) and extended detection and response (XDR), but many of its capabilities only make sense once you understand why identity deserves its own detection and response category.
The press release “Gartner® Identifies Top Security and Risk Management Trends for 2022” states, “Gartner introduced the term ‘identity threat detection and response’ (ITDR) to describe the collection of tools and best practices to defend identity systems.”
In this press release, Gartner Research Vice President Peter Firstbrook states, “Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure. ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation.”
Illusive believes that, despite the shared nomenclature, some ITDR capabilities are a broad departure from the EDR and XDR solutions that came before.
For now, we believe the closest analog to ITDR is Active Directory threat detection and response (AD TDR). According to Gartner, “AD TDR tools typically support some combination of the following:
- Configuration, policy and identity data analysis to assess the security posture of an organization’s Active Directory environment
- Attack path management and impact analysis
- Risk scoring and prioritization
- Real-time monitoring of runtime behaviors for common indicators of compromise
- Machine learning or analytics to detect abnormal behaviors or events
- Automated remediation and incident response
- Dashboards, alerts, reports, search and incident management
- Integration with security information and event management (SIEM) and security orchestration automation and response (SOAR) tools
- Integration with MFA solutions to deliver step-up authentication in response to risk events
- Risk signal sharing with additional modules (for suite providers) and third-party tools.” (Gartner, “Implement IAM Best Practices for Your Active Directory,” Paul Rabinovich, March 14, 2022)
We believe that the advent of AD TDR and ITDR indicates that identities deserve the same level of management and control that organizations have applied to their hosts, networks, systems and software, if not more. This matters more than ever now that identities have become the predominant attack vector. As in every other area of IT risk, identity risk should be managed with both preventative and detective controls.
Identity is the new Perimeter
Identity has been described as the new perimeter because even if a network, endpoint and all other devices are secured, an attacker only needs access to one privileged account to be able to compromise enterprise resources.
More than a decade of mobile devices, cloud computing, outsourcing and remote work, accelerated further by the COVID-19 pandemic, has eroded the traditional network security perimeter. When employees access third-party services from personal devices and private networks, organizations need to reimagine how to secure access.
Identity is the new Vulnerability
If identity is the new perimeter, then identity is also the new vulnerability.
According to NIST, a vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” That definition describes exactly how threat actors now exploit unmanaged, misconfigured and exposed identities, and identity vulnerabilities have become one of the greatest enterprise risks.
Identity and access management systems are designed to enforce the principle of least privilege, but they also seek to minimize friction once a user has authenticated. These competing goals make it much harder to detect when a threat actor successfully compromises and uses a valid user’s credentials. Consequently, account takeover (ATO) attacks have become the top attack vector.
Despite the deployment of privileged account management (PAM), multi-factor authentication (MFA), and other identity and access management (IAM) solutions to protect identities from being exploited by threat actors, research from Illusive reveals that exploitable identity risks are present on 1 in 6 enterprise endpoints.
Threat actors use numerous techniques to obtain account credentials, frequently with open source attack tools. Operating under a compromised identity lets them hide their activity among legitimate use and move more quickly through the stages of the attack to its final action.
Ransomware attacks typically establish initial access with credentials stolen in a phishing attack or purchased on the dark web. Attackers then use tools such as Mimikatz to dump credentials from memory and escalate privileges. According to Enterprise Strategy Group, theft of credentials from system memory is the most common identity technique used in attacks.
Three Types of Identity Vulnerabilities
Illusive’s research has revealed that exploitable identity risks are present in every organization, at a rate of 1 in 6 endpoints. The causes fall into three categories: unmanaged, misconfigured, and exposed identities. Examples include:
Unmanaged identities:
- Service Accounts – Machine identities go unmanaged by PAM because they were not discovered during implementation, or because not all applications are compatible with PAM, such as legacy applications for which modernization is cost-prohibitive.
- Local Admins – Local admin privileges facilitate a variety of IT support requests, but often go undiscovered or forgotten after their creation, leaving them unmanaged.
- Privileged Accounts – Many other privileged accounts go unmanaged by PAM or MFA solutions because they were not discovered during deployment.
Misconfigured identities:
- Shadow Admins – The complexity of nested group membership makes it extremely difficult to see the complete rights and entitlements of every identity, so accounts end up with unintended excessive privileges.
- Weak Encryption and Passwords – Identities configured with weak or missing encryption, or that are not subject to a strong password policy.
- Service Accounts – Machine identities with privileged access rights that are misconfigured to allow interactive logon by humans.
Exposed identities:
- Cached Credentials – Account and credential material stored in endpoint memory, the registry and on disk, where commonly used attacker tools harvest it easily.
- Cloud Access Tokens – Cloud access tokens stored on endpoints are a common means for attackers to gain access to cloud assets.
- Open RDP Sessions – Remote sessions that are disconnected rather than logged off stay alive, enabling an attacker who reaches the host to hijack the session and its privileges, largely without risk of detection.
Any given identity can be vulnerable in several ways at once, across all three categories, and such identities typically expose the organization to the greatest identity risk.
For instance, a single identity can be misconfigured with unintended shadow admin rights. Because nobody in IT knows it holds those rights, the extra protections normally applied to accounts at that level (PAM, MFA, etc.) are never triggered, so it also goes unmanaged. The same identity can then be used in ways that leave its credential exposed, for example cached on an endpoint.
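Two of the misconfiguration findings above, shadow admins hidden behind nested groups and accounts with weak encryption or password settings, can be checked mechanically. The Python script below is an added example written for this article, not Illusive's code. It runs against a constructed, in-memory snapshot of group memberships and userAccountControl values (the group and account names are made up), resolves nested membership into effective privileged access, decodes the documented userAccountControl bits that weaken credentials, and reports each account's findings together, so an identity that is vulnerable in several ways, as the paragraph above describes, shows up as such. In a real deployment the snapshot would be pulled from LDAP rather than typed in.

```python
"""Identity posture checks over a constructed Active Directory snapshot.
Added example for this article, not Illusive's code. In a real run the
snapshot would be pulled from LDAP and the findings fed to PAM/MFA onboarding."""
from collections import deque

# Documented userAccountControl bits that weaken an account's credentials.
PASSWD_NOTREQD = 0x0020              # empty password allowed
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # reversible encryption
DONT_EXPIRE_PASSWORD = 0x10000       # password never rotates
USE_DES_KEY_ONLY = 0x200000          # Kerberos keys limited to DES
DONT_REQ_PREAUTH = 0x400000          # pre-auth off: AS-REP roastable
NORMAL_ACCOUNT = 0x0200
WEAK_UAC_FLAGS = {
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Built-in groups whose membership amounts to domain-wide admin rights.
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")

# Constructed snapshot (made-up names): group -> direct members. Every key
# is a group; a member that is not a key is a user. Tier0-Ops <-> Helpdesk-L3
# is a nesting cycle, which AD allows.
GROUP_MEMBERS = {
    "Administrators": ["Domain Admins"],
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Enterprise Admins": [],
    "Tier0-Ops": ["Helpdesk-L3"],
    "Helpdesk-L3": ["bob", "svc-backup", "Tier0-Ops"],
    "Helpdesk-L1": ["carol"],
}

# Constructed user attributes: userAccountControl and SPNs (an SPN marks
# a service account).
USERS = {
    "alice": {"uac": NORMAL_ACCOUNT, "spn": []},
    "bob": {"uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "spn": []},
    "carol": {"uac": NORMAL_ACCOUNT, "spn": []},
    "svc-backup": {"uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
                   "spn": ["backup/bk01.corp.example"]},
    "svc-legacy": {"uac": NORMAL_ACCOUNT | PASSWD_NOTREQD | USE_DES_KEY_ONLY,
                   "spn": ["legacyapp/app01.corp.example"]},
}


def effective_members(group, group_members):
    """{user: path} for every user reachable from `group` through nesting;
    `path` is the chain of groups traversed. `seen` stops nesting cycles."""
    paths, seen = {}, {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in group_members.get(current, []):
            if member in group_members:          # nested group
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:            # user: keep first path found
                paths[member] = path
    return paths


def find_shadow_admins(group_members, privileged_groups):
    """Users holding privileged-group rights only through nesting: the
    accounts that escape PAM/MFA onboarding because no one sees them."""
    direct = {u for g in privileged_groups
              for u in group_members.get(g, []) if u not in group_members}
    shadow = {}
    for group in privileged_groups:
        for user, path in effective_members(group, group_members).items():
            if user not in direct and user not in shadow:
                shadow[user] = path
    return shadow


def weak_uac_findings(users):
    """Map each user to the weak userAccountControl flags set on it."""
    findings = {}
    for name, attrs in users.items():
        flags = [label for bit, label in WEAK_UAC_FLAGS.items() if attrs["uac"] & bit]
        if flags:
            findings[name] = flags
    return findings


def identity_risk_report(group_members, users, privileged_groups):
    """Merge both checks so an account vulnerable in several ways is
    reported once with all of its findings."""
    report = {}
    for user, path in find_shadow_admins(group_members, privileged_groups).items():
        report.setdefault(user, []).append("shadow admin via " + " -> ".join(path))
    for user, flags in weak_uac_findings(users).items():
        report.setdefault(user, []).append("weak UAC flags: " + ", ".join(flags))
    for user in report:
        if users.get(user, {}).get("spn"):
            report[user].append("service account (has SPN): confirm PAM coverage")
    return report


if __name__ == "__main__":
    for user, findings in sorted(identity_risk_report(GROUP_MEMBERS, USERS, PRIVILEGED_GROUPS).items()):
        print(user + ": " + "; ".join(findings))
```

In the constructed data, `alice` is a direct Domain Admin and is not reported, while `bob` and `svc-backup` reach Domain Admins only through Tier0-Ops and Helpdesk-L3 and are the shadow admins. `svc-backup` is the "vulnerable in several ways" case: shadow admin, password never expires, Kerberos pre-authentication disabled, and a service account that may sit outside PAM. Of the flags, `DONT_REQ_PREAUTH` and `USE_DES_KEY_ONLY` deserve first attention, since they directly weaken the account's Kerberos credentials.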
You Cannot Protect What You Do Not Know Exists
Managing identity risk requires continuous visibility into the organization’s identity posture from a threat perspective. IT best practice today includes asset discovery and vulnerability management to continuously track and measure risk around assets and systems, but it does not include continuous discovery of identity risk.
This lack of visibility has left identities increasingly vulnerable and is largely why attackers and red teams have shifted their tactics and techniques toward exploiting them. Unfortunately, achieving this visibility has depended on costly, manual, time-consuming processes for IT and security teams, and those processes have provided only a limited view of an organization’s identity vulnerabilities.
What is a Complete Identity Threat Detection and Response (ITDR) System?
Complete ITDR solutions should include preventative capabilities that discover and remediate gaps in an organization’s identity posture to prevent identity exploitation, as well as detective capabilities that accurately alert on indicators of compromise as they are occurring.
ITDR Preventative Controls
ITDR preventative controls discover and remediate identity vulnerabilities before threat actors attempt to exploit them.
Much like traditional vulnerability and risk management programs, the discovery capabilities of ITDR enable organizations to inventory the risks of their identity “assets.” The most effective ITDR solutions deliver automated, continuous, and comprehensive identity discovery that includes visibility into unmanaged, misconfigured and exposed privileged accounts.
This visibility enables effective IT and infosec decision-making to mitigate these risks across the large, multi-phased deployments of disparate identity management systems (IGA, PAM, MFA, SSO and others). Continuous scanning for issues is a prerequisite for managing any complex system effectively, and identity management is no exception.
ITDR Detective Controls
ITDR detective controls alert the moment there is an indication that a threat actor or insider is attempting to compromise, or to use, an identity in a way that creates risk for the organization. Detective controls mitigate the risks that cannot be prevented, so that the right team members are alerted and can respond quickly in the event of an attack.
The accurate detection of identity threats before an attack is completed has proven to be difficult to achieve for a number of reasons:
- Less time to detect attacks: Attacker dwell times for many attack types, such as ransomware, have dropped from months to days. By focusing on compromising identities, attackers move much more quickly through discovery, lateral movement and collection to the completion of their attack.
- Reduced effectiveness of existing security controls: As attackers have shifted to exploiting identities as their primary target, they have all but abandoned many earlier techniques, leaving the tooling built to catch those techniques with little to detect. Attackers have also repeatedly demonstrated that once they escalate privileges they can disable the security controls, including endpoint agents, intended to detect them.
- Difficulty separating malicious from legitimate privileged activity: Signature- and behavior-based analysis of privileged users has proven ineffective at accurately detecting malicious privilege escalation and lateral movement, as the continued rise in successful attacks shows. Privileged admin accounts have no consistent pattern of acceptable behavior (what data scientists call high entropy), which makes it hard to build the baselines needed to keep false positives and false negatives low.
As such, more accurate detection of compromised privileged accounts is needed. Deception and its deterministic approach of planting deceptive content to lure attackers, offers a viable and proven alternative to behavioral analytics for accurately detecting privilege escalation and lateral movement. When implemented well, this approach plants lures that ONLY an attacker would interact with, based on the understanding of the attacker’s techniques and tooling and leaves no clues for the attacker to believe they are being trapped (such as a service or agent running on the host).
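The deterministic detection this section describes, and the misconfigured service account from the list of identity vulnerabilities earlier on the page, can both be expressed as simple rules over Windows Security events. The Python below is an added example for this article, not Illusive's product logic. It runs over a handful of constructed JSON-lines events (not real telemetry; the account names, IP addresses and timestamps are made up) and flags two things: a known service account logging on interactively (logon type 2 at the console or 10 over RDP), and any authentication activity, successful or not, that names a planted decoy account. In production the events would come from your SIEM or log pipeline, and the account sets from your PAM inventory and deception platform.

```python
"""Detection rules over constructed Windows Security events.
Added example for this article, not Illusive's code. The events below are
constructed in a JSON-lines shape similar to a SIEM export."""
import json

# Accounts known to be service accounts (in practice: anything with an SPN,
# or whatever the PAM inventory says). They should log on over the network
# (type 3) or as a service (type 5), never interactively.
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}

# Decoy accounts planted as lures. Nothing legitimate ever uses them, so any
# authentication activity naming one is an attacker (or a misfired red team).
DECOY_ACCOUNTS = {"adm-dbbackup"}

INTERACTIVE_LOGON_TYPES = {2, 10}                # 2 = console, 10 = RDP
AUTH_EVENT_IDS = {4624, 4625, 4768, 4769, 4771}  # logon ok/fail, TGT, TGS, pre-auth fail

# Constructed sample events (made-up accounts, addresses and times).
SAMPLE_EVENTS = """\
{"TimeCreated": "2022-05-02T08:01:10Z", "EventID": 4624, "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.0.0.5"}
{"TimeCreated": "2022-05-02T08:05:42Z", "EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 3, "IpAddress": "10.0.0.20"}
{"TimeCreated": "2022-05-02T08:17:03Z", "EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 10, "IpAddress": "10.0.0.77"}
{"TimeCreated": "2022-05-02T08:18:29Z", "EventID": 4768, "TargetUserName": "adm-dbbackup", "IpAddress": "10.0.0.77"}
{"TimeCreated": "2022-05-02T08:18:31Z", "EventID": 4625, "TargetUserName": "adm-dbbackup", "LogonType": 3, "IpAddress": "10.0.0.77"}
{"TimeCreated": "2022-05-02T08:30:00Z", "EventID": 4624, "TargetUserName": "carol", "LogonType": 2, "IpAddress": "-"}
"""


def parse_events(text):
    """Yield one event dict per non-empty JSON line; skip malformed lines
    instead of aborting the whole batch."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def service_account_interactive_logon(event):
    """Misconfigured service account in use: a machine identity logging on
    at a console or over RDP is either an admin misusing it or an attacker
    who has stolen its credential."""
    if event.get("EventID") != 4624:
        return None
    account = event.get("TargetUserName", "").lower()
    if account in SERVICE_ACCOUNTS and event.get("LogonType") in INTERACTIVE_LOGON_TYPES:
        return {"rule": "service_account_interactive_logon", "severity": "high",
                "account": account, "source": event.get("IpAddress"),
                "detail": f"logon type {event['LogonType']}"}
    return None


def decoy_account_activity(event):
    """Deception rule: any authentication event naming a decoy account.
    Kerberos events (4768/4769/4771) carry no LogonType, so this keys only
    on the account name and event ID."""
    account = event.get("TargetUserName", "").lower()
    if event.get("EventID") in AUTH_EVENT_IDS and account in DECOY_ACCOUNTS:
        return {"rule": "decoy_account_activity", "severity": "critical",
                "account": account, "source": event.get("IpAddress"),
                "detail": f"event {event['EventID']}"}
    return None


RULES = (service_account_interactive_logon, decoy_account_activity)


def run_detections(text):
    """Apply every rule to every event and return the alerts in log order."""
    alerts = []
    for event in parse_events(text):
        for rule in RULES:
            alert = rule(event)
            if alert:
                alert["time"] = event.get("TimeCreated")
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"{alert['time']} [{alert['severity']}] {alert['rule']}: "
              f"{alert['account']} from {alert['source']} ({alert['detail']})")
```

The decoy rule needs no baseline: because the account has no legitimate use, a single 4768 or 4625 naming it is enough, which is what keeps deception far less noisy than behavioral analytics on real admin accounts. The service-account rule only fires on a 4624 with an interactive logon type; the account's normal network and service logons pass untouched. In the sample, all three alerts come from the same source address, which is the kind of correlation a responder would pivot on next.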
Learn More About Illusive’s Complete ITDR Solution
Illusive’s products include:
- Illusive Spotlight™ is a preventative control that continuously discovers and remediates identity vulnerabilities ahead of their exploitation, providing a cost-effective way to reduce identity risk and to reduce the burden, dependency and cost of detecting identity threats at runtime, when it is often too late.
- Illusive Shadow™ is a detective control that uses deception techniques to detect privilege escalation, account takeover and lateral movement by threat actors more accurately, as they occur.
** Gartner press release, “Gartner Identifies Top Security and Risk Management Trends for 2022,” March 7, 2022.
* Gartner, “Implement IAM Best Practices for Your Active Directory,” Paul Rabinovich, March 14, 2022.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.