Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is Identity Threat Detection and Response (ITDR)?


Identity Threat Detection and Response Definition

Identity Threat Detection and Response (ITDR) is a security term coined by Gartner to highlight the growing concern of cybercrime targeting identity and access management (IAM) infrastructure. ITDR focuses on detecting and preventing credential and privileged account abuse, and other identity-related threats.

Why is ITDR important?

Cyberattacks against IAM solutions are on the rise, and it looks as though this trend is set to continue. After all, if an adversary is able to compromise an IAM solution they will likely have privileged access to the target network, thus potentially enabling them to cause a lot of damage.

Adversaries will usually try to bypass IAM systems using stolen credentials with privileged access. From there, they will try to move laterally to other systems, stealing sensitive data and/or disrupting systems without being detected. Preventing credential theft is a huge challenge in itself.

According to a report by Verizon, stolen credentials are the cause of 61% of data breaches. This problem has been compounded by the fact that increasingly more organizations are using cloud-based services, which means that the traditional moat/castle approach to securing a network is not as relevant as it once was.

Companies must adopt a different approach, which means that they must focus more on securing identities, and the data they have access to, as opposed to the devices that connect to the network.

How do ITDR Solutions Differ from EDR Solutions?

ITDR and Endpoint Detection & Response (EDR) solutions use similar techniques to prevent unauthorized access, such as real-time 24/7 monitoring, rule-based automated responses, and various analytical tools. However, EDR solutions, as you might expect, are designed to monitor endpoints as opposed to identities. Some ITDR solutions can also use “honeypots” to lure in adversaries with fake data, which the administrator (and/or the solution itself) can act on.

The Three Types of Identity Vulnerabilities

There are three main categories that identity vulnerabilities fall into:

Unmanaged Identities: These include Service Accounts, Local Admins and Privileged Accounts.

Misconfigured Identities: These include Shadow Admins, Service Accounts, weak passwords, and poor encryption practices.

Exposed Identities: These include credentials stored in memory, which adversaries can access using various hacker tools, as well as cloud access tokens and open RDP sessions.

What to Look for in an ITDR Solution

There are many ITDR solutions on the market. Your chosen solution should be able to:

  • Monitor all access to privileged accounts, and how those privileged accounts are used. This includes focusing on how sensitive data is accessed, moved, modified, destroyed, and shared.
  • Detect and alert on identity-related misconfigurations. For example, it is important to identify any misconfigured Active Directory accounts with vulnerable Kerberos tickets that attackers can exploit to brute-force credentials.
  • Establish a baseline of normal user behavior and test against this baseline to identify anomalous activities. For example, if a user logs on to the network during hours that are not typical for that user, an alert can be sent to the administrator, who will investigate the situation.
  • Detect and respond to events that match a pre-defined threshold condition. If an attacker tries to brute-force an account password, for example, they will inevitably fail multiple times in the process. A solution that is capable of threshold alerting will identify the anomalous failed logon attempts and execute a custom script that may disable the account, shut down the affected server, or take any other action that helps to prevent the attack from advancing.
  • Discover and classify sensitive data across all IT environments, as this will make it easier to assign the appropriate access controls and keep track of who has access to what data.
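As an added illustration of the baseline and threshold checks described above (example code written for this article, not Lepide's product or the page's own code), the script below runs two detections over constructed logon events: one flags an account with five or more failed logons inside a one-minute window, the other learns each user's usual logon hours from prior successful logons and flags a successful logon outside them. All timestamps, usernames and the window/threshold values are constructed for the example.

```python
"""Two ITDR-style detections over constructed logon events (example, not vendor code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

# Constructed history of successful logons from earlier weeks, used to learn a baseline.
HISTORY = [
    ("2024-02-26 08:55:00", "alice"), ("2024-02-26 13:10:00", "alice"),
    ("2024-02-27 09:05:00", "alice"), ("2024-02-28 17:40:00", "alice"),
]

# Constructed events for the day under review: (timestamp, user, outcome).
EVENTS = [
    ("2024-03-04 09:02:11", "alice", "success"),
    ("2024-03-04 09:15:40", "alice", "success"),
    ("2024-03-04 23:47:05", "alice", "success"),     # outside alice's usual hours
    ("2024-03-04 10:00:01", "svc_backup", "failure"),
    ("2024-03-04 10:00:03", "svc_backup", "failure"),
    ("2024-03-04 10:00:05", "svc_backup", "failure"),
    ("2024-03-04 10:00:07", "svc_backup", "failure"),
    ("2024-03-04 10:00:09", "svc_backup", "failure"),
    ("2024-03-04 10:20:00", "bob", "failure"),        # a single typo, no alert
]

def learn_baseline(history, slack=1):
    """Return {user: set of hours} seen in prior logons, widened by +/- slack hours."""
    hours = defaultdict(set)
    for ts, user in history:
        h = parse(ts).hour
        hours[user].update(range(max(0, h - slack), min(24, h + slack + 1)))
    return hours

def off_hours_logons(events, baseline):
    """Successful logons whose hour falls outside the user's learned baseline."""
    return [(user, ts) for ts, user, outcome in events
            if outcome == "success" and user in baseline
            and parse(ts).hour not in baseline[user]]

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Accounts whose failed logons reach `threshold` within a sliding `window`."""
    recent, flagged = defaultdict(deque), set()
    for ts, user, outcome in sorted(events):       # ISO timestamps sort chronologically
        if outcome != "failure":
            continue
        t, q = parse(ts), recent[user]
        q.append(t)
        while t - q[0] > window:                   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return flagged

if __name__ == "__main__":
    print("burst:", failed_logon_bursts(EVENTS))
    print("off-hours:", off_hours_logons(EVENTS, learn_baseline(HISTORY)))
```

In a real deployment the response step (disabling the account, notifying the administrator) would be driven by the returned sets; here the functions only return what they flag.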

Most ITDR solutions will aggregate and correlate event data from a broad range of platforms, and display a summary of events via a single dashboard. From there, the administrator can perform searches and generate reports that can be customized to meet the requirements of the relevant data privacy laws. Many ITDR solutions can also integrate with security information and event management (SIEM) and security orchestration, automation and response (SOAR) solutions, and other relevant IT security tools.

How Lepide Helps with Identity Threat Detection and Response

Lepide Data Security Platform combines identity and data security into a single console, giving you visibility into threats across Active Directory / Azure AD and your file stores. With Lepide, you can identify who your privileged users are, see what data they have access to, and determine whether their access levels are appropriate or excessive.

Lepide uses machine learning to determine what normal user behavior looks like for your employees, and can alert you in real time when abnormal or anomalous behavior is identified. Lepide also comes with pre-defined threat models that detect the symptoms of an attack, such as when a threshold condition is met that indicates ransomware (large numbers of file modifications in a short period of time). Automated responses can be triggered whenever a threat is detected, to perform any number of actions, including shutting down the affected user account.

With in-built data classification, Lepide can also give your threat detection and response context, telling you whether sensitive/regulated data is affected by a threat, and giving you the tools to govern access to your most sensitive data.

If you’d like to see how the Lepide Data Security Platform can help with Identity Threat Detection & Response (ITDR), schedule a demo with one of our engineers.