Thiago N. Felippe, CEO of Aiqon, tells us how Identity Threat Detection and Response (ITDR) can help limit the threats posed by identity theft.
In the age of cloud computing and full remote access, identity is the ultimate perimeter. Gone is the locally configured perimeter – for example, the network of an organization’s headquarters.
In a hyper-distributed world, it is the user’s identity that determines the reach and depth of access the employee will have to the company’s critical applications and data.
The new perimeter needs protection against cyberattacks. Attackers aim to steal the user’s identity in order to carry out increasingly profitable crimes in possession of access rights. This is done through leaked credentials, overprivileged users and gaps in visibility over the cloud.
It’s arguable that the compromise and misuse of identities is central to almost every cyberattack. A 2022 Gartner study indicates that stolen credentials are behind 61% of all data breaches that occur in the US.
There are reasons for this: according to the 2023 Identity Breach Report, attackers target personal information tied to the user’s identity. In 2022, 72% of leaks in the US contained dates of birth and Social Security numbers (SSNs), a 20% increase from 2021.
This data, along with other leaked credentials, is used by malicious bots to try to gain access to critical data – a treasure trove that generates wealth for attackers.
The report on identity breaches demonstrates that unauthorized access remains the top attack vector, accounting for 49% of all data breaches.
Interdependence between identity theft and data leaks
Identity theft is an ever more frequent presence in the digital journeys of organizations. A 2022 survey sponsored by the Identity Defined Security Alliance (IDSA) found that 79% of respondents had experienced an identity-related breach in the past two years, and that 99% of respondents believed that identity-related breaches could have been prevented if the company had a different security posture around that asset.
This is where a new concept created by Gartner comes in: Identity Threat Detection and Response (ITDR) describes the security discipline that protects the identity infrastructure. It’s an approach that encompasses threat intelligence, best practices, a knowledge base, tools and processes to secure identity systems.
ITDR works by implementing detection mechanisms, investigating posture changes and suspicious activity, and responding to attacks to restore the integrity of the identity infrastructure. This discipline can be implemented with the help of ITDR solutions that perform these actions in an automated way, in a distributed environment, in the cloud.
Microsoft Active Directory and Azure AD are identity stores
This concept was introduced two years ago and is now being widely used to describe a discipline and solutions that protect identity systems such as Microsoft’s Active Directory (AD) and Azure AD.
These directories receive records of the identity of each user, releasing and blocking access according to the position of the person and the work that has to be performed by this professional. A cybercriminal who gains access to AD or Azure AD – among other identity stores – can use legitimate data to perform illegitimate actions.
The ITDR approach therefore protects the identity infrastructure. And because it’s the central identity warehouse for 90% of organizations worldwide, Active Directory (AD) is one of the biggest targets for cybercriminals (Gartner data).
Widely used in Brazil as well, AD is often a resource with thousands of legacy identities with vulnerabilities that are not always easy to protect against. This explains why AD is routinely compromised in cyber incidents, including the Colonial Pipeline attack and the SolarWinds hack in 2021 and 2022.
The consultancy Mandiant points out that AD was involved in nine out of 10 attacks it investigated in 2021.
Threat actors can use AD to escalate their access privileges, evade defensive measures, and perform persistence techniques, among other tactics. AD has become a popular target for attackers because it is so essential.
A recent survey revealed that 80% of respondents use a hybrid of AD and Azure AD, and 16% use on-premises AD as their primary data warehouse. Only 4% of the organizations participating in the poll don’t use AD or Azure AD. And 77% of respondents indicated that they would suffer a severe or catastrophic impact if AD went down.
All of this makes AD and Azure AD critical battlefronts in 2024. The CISO who examines the value that the ITDR discipline adds to this context may gain unprecedented resilience on this point.
Steps leading up to the leap toward identity protection
This type of result, however, requires maturity from the user company. Identity threat detection and response refers to protecting credentials, privileges, rights, and the systems and policies that manage them. Alignment with the ITDR discipline depends on some steps having been fulfilled before making the leap towards best practices in ITDR.
In the identity threat detection arm of ITDR, Identity and Access Management (IAM) policies and procedures are critical. It is the IAM platform that will require, for example, MFA, PAM and profile-based access controls before releasing access.
Stepping into ITDR can leverage IAM intelligence by detecting misconfigurations or overly broad permissions in AD accounts, making IAM enforcement more effective.
ITDR also helps organizations review and update firewalls, intrusion detection and prevention systems, and other devices. ITDR can also increase the accuracy of anti-phishing, anti-virus, anti-malware and other security applications.
Another gain brought by ITDR is the continuous monitoring of user accounts for suspicious activity. Organizations that already have a SIEM (Security Information and Event Management) platform will see it feed suspicious-action alerts into the ITDR, which places them in a 360º view that goes far beyond the original SIEM environment.
From there, ITDR can trigger a process to automatically and temporarily revoke credentials until a human studies the alert.
In the ‘response’ arm, against attempted identity breaches, ITDR also shows its strength. Organizations that seek to align with this discipline and rely on intelligence to map threats and automate responses can readily put into action a new incident response plan focused on tackling criminal activities such as ATO (Account Takeover).
The vision brought by ITDR helps the incident response plan automate actions to deal with stolen credentials, account takeover and privilege escalation.
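The detection-to-response loop described above (flag a suspicious sign-in pattern on a user account, then temporarily revoke access until an analyst reviews the alert) as a small worked example. This is added illustration code, not code from the author or from any ITDR product; the sign-in events, field names and threshold are constructed for the example, and the `respond` function only records the containment action instead of calling a real IAM API.

```python
"""Toy ITDR loop: detect an account-takeover pattern in sign-in events and
queue a temporary credential revocation pending analyst review."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed format, not from a real system).
EVENTS = [
    "2024-03-01T08:00:01Z user=alice result=FAIL src=203.0.113.7",
    "2024-03-01T08:00:03Z user=alice result=FAIL src=203.0.113.7",
    "2024-03-01T08:00:05Z user=alice result=FAIL src=203.0.113.7",
    "2024-03-01T08:00:07Z user=alice result=FAIL src=203.0.113.7",
    "2024-03-01T08:00:09Z user=alice result=FAIL src=203.0.113.7",
    "2024-03-01T08:00:12Z user=alice result=SUCCESS src=203.0.113.7",
    "2024-03-01T08:01:00Z user=bob result=FAIL src=198.51.100.4",
    "2024-03-01T08:01:30Z user=bob result=SUCCESS src=198.51.100.4",
]

FAIL_THRESHOLD = 5            # failures before a success looks like stuffing
WINDOW = timedelta(minutes=10)  # failures older than this are not counted


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_takeover(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert when a success follows >= threshold failures from the same
    source for the same user inside the window (ATO / stuffing pattern)."""
    fails = defaultdict(list)  # (user, src) -> timestamps of failed logins
    alerts = []
    for ev in map(parse_event, lines):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fails[key].append(ev["ts"])
        elif ev["result"] == "SUCCESS":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures": len(recent), "at": ev["ts"]})
            fails[key].clear()  # a success resets the counter for this pair
    return alerts


def respond(alerts):
    """Containment step: temporarily disable the account and hand the alert
    to an analyst. A real deployment would call the IAM/directory API here."""
    return [{"user": a["user"], "action": "temporary_disable",
             "status": "pending_analyst_review",
             "reason": f"{a['failures']} failures then success from {a['src']}"}
            for a in alerts]
```

Run `respond(detect_takeover(EVENTS))` to see that only `alice` is flagged; `bob`'s single failure before a success stays below the threshold.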
People and processes
As with everything related to cybersecurity, however, it is essential to invest in processes and people for ITDR to show its full strength.
It is necessary to reinvent processes and build knowledge bases that tie digital security policies to the support of the business. And, finally, to carry out training and awareness actions for employees so that the protection of identity begins with the individual.
In 2024, user identity is one of the most valuable digital assets for businesses, and for cybercriminals. Advancing the protection of this treasure is critical to sustaining Brazil’s digital economy.