When it comes to modern systems and networks, identities are the new perimeter. Long gone are the days of singular office-bound systems with a set server room and endpoints that stayed on desks. With the rise of hybrid work models, cloud computing, and rapid digitisation in industries like healthcare and manufacturing, it’s a user’s identity that holds increasing power over a network’s function and security.
It’s no surprise then, that digital identities, and credentials, have become increasingly valuable to cybercriminals who need those usernames, passwords, and emails to hack into networks and launch attacks. In 2023, 39% of non-BEC incidents investigated by Arctic Wolf involved an attacker using credentials to log into an exposed application, and 20% of identity-based observations by Arctic Wolf® Managed Detection and Response (MDR) led to ticketed incidents.
As it tends to go in the world of cybersecurity — as technology advances, so do threats that seek to exploit that technology. And right now, both security professionals and threat actors have their sights set on identity.
What are Identity Threats?
Identity threats are any cyber threat to a specific user’s identities or your organisation’s identity infrastructure, which consists of the technologies and processes that help your organisation manage the digital identities of every user and device.
These infrastructures are a rich target for threat actors because, if a threat actor can impersonate a known user, not only they get a key to the kingdom, but they can also move laterally, elevate privilege, and even “mint their own keys” to while evading detection. On average, security breaches that leverage valid credentials take longer to detect and inflict bigger damage.
If we look at the MITRE ATT&CK framework, utilising valid accounts is a technique that appears in every stage of the kill chain, meaning at least at some point, threat actors need credentials to conduct attacks — and evidence shows they’re adept at gaining those credentials. According to Verizon, 40% of breaches in 2023 involved credential misuse and 76% of social engineering attacks resulted in compromised credentials. In addition, according to Identity Defined Security Alliance, 90% of organisations have experienced at least one identity breach in the past 12 months.
These numbers show that this threat is a serious one that can affect organisations of different sizes and industries.
Common identity-based threats include:
- A threat actor utilising previously stolen credentials for a stage of an attack
- A threat actor using phishing or spear phishing tactics to gain credentials and access
- A threat actor buying credentials from an initial access broker
- A threat actor exploiting a vulnerability or using another method to hack into an organisation’s identity infrastructure — such as Microsoft Active Directory — to gain credentials or change access rules.
These kinds of threats can occur at multiple stages of attack, though credentials are commonly used for initial access, which makes them the first line of defense against a cyber attack.
In addition, these threats are multi-faceted, as they can originate in different ways. For example, social engineering can be used to gain initial access by tricking an unsuspecting user, the dark web can be used to buy already stolen credentials, or an organisation’s identity infrastructure, like Active Directory, can be attacked. Traditionally, each of these avenues would, and in some ways still do, require different avenues of defense.
But, as organisations adapt to these new threats that focus on individual users in place of a traditional firewall, a new strategy has emerged to help monitor and respond to identity threats — identity threat detection and response.
What Is Identity Threat Detection and Response?
Identity Threat Detection and Response (ITDR) is the discipline that combines threat intelligence, identity best practices, and tools and processes to protect identity systems.
The term was first coined by Gartner in their 2022 “Top Security and Risk Management Trends” paper. The analyst organisation defines ITDR as “the collection of tools and best practices to defend identity systems.” ITDR can be both a strategy — such as the implementation of certain access controls — as well as tool-based, like the use of privilege access management or managed detection and response.
ITDR is achieved through implementing detection mechanisms (such as 24×7 monitoring of identity sources), responding to and investigating suspicious identity behavior (such as unusual logins or rule changes), and responding to incidents in a swift, comprehensive manner (such as deactivating a certain user account or isolating an endpoint).
This discipline works in proactive and reactive ways as monitoring and response occur in parallel.
ITDR implementation should, at minimum, include:
- Analysing current permission and identity configurations
- Implementing multi-factor authentication (MFA) across the network
- Deploying privileged access management (PAM) to prevent unauthorized privileged access
- Hardening and monitoring of Active Directory
- Consistently performing security gap analysis and remediation
ITDR and Identity and Access Management
ITDR is part of a robust identity and access management (IAM) program. Whereas IAM can control user access, it doesn’t reduce identity-based attacks or threats. It limits lateral movement and prevents access creep. IAM is one piece of the identity puzzle, and ITDR is another.
In addition, IAM is solely proactive, like PAM, whereas ITDR is both proactive and reactive. It has more in common with other detection and response strategies such as 24×7 monitoring and alerting to specific behavior patterns.
How Does ITDR Reduce Identity Risks?
It may feel paradoxical, but by implementing IAM, an organisation is expanding their attack surface. Suddenly there’s more identities, more users, and more MFA applications for threat actors to launch MFA fatigue attacks on. ITDR adds security to this rapidly expanding attack surface by deploying monitoring, detection, and response, allowing organisations to stop identity threats before a cybercriminal can launch an attack.
For example, say a threat actor bought a stolen credential from an initial access broker. They try to use it and are met with MFA. They try to launch an MFA fatigue attack, but the multiple requests alert the security team that something is off with this user account. Or say the threat actor is able to gain access through this credential but is entering an application at 2 a.m. in eastern Europe. The ITDR monitoring would also pick that up as suspicious and be able to respond by investigating and ultimately locking down the account before moves are made.
Adding that extra layer to your organisation’s identity security can make a major difference when an incident occurs.
ITDR and MDR
While it’s provider dependent, many managed detection and response (MDR) solutions now include identity sources as part of their monitoring and detection capabilities. This means an organisation gains 24×7 monitoring to their identity infrastructure, and the full detection and response capabilities — with named security experts — that they already receive for their endpoint, network, and other sources. This helps mitigate threats while helping an organisation understand their own infrastructure and security gaps, allowing them to harden their attack surface and improve their security posture.
Arctic Wolf, as a security operations platform, takes this holistic approach to identity, offering customers not only 24×7 monitoring and the assistance of our Security Teams, but works with organisations to implement ITDR strategies such as hardening Active Directory or expanding their MFA coverage.
Learn more about the capabilities of an MDR solution with the 2023 Gartner Market Guide for MDR Services.
Explore how a concierge approach to security operations can help your organization both respond to threats and improve your security posture.
