Understanding Identity Threat Detection and Response

ITDR is the discipline that combines threat intelligence, identity best practices, and tools and processes to protect identity systems.

One of the largest data breaches of 2024 didn’t require advanced tactics, techniques, and procedures (TTPs), or an escalating chain of successful attacks. It simply required purchasing credentials on the dark web and using them to log in and steal data, once again highlighting the vital need for robust, proactive protection against the growing surge of identity-based attacks.

Threat actors accessed at least 165 organizations through their Snowflake instances, using credentials that infostealer malware had harvested from infected devices. Snowflake, an American cloud-based data storage company, was not itself found to have been breached. Rather, the threat actors used the compromised credentials to log into each organization’s Snowflake instance individually (in many cases the affected accounts had no MFA enforced, so a password alone was enough), allowing them to view and exfiltrate data from a treasure trove of global organizations, alleged to include AT&T, Santander Bank, and Live Nation/Ticketmaster.

And this attack, while massive, is far from an outlier. Many incidents could have been stopped with proper password hygiene, better identity security, and the implementation of real-time monitoring through identity threat detection and response (ITDR).

When it comes to modern systems and networks, identities are the new perimeter. Hybrid work, cloud computing, and rapid digitalization across industries have made premises-based defenses insufficient on their own, and it is now a user’s identity that increasingly determines what a network does and how secure it is.

It’s no surprise, then, that as digital identities and credentials become increasingly valuable to cybercriminals, who need those usernames, passwords, and email addresses to break into networks and launch attacks, both security professionals and threat actors have their sights set on identity.

What Are Identity Threats?

Identity threats are any cyber threat to a specific user’s identity or your organization’s identity infrastructure, which consists of the technologies and processes that help your organization manage the digital identities of every user and device.

These infrastructures are a rich target because a threat actor who can impersonate a known user can not only gain initial access to your environment but also move laterally, escalate privileges, and launch devastating attacks from the inside, all while evading detection. On average, breaches that leverage valid credentials take longer to detect and cause more damage. According to IBM’s 2024 Cost of a Data Breach report, it takes an average of 229 days to detect an attack based on stolen, valid credentials, longer than any other type of breach.

In the MITRE ATT&CK framework, Valid Accounts (T1078) is listed under four tactics: Initial Access, Persistence, Privilege Escalation, and Defense Evasion. At some point, then, threat actors need credentials to conduct attacks, and evidence shows they are adept at obtaining them. According to Verizon’s 2024 Data Breach Investigations Report, the use of stolen credentials is the most common action threat actors take.

These numbers show that identity-based attacks are a serious and growing threat.

Common identity-based threats include:

  • A threat actor utilizing previously stolen credentials for a stage of an attack
  • A threat actor using phishing or spear phishing tactics to gain credentials and access
  • A threat actor buying credentials from an initial access broker
  • A threat actor exploiting a vulnerability or using another method to hack into an organization’s identity infrastructure — such as Microsoft Active Directory — to gain credentials or change access rules.

These threats can occur at multiple stages of an attack, though credentials are most commonly abused for initial access, which makes identity controls the first line of defense against a cyber attack.

In addition, these threats are multifaceted, because they can originate in different ways: social engineering can trick an unsuspecting user into handing over access, already-stolen credentials can be bought on the dark web, or an organization’s identity infrastructure, such as Active Directory, can be attacked directly. Traditionally, each of these avenues required, and in some ways still requires, a different line of defense.

But as organizations adapt to threats that target individual users rather than the network perimeter, a new strategy has emerged to help monitor and respond to identity threats: identity threat detection and response (ITDR).

What Is Identity Threat Detection and Response (ITDR)?

Identity threat detection and response (ITDR) is a discipline that combines threat intelligence, identity best practices, and tools and processes to protect identity systems.

The term was first coined by Gartner® in its 2022 “Top Security and Risk Management Trends” report. The analyst firm defines ITDR as “the collection of tools and best practices to defend identity systems.” ITDR can be both a strategy, such as the implementation of certain access controls, and tool-based, such as the use of privileged access management (PAM) or managed detection and response (MDR).

As its name suggests, ITDR is related to established detection and response tools and solutions, such as EDR, XDR, and MDR. The KuppingerCole Identity Threat Detection and Response (ITDR) 2024: IAM Meets the SOC report makes note of the emerging nature of the market by stating that, “ITDR is not really a standalone product – it’s more of an activity that requires a Platform,” and that today, “few products are currently sold purely as ITDR solutions.” The report goes on to note that the ITDR market “hasn’t yet coalesced around a well-defined set of features.”

While the exact features of the category are not fully defined, there are core capabilities required of an ITDR solution, whether or not it carries the name ITDR. ITDR is achieved by implementing detection mechanisms (such as 24×7 monitoring of identity sources), investigating suspicious identity behavior (such as unusual logins or rule changes), and responding to incidents swiftly and comprehensively (such as deactivating a user account or isolating an endpoint). The discipline works in both proactive and reactive ways, because monitoring and response occur in parallel.

In addition to essential detection and response capabilities, an ITDR implementation should, at minimum, include:

  • Analyzing current permission and identity configurations
  • Implementing multi-factor authentication (MFA) across the network
  • Deploying privileged access management (PAM) to prevent unauthorized privileged access
  • Hardening and monitoring of Active Directory
  • Consistently performing security gap analysis and remediation

Identity is involved in 39% of non-BEC incidents

How Does ITDR Fit into Identity and Access Management (IAM)?

ITDR is part of a robust identity and access management (IAM) program. IAM controls who can access what: it limits lateral movement and prevents access creep. But it does not detect or respond to the misuse of access it has legitimately granted, so it does not by itself reduce identity-based attacks. IAM is one piece of the identity puzzle, and ITDR is another.

In addition, IAM, like PAM, is primarily preventive, whereas ITDR is both proactive and reactive. It has more in common with other detection and response strategies such as managed detection and response (MDR), including 24×7 monitoring and alerting on specific behavior patterns.

How Does ITDR Fit into MDR?

While it is provider dependent, some MDR solutions now include identity sources in their monitoring and detection coverage. This means an organization gains 24×7 monitoring of its identity infrastructure, with the same detection and response capabilities, and the same security experts, it already relies on for its endpoint, network, and other sources. This helps mitigate threats while helping an organization understand its own infrastructure and security gaps, so it can harden its attack surface and improve its security posture.

How Does ITDR Fit into EDR?

Endpoint detection and response (EDR) records critical activity on endpoints, such as process executions, command-line activity, running services, network connections, and file manipulation, to observe behaviors and flag those that fall outside the norm. However, it does not cover other parts of a modern environment, such as cloud, software-as-a-service (SaaS), or identity. EDR is a crucial part of holistic, proactive security operations, but as threat actors continue to target identity infrastructure with account compromise tactics such as credential stuffing, the ability to swiftly contain and mitigate identity risks at scale is critical to defending data assets and protecting users. ITDR capabilities are as necessary to holistic security operations as EDR, but the two perform very different functions.

The Benefits of ITDR in Reducing Identity Risks

It may seem paradoxical, but by implementing IAM an organization expands its attack surface: suddenly there are more identities, more users, and more MFA login points for threat actors to target with MFA fatigue attacks. ITDR secures this expanded attack surface by deploying identity monitoring, detection, and response, allowing organizations to stop identity threats before a cybercriminal can turn a stolen credential into a full attack.

For example, say a threat actor buys a stolen credential from an initial access broker, as in the breach described above. They try to use it and are met with MFA. They attempt an MFA fatigue attack, but the burst of push requests alerts the security team that something is wrong with this account. Or say the threat actor gains access with this credential but enters a U.S.-based company’s environment at 2 a.m. from Eastern Europe. ITDR monitoring that ingests telemetry from identity sources would flag that as suspicious and respond by investigating and, ultimately, locking down the account before the attacker can make further moves.
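The two scenarios above, and the detect-investigate-respond loop described earlier, can be made concrete with a small detection pass over identity logs. The following is an added example written for this article; it is not Arctic Wolf's code or any product's logic. It assumes identity events have already been geo-enriched (a real pipeline would resolve IP to location first), the event records and IP addresses are constructed sample data, and the thresholds (five push prompts in ten minutes, 900 km/h as the fastest plausible travel speed) are illustrative, not vendor defaults.

```python
"""Toy ITDR detections over constructed identity logs: MFA fatigue and impossible travel."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class IdentityEvent:
    ts: datetime
    user: str
    action: str      # "mfa_push", "mfa_deny" or "login_ok"
    ip: str
    country: str
    lat: float       # assumed pre-resolved from the source IP
    lon: float


def _ev(hhmm, user, action, ip, country, lat, lon):
    """Build a constructed sample event on 2024-06-01 UTC."""
    h, m = map(int, hhmm.split(":"))
    return IdentityEvent(datetime(2024, 6, 1, h, m, tzinfo=timezone.utc),
                         user, action, ip, country, lat, lon)


# Constructed sample log (TEST-NET addresses, invented users and coordinates).
EVENTS = []
# j.doe: six push prompts in four minutes, each denied by the user (MFA fatigue pattern).
for minute in ("01:40", "01:41", "01:42", "01:43", "01:43", "01:44"):
    EVENTS.append(_ev(minute, "j.doe", "mfa_push", "203.0.113.9", "RO", 44.43, 26.10))
    EVENTS.append(_ev(minute, "j.doe", "mfa_deny", "203.0.113.9", "RO", 44.43, 26.10))
EVENTS += [
    # a.lee: login from New York, then a login from Bucharest twelve minutes later.
    _ev("01:58", "a.lee", "login_ok", "198.51.100.23", "US", 40.71, -74.01),
    _ev("02:10", "a.lee", "login_ok", "203.0.113.40", "RO", 44.43, 26.10),
    # k.park: Chicago then New York three hours apart, plausible by plane; one normal prompt.
    _ev("09:00", "k.park", "login_ok", "198.51.100.7", "US", 41.88, -87.63),
    _ev("12:00", "k.park", "mfa_push", "198.51.100.8", "US", 40.71, -74.01),
    _ev("12:00", "k.park", "login_ok", "198.51.100.8", "US", 40.71, -74.01),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: peak prompt count} for users who got >= threshold pushes inside one window."""
    recent = {}   # user -> timestamps of pushes still inside the window
    peak = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.action != "mfa_push":
            continue
        kept = [t for t in recent.get(e.user, []) if e.ts - t <= window] + [e.ts]
        recent[e.user] = kept
        if len(kept) >= threshold:
            peak[e.user] = max(peak.get(e.user, 0), len(kept))
    return peak


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Return (user, from_country, to_country, speed_kmh) for consecutive successful logins
    whose implied travel speed exceeds max_speed_kmh."""
    last = {}
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.action != "login_ok":
            continue
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            # Same place at the same instant is not travel; different place at the same instant is.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((e.user, prev.country, e.country, round(speed)))
        last[e.user] = e
    return alerts


def accounts_to_disable(events):
    """Response step: accounts to disable pending investigation, from both detections."""
    flagged = set(detect_mfa_fatigue(events))
    flagged |= {user for user, *_ in detect_impossible_travel(events)}
    return sorted(flagged)


if __name__ == "__main__":
    print("MFA fatigue:", detect_mfa_fatigue(EVENTS))
    print("Impossible travel:", detect_impossible_travel(EVENTS))
    print("Disable:", accounts_to_disable(EVENTS))
```

Both detectors deliberately ignore failed logins and the user's own denials: the fatigue signal is the volume of prompts an attacker can generate with a valid password, and the travel signal is two successes that cannot both be the same person. In production the same logic would consume Okta, Entra ID or Active Directory sign-in telemetry, and the disable action would go through the identity provider's API rather than returning a list.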

Adding that extra layer to your organization’s identity security can make a major difference when an incident occurs.

ITDR and Arctic Wolf

Arctic Wolf, as a security operations platform, takes a holistic approach to identity, offering customers 24×7 monitoring and the assistance of our Security Teams, and working with organizations to implement ITDR strategies such as hardening Active Directory or expanding their MFA coverage.

Additionally, the Arctic Wolf Aurora Platform includes essential capabilities to provide proactive ITDR protection, including:

  • Active Response for Identity: Narrows the detection gap for threats in identity infrastructure, leveraging response actions to quickly disable impacted user accounts, revoking access to potentially sensitive information or systems and reducing risk for organizations.
  • Microsoft Defender for Identity Integration: Protects user identities and reduces attack surfaces, increasing visibility into identity infrastructure for earlier detection of identity-based attacks, including business email compromise (BEC).
  • Okta Impossible Travel Detection: Expanded detection capabilities for our Okta integration enhance cross-attack surface coverage with detection of compromised accounts using indicators of compromise (IOC) based on velocity alerts from Okta.

Discover the ways our experts predict threat actors will attempt to exploit weaknesses in identity in the Arctic Wolf Labs 2025 Predictions Report. Learn how we provide proactive protection for identity infrastructure with real-time detection and response for identity-based attacks.
