Identity threat detection and response (ITDR) solutions are proactive cybersecurity tools that monitor systems to discover and remediate identity-based threats and vulnerabilities, such as privilege escalation and account misconfigurations.
User identities are a significant part of the enterprise attack surface today, as cybercriminals increasingly prefer to log in rather than hack in. The IBM® X-Force® Threat Intelligence Index reports that identity-based attacks make up 30% of total intrusions. Threat actors use phishing attacks and infostealing malware to harvest credentials, which they then use to take over valid accounts.
ITDR systems can help mitigate these identity-based cyberattacks by monitoring user activity and identity systems across an enterprise network. ITDR tools can detect brute force attacks, credential stuffing, login anomalies and other cyberthreats, and they can automatically respond to stop attackers from accessing sensitive data and systems.
An ITDR system continuously monitors an enterprise network for anomalous or suspicious activity connected to user identities. When an ITDR solution detects potentially malicious behavior, it alerts the security team and triggers an automated response, such as immediately blocking account access to sensitive data.
An ITDR system works by combining multiple functions in a comprehensive solution. Core ITDR functions include:
To recognize suspicious activity, an ITDR system first needs to know what normal and authorized activity looks like.
ITDRs gather information from sources such as:
The ITDR uses behavioral analytics and relationship mapping to process all of this data and create a baseline model of normal behavior for users, their accounts and the systems they access.
An ITDR system monitors identity activity and infrastructure throughout the network to detect threats, exposures and vulnerabilities. ITDRs track logins, authentications, identity providers (IdPs), access requests and directories such as Active Directory, comparing them to the baseline model. ITDR tools flag meaningful deviations from the baseline as potential threats.
Deviations can include activities such as login attempts from unusual locations, lateral movement of a user across unrelated datasets or unusual requests for privilege escalation.
Some ITDR systems use machine learning (ML) to analyze historical threat patterns—from company records, threat intelligence feeds and other sources—and identify different types of attacks. That way, the ITDR can more easily detect novel identity risks that it has not previously encountered directly.
When an ITDR system detects a potential intrusion, it flags the activity to the security operations center (SOC) and triggers an immediate response to the anomaly. Response capabilities can include isolating the system being attacked, disabling compromised accounts, requesting additional user authentication and other means of stopping unauthorized or suspicious activities.
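The baseline-then-deviation loop described above, as an added Python sketch that is not part of the original article or any vendor's product. It learns each user's usual login countries and elevation habits from a constructed event sample, then flags an unusual location, an unexpected privilege escalation request, a brute-force run against one account and credential stuffing from one source across several accounts, pairing each finding with the kind of automated response the text mentions. Event fields, thresholds and response labels are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample authentication events (not real logs).
# Each event: (user, source IP, country, outcome, privilege-elevation request?)
BASELINE_EVENTS = [
    ("alice", "10.0.0.5", "US", "success", False),
    ("alice", "10.0.0.7", "US", "success", False),
    ("bob", "10.0.1.9", "DE", "success", False),
    ("bob", "10.0.1.9", "DE", "success", True),  # bob routinely requests elevation
]
# Constructed live events: alice appears from a new country and asks for
# elevation; one address hammers bob's account and tries three other accounts.
LIVE_EVENTS = [("alice", "203.0.113.4", "RU", "success", True)]
LIVE_EVENTS += [("bob", "198.51.100.9", "DE", "failure", False)] * 5
LIVE_EVENTS += [(u, "198.51.100.9", "DE", "failure", False) for u in ("carol", "dave", "erin")]

def build_baseline(events):
    """Learn, per user, the countries seen and how often elevation is requested."""
    countries, elevations = defaultdict(set), Counter()
    for user, _ip, country, outcome, elevated in events:
        if outcome == "success":
            countries[user].add(country)
            elevations[user] += int(elevated)
    return {"countries": countries, "elevations": elevations}

def detect(baseline, events, fail_threshold=5, stuffing_threshold=3):
    """Return (subject, finding, automated response) for each deviation from the baseline."""
    findings = []
    fails_by_user = Counter()        # brute force: many failures on one account
    users_by_ip = defaultdict(set)   # credential stuffing: one source, many accounts
    for user, ip, country, outcome, elevated in events:
        if outcome == "failure":
            fails_by_user[user] += 1
            users_by_ip[ip].add(user)
            continue
        if country not in baseline["countries"][user]:
            findings.append((user, f"login from unusual location {country}", "require step-up authentication"))
        if elevated and baseline["elevations"][user] == 0:
            findings.append((user, "unusual privilege escalation request", "disable account and alert SOC"))
    for user, n in fails_by_user.items():
        if n >= fail_threshold:
            findings.append((user, f"brute force: {n} failed logins", "lock account"))
    for ip, users in users_by_ip.items():
        if len(users) >= stuffing_threshold:
            findings.append((ip, f"credential stuffing across {len(users)} accounts", "block source IP"))
    return findings

def run_example():
    """Build the baseline from the sample and run detection over the live events."""
    return detect(build_baseline(BASELINE_EVENTS), LIVE_EVENTS)
```

A real deployment would feed events from IdP, directory and application logs and tune the thresholds per population; the point here is that every finding is a comparison against learned normal behaviour rather than a fixed signature.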
Identity-based attacks are cyberattacks that take advantage of user identities to gain unauthorized access to a network. Identity-based attacks often involve taking over a legitimate account and abusing its privileges to steal data, plant ransomware or cause other damage.
Examples of common identity-based attacks include:
In a brute force attack, hackers try to gain access to an account through trial and error, attempting many login credentials until they find one that works.
Privilege escalation is a cyberattack technique where a threat actor alters or elevates their permissions in a system, such as by moving from a lower-privilege user account to a higher-level administrator account.
Lateral movement is a tactic that cybercriminals use to advance deeper into an organization’s network after gaining unauthorized access. Broadly speaking, lateral movement attacks have two parts: an initial breach followed by internal movement.
Phishing is a type of social engineering that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data or downloading malware.
Hackers can use phishing to take control of user accounts in a few different ways. They might trick a user into giving up their credentials by posing as a trusted brand and directing them to a fake website. Or they might use phishing messages to spread infostealer malware that secretly records the user’s password.
Identity risks and threats do not always originate from malicious actors. Misconfigurations, simple oversights, human error and authorized users misusing their permissions can all compromise identity security. Risks include:
As identity-based attacks grow more common and identity systems become more complex, ITDR tools can help organizations improve their security posture and gain more control over identity infrastructure.
For many organizations, software-as-a-service (SaaS) solutions, hybrid multicloud architectures and remote work are the norm. Their networks contain a multivendor mix of cloud-based and on-premises apps and assets serving various users in various locations. These apps often have their own identity systems, which might not readily integrate with one another.
As a result, many organizations deal with fragmented identity landscapes with gaps that threat actors can and do exploit for malicious ends.
By monitoring identities rather than devices or assets, ITDRs can provide enhanced visibility into user activity across cloud environments, SaaS tools and on-premises systems. While different apps and assets might have different identity systems, ITDR enables organizations to monitor them all in one place.
ITDRs can detect not only active attacks, but also potentially dangerous misconfigurations and vulnerabilities. For example, some ITDR tools can detect weak authentication mechanisms, inactive accounts and even the use of certain shadow IT assets.
By continuously monitoring identity infrastructure, ITDR tools can detect cyberattacks before hackers have had the chance to do real damage.
In addition to flagging these attacks to security teams, ITDRs can also automatically respond in real time, stopping hackers and malicious insiders from proceeding. As a result, ITDR enables faster threat mitigation and the remediation of vulnerabilities before they can be exploited.
Organizations have a veritable alphabet soup of overlapping threat detection and response technologies to contend with. While these tools might have similar features, they offer different protections for different facets of an enterprise network. They are often used as complements to one another in a multilayered defense-in-depth cybersecurity strategy.
Identity and access management (IAM) tools manage the user identity lifecycle, from account creation to disposal. While ITDR aims to detect and thwart the malicious activity of unauthorized users, IAM focuses on ensuring that authorized users have the right permissions and use them appropriately.
Core IAM functions include creating user identities, assigning privileges, enforcing access policies and retiring old identities. IAM and ITDR systems often work together. IAM facilitates access for authorized users, while ITDR tools monitor user activity for threats such as account compromise or misuse of permissions.
Privileged access management (PAM) systems govern and secure the accounts and activities of privileged users, such as system administrators. While ITDR tools monitor all identities, PAM tools cover privileged ones.
PAM tools provision privileged accounts, manage how and when users obtain elevated privileges, and monitor privileged activity for suspicious behavior and noncompliance.
PAM predates ITDR as a formally defined cybersecurity practice, and PAM tools are usually considered to be their own distinct category. However, in some ways, PAM can be considered a targeted version of ITDR. ITDR monitors identity-based threats to all users, while PAM specifically protects privileged accounts. Both can work together to provide advanced security controls to a network.
The core difference between endpoint detection and response (EDR) and ITDR is that EDR tools protect devices, while ITDR tools protect identities.
EDRs monitor endpoints such as servers and PCs to detect malicious activity happening on the device. ITDR focuses on identity-based threats, detecting malicious activity at the level of users and accounts.
ITDR and EDR systems are complementary aspects of an organization’s security operations. For example, when EDR discovers suspicious activity at an endpoint, an ITDR system can help connect that activity to a specific identity.
Where ITDR has a narrower focus on user identities, extended detection and response (XDR) solutions integrate security tools and operations across all security layers—users, endpoints, applications, networks, cloud workloads and data.
XDR tools enable security solutions that aren’t necessarily designed to work together to interoperate for seamless threat prevention, detection and response. Alongside other tools, ITDRs integrate with XDRs, feeding data on identities and identity-based systems into a unified security architecture.
Together, ITDRs and XDRs can give organizations a more comprehensive view of their networks, enabling more effective security measures and identity governance models.