Identity Threat Detection and Response Solutions Guide


August 15, 2024 | The Hacker News | Identity Security / Threat Detection


The Rise of Identity Threat Detection and Response

Identity Threat Detection and Response (ITDR) has become a critical component of detecting and responding to identity-based attacks. Threat actors have repeatedly compromised identity infrastructure and used it to move laterally across IaaS, SaaS, PaaS, and CI/CD environments. ITDR solutions help organizations detect suspicious or malicious activity in those environments and let security teams answer the question: "What is happening in my environment right now, and what are my identities doing across it?"

Human and non-human identities

As outlined in the ITDR Solution Guide, comprehensive ITDR solutions cover both human and non-human identities. Human identities include the workforce (employees), guests (contractors), and vendors. Non-human identities include tokens, keys, service accounts, and bots. A cross-environment ITDR solution detects and responds to risks for every identity across the layers it spans, for example from the IdP down to the IaaS and SaaS layers, rather than securing identities in a fragmented, layer-by-layer way.

Core ITDR Capabilities

The essential capabilities of an ITDR solution include:

  1. Building a universal identity profile for every entity, human and non-human, covering activity across cloud service layers as well as on-premises applications and services.
  2. Coupling static analysis, posture management, and the configuration of those identities with their runtime activity in the environment.
  3. Monitoring and tracking direct and indirect access paths, and monitoring the activity of all identities in the environment.
  4. Orchestrating identity tracking and detections across multiple environments spanning identity providers, IaaS, PaaS, SaaS, and CI/CD applications, so that an identity can be followed throughout the environment.
  5. Delivering high-fidelity detection and response across multiple environments, so organizations can act on identity threats as they emerge across the entire attack surface rather than triaging large numbers of atomic alerts raised on individual events.

For a complete overview of ITDR capabilities, please see the complete Identity Threat Detection and Response Solution Guide.

Identity Threat Use Cases

To effectively protect against identity attacks, organizations should choose an ITDR solution with advanced capabilities to detect and mitigate attacks. These capabilities should address a range of use cases for both human and non-human identities, including but not limited to:

  1. Account Takeover Detection: Detect the many signals that indicate an identity has been compromised.
  2. Credential Breach Detection: Identify and alert on the use of stolen or compromised credentials within the environment.
  3. Privilege Escalation Detection: Detect unauthorized attempts to escalate privileges within systems and applications.
  4. Abnormal Behavior Detection: Flag deviations from an identity's normal behavior that could indicate malicious activity.
  5. Insider Threat Detection: Identify and respond to malicious or negligent actions by internal users.

For a complete overview of identity threat use cases, please see the complete Identity Threat Detection and Response Solution Guide.

Questions an effective ITDR solution must answer

1. IDENTITY INVENTORY AND ACCESS MANAGEMENT

What identities, human and non-human, are present in our environment?

  • Comprehensive inventory of human and non-human identities in all environments.

What roles and rights do these identities have?

  • Details about roles, groups, and specific permissions each identity has across cloud and on-premises environments.

What role/group has given a particular user access to a resource? What is the permission scope for that access?

  • Specific information about roles/groups and permissions that grant access to resources.

2. RISK ASSESSMENT AND ANOMALY DETECTION

What are the top 10 riskiest identities in my cloud service layers? What would be the blast radius if any of those identities were compromised?

  • Identifying the identities most at risk and assessing the potential impact of their breach.

Are there deviations in identity behavior?

  • Detection of deviations from normal behavior patterns for each identity, flagging potential malicious activity.

Have any login credentials been compromised?

  • Alerts about the use of stolen or compromised credentials within the environment.

3. AUTHENTICATION AND ACCESS PATTERNS

How are identities authenticated, and how do they obtain access?

  • An inventory of authentication methods and access paths for all identities, including federated and non-federated access points.

What are the sources and locations of login attempts?

  • Detailed logs of login attempts, including IP addresses, geographic locations, and device information.

How do different types of entities (human and non-human) access my environment?

  • Monitoring of access patterns for each type of entity in the environment.

How broadly is MFA enforced across the application and cloud service layers in my environment?

  • Assessment of the implementation and enforcement of Multi-Factor Authentication (MFA) across the environment.

4. ACTIVITY MONITORING AND CHANGE TRACKING

What changes have just been made in my environment, who is responsible for those changes, and have similar changes been made in other layers of cloud services?

  • Tracking and reporting recent changes, responsible users, and consistency across layers.

Which identities have been granted access to sensitive data or critical systems?

  • Monitoring and reporting on identity access to sensitive data repositories, critical systems, and high-risk applications.

5. INCIDENT CORRELATION AND RESPONSE

How do identity-related incidents relate across different environments?

  • Correlate identity activities and incidents across IdP, IaaS, PaaS, SaaS, CI/CD, and on-prem environments for a unified picture.

What measures should be taken to mitigate the identified threats?

  • Actionable recommendations and automated response options to mitigate detected identity threats and prevent future incidents.
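The use cases above (account takeover, credential misuse, privilege escalation, abnormal behavior, and non-human identities) and the cross-environment correlation asked for in this section come together in the following added example. It is illustrative code written for this page, not the guide's or any vendor's product logic. It groups constructed IdP sign-in events and IaaS audit events by identity, compares them against a constructed inventory/baseline, and raises one chained finding when an anomalous sign-in is followed by a privilege change from the same source, instead of two atomic alerts. The event field names, the baseline structure, the finding names, and the risk weights are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two layers (not real logs):
#   "idp"  - identity-provider sign-in events
#   "iaas" - cloud control-plane audit events
# Field names are an assumption made for this example.
EVENTS = [
    {"src": "idp", "ts": "2024-08-15T09:00:00", "identity": "alice@example.com",
     "action": "signin", "ip": "203.0.113.10", "country": "US", "mfa": True},
    {"src": "idp", "ts": "2024-08-15T09:20:00", "identity": "alice@example.com",
     "action": "signin", "ip": "198.51.100.7", "country": "BR", "mfa": False},
    {"src": "iaas", "ts": "2024-08-15T09:25:00", "identity": "alice@example.com",
     "action": "iam:AttachUserPolicy", "ip": "198.51.100.7", "target": "AdministratorAccess"},
    {"src": "idp", "ts": "2024-08-15T10:00:00", "identity": "bob@example.com",
     "action": "signin", "ip": "203.0.113.11", "country": "US", "mfa": True},
    {"src": "iaas", "ts": "2024-08-15T10:05:00", "identity": "bob@example.com",
     "action": "s3:GetObject", "ip": "203.0.113.11", "target": "reports-bucket"},
    {"src": "iaas", "ts": "2024-08-15T11:00:00", "identity": "svc-ci-deploy",
     "action": "iam:CreateAccessKey", "ip": "192.0.2.55", "target": "svc-ci-deploy"},
    {"src": "iaas", "ts": "2024-08-15T11:30:00", "identity": "ghost-user",
     "action": "ec2:RunInstances", "ip": "192.0.2.99", "target": "i-0abc"},
]

# Constructed identity inventory / baseline: identity type and the sources each
# identity normally authenticates from. A real ITDR tool learns this from history.
BASELINE = {
    "alice@example.com": {"type": "human", "countries": {"US"}, "ips": {"203.0.113.10"}},
    "bob@example.com": {"type": "human", "countries": {"US"}, "ips": {"203.0.113.11"}},
    "svc-ci-deploy": {"type": "non-human", "countries": set(), "ips": {"203.0.113.50"}},
}

# Control-plane actions that change who can do what (escalation or persistence).
PRIVILEGE_ACTIONS = {"iam:AttachUserPolicy", "iam:PutUserPolicy",
                     "iam:AddUserToGroup", "iam:CreateAccessKey"}
WINDOW = timedelta(minutes=30)  # look-ahead after a suspicious sign-in

# Assumed weights used only to rank identities; not from the guide.
SCORES = {"unknown_identity": 3, "mfa_missing": 2, "anomalous_signin": 3,
          "account_takeover_chain": 5, "nhi_new_source": 4, "nhi_privilege_change": 3}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, baseline):
    """Group events by identity across layers; return {identity: [finding, ...]}."""
    by_identity = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_identity[event["identity"]].append(event)

    findings = defaultdict(list)
    for ident, evs in by_identity.items():
        base = baseline.get(ident)
        if base is None:
            # Inventory gap: activity from an identity we do not know about at all.
            findings[ident].append("unknown_identity")
            continue
        for e in evs:
            if e["src"] == "idp":
                if not e["mfa"]:
                    findings[ident].append("mfa_missing")
                new_source = (e["country"] not in base["countries"]
                              or e["ip"] not in base["ips"])
                if new_source:
                    findings[ident].append("anomalous_signin")
                    # Chain: suspicious sign-in followed, within WINDOW and from the
                    # same IP, by a privilege change in IaaS -> one high-fidelity
                    # finding instead of two unrelated atomic alerts.
                    for later in evs:
                        if (later["src"] == "iaas"
                                and later["action"] in PRIVILEGE_ACTIONS
                                and later["ip"] == e["ip"]
                                and timedelta(0) <= _ts(later) - _ts(e) <= WINDOW):
                            findings[ident].append("account_takeover_chain")
                            break
            elif e["src"] == "iaas" and base["type"] == "non-human":
                # Non-human identities have no interactive sign-in; judge them on
                # where they are used from and whether they alter their own credentials.
                if e["ip"] not in base["ips"]:
                    findings[ident].append("nhi_new_source")
                if e["action"] in PRIVILEGE_ACTIONS:
                    findings[ident].append("nhi_privilege_change")
    return dict(findings)


def rank_identities(findings):
    """Order identities by summed finding weight: a simple 'riskiest identities' view."""
    return sorted(findings, key=lambda i: sum(SCORES[f] for f in findings[i]), reverse=True)


if __name__ == "__main__":
    result = correlate(EVENTS, BASELINE)
    for ident in rank_identities(result):
        print(ident, result[ident])
```

Running it ranks alice@example.com first (non-MFA sign-in from a new country followed five minutes later by an AdministratorAccess policy attach from the same IP), then the CI service account used from an unknown address to mint itself a new access key, then the identity absent from the inventory; bob@example.com produces no findings at all. The point the section makes is the shape of the output: a per-identity picture assembled from more than one layer, with the chain reported once.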

For a full list of questions and business use cases, please see the complete Identity Threat Detection and Response Solution Guide.

This article is a contribution from one of our valued partners.