
What is ITDR (Identity Threat Detection and Response)?

The past couple of decades have seen an immense evolution in the cyber threat landscape and in how organizations and enterprises utilize IT. Threat actors develop new cyber exploitation techniques, and concurrently cybersecurity solution vendors develop new technologies and methodologies. Those new technologies and methodologies often get branded with a new acronym that soon becomes part of the vernacular of SOC analysts everywhere.

In 2005, SIEM solutions emerged to analyze entire networks for Indicators of Compromise, combining security information and event management. This was followed by the introduction of EDR solutions for endpoint detection and response. Soon after, XDR, an extended detection and response solution, was marketed. Some CISOs were left wondering if it was any better than the previous solutions.

That’s just the tip of the iceberg of solutions that vendors offer today that they didn’t have twenty years ago, and some of these emerging technologies are only five years old or less. It’s understandable that some people might be skeptical and suspect it’s all marketing buzz with no substance. Yet some cybersecurity terminology has had a real impact on the security posture of all kinds of enterprises. IAM, for instance, stands for identity and access management, a cybersecurity practice that focuses on user and machine identities and how they authenticate with computer networks.

The focus on IAM is crucial because user and machine identities are used to perform actions within computer networks. Cyber attackers usually hijack existing accounts or create new ones maliciously, often with escalated privileges. Administrative access is the ultimate goal for attackers, but even accounts with limited access can cause significant damage to an organization's computer networks and sensitive data, resulting in expensive consequences.

In the past, some individuals considered zero-trust network security to be nothing more than a buzzword. However, since the beginning of the 21st century, cloud networks have experienced rapid growth in adoption. Many older cybersecurity experts were well acquainted with the traditional perimeter model of network security. This model involved verifying and authenticating user and machine identities when they entered the internal network from an external network, such as the internet. There was a clearly defined network perimeter, and once accounts were authenticated and authorized at that perimeter, they were granted access to do whatever they wanted in the internal network based on their privileges. Authentication and authorization were only carried out at the perimeter, meaning that once someone gained access, they could move around freely without undergoing any further checks.

Many organizations have adopted cloud services in their networks, which has blurred the traditional network perimeters of the past. This means that traditional perimeter security measures are no longer sufficient to prevent internal attackers from accessing and exploiting sensitive data. Internal attackers can pose a significant threat to the organization's cybersecurity, and it's essential to prioritize identity management to mitigate these risks. In this new reality, it's crucial to have a comprehensive identity threat detection and response (ITDR) plan that accounts for this shift in security priorities.

Zero trust security is a simple concept where no user or machine is automatically trusted, regardless of their origin, whether internal or external. In such a network, every possible network vector requires the accounts to go through an authentication process, including both north-south traffic (internal to external) and east-west traffic (between different internal networks). This security measure is necessary for any network that implements cloud services, and it also has the potential to prevent internal attackers from accessing sensitive information.

ITDR is not just a buzzword but rather a combination of important security controls and measures, much like SIEM, IAM, and zero trust. Like many cybersecurity acronyms, ITDR was coined by Gartner. They started using the term in 2022, and ITDR is becoming increasingly relevant in 2023 and beyond. They define it as:

“A security discipline that encompasses threat intelligence, best practices, a knowledge base, tools, and processes to protect identity systems. ITDR works by implementing detection mechanisms, investigating suspicious posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”

ITDR works with IAM systems, and ITDR approaches are especially effective in networks with zero trust security. Here’s what you need to know about ITDR:

  • Identity sprawl is a bigger problem than ever with the prevalence of cloud networks, containerization (Docker and Kubernetes), and application development methodologies that make heavy use of the cloud and containerization, namely DevOps. Containers are dynamically generated to serve an application’s needs at any given time, and some containers may only be deployed for a few hours. The result is numerous machine identities that are used for a short period of time. Each of those identities is tied to keys that can decrypt sensitive data, and each of those identities has some sort of privileged access. In the past, user accounts were often left active despite the person no longer working for the company, and employees' accounts accumulated more permissions than needed as their roles changed. Now identity sprawl and privilege creep are an especially bad problem given how accounts are provisioned in newer computer networking technologies. One major feature of an ITDR solution is to automate the process of detecting accounts and privileges that should no longer exist, significantly reducing an organization’s cyber attack surface.

  • Phishing is a growing problem and a common point of entry for ransomware attacks and data breaches. ITDR solutions can automate the process of phishing detection, so accounts that appear to be subject to phishing attacks can be stopped in their tracks. ITDR solutions can also use algorithms to detect suspicious account behavior, whether or not the accounts have been subjected to phishing. ITDR solutions also have ways to prevent privilege escalation.

  • Many organizations have multi-cloud networks, which means they use more than one cloud provider. For instance, they may have a combination of AWS, GCP, and Azure services in their network. Many cloud providers offer good IAM solutions, but sometimes gaps can appear in the security capabilities between different vendors’ IAM solutions. ITDR can provide enhanced security while data moves between different cloud providers and on-premises networks.

  • ITDR uses the MITRE ATT&CK framework to defend against known attack vectors. MITRE ATT&CK’s knowledge base is always evolving as the techniques deployed by cyber threat actors evolve. ITDR leverages the power of automation to find security misconfigurations in Active Directory and other IAM platforms.
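As an added illustration (not code from the original article or from any vendor's product), here is a small Python sketch of the checks the list above describes: departed or dormant identities, granted-but-unused privileges, and a suspicious login pattern, run over a constructed identity inventory and authentication log. The thresholds, account names, and data are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

NOW = datetime(2023, 6, 1)          # constructed "current time" for the example
STALE_DAYS = 30                     # assumed threshold; tune per environment
# Constructed identity inventory, the shape an ITDR tool might pull from IAM
# and directory records: owner status, last authentication, granted vs used rights.
INVENTORY = [
    {"id": "alice", "kind": "user", "owner_active": True,
     "last_auth": NOW - timedelta(days=2), "granted": {"read_db", "domain_admin"}, "used": {"read_db"}},
    {"id": "bob", "kind": "user", "owner_active": False,      # left the company, account never disabled
     "last_auth": NOW - timedelta(days=120), "granted": {"read_db"}, "used": {"read_db"}},
    {"id": "svc-build-7f3a", "kind": "machine", "owner_active": True,   # short-lived CI container identity
     "last_auth": NOW - timedelta(days=45), "granted": {"deploy", "decrypt_secrets"}, "used": set()},
]
# Constructed authentication events: (timestamp, account, result, source address)
AUTH_LOG = [
    (NOW - timedelta(minutes=9), "alice", "FAIL", "203.0.113.5"),
    (NOW - timedelta(minutes=8), "alice", "FAIL", "203.0.113.5"),
    (NOW - timedelta(minutes=7), "alice", "FAIL", "203.0.113.5"),
    (NOW - timedelta(minutes=6), "alice", "SUCCESS", "203.0.113.5"),
    (NOW - timedelta(minutes=5), "carol", "SUCCESS", "198.51.100.9"),
]

def find_stale_identities(inventory, now=NOW, stale_days=STALE_DAYS):
    """Identity sprawl: accounts whose owner is gone or that have not authenticated recently."""
    findings = {}
    for acct in inventory:
        if not acct["owner_active"]:
            findings[acct["id"]] = "owner departed, account still enabled"
        elif now - acct["last_auth"] > timedelta(days=stale_days):
            findings[acct["id"]] = f"no authentication in {stale_days} days"
    return findings

def find_privilege_creep(inventory):
    """Privilege creep: granted rights the account has never exercised (candidates for removal)."""
    return {a["id"]: sorted(a["granted"] - a["used"]) for a in inventory if a["granted"] - a["used"]}

def find_suspicious_logins(log, max_failures=3, window=timedelta(minutes=10)):
    """Behavioural signal: a success preceded by >= max_failures failures from the same
    source within the window, the pattern a stolen or guessed password often leaves."""
    flagged = set()
    for i, (ts, acct, result, src) in enumerate(log):
        if result != "SUCCESS":
            continue
        recent_fails = [e for e in log[:i] if e[1] == acct and e[3] == src
                        and e[2] == "FAIL" and ts - e[0] <= window]
        if len(recent_fails) >= max_failures:
            flagged.add(acct)
    return flagged
```

Each finding is a review or remediation candidate (disable, remove a right, force re-authentication), which is the "respond" half of ITDR; in practice the inventory and log would come from the IAM platform rather than inline data.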

By implementing detection mechanisms, investigating suspicious posture changes and activities, and responding to attacks, ITDR can help restore the integrity of the identity infrastructure. Prioritizing identity management and implementing a comprehensive ITDR plan is critical for organizations to safeguard their sensitive data and networks from cyber threats. Grant ITDR a prized position in your ever-growing collection of cybersecurity acronyms.