Identity-based threats specifically target the digital identities of individuals and the identity infrastructure of organizations.
Growth in this type of cyberattack goes hand in hand with the increase in the number of digital identities. A recent report by the Identity Defined Security Alliance (IDSA) found that 90% of organizations with over 1,000 employees reported at least one security incident related to digital identities over the past year. The number of stolen credentials available for sale on the dark web exceeded 24 billion during this period, roughly three credentials for every person on the planet. No one is immune to this threat. Moreover, the Dark Web Price Index shows that credentials can be obtained for as little as $1. These figures strongly indicate that a new approach is needed to combat the rapid spread of identity-based attacks.
What is Identity Threat Detection & Response (ITDR)?
Identity Threat Detection & Response (ITDR) is a security discipline that seeks to protect identity systems. This strategy emerged in 2022 as a Gartner proposal following a series of attacks on IAM infrastructure and encompasses threat intelligence, best practices, a knowledge base, tools, and processes.
The goal of ITDR is to improve security around identity-centric infrastructure by detecting, analyzing, quarantining, and eliminating or mitigating suspicious activity that targets identity systems, as well as by identifying vulnerabilities on the attack surface before a threat occurs. This approach can be implemented as a part of an XDR strategy.
How to implement an ITDR strategy in your organization
The following steps will help your business implement an effective ITDR strategy and program:
- Define your organization's IAM guidelines: First, you need to identify your organization's identity security objectives and the policies and procedures needed to achieve them.
- Deploy identity security: Controls can include password managers, multi-factor authentication, web single sign-on and zero trust risk-based policies. These preventive controls should be in place before an ITDR program is built on top of them: ITDR detects and responds to attacks against the identity layer, it does not replace the controls that harden it.
- Set detection controls: These controls identify suspicious identity-related activity. They include monitoring configuration changes in IAM systems, monitoring identity-related user activity, dark web credential monitoring, detecting anomalies in a user's habitual behavior patterns (for example, logins from an unexpected location shortly after a burst of failed attempts), risk scoring of users and events, and real-time alerting.
- Establish response controls: These controls include isolating affected systems and disabling synchronization between identity stores, gathering evidence to assess the severity of the threat, resetting compromised credentials, and blocking suspicious accounts or IP addresses. They also cover restoring data from backups, logging every access management and remediation action taken during the event, and post-incident clean-up such as removing fraudulent accounts, revoking excessive permissions, and patching systems.
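The following is an added example, not part of the original article or of any WatchGuard product: a minimal detection-and-response pass in Python that runs the kinds of rules the detection step above describes (failed-login burst followed by success, impossible travel between two logins, MFA method and role changes, IAM policy changes) over a constructed set of identity events, assigns a per-user risk score and maps it to a response tier from the response step. The event schema, rule weights, thresholds and the approved-admin baseline are assumptions made for the example.

```python
"""Toy ITDR detection pass over constructed identity events (example only).

Each event is a dict with: ts (ISO 8601 UTC), user, type, outcome, src_ip,
country and an optional detail. The schema, rules, weights and thresholds are
assumptions made for this example, not a vendor's rule set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rule weights: how much each finding adds to a user's risk score.
WEIGHTS = {
    "brute_force_then_success": 40,
    "impossible_travel": 40,
    "mfa_method_added": 20,
    "role_assigned": 30,
    "policy_changed": 30,
}
APPROVED_ADMINS = {"carol-admin"}          # constructed baseline of IAM administrators
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(minutes=60)
LOGIN_ANOMALIES = ("brute_force_then_success", "impossible_travel")

# Constructed sample events: "bob" is sprayed, then logs in from a second
# country, adds an MFA method and is granted an admin role; "carol-admin" makes
# an approved policy change; "alice" is a normal login.
EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "alice", "type": "login", "outcome": "success", "src_ip": "203.0.113.5", "country": "DE"},
    {"ts": "2024-05-01T08:01:00Z", "user": "bob", "type": "login", "outcome": "failure", "src_ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-05-01T08:02:00Z", "user": "bob", "type": "login", "outcome": "failure", "src_ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-05-01T08:03:00Z", "user": "bob", "type": "login", "outcome": "failure", "src_ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-05-01T08:04:00Z", "user": "bob", "type": "login", "outcome": "failure", "src_ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-05-01T08:05:00Z", "user": "bob", "type": "login", "outcome": "failure", "src_ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-05-01T08:09:00Z", "user": "bob", "type": "login", "outcome": "success", "src_ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-05-01T08:20:00Z", "user": "bob", "type": "login", "outcome": "success", "src_ip": "192.0.2.44", "country": "BR"},
    {"ts": "2024-05-01T08:21:00Z", "user": "bob", "type": "mfa_method_added", "outcome": "success", "src_ip": "192.0.2.44", "country": "BR", "detail": "authenticator app"},
    {"ts": "2024-05-01T08:22:00Z", "user": "bob", "type": "role_assigned", "outcome": "success", "src_ip": "192.0.2.44", "country": "BR", "detail": "GlobalAdmin"},
    {"ts": "2024-05-01T09:00:00Z", "user": "carol-admin", "type": "policy_changed", "outcome": "success", "src_ip": "203.0.113.9", "country": "DE", "detail": "ConditionalAccess: MFA-required disabled"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return {user: [(rule, event_ts, note), ...]} for every rule that fired."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        logins = [e for e in evs if e["type"] == "login"]
        for i, e in enumerate(logins):
            if e["outcome"] != "success":
                continue
            t = parse_ts(e["ts"])
            # Rule 1: a success preceded by a burst of failures within FAIL_WINDOW.
            fails = [f for f in logins[:i] if f["outcome"] == "failure" and t - parse_ts(f["ts"]) <= FAIL_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                findings[user].append(("brute_force_then_success", e["ts"], f"{len(fails)} failures before success from {e['src_ip']}"))
            # Rule 2: two successes from different countries within TRAVEL_WINDOW.
            prev = [p for p in logins[:i] if p["outcome"] == "success"]
            if prev:
                p = prev[-1]
                gap = t - parse_ts(p["ts"])
                if p["country"] != e["country"] and gap <= TRAVEL_WINDOW:
                    findings[user].append(("impossible_travel", e["ts"], f"{p['country']} -> {e['country']} in {gap.seconds // 60} min"))
        # Rule 3: IAM configuration and privilege changes are always recorded.
        for e in evs:
            if e["type"] in ("mfa_method_added", "role_assigned", "policy_changed"):
                findings[user].append((e["type"], e["ts"], e.get("detail", "")))
    return dict(findings)


def score(user, user_findings):
    """Sum rule weights; an approved admin's policy change with no login anomaly is routine."""
    anomalous_login = any(r in LOGIN_ANOMALIES for r, _, _ in user_findings)
    total = 0
    for rule, _, _ in user_findings:
        w = WEIGHTS[rule]
        if rule == "policy_changed" and user in APPROVED_ADMINS and not anomalous_login:
            w = 10
        total += w
    return total


def recommend(s):
    """Map a risk score to a response tier (thresholds are assumptions)."""
    if s >= 70:
        return "contain"       # disable account, revoke sessions, reset credentials
    if s >= 30:
        return "investigate"   # force MFA re-authentication, gather evidence
    return "log"               # record the change for audit only


def triage(events):
    """Per-user score, recommended action and the findings behind them."""
    out = {}
    for user, f in detect(events).items():
        s = score(user, f)
        out[user] = {"score": s, "action": recommend(s), "findings": f}
    return out


if __name__ == "__main__":
    for user, r in triage(EVENTS).items():
        print(f"{user}: score={r['score']} action={r['action']}")
        for rule, ts, note in r["findings"]:
            print(f"    {ts} {rule} {note}")
```

In this run "bob" accumulates the failed-login burst, the cross-country login eleven minutes later, the new MFA method and the admin role grant, which pushes him into the "contain" tier, while "carol-admin" disabling an MFA policy is scored low because she is in the approved-admin baseline and shows no login anomaly; the same change made by an account with an anomalous login would be scored at full weight. Real deployments would read these events from the IdP's audit log and feed the tier to an automated playbook rather than print it.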
ITDR is the future of digital identity security and that's why it should be the next area your business focuses its efforts on to strengthen identity and access management. Like EPDR, MDR and NDR, ITDR is an integral part of a complete XDR strategy. At WatchGuard we are exploring ways for our new and existing products to provide ITDR capabilities across our four product lines with our ThreatSync solution. This step will enable us to provide correlation and risk scores, as well as event remediation to deliver ITDR to MSPs and, in turn, to small and midsize businesses.