Towards Identity-Centric Security: Elevating IAM to ITDR Security for Cyber Resilience
Despite investing in IAM tools at an incredible pace, 90% of organizations have experienced at least one identity-based attack in the past year alone.
Adversaries increasingly rely on identity-based attacks that compromise legitimate credentials to enter systems undetected. As digital identities become the prime target for attackers, relying on traditional tools like EDR, IAM, and NDR is no longer sufficient to address the unique challenges of identity-based attacks, which range from credential theft to insider threats. These staggering numbers emphasize the importance of integrating ITDR solutions into the existing IAM stack according to each organization's technical infrastructure and needs.
This blog delves into the potential impact of identity-based attacks across industries, emphasizing the critical role of ITDR solutions in defending against their multifaceted nature and ensuring robust threat detection and prevention.
Evolving Identity-Based Threat Landscape
Over the past few years, identity-based attacks have taken center stage as attackers evolve their tactics and technologies: phishing, social engineering, and purchasing legitimate credentials from access brokers, some of which can even bypass MFA (Multi-factor Authentication). This impedes the defender's ability to differentiate between a legitimate user and a breach.
Let’s understand the primary types of identity-based attacks.
- Cached Credentials: Cached credentials are commonly stored on endpoints, in memory, in the registry, or on disk. Attackers use a variety of tools and techniques to harvest them and gain access to more privileged identities. Once collected, they can use them to move laterally and log into different applications.
- Credential Stuffing: Attackers acquire stolen login credentials (for example, from other adversaries or earlier breaches) and automate login attempts across multiple platforms, exploiting users who reuse passwords across different sites without proper management and oversight.
- API Keys and Secrets: Stolen API keys and secrets allow adversaries to access and steal sensitive information. If these API keys are not rotated and revoked, the attacker could retain access indefinitely.
- Session Cookies and Tokens: By stealing session cookies and tokens, attackers can masquerade as legitimate users and authenticate to the application.
- Kerberoasting: Kerberoasting targets service accounts in Active Directory (AD) environments by requesting service tickets for these accounts and then attempting to crack their passwords offline. 50% of identity-related breaches stem from Microsoft Active Directory, as most enterprises rely on AD as the primary method for user authentication for both on-premises and cloud resources.
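Two of the patterns above, credential stuffing and Kerberoasting, leave characteristic traces in Windows Security logs that an ITDR or SIEM rule can pick up. The following is an added example written for this post, not code from the original article or any vendor: it runs simple sliding-window detections over a handful of constructed event records. The field names follow the Windows Security log (event 4625 for failed logons, event 4769 for service-ticket requests, where TicketEncryptionType 0x17 is RC4-HMAC); the thresholds and window size are illustrative assumptions, not Microsoft or vendor guidance.

```python
"""Detection logic for credential stuffing and Kerberoasting over constructed
Windows Security event records (added example; thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Times are UTC ISO-8601.
SAMPLE_EVENTS = [
    # One source IP failing logons against many distinct accounts: stuffing pattern.
    *[{"EventID": 4625, "TimeCreated": f"2024-03-22T09:00:{i:02d}Z",
       "TargetUserName": f"user{i:02d}", "IpAddress": "203.0.113.45",
       "Status": "0xC000006D"} for i in range(12)],
    # A normal user mistyping a password twice: should not alert.
    {"EventID": 4625, "TimeCreated": "2024-03-22T09:05:00Z",
     "TargetUserName": "alice", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    {"EventID": 4625, "TimeCreated": "2024-03-22T09:05:09Z",
     "TargetUserName": "alice", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    # One account requesting RC4 service tickets for many SPNs: Kerberoasting pattern.
    *[{"EventID": 4769, "TimeCreated": f"2024-03-22T10:00:{i:02d}Z",
       "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": f"svc-{name}",
       "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21"}
      for i, name in enumerate(["sql01", "web01", "backup", "ci", "mq", "erp"])],
    # Routine AES (0x12) ticket request from a workstation: should not alert.
    {"EventID": 4769, "TimeCreated": "2024-03-22T10:00:30Z",
     "TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "fileserver01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.33"},
]

WINDOW = timedelta(minutes=10)   # assumption: look-back window per key
STUFFING_MIN_ACCOUNTS = 10       # assumption: distinct accounts failed from one IP
ROAST_MIN_SPNS = 5               # assumption: distinct RC4 service tickets by one account


def _ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")


def _sliding_window_alerts(events, key_field, value_field, threshold, reason):
    """Group events by key_field, slide a time window over them, and alert when the
    number of distinct value_field values inside any window reaches the threshold."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[ev[key_field]].append(ev)
    alerts = []
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > WINDOW:
                start += 1
            distinct = {e[value_field] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"reason": reason, "key": key, "count": len(distinct)})
                break  # one alert per key is enough for this example
    return alerts


def detect_credential_stuffing(events):
    """Many failed logons (4625) for distinct accounts from a single source IP."""
    failed = [e for e in events if e["EventID"] == 4625]
    return _sliding_window_alerts(failed, "IpAddress", "TargetUserName",
                                  STUFFING_MIN_ACCOUNTS, "credential_stuffing")


def detect_kerberoasting(events):
    """Many RC4-HMAC (0x17) service-ticket requests (4769) for distinct SPNs by one account."""
    rc4 = [e for e in events
           if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17"]
    return _sliding_window_alerts(rc4, "TargetUserName", "ServiceName",
                                  ROAST_MIN_SPNS, "kerberoasting")


def run_detections(events=SAMPLE_EVENTS):
    """Run both detections and return the combined alert list."""
    return detect_credential_stuffing(events) + detect_kerberoasting(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Both rules key on distinct-value counts rather than raw event counts, which is what separates a user mistyping a password (one account, one IP) or a workstation fetching its usual tickets from an attacker spraying many accounts or harvesting many SPNs. In a real deployment the RC4 filter also needs an allow-list for legacy services that legitimately still negotiate RC4.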
Potential Consequences of Identity-Based Threats
The ramifications of identity-based attacks can be severe and multifaceted:
- Financial Loss: Organizations may face direct financial losses due to fraud, theft, or remediation costs associated with breaches.
- Reputational Damage: Successful attacks can erode customer trust and damage an organization’s brand reputation, leading to long-term consequences.
- Regulatory Penalties: Non-compliance with data protection regulations (such as GDPR and CCPA) can result in hefty fines and legal repercussions if organizations fail to protect sensitive information adequately.
- Third-Party Relationship Exploitation: As threat actors increasingly target third-party relationships, motivated by return on investment, one compromised organization can lead to thousands of follow-on targets, opening a path into otherwise hardened end targets.
Real-World Incidents: Capita Phishing Attack Costing a $26 Million Loss
Capita is a leading provider of third-party administration services in the UK, managing over 450 pension schemes with memberships of over 4.3 million. The Black Basta ransomware gang sent a phishing email carrying a .zip attachment; when an employee opened it, the actors gained initial access. They then used Mimikatz to extract Microsoft 365 credentials and, leveraging the stolen identities, disabled security tools. Initial access into Capita’s systems took place on March 22, and the attackers were able to move around undetected until March 31. As part of the fallout from the breach, Capita is expected to pay more than $26 million due to the loss of supplier and customer data.
This incident clearly underscores how identity-based attacks can have severe consequences, especially when privileged accounts are compromised in organizations that lack strong MFA and IAM practices. It emphasizes the importance of expanding the role of IAM, enforcing MFA, managing privileged access, and performing regular access audits to mitigate the risks associated with identity-based attacks.
Why do we need ITDR Security?
As we are witnessing a seismic shift in security perimeter towards identity-centric security, there is a pressing need to inventory critical assets, prioritize risks, and continuously monitor identities to prevent misconfigurations and vulnerabilities.
Limitations of IAM: IAM cannot detect malicious activity once a bad actor has presented valid credentials and authenticated; from that point the attacker effectively vanishes from sight. IAM provides preventive control through access provisioning and authentication, but it typically lacks the ability to detect identity-based threats.
Stopping Lateral Movement: While advanced threat intelligence tools such as EDR, SIEM, and SOAR significantly harden an organization’s security posture, they often fail to detect mid-attack-chain activities such as privilege escalation and lateral movement. Once attackers gain initial access, nothing tracks or stops their lateral movement. Moreover, these tools may bog down security teams with high numbers of false positives because they are highly sensitive to suspicious behavior.
What is ITDR Security?
ITDR bridges this gap with an approach that encompasses threat intelligence, behavioral monitoring, tools, and processes for effective mitigation, ensuring integrity across all verticals and regions.
ITDR is an integrated security solution that proactively detects, investigates, and responds to identity-based threats across the various verticals of an organization, including Active Directory, Entra ID, IAM, PAM, and endpoints. It focuses solely on protecting an organization’s digital identities and critical infrastructure when they are compromised, and it accelerates effective remediation against evolving threats and vulnerabilities, including credential theft, account takeover, and insider threats.
A good ITDR strategy not only prevents and detects but also investigates and coordinates responses to restore integrity in the face of identity infractions.
ITDR vs. EDR
EDR can detect suspicious activity by continuously monitoring and analyzing system and network log records across the organization’s systems. However, it is crucial to figure out how the attacker gained access to the network via leaked credentials. Here, ITDR comes into play: it provides actionable insights into identity-related incidents by matching the credentials used against those of authorized users. This level of visibility helps security teams identify and prioritize the most dangerous identities first. It also accelerates incident response while supporting root cause analysis, paving the way for preventing such incidents in the near future.
ITDR Security Framework in a Nutshell: Breaking the Middle Age of Attack Chain
According to Gartner, “ITDR has made significant strides to improve organizations’ IAM systems.”
Gartner identified the ITDR as one of the top cybersecurity trends in 2022, emphasizing the growing concerns of evolving identity-based attacks. ITDR complements the existing IAM and TDR systems rather than completely replacing them. An ITDR system continuously monitors all endpoints, including clients, servers, IAM systems, and identity repositories, to identify unmanaged, misconfigured, and exposed identities. This comprehensive data provides actionable insights into your unique identity risks.
Let’s explore how Gartner’s ITDR Security framework effectively catches the attackers.
Prevention: Stopping Threat Actors Before Exploitation
With continuous monitoring of client and server endpoints and enforcement of conditional access policies, IAM systems can detect unmanaged, misconfigured, and exposed identities, providing greater visibility for security analysts to identify unique identity risks. By leveraging insights from advanced threat intelligence, ITDR can detect atypical travel, leaked credentials, and unfamiliar login attempts. By categorizing and prioritizing identities by risk score, ITDR can trigger pre-defined remediation efforts such as blocking user access.
Detection: Real-Time User Behaviour Monitoring
Organizations can strengthen their detection and response capabilities by focusing on identity tactics, techniques, and procedures. This involves continuous monitoring of user accounts and activities to identify suspicious behavior as it occurs. By leveraging AI and machine learning and correlating identity data from other security domains, ITDR can analyze user behavior to establish baseline patterns and flag deviations such as unusual login attempts and privilege escalations, ensuring early threat detection and mitigation.
Rapid and Automated Incident Response: Halting Lateral Movement
When a breach occurs, every second matters. Time is money for adversaries. The ultimate goal of ITDR security is to stop in-progress attacks and halt the lateral movement of attackers. ITDR empowers the SOC with AI and machine learning algorithms that can disrupt attacks at unprecedented speed. Meanwhile, it can automate incident response and remediation workflows that drastically reduce response time from hours to minutes or seconds. However, it does not replace human security experts; rather, it empowers them to focus on strategic tasks while automating risk-alert prioritization, configuration, and posture management.
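The three stages above (prevention signals such as leaked credentials and atypical travel, behavioral baselining, and score-driven automated response) fit together in a small pipeline. The following is an added example written for this post, not code from the original article or any ITDR product: per-identity baselines of known countries and devices are learned from constructed sign-in history, each new sign-in is scored for an unfamiliar country, an unfamiliar device, a credential known to be leaked, and impossible travel, and the score maps to a pre-defined action. The weights, thresholds, the 900 km/h plausible-speed limit, the 50 km location jitter tolerance, and the breach-feed membership are all illustrative assumptions.

```python
"""Identity risk scoring with automated response over constructed sign-in events
(added example; all weights, thresholds and sample data are assumptions)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in history (not real data). lat/lon are approximate city centres.
HISTORY = [
    {"user": "alice", "time": "2024-03-20T08:00:00Z", "country": "GB", "device": "LAPTOP-A1", "lat": 51.51, "lon": -0.13},
    {"user": "alice", "time": "2024-03-21T08:05:00Z", "country": "GB", "device": "LAPTOP-A1", "lat": 51.51, "lon": -0.13},
    {"user": "bob",   "time": "2024-03-21T09:00:00Z", "country": "US", "device": "DESKTOP-B7", "lat": 40.71, "lon": -74.01},
]
# Constructed set of users whose current credential appeared in a breach feed.
LEAKED_CREDENTIAL_USERS = {"bob"}

WEIGHTS = {"unfamiliar_country": 30, "unfamiliar_device": 20,
           "leaked_credential": 40, "impossible_travel": 50}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed
MIN_TRAVEL_KM = 50.0              # assumption: ignore geolocation jitter below this


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _learn(baselines, ev):
    """Fold one accepted sign-in into the user's baseline."""
    b = baselines[ev["user"]]
    b["countries"].add(ev["country"])
    b["devices"].add(ev["device"])
    b["last"] = ev


def build_baselines(history):
    """Per user: the set of countries and devices seen, plus the most recent sign-in."""
    baselines = defaultdict(lambda: {"countries": set(), "devices": set(), "last": None})
    for ev in sorted(history, key=lambda e: _ts(e["time"])):
        _learn(baselines, ev)
    return baselines


def score_signin(event, baselines):
    """Return (risk score, list of triggered signals) for one sign-in event."""
    b = baselines.get(event["user"])
    signals = []
    if b is None:  # never seen before: everything is unfamiliar
        signals += ["unfamiliar_country", "unfamiliar_device"]
    else:
        if event["country"] not in b["countries"]:
            signals.append("unfamiliar_country")
        if event["device"] not in b["devices"]:
            signals.append("unfamiliar_device")
        last = b["last"]
        hours = (_ts(event["time"]) - _ts(last["time"])).total_seconds() / 3600
        km = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
        # Atypical travel: too far to have physically moved since the last sign-in.
        if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            signals.append("impossible_travel")
    if event["user"] in LEAKED_CREDENTIAL_USERS:
        signals.append("leaked_credential")
    return sum(WEIGHTS[s] for s in signals), signals


def decide_response(score):
    """Map a risk score to a pre-defined remediation action (thresholds assumed)."""
    if score >= 60:
        return "block_and_revoke_sessions"
    if score >= 30:
        return "require_mfa_step_up"
    return "allow"


def evaluate_stream(events, history=HISTORY):
    """Score sign-ins in time order. Only sign-ins that were allowed update the
    baseline, so a blocked attacker's location never becomes 'normal'."""
    baselines = build_baselines(history)
    results = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        score, signals = score_signin(ev, baselines)
        action = decide_response(score)
        results.append({"user": ev["user"], "score": score, "signals": signals, "action": action})
        if action == "allow":
            _learn(baselines, ev)
    return results


# Constructed new sign-ins to evaluate.
NEW_SIGNINS = [
    # alice as usual from London on her laptop.
    {"user": "alice", "time": "2024-03-22T08:00:00Z", "country": "GB", "device": "LAPTOP-A1", "lat": 51.51, "lon": -0.13},
    # "alice" from Sydney one hour later on an unknown device.
    {"user": "alice", "time": "2024-03-22T09:00:00Z", "country": "AU", "device": "UNKNOWN-9F", "lat": -33.87, "lon": 151.21},
    # bob from his usual place and device, but his credential is on a breach list.
    {"user": "bob",   "time": "2024-03-22T09:30:00Z", "country": "US", "device": "DESKTOP-B7", "lat": 40.71, "lon": -74.01},
]

if __name__ == "__main__":
    for result in evaluate_stream(NEW_SIGNINS):
        print(result)
```

The design choice worth noting is in evaluate_stream: the baseline is updated only from sign-ins the policy allowed. If the Sydney sign-in were folded into alice's baseline, the next sign-in from that device and country would look familiar, which is exactly how a compromised identity quietly becomes the new normal. The leaked-credential case shows why a step-up action is useful: bob's behaviour is entirely normal, so a behavioral rule alone would let him through, but the breach-feed match is enough to demand MFA without fully locking out a probably legitimate user.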
Bottom Line: Strengthening IAM with ITDR
As we stand on the cusp of the 2024 threat landscape, the statistics and trends highlighted above point to a paradigm shift towards a proactive, identity-centric security strategy. Implementing robust security measures is not just about defending against evolving threats but about predicting and neutralizing future ones. Integrating ITDR security into IAM helps you clean up vulnerabilities before attackers discover them and creates a large maze of invisible traps across your environment that distracts attackers. Moreover, ITDR offers robust security controls that stop attacks before they turn into breaches, enabling you to secure your crown jewels by cutting off the attacker’s pathways.
At iLink Digital, we are at the forefront of advanced cybersecurity services and solutions with 360-degree risk assessments. From continuous infrastructure surveillance to rapid threat neutralization, we bolster your defenses to combat evolving threats, ensuring a secure, resilient digital future.