Use Identity Threat Detection and Response to Better Prepare for Cyberattacks

By Henrique Teixeira, Sr Director Analyst, Gartner

Security and risk management (SRM) leaders must add identity threat detection and response (ITDR) capabilities to their security infrastructure to enhance cyberattack preparedness. ITDR is a security discipline that encompasses threat intelligence, best practices, tools and processes to protect identity systems. Now is the time to add ITDR capabilities, because conventional identity and access management (IAM) controls alone are insufficient to protect identity systems from attack.

Identity is foundational to both cybersecurity and the business. ITDR unifies tools and best practices to protect the integrity of identity systems, which is necessary even for mature identity and access management (IAM) and infrastructure security deployments.

Prepare for ITDR by understanding what it is

An identity threat is a potential cyberattack related to identity infrastructure, such as access management tools, directory servers, certificate authorities and other IAM systems. An identity threat attempts to circumvent, bypass or abuse identity systems in order to enable a cyberattack.

Prevention must be a foundational part of every cyberattack preparedness plan. SRM leaders need to document the key elements of their identity infrastructure and assess whether proper preventive controls are in place. However, there is no such thing as infallible prevention.

ITDR works as the second and third layers of defense, after the foundational preventive mechanisms previously identified are in place.

SRM leaders must understand the differences between prevention controls and ITDR. Doing so allows them to make better plans for implementing “defense in depth” with a focus on identity.

Enhance identity detection and analysis controls

Identity attack techniques are diverse, and attackers probe all aspects of identity infrastructure. There are major detection gaps between IAM and infrastructure security controls. IAM is traditionally used mainly as a preventive control, whereas infrastructure security (including traditional SOC tools) is used broadly but has limited depth when it comes to detecting identity-specific threats.

Detection must be agile enough to keep up with new techniques. SRM leaders should enhance detection controls by choosing a single focal point for identity alert correlation, with detection logic that prioritizes identity tactics, techniques and procedures (TTPs) over other detection mechanisms. The MITRE ATT&CK framework is a good source for those TTPs.
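What “identity as the focal point for correlation” looks like in practice, as an added example (not code from the article or from Gartner): a small detector that reads sign-in events, first keys on the source to spot a password spray (ATT&CK T1110.003, one guess across many accounts), then re-keys on the identity to catch the account the spray actually got into. The JSON log format, field names, thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Identity-centred detection over sign-in events (added example, not from the article).

The log format, field names and thresholds are assumptions for illustration;
the sample events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample: one source sprays a single guess across six accounts
# (ATT&CK T1110.003, Password Spraying), then signs in as one of them.
# A second user mistypes a password twice, which must NOT trip the detector.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "user": "alice", "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-05-01T08:00:05Z", "user": "bob",   "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-05-01T08:00:09Z", "user": "carol", "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-05-01T08:00:14Z", "user": "dave",  "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-05-01T08:00:20Z", "user": "erin",  "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-05-01T08:00:26Z", "user": "frank", "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-05-01T08:01:02Z", "user": "bob",   "src_ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-05-01T08:01:10Z", "user": "bob",   "src_ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-05-01T08:01:18Z", "user": "bob",   "src_ip": "198.51.100.4", "result": "success"}
{"ts": "2024-05-01T08:03:40Z", "user": "dave",  "src_ip": "203.0.113.9", "result": "success"}
{"ts": "2024-05-01T08:05:00Z", "user": "grace", "src_ip": "192.0.2.77",   "result": "success"}
"""

SPRAY_WINDOW = timedelta(minutes=10)   # assumed tuning values
SPRAY_MIN_USERS = 5                    # distinct accounts a source must touch
SPRAY_MAX_PER_USER = 2                 # sprays are "low and slow" per account


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def detect_password_spray(events):
    """Source-keyed stage: many distinct accounts, few failures each, inside one window.

    Returns {src_ip: {"first_seen": datetime, "users": set}} for spraying sources.
    """
    failures_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures_by_src[ev["src_ip"]].append(ev)

    sprays = {}
    for src, fails in failures_by_src.items():
        for i, start in enumerate(fails):           # sliding window over this source's failures
            window = [f for f in fails[i:] if f["ts"] - start["ts"] <= SPRAY_WINDOW]
            per_user = defaultdict(int)
            for f in window:
                per_user[f["user"]] += 1
            if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
                sprays[src] = {"first_seen": start["ts"], "users": set(per_user)}
                break
    return sprays


def correlate_spray_success(events, sprays):
    """Identity-keyed stage: a success for a sprayed account from the spraying source,
    after the spray began. This is the 'identity compromised' signal, not a per-host alert."""
    hits = []
    for ev in events:
        spray = sprays.get(ev["src_ip"])
        if (spray and ev["result"] == "success"
                and ev["user"] in spray["users"] and ev["ts"] >= spray["first_seen"]):
            hits.append((ev["user"], ev["src_ip"], ev["ts"]))
    return hits


def analyze(text):
    """Run both stages and rank: an account the spray got into outranks the spray itself."""
    events = parse_events(text)
    sprays = detect_password_spray(events)
    compromised = correlate_spray_success(events, sprays)
    alerts = [{"severity": "medium", "ttp": "T1110.003", "src_ip": src,
               "users": sorted(info["users"])} for src, info in sprays.items()]
    alerts += [{"severity": "high", "ttp": "T1110.003", "user": user, "src_ip": src,
                "action": "contain identity: revoke sessions, force step-up auth, reset credential"}
               for user, src, _ in compromised]
    alerts.sort(key=lambda a: a["severity"] != "high")   # identity compromise first
    return {"sprays": sprays, "compromised": compromised, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

On the sample above the detector raises one medium alert for the spraying source and one high alert naming the compromised identity (dave), while bob's two mistyped passwords followed by a success are ignored because they come from a single account. The point of the second stage is the one the article makes: a host- or network-keyed tool sees only a burst of failed logins, whereas correlating on the identity turns the same events into “this account is now in the attacker's hands, contain it.”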

Know how to respond to an identity threat

ITDR requires much more intensive interoperability with the IAM toolset during the response phase than other types of threat response. The initial phase requires isolating the user identity, the device and possibly the network to contain the threat. ITDR responses may have to fall back to manual or semi-automated processes if the IAM infrastructure itself is compromised, since the tooling that would normally automate the response can no longer be trusted.

The response to an identity threat must enable interoperability between IAM and security operations. This requires integration of procedures and security operation tools for facilitating investigation and automating response actions.

SRM leaders should not only prepare for and detect threats and attacks, but also prepare a response playbook for common identity threats. That playbook should cover the following actions:

  • Contain and eradicate: Isolate the threat by blocking command and control traffic, disabling identity synchronization jobs between on-premises directories and cloud user repositories (so changes made in a compromised directory cannot propagate), and using automated threat containment approaches such as risk-based adaptive access.
  • Recover: Restore from known-good backups and collect evidence for investigation and preservation.
  • Report: Notify stakeholders early, adhere to applicable regulations, and forward events to endpoint and incident response tools for processing, enriched with the identity details gathered during the investigation.
  • Remediate: Reset affected credentials, remove rogue accounts, patch systems and update the prevention controls the attack got past.

It is important for SRM leaders to recognize they must invest in best practices for preventive IAM infrastructure security, while also evaluating the ITDR tools that are available. This will enhance preparedness for, and responsiveness to, an attack if IAM infrastructure is compromised.

Henrique Teixeira is a Sr Director Analyst at Gartner, Inc. where he provides insights about the latest IAM trends, predictions and actionable best practices.
