Taking The Fight To Identity Thieves With ITDR

Michael Byrnes, Director of Solutions Engineering iMEA at BeyondTrust highlights that identity theft has become one of the biggest cybersecurity threats and to stop identity theft in the region Michael shares a new methodology, Identity Threat Detection & Response (ITDR). 

The global cybersecurity discipline is rapidly moving away from traditional perimeter-based strategies. The surge in attacks that occurred in the Arab Gulf during pandemic lockdowns was a wake-up call to the SOC. Security leaders know hybrid work has become a permanent fixture and identity is our new perimeter. The hacker has been replaced by the credentials thief. No need to break a rear window and enter by stealth when you can disguise yourself as someone who belongs and stroll brazenly through the front door.

It is easier to steal identities now because there are more identities available. Mass cloud adoption and the proliferation of non-human accounts has given rise to a ludicrous situation in which — in a very real way — identities are strewn about the floor just waiting to be picked up by nefarious parties. Because so many different tools are used to manage credentials, account supervisors may be unaware that an account is lying unused and overprovisioned. And threat actors are keen to use these accounts because they can creep through systems as a logged-on user, running no malicious code, biding their time. Such attack methods are exceedingly difficult to stop, especially when security teams lack the visibility to spot them.

Given these factors, is it any wonder that identity compromise is the cause of almost every cyberattack? Our methods for countering these kinds of incursions are not cutting it. Endpoint solutions focus on the detection of malicious code, for the most part, and are inadequately designed for discovering identity compromise, lateral movement, and privilege escalation. Calling for just-in-time (JIT) access models is all well and good, but if the relationship between users, privileges, and systems is poorly understood because of a lack of visibility, then JIT cannot be implemented effectively.

The case for Identity Threat Detection & Response (ITDR)
So, out with the old. And to replace siloed tools, we turn to something that is really more of a methodology than a product. We call it identity-threat detection and response (ITDR). We combine security tools and processes to allow us to zero in on suspicious in-session activity and respond to attacks as they happen. ITDR is able to do this through a deeper understanding of permissions, configurations, and the relationships between accounts. And this deeper understanding comes from uniting best-in-class solutions already available in the market.

The level of insights available in ITDR opens the door to predicting likely attack paths. This is because visibility at scale allows the suite to flag compromised systems by uncovering exposed identities and a list of all the systems they can access. It also has an audit trail of where those identities have been used and has control over them; it can revoke privileges and rotate logon details, for example.

Adoption of ITDR should be undertaken carefully. Because it is more a practice than a product, integration plays a significant role in implementation. Investments can easily be squandered if stakeholders do not pay due attention to the fundamentals. Before any detection or response can take place, organizations must claim back visibility and control of the hardware and software that comprise their identity infrastructure. This visibility and control must also apply to accounts themselves. Security personnel must be able to see at a glance all current access so they can sift out overprivileged accounts.

Automated effectiveness
Identity governance, identity-lifecycle management, privileged-access management, and cloud-infrastructure entitlements management will all be important in delivering this visibility. There are platforms on the market that automate discovery of identities and privileges and enforce best practices. This can be useful when working with disparate systems across cloud and premises. Automated discovery solutions are better equipped to keep pace with a rapidly changing threat landscape. They integrate seamlessly into a range of ecosystems and automate data exchange to give a comprehensive unified view of the identity environment, regardless of technology mix. The recommendations that spring from these platforms can mean the difference between a timely discovery and a costly outage.

So far, we have been talking about visibility — about discovering the identities in place and establishing, through policy, which ones are a risk to the enterprise, and which are necessities. Next, we look at detection. With its newfound visibility, the business can bridge the gaps between its identity solutions and its security tools. Simply pouring your discovered identity data into SIEM and XDR tools is insufficient. The system used to manage identities must know information such as levels of privilege and relationship with other accounts.

Assuming everything comes together as it should, ITDR will have implemented the right basics and the security team can build on its foundation to deliver IdP/SSO services, privileged access management (PAM), identity governance and administration (IGA), and multi-factor authentication. The organization should also regularly audit every policy, process, and control to ensure they conform to current best practices. Constant vigilance and ongoing review will prevent the emergence of gaps or shadow infrastructure. If an integrated ecosystem is built in layers, this can greatly help an SOC to proactively reduce the attack surface.

Tight control
With ITDR in place, identities are there for all to see instead of hidden or obscured by IT complexity. With the right tools, signals, and integrations in place, threat hunters do not even need to respond to many identity security threats as the security suite will do this automatically. Organizations can build out identity security indicators of attack/compromise (IACs), and leverage user and entity behavior analytics (UEBA) to better detect attacks as a secondary layer of defense. They can also build out their identity threat playbooks so that all stakeholders know how to respond to an incident.

Identity compromise must become the priority in cybersecurity. It is simply too common to ignore. Through ITDR, a path emerges — one of comprehensive visibility and tight control. One of finally taking the fight to the identity thief.