The Identity Threat Detection and Response Lifecycle

Identity pros have long understood that identity is the new security perimeter. Identity systems like Active Directory (AD)—the primary identity store in use today—are primary targets for cyberattacks. By gaining access to AD, attackers can eventually grab the types of elevated privileges necessary to steal company and user data and intellectual property and to lock down or destroy systems in attempted ransomware attacks. 

This year, Gartner acknowledged the importance of identity security by devising a new category: Identity Threat Detection and Response (ITDR). As ITDR solutions proliferate, many organizations are realizing that along with strong endpoint security, hybrid AD (i.e., AD and Azure AD) security plays a central role in identity protection—and the ability to maintain operational resilience.

What does this mean for IT and identity pros tasked with evaluating ITDR solutions? The most efficient approach to mitigating attacks against AD is one that considers the three stages of the AD attack cycle: before, during, and after.

Securing identity before a cyberattack

We recently talked about ITDR with attendees of the Gartner Identity & Access Management Summit in Las Vegas. Not surprisingly, more than three-quarters of those we polled expected that a cyberattack would have a severe impact on their organization, which aligns with the 2022 Trends in Securing Digital Identities research that indicated 78% experienced a business impact as the result of an identity-related breach. Many, if not all, of these respondents have a disaster recovery solution. However, they do not have a specific plan or solution to protect and recover AD.

Detailed, tested identity security solutions and processes are a vital part of any effective recovery plan. Successful recovery of the identity store requires a proactive approach to AD backups, identity security assessments, and AD recovery procedures. 

Regular assessment of the security stance of your hybrid AD environment is also important. One problem is that many modern cyberthreat tactics, techniques, and procedures (TTPs) are designed to bypass traditional security monitoring tools, which rely on security and event logs. Security information and event management (SIEM) solutions, for example, have been rendered “blind” by attacks such as DCShadow, which injects changes through the replication protocol without generating the usual directory-change events. The “detection” aspect of ITDR, then, should include methods to monitor alternate data sources, such as the AD replication stream, to look for indicators of exposure or compromise that could otherwise go undetected.

Protecting identity from active cyberthreats

More than three-quarters of those we spoke with have a hybrid identity environment. Yet only one-third of respondents were “very confident” that they could remediate an on-prem attack, and just over one-quarter felt the same about their ability to protect Azure AD.

If your organization uses Office 365, it uses Azure AD. Many companies also maintain on-prem AD. If attackers do manage to breach your defenses, the synchronization of AD and Azure AD creates a potential pathway for attackers to move from on-prem to the cloud or vice versa, as was the case in the SolarWinds cyberattack, in which Azure AD was leveraged to access the on-premises identity store. 

Automatic remediation solutions that enable organizations to halt suspicious changes to AD can help to quickly shut down attacks that have infiltrated the environment. The difference between thwarting an attack and failing to do so can be a matter of minutes; the NotPetya attack on Maersk in 2017 infected an entire network within that time span. Those we spoke with noted that automated remediation of malicious changes was top of their wish list for remediation capabilities.
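As an added example (not code from this post or from Semperis), the following Python sketches how the two capabilities discussed above fit together: reading changes from the replication metadata rather than from event logs (the detection point made in the previous section), and deciding which of them an automated-remediation step should revert (the point made here). The domain controller inventory, invocation IDs, distinguished names and change records are all constructed for the example, and the revert policy is illustrative; in a real deployment the per-attribute metadata (originating DSA, version, originating time) is what `repadmin /showobjmeta` or the `Get-ADReplicationAttributeMetadata` cmdlet report.

```python
"""Triage of AD replication-stream changes (illustrative, constructed data).

Flags changes whose originating DSA is not a known domain controller (the
footprint a DCShadow-style rogue DC leaves in replication metadata) or that
touch protected objects/attributes, and builds the LDAP revert operation an
automated-remediation step would apply."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed inventory of legitimate DCs, keyed by the DSA invocation ID that
# replication metadata records as the "originating DSA" of each change.
KNOWN_DSAS = {
    "2c7d5b10-9f3e-4a61-8d2a-1b6e0c9f4a11": "DC01.corp.example",
    "7e0a3c44-51bd-4f0e-9c3b-6a8d2e1f0b22": "DC02.corp.example",
}

# Attributes and objects whose modification is treated as sensitive.
PROTECTED_ATTRIBUTES = {"member", "sIDHistory", "adminCount", "primaryGroupID",
                        "msDS-AllowedToDelegateTo", "servicePrincipalName"}
PROTECTED_OBJECTS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
}


@dataclass(frozen=True)
class ReplicatedChange:
    object_dn: str
    attribute: str
    old_value: Optional[str]       # None when a value was added
    new_value: Optional[str]       # None when a value was removed
    originating_dsa: str           # invocation ID of the DC the change came from
    version: int                   # per-attribute version stamp from the metadata
    originating_time: datetime


@dataclass
class Finding:
    change: ReplicatedChange
    indicators: List[str]
    action: str                    # "revert", "alert" or "none"


def evaluate(change: ReplicatedChange, known_dsas=KNOWN_DSAS) -> Finding:
    """Classify one replicated change under the illustrative policy."""
    rogue = change.originating_dsa not in known_dsas
    on_protected_object = change.object_dn in PROTECTED_OBJECTS
    on_protected_attr = change.attribute in PROTECTED_ATTRIBUTES
    indicators = []
    if rogue:
        indicators.append("originating DSA is not a known DC (DCShadow indicator)")
    if on_protected_object:
        indicators.append("change to protected object")
    if on_protected_attr:
        indicators.append(f"change to protected attribute {change.attribute}")
    if not indicators:
        return Finding(change, [], "none")
    # Revert automatically when the source is a rogue DC or a protected
    # attribute of a protected object moved; otherwise alert a human.
    action = "revert" if rogue or (on_protected_object and on_protected_attr) else "alert"
    return Finding(change, indicators, action)


def revert_operation(finding: Finding) -> Optional[dict]:
    """Build the LDAP modify that restores the pre-change state, or None."""
    if finding.action != "revert":
        return None
    c = finding.change
    if c.old_value is None:                       # a value was added: remove it
        return {"dn": c.object_dn, "attribute": c.attribute, "operation": "delete", "value": c.new_value}
    if c.new_value is None:                       # a value was removed: put it back
        return {"dn": c.object_dn, "attribute": c.attribute, "operation": "add", "value": c.old_value}
    return {"dn": c.object_dn, "attribute": c.attribute, "operation": "replace", "value": c.old_value}


def triage(changes, known_dsas=KNOWN_DSAS) -> List[Finding]:
    return [evaluate(c, known_dsas) for c in changes]


# Constructed sample of four replicated changes.
T = datetime(2022, 11, 2, 9, 15, tzinfo=timezone.utc)
SAMPLE_CHANGES = [
    # Routine attribute edit from a known DC: nothing to do.
    ReplicatedChange("CN=jdoe,OU=Staff,DC=corp,DC=example", "description",
                     "Analyst", "Senior Analyst", "2c7d5b10-9f3e-4a61-8d2a-1b6e0c9f4a11", 5, T),
    # sIDHistory populated on an ordinary user from a known DC: alert for review.
    ReplicatedChange("CN=jdoe,OU=Staff,DC=corp,DC=example", "sIDHistory",
                     None, "S-1-5-21-1111111111-2222222222-3333333333-512",
                     "7e0a3c44-51bd-4f0e-9c3b-6a8d2e1f0b22", 1, T),
    # primaryGroupID changed by a DSA that is not in the inventory: revert.
    ReplicatedChange("CN=svc-backup,OU=Service,DC=corp,DC=example", "primaryGroupID",
                     "513", "512", "00000000-dead-beef-0000-000000000000", 2, T),
    # Member added to Domain Admins, even from a known DC: revert pending review.
    ReplicatedChange("CN=Domain Admins,CN=Users,DC=corp,DC=example", "member",
                     None, "CN=svc-backup,OU=Service,DC=corp,DC=example",
                     "2c7d5b10-9f3e-4a61-8d2a-1b6e0c9f4a11", 9, T),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CHANGES):
        print(f.action.upper(), f.change.object_dn, f.change.attribute, f.indicators, revert_operation(f))
```

The block only decides and describes the revert; applying it means issuing the LDAP modify against a trusted DC. Note that restoring the attribute value does not by itself clean up a rogue DC registration that produced the change, and the replication metadata (unknown originating DSA, version jump) should be preserved as evidence for the response that follows.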

Restoring identity services and operations after an attack

“Recovery” is one aspect of ITDR that has received less attention than detection and prevention. In a worst-case scenario, getting back to business as normal requires manual recovery, often from system-state backups that can re-introduce malware, depending on how long attackers have been present in the environment. The result can be days or even weeks of lost data and business revenue. An automated, multi-forest AD recovery solution can save not only time, but resources and reputation. Organizations would be well advised not to neglect this final stage of the ITDR equation.

The increasing interest in ITDR is good news for those of us dedicated to identity security. Including AD and Azure AD in cybersecurity and disaster recovery planning is a smart move. By considering challenges at every part of the attack cycle—before, during, and after—organizations will be well-prepared to fend off threats.

Read more about protecting Active Directory in a blog by my colleague Gil Kirkpatrick.

About the Author: Itay Nachum, Semperis Director of Product Management, is a passionate technology evangelist, public speaker, and cybersecurity SME with 16+ years of experience in leading sales engineering and enablement, customer and product strategy operations, global solution architecture, and technical alignment in both startup and global enterprise environments.
