Identity Threat Detection and Response (ITDR)


Identity Threat Detection and Response (ITDR) is an emerging category of cybersecurity solutions focused specifically on protecting the identity layer of an organization's infrastructure. It is a set of capabilities designed to detect and respond to attacks that compromise user and service identities (like accounts, credentials, and access keys) and exploit them to gain unauthorized access, escalate privileges, and move laterally within a network.

Core Components and Focus

ITDR focuses on the entire lifecycle of an identity-based attack, from initial compromise to post-breach remediation.

  • Discovery and Posture Management: ITDR solutions begin by identifying and assessing the security posture of an organization's identity infrastructure, including systems such as Active Directory (AD), Microsoft Entra ID (formerly Azure AD), and third-party Identity Providers (IdPs). This involves continuously identifying and prioritizing vulnerabilities and misconfigurations (e.g., legacy authentication protocols such as NTLMv1 left enabled, stale accounts, excessively privileged accounts, service accounts with weak passwords) that an attacker could exploit to initiate a breach.

  • Detection of Identity-Based Attacks: This is the core function of ITDR. It uses sophisticated analytics and machine learning to monitor identity activity and detect suspicious behavior in real time. This includes:

    • Compromised Credentials: Detecting the use of stolen passwords or keys, often through analysis of login patterns (time, location, device) or abnormal service account activity.

    • Lateral Movement and Privilege Escalation: Identifying when an attacker uses a compromised identity to move from one system to another or to gain higher levels of access. In an AD environment this includes Kerberoasting (requesting service tickets to crack service-account passwords offline), forging Golden Tickets with a stolen krbtgt hash, or using DCShadow to push rogue changes into the directory through replication.

    • Manipulation of Identity Infrastructure: Alerting on unauthorized changes to core identity systems, such as altering group memberships, creating new privileged accounts, or modifying trust relationships.

  • Response and Containment: Upon detecting a threat, ITDR capabilities provide automated or semi-automated actions to stop the attack and contain the damage. Response measures may include:

    • Automated Remediation: Disabling or resetting the compromised account's credentials.

    • Isolating Systems: Restricting network access for suspicious devices or accounts.

    • Reversing Malicious Changes: Rolling back unauthorized modifications to the identity infrastructure.

  • Integration: A crucial aspect of ITDR is its ability to seamlessly integrate with other security tools, such as Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Extended Detection and Response (XDR) platforms, to provide a unified and coordinated security response.
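The detection bullet above names two signals that an ITDR product derives from directory telemetry: a burst of Kerberos service-ticket requests (Kerberoasting) and unauthorized changes to privileged group membership. The block below is an added example, not ThreatNG's or any vendor's detection logic: it runs both rules over constructed Windows Security events (simplified dicts modelled on Event IDs 4769 and 4728) and escalates when one account trips both, which is the "lifecycle" view ITDR is meant to provide. Thresholds, group names and the event shapes are this example's assumptions.

```python
"""Two ITDR detections run over constructed Windows Security events.

Added example, not ThreatNG or any vendor's detection logic. Events are
simplified dicts modelled on Event ID 4769 (Kerberos service ticket requested)
and 4728 (member added to a security-enabled global group); every line below
is constructed for the demo, not captured from a real domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType requested by Kerberoasting tools: RC4 tickets crack far
# faster than AES ones (0x11 / 0x12).
RC4_HMAC = 0x17
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed events. jsmith is ordinary AES traffic; contractor7 requests RC4
# tickets for six services inside one minute, then adds an account to Domain Admins.
EVENTS = [
    {"id": 4769, "ts": "2024-05-01T09:00:01", "user": "jsmith", "spn": "MSSQLSvc/db1.corp:1433", "enc": 0x12},
    {"id": 4769, "ts": "2024-05-01T09:00:05", "user": "jsmith", "spn": "HTTP/intranet.corp", "enc": 0x12},
    {"id": 4769, "ts": "2024-05-01T13:10:00", "user": "contractor7", "spn": "MSSQLSvc/db1.corp:1433", "enc": 0x17},
    {"id": 4769, "ts": "2024-05-01T13:10:02", "user": "contractor7", "spn": "MSSQLSvc/db2.corp:1433", "enc": 0x17},
    {"id": 4769, "ts": "2024-05-01T13:10:03", "user": "contractor7", "spn": "HTTP/intranet.corp", "enc": 0x17},
    {"id": 4769, "ts": "2024-05-01T13:10:05", "user": "contractor7", "spn": "CIFS/fs1.corp", "enc": 0x17},
    {"id": 4769, "ts": "2024-05-01T13:10:09", "user": "contractor7", "spn": "ldap/dc1.corp", "enc": 0x17},
    {"id": 4769, "ts": "2024-05-01T13:10:40", "user": "contractor7", "spn": "exchangeMDB/mail1.corp", "enc": 0x17},
    {"id": 4728, "ts": "2024-05-01T13:25:00", "actor": "contractor7", "member": "svc-backup", "group": "Domain Admins"},
    {"id": 4728, "ts": "2024-05-01T15:00:00", "actor": "helpdesk1", "member": "newhire", "group": "Sales"},
]


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=5):
    """Flag an account requesting RC4 tickets for >= min_spns distinct SPNs within `window`.

    One RC4 request is normal for a legacy service; a burst across many SPNs is a roast.
    Tune min_spns upward in domains with many RC4-only services.
    """
    requests = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["enc"] == RC4_HMAC:
            requests[e["user"]].append((datetime.fromisoformat(e["ts"]), e["spn"]))
    alerts = []
    for user, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):            # sliding window from each request
            spns = {spn for ts, spn in reqs[i:] if ts - start <= window}
            if len(spns) >= min_spns:
                alerts.append({"rule": "kerberoasting", "user": user,
                               "first_seen": start.isoformat(), "spns": sorted(spns)})
                break
    return alerts


def detect_privileged_group_add(events, privileged=PRIVILEGED_GROUPS):
    """Flag any member added to a privileged group; this should be rare and always ticketed."""
    return [{"rule": "privileged_group_add", "user": e["actor"], "member": e["member"], "group": e["group"]}
            for e in events if e["id"] == 4728 and e["group"] in privileged]


def run_detections(events):
    """Run both rules, then escalate: one account tripping both rules is an attack chain."""
    alerts = detect_kerberoasting(events) + detect_privileged_group_add(events)
    rules_by_user = defaultdict(set)
    for a in alerts:
        rules_by_user[a["user"]].add(a["rule"])
    for a in alerts:
        a["severity"] = "critical" if len(rules_by_user[a["user"]]) > 1 else "high"
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The 4728 rule is deliberately unconditional: unlike the roasting rule it needs no baseline, because a privileged-group change without a change ticket is the finding regardless of who made it.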

The Need for ITDR

Traditional security tools often struggle to secure the identity layer because they were built to watch networks and endpoints, not accounts and directories:

  1. Endpoints/Workloads vs. Identities: While Endpoint Detection and Response (EDR) focuses on the device itself, ITDR focuses on the accounts accessing the device and the core directories that host them.

  2. Perimeter Erosion: With the rise of cloud services and remote work, the network perimeter has largely dissolved. Identities have become the new control plane or security perimeter, making them the primary target for attackers.

  3. Authentication Abuse: Many attacks involve no malware at all, only the abuse of legitimate credentials, often combined with built-in administrative tools (living-off-the-land techniques). A valid login with a stolen password looks like normal traffic to network and endpoint security tools, which may overlook it.

In essence, ITDR fills a critical gap by providing specialized security for the foundational identity systems that control access to an organization's most valuable assets.

ThreatNG's capabilities, centered on External Attack Surface Management (EASM) and Digital Risk Protection (DRP), are highly complementary to a comprehensive ITDR strategy, particularly in the initial phases of attack preparation and compromise. ThreatNG excels at providing an external adversary's view of identity-related vulnerabilities and leaks that an attacker would exploit to launch an identity-based attack.

How ThreatNG Aids Identity Threat Detection and Response (ITDR)

ThreatNG helps an organization's ITDR program by focusing on external indicators of compromise and attack preparation that precede breaches of internal identity infrastructure (such as Active Directory or Okta).

1. External Discovery

ThreatNG performs purely external unauthenticated discovery to map an organization’s digital footprint. In the context of ITDR, this means discovering all exposed assets and technologies that could contain credentials or be used as a launchpad for identity attacks.

2. External Assessment: Highlighting Identity-Related Risks

ThreatNG's external assessment capabilities provide a deep, outside-in analysis of specific risks directly related to identity compromise and abuse. The security ratings (A-F) clearly indicate the severity of these exposures.

  • BEC & Phishing Susceptibility: This rating is crucial for anticipating social engineering attacks targeting employee identities. It is based on Compromised Credentials discovered on the Dark Web, which are immediately usable in a credential stuffing attack. It also checks for Domain Name Permutations (typosquatting domains) with mail records, indicating a high likelihood of malicious look-alike domains being used for phishing to harvest new employee credentials. Furthermore, the lack of DMARC and SPF records makes an organization highly susceptible to email spoofing, in which attackers send emails that appear to come from internal sources to trick users into providing credentials.

  • Data Leak Susceptibility: This identifies sources where credentials or other secrets that grant unauthorized access could be found, specifically flagging Compromised Credentials.

  • Cyber Risk Exposure: This comprehensively assesses identity-related exposures, including Compromised Credentials and Sensitive Code Discovery and Exposure (code secret exposure). For example, a code secret exposure could be a hardcoded API key that allows an attacker to impersonate a service identity, thereby bypassing traditional user authentication. It also checks for missing DMARC and SPF records.
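Both the BEC & Phishing Susceptibility and Cyber Risk Exposure ratings above turn on the presence and strength of SPF and DMARC records. The block below is an added example, not ThreatNG's rating algorithm: it parses two constructed TXT records per domain (as if already fetched from DNS), lists the concrete weaknesses a receiver would act on, and collapses them to a letter grade. The A-F scale and thresholds here are this example's own and only mirror the page's letter-grade convention; the domain names and records are constructed.

```python
"""Grade a domain's SPF and DMARC TXT records for email-spoofing exposure.

Added example, not ThreatNG's rating algorithm. The A-F scale is this example's
own; the records are constructed strings standing in for live DNS TXT answers.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def spf_findings(txt):
    if not txt or not txt.startswith("v=spf1"):
        return ["no SPF record: any host may send mail as this domain"]
    terms = txt.split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("SPF ends in +all: every sender on the internet passes")
        elif qualifier == "?":
            findings.append("SPF ends in ?all: unlisted senders get a neutral result")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror")
    return findings


def dmarc_findings(txt):
    if not txt or not txt.startswith("v=DMARC1"):
        return ["no DMARC record: receivers apply no policy to mail failing SPF/DKIM"]
    tags = {}
    for kv in txt.split(";"):
        if "=" in kv:
            key, value = kv.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is delivered, only reported")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("DMARC has no rua: no aggregate reports, so spoofing goes unnoticed")
    return findings


def grade(spf_txt, dmarc_txt):
    """Letter grade plus the findings behind it (scale is this example's own)."""
    findings = spf_findings(spf_txt) + dmarc_findings(dmarc_txt)
    text = " ".join(findings)
    open_sender = "no SPF record" in text or "+all" in text
    no_dmarc = "no DMARC record" in text
    if open_sender and no_dmarc:
        letter = "F"
    elif open_sender or no_dmarc:
        letter = "D"
    elif "p=none" in text or "invalid" in text:
        letter = "C"
    elif findings:
        letter = "B"
    else:
        letter = "A"
    return letter, findings


# Constructed records for four fictional domains.
RECORDS = {
    "good.example": ("v=spf1 include:_spf.mail.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "monitor.example": ("v=spf1 mx ~all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "open.example": ("v=spf1 +all", None),
    "bare.example": (None, None),
}


def grade_all(records=RECORDS):
    return {domain: grade(spf, dmarc)[0] for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, (spf, dmarc) in RECORDS.items():
        letter, findings = grade(spf, dmarc)
        print(domain, letter, findings)
```

Note what the grade does not cover: SPF and DMARC only stop mail that claims to be from the exact domain. A look-alike domain registered by the attacker passes both checks on its own records, which is why the permutation findings in the Investigation Modules are a separate signal.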

3. Reporting and Continuous Monitoring

ThreatNG provides various reports, including Executive and Technical reports, which often include identity-related security ratings (A-F). This allows security leaders to assess their exposure to identity attacks quickly. This external attack surface and digital risk are under Continuous Monitoring, ensuring that any newly leaked credentials or phishing domains are immediately identified.

4. Investigation Modules

The Investigation Modules provide the granular detail needed to act on a threat and integrate the findings into an ITDR program.

  • Domain Intelligence (Domain Name Permutations): The system detects domain manipulations like typosquatting, homoglyphs, and dictionary additions across various top-level domains (TLDs) and targeted keywords like login, access, and auth. Example: If an attacker registers myc0mpany-login.com (using a zero for an 'o') and the domain has a mail record, ThreatNG flags it as a high-risk phishing setup, allowing the ITDR team to block access to that malicious domain and warn employees preemptively.

  • Email Intelligence: This module confirms the existence and security of email-related records. It reports on the Security Presence of DMARC, SPF, and DKIM records. A failure here means emails can be easily spoofed, a critical technique in phishing for credentials.

  • Social Media (Username Exposure): It performs a Passive Reconnaissance scan across social media and high-risk forums to check if a target username is available or taken. Example: An attacker conducting reconnaissance might check for a privileged user's handle on platforms like GitHub or Twitter. If the username is found, it provides the attacker with a data point for a sophisticated social engineering attack, helping them craft a convincing pretext to obtain credentials from an IT helpdesk.

  • Dark Web Presence: This module explicitly tracks Compromised Credentials associated with the organization. Example: If 50 employee emails and hashed passwords are found in a recent dark web breach dump, ThreatNG alerts the ITDR team, allowing them to force password resets for those accounts before an attacker can crack the hashes and use the credentials to gain initial access.

  • Sensitive Code Exposure (Code Repository Exposure): This discovers publicly exposed code repositories that may contain Access Credentials. Example: ThreatNG might find a public GitHub repository with an old configuration file containing a hardcoded AWS Access Key ID and its secret key. With that pair, an attacker can act as the IAM principal that owns the key, leading to a cloud breach while bypassing the user-focused controls (MFA, login anomaly detection) that an ITDR program applies to human accounts.

  • NHI Email Exposure: This identifies Non-Human-Interaction emails (like admin, security, service, devops, vpn, and ssh) discovered across various sources. Example: Identifying a jenkins@mycompany.com email associated with a compromised credential dump is a high-priority ITDR event, as it points to a likely service account compromise that can have wide-ranging, automated access.
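The Domain Intelligence bullet above describes detecting typosquats, homoglyphs and dictionary additions, and treating a registered look-alike with a mail record as the highest-risk case. The block below is an added example, not ThreatNG's Domain Intelligence module: it generates candidate look-alikes for a brand domain with a deliberately small substitution map and keyword list, then ranks the candidates that already resolve, putting those with an MX record first. The DNS answers are a constructed table standing in for live A and MX lookups, and the domain names are fictional.

```python
"""Generate look-alike domains for a brand and rank the ones that already resolve.

Added example, not ThreatNG's Domain Intelligence module. The substitution map,
keyword list and DNS table are this example's own constructed inputs.
"""

HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
KEYWORDS = ["login", "access", "auth", "sso", "portal"]   # words a credential-harvesting page tends to carry
TLDS = ["com", "net", "co", "io"]


def homoglyph_variants(label):
    """One substitution per variant: mycompany -> myc0mpany, rnycompany, ..."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def keyword_variants(label):
    """Dictionary additions: mycompany-login, login-mycompany, mycompanylogin."""
    return ({f"{label}-{kw}" for kw in KEYWORDS}
            | {f"{kw}-{label}" for kw in KEYWORDS}
            | {f"{label}{kw}" for kw in KEYWORDS})


def omission_variants(label):
    """Typos that drop one character: mycompny."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def candidates(domain):
    """All label variants crossed with the TLD list, minus the genuine domain."""
    label, _, _tld = domain.partition(".")
    labels = {label} | homoglyph_variants(label) | keyword_variants(label) | omission_variants(label)
    for variant in homoglyph_variants(label):          # stacked techniques: myc0mpany-login
        labels |= keyword_variants(variant)
    return {f"{lab}.{tld}" for lab in labels for tld in TLDS} - {domain}


# Constructed DNS view. A real run resolves every candidate; an MX record means
# the registrant can receive replies and send mail from the look-alike.
DNS = {
    "myc0mpany-login.com": {"a": "203.0.113.9", "mx": ["mail.myc0mpany-login.com"]},
    "mycompany.net": {"a": "203.0.113.10", "mx": []},          # registered, parked, no mail
    "mycompanyportal.io": {"a": None, "mx": []},               # registered but does not resolve
}


def classify(domain, dns=DNS):
    """Registered look-alikes, highest risk first: resolving with MX = ready to phish."""
    findings = []
    for name in sorted(candidates(domain)):
        rec = dns.get(name)
        if rec is None or rec["a"] is None:
            continue                  # unregistered or dark: watch list, nothing to block yet
        risk = "high" if rec["mx"] else "medium"
        findings.append({"domain": name, "risk": risk, "mx": rec["mx"]})
    findings.sort(key=lambda f: (f["risk"] != "high", f["domain"]))
    return findings


if __name__ == "__main__":
    print(len(candidates("mycompany.com")), "candidates generated")
    for finding in classify("mycompany.com"):
        print(finding)
```

The candidate set grows quickly (every homoglyph is crossed with every keyword and TLD), which is why the ranking step matters: only names that resolve are actionable, and only those with MX records justify an immediate block-and-warn response.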

5. Intelligence Repositories (DarCache)

The intelligence repositories provide the foundational data for all identity-related assessments, including DarCache Rupture for Compromised Credentials and DarCache Ransomware for tracking ransomware groups and their activities. This data is essential for an ITDR program to establish a baseline of external risks and prioritize internal remediation of leaked or exposed credentials.

6. Complementary Solutions

ThreatNG's EASM and DRP findings can significantly enhance the effectiveness of internal security solutions.

  • Integrating with Security Information and Event Management (SIEM) / Extended Detection and Response (XDR) Platforms: ThreatNG's discovery of a compromised credential or a potential phishing domain can be automatically fed into a SIEM/XDR system. Example: If ThreatNG detects that an executive's corporate email is part of a Compromised Credentials leak, the ITDR program can configure the XDR system to apply a higher risk score and stricter authentication policies (like step-up MFA) whenever that specific account is used for login, even if the password attempt is initially successful. The XDR can then correlate this external threat intelligence with internal login events to confirm exploitation.

  • Integrating with Identity and Access Management (IAM) Platforms: ThreatNG findings can drive immediate, automated remediation within an IAM or Identity Governance and Administration (IGA) system. Example: When ThreatNG identifies an exposed service credential (e.g., a hardcoded key in public code), the IGA solution can automatically rotate the key or disable the associated service account until the exposure is confirmed and mitigated, preventing a potential service identity takeover.

  • Integrating with Security Orchestration, Automation, and Response (SOAR) Platforms: SOAR can use ThreatNG's structured findings to automate a specific ITDR playbook. Example: Upon detecting a new, highly convincing Domain Name Permutation being used for phishing, the SOAR platform can automatically initiate a playbook to: 1) create a security ticket, 2) send an organization-wide alert with the malicious domain, and 3) update the organization's email filters to block that domain, all without manual intervention.
