What is ITDR?

In this article we look at a relatively new class of tools for countering credential theft: tools that detect weak or exposed credentials, and attacks on them, in real time.

As numerous industry surveys show, corporate security teams allocate the lion's share of their budgets to IAM systems, while the number of attacks on credentials keeps growing.

Compromising credentials and then using them to access information systems has become a central element of almost any cyberattack. This follows from the fact that attackers keep finding new ways to exploit the ever-growing attack surface and exposure of credentials. Multi-factor authentication alone is no longer enough.

In a corporate environment, strong authentication is typically bolted on at the client or middleware level (a Windows Credential Provider, an LDAP proxy, a RADIUS server, etc.), while the authentication provider itself (the KDC and LDAP server on a domain controller) continues to operate in single-factor mode. Any client that speaks Kerberos or LDAP to the domain controller directly, bypassing that middleware, is therefore authenticated by the password alone.

Consequently, a large number of credential attack vectors remain relevant even when an organization uses its IAM stack to the full.

So what is ITDR?

ITDR (Identity Threat Detection and Response) is a term introduced by Gartner for the set of tools and practices that protect identity systems. Companies spend heavily on modernizing access control (IAM), but that modernization mostly improves the authentication front end, adding layers on top of the underlying identity infrastructure and thereby enlarging the attack surface of the most fundamental part of the security stack.

ITDR is thus a set of technical tools and organizational measures for protecting credentials: identifying attacks on them, mitigating them, and preventing them.

The systems that make up an ITDR solution continuously monitor the activity of user and service accounts, looking for unusual sequences of events and patterns that indicate an attack on credentials is being prepared or is under way. The resulting indicators are compared both against statically configured thresholds and against baselines that the ITDR system keeps recalculating from its own observations of the infrastructure.

Depending on how the system classifies a given threat, the entities involved in an incident may be blocked from accessing certain services, or a step-up request for additional authentication factors may be triggered.

ITDR solutions make it possible to identify:

  • illegitimate use of credentials;
  • attempts to escalate privileges;
  • service accounts and pseudo-administrative accounts (accounts that hold effectively administrative rights without being nominal administrators);
  • credential attacks (password spraying, Golden/Diamond Ticket forgery, lateral movement, etc.).
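The following is an added example, not code from the original article or from any ITDR product, illustrating the two comparison modes mentioned above (a static threshold and a continuously recalculated baseline) applied to the password-spraying case from the list. It is written over a simplified, space-separated rendering of Windows Security events 4771 (Kerberos pre-authentication failed, where status 0x18 means a wrong password) and 4768 (TGT requested); the line format, the log lines, the history values, the window size and the thresholds are all constructed for the example and are not the native event format.

```python
"""
Password-spray detection over Windows Security events, showing the two
comparison modes described in the text: a static threshold and a baseline
computed from earlier observation windows. All log lines and history values
below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Simplified one-line rendering of event 4771 (Kerberos pre-authentication
# failed); status 0x18 is KDC_ERR_PREAUTH_FAILED, i.e. a wrong password.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) account=(?P<account>\S+) "
    r"client=(?P<client>\S+) status=(?P<status>0x[0-9a-fA-F]+)$"
)

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events

def failed_accounts_per_client(events, window_start, window=timedelta(minutes=5)):
    """Count distinct accounts that failed pre-auth with a bad password, per
    client address, inside [window_start, window_start + window).
    Many distinct accounts from one source is the spray signature; the same
    account failing repeatedly is a different pattern (brute force or a typo)."""
    end = window_start + window
    per_client = defaultdict(set)
    for ev in events:
        if (ev["event"] == "4771" and ev["status"].lower() == "0x18"
                and window_start <= ev["ts"] < end):
            per_client[ev["client"]].add(ev["account"])
    return {client: len(accounts) for client, accounts in per_client.items()}

def static_rule(counts, threshold=10):
    """Static indicator: a source failing against >= threshold distinct accounts."""
    return sorted(c for c, n in counts.items() if n >= threshold)

def baseline_rule(counts, history, k=3.0, floor=3):
    """Statistical indicator: a source exceeding mean + k*stdev of the per-window
    maxima seen in earlier windows. 'floor' stops a very quiet history from
    turning two typos into an alert."""
    limit = max(floor, mean(history) + k * pstdev(history))
    return sorted(c for c, n in counts.items() if n > limit)

def detect(text, history, window_start, threshold=10):
    """Run both rules over one observation window and return what each flagged."""
    counts = failed_accounts_per_client(parse_events(text), window_start)
    return {"counts": counts,
            "static": static_rule(counts, threshold),
            "baseline": baseline_rule(counts, history)}

# Constructed sample: a 12-account spray from 10.0.0.99, a slower 5-account
# spray from 10.0.0.77, one user (dave) mistyping a password three times, a
# successful TGT request (4768) that must be ignored, and a stale failure
# from before the window.
SAMPLE_LOG = "\n".join(
    [f"2024-05-06T08:00:{i:02d}Z 4771 account=user{i:02d} client=10.0.0.99 status=0x18"
     for i in range(1, 13)]
    + [f"2024-05-06T08:03:{i:02d}Z 4771 account=svc{i} client=10.0.0.77 status=0x18"
       for i in range(1, 6)]
    + ["2024-05-06T08:01:10Z 4771 account=dave client=10.0.0.5 status=0x18",
       "2024-05-06T08:01:15Z 4771 account=dave client=10.0.0.5 status=0x18",
       "2024-05-06T08:01:22Z 4771 account=dave client=10.0.0.5 status=0x18",
       "2024-05-06T08:02:00Z 4768 account=alice client=10.0.0.7 status=0x0",
       "2024-05-06T07:40:00Z 4771 account=user99 client=10.0.0.99 status=0x18"]
)
# Constructed history: highest per-client distinct-account failure count in
# each of the previous eight 5-minute windows (a quiet estate).
HISTORY = [1, 0, 2, 1, 1, 0, 1, 2]
WINDOW_START = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    result = detect(SAMPLE_LOG, HISTORY, WINDOW_START)
    print("distinct failed accounts per client:", result["counts"])
    print("static rule flagged:  ", result["static"])
    print("baseline rule flagged:", result["baseline"])
```

On the constructed data the static rule flags only the loud spray from 10.0.0.99, while the baseline rule, having learned that at most two distinct accounts normally fail from a single source per window, also catches the slower five-account spray from 10.0.0.77; dave's three failures against one account are counted once and trigger neither rule. The stale event before the window and the successful 4768 are ignored by the filter. In practice the history would be kept per source or per subnet rather than estate-wide, and the same structure applies to other ITDR indicators.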

They also respond to what they detect: blocking access for the affected entities and passing the incident on to other security systems.