Technology experts are understandably experiencing category exhaustion. This weariness can be more noticeable within security than in any other division of IT. Are the current use cases and risks compelling enough to justify the implementation of identity threat detection and response (ITDR)?
To tackle this query, we will start by examining the vulnerabilities, threats, misconfigurations, and attacks that ITDR specializes in uncovering.
With the evolution of identity threat detection and response (ITDR) technology, one of the most frequently asked questions we encounter is: “Why should we consider ITDR when we already utilize user behavior analytics (UBA) in our security operations (SecOps)?”
To address this query, we will delve into the latest research. Subsequently, we will dissect the vulnerabilities, threats, attacks, and misconfigurations that SecOps, in general, and UBA, in particular, may not effectively identify.
The risk landscape centered around identity
IBM’s 2024 Cost of a Data Breach study revealed that stolen or compromised credentials were the most common method of attack, seen in 16% of breaches.
There was a 71% year-on-year surge in the utilization of these compromised credentials in attacks, with 60% of all documented cyberattacks targeting identities and accounts.
While the network has conventionally been regarded as the IT security boundary, it is now apparent that identity serves as the new frontier. Identity functions as a conceptual stratum above networked applications. For example, being “logged in” to a system implies that an application or another system server has conferred a valid access token to a client app — such as a browser or terminal. As we will observe, it is within this realm of identity abstraction that tools and procedures must advance.
There have been three particularly notable breaches in the last two years worth mentioning:
- The Change Healthcare breach in 2024 involved an unmanaged local account and a lack of multi-factor authentication (MFA) on a remote access connection that was authenticated with compromised credentials. The attackers then moved laterally within the environment and deployed malware to a data repository holding the medical records of 100 million clients. The current estimated financial toll of this incident stands at approximately $2.9 billion.
- The Okta breach in September 2023 resulted from the compromise of a service account that had access to the data of any customer who used Okta’s technical support portal. The service credentials appear to have been obtained when hackers compromised an Okta employee’s personal Google account, an instance of shadow Software-as-a-Service (SaaS). That personal account both stored the service account’s credentials and was signed in on the employee’s workstation browser.
- The Snowflake breach of 2022 was among the largest breaches in terms of data volume. Notably, the hackers claimed to hold around 560 million Ticketmaster records, 30 million Santander Bank records, and 380 million Advance Auto Parts records. The perpetrators only managed to access accounts lacking MFA or those with improperly configured MFA.
Security Breaches: Usage of Access Rather Than Hacking
Though the statement “hackers don’t hack in, they log in” has become a cliché, it holds substance when it comes to the essence of the matter.
Hacking entails entering resources without proper authentication. Conversely, identity-based intrusions involve legitimate account hijacking and successful authentication. While the definitions of hacking are broad and diverse, let’s currently perceive it as “authentication circumvention.”
Traditional SecOps methodologies and tools scrutinize operations based on what is observable on the wire: network flows, endpoint telemetry, and application and system logs. Viewed at that level, these identity-based risks often appear benign.
This is predominantly because, lacking the context provided by identity and access management (IAM) expertise, these “authentication circumvention” risks might inadvertently be deemed routine.
5 Identity-related Risks
ITDR technology is developed to assimilate and evaluate identity-specific data. It gathers and correlates application logs and network streams, analyzing their content to uncover identity-based risks. This IAM-oriented analysis is where ITDR significantly differs from security information and event management (SIEM) and UBA, which are designed to perceive the “what” rather than the “who” or “why.”
Let’s explore five varieties of identity-based risks that ITDR is engineered to identify, along with a brief examination of why SIEM and UBA might not be the optimal solutions for mitigating these risks.
1. Weak Password Hashes and Compromised Credentials
Weak passwords possess low entropy (or unpredictability). These passwords can be guessed or cracked with minimal computational effort or time.
Advanced ITDR systems assess the potential time required to crack a password based on various factors like length and predictable sequences. ITDR can be enhanced with insights from password intelligence sources such as IBM X-Force Exchange. Such inputs aid in identifying established compromised username and password pairs.
This is a threat that SIEM and UBA were not inherently designed to identify.
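The following is an added illustration, not code from the article or from IBM Verify Identity Protection, of the two checks described above: an entropy-based crack-time estimate that discounts predictable sequences, and a lookup against a compromised-credential feed. The feed, the guess rate, and the credential pairs are constructed for the example; a real deployment would take the feed from a source such as X-Force Exchange and tune the guess rate to the hash algorithm in use.

```python
import hashlib
import math
import re

# Constructed stand-in for a compromised-credential feed. Assumption: the feed
# is held as SHA-256 digests of "username:password" so the detector never
# stores the raw pairs.
COMPROMISED_PAIRS = {
    hashlib.sha256(b"alice:Summer2023!").hexdigest(),
    hashlib.sha256(b"bob:password123").hexdigest(),
}

# Assumed offline guess rate (guesses per second) for an attacker holding a
# fast, unsalted hash; tune to the hash algorithm actually in use.
GUESSES_PER_SECOND = 1e10
ONE_DAY = 86_400


def charset_size(pw: str) -> int:
    """Size of the alphabet the password draws from, by character class."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def predictable_run(pw: str) -> int:
    """Longest run of repeated or ascending characters ("aaa", "abc", "123")."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) in (ord(prev), ord(prev) + 1) else 1
        best = max(best, run)
    return best


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound entropy from length and alphabet, discounted for sequences."""
    if not pw:
        return 0.0
    per_char = math.log2(charset_size(pw))
    bits = len(pw) * per_char
    run = predictable_run(pw)
    if run > 2:
        # A predictable run of k characters is worth about one free choice,
        # not k of them, so remove the credit for the other k-1.
        bits -= (run - 1) * per_char
    return max(bits, 0.0)


def crack_time_seconds(pw: str) -> float:
    """Expected time to exhaust the keyspace at the assumed guess rate."""
    return 2 ** estimate_entropy_bits(pw) / GUESSES_PER_SECOND


def is_compromised(user: str, pw: str) -> bool:
    digest = hashlib.sha256(f"{user}:{pw}".encode()).hexdigest()
    return digest in COMPROMISED_PAIRS


def assess(user: str, pw: str) -> list:
    """Findings an ITDR-style check would raise for one credential pair."""
    findings = []
    if is_compromised(user, pw):
        findings.append("known-compromised credential pair")
    if crack_time_seconds(pw) < ONE_DAY:
        findings.append("crackable in under a day")
    return findings
```

Note that the entropy estimate alone rates "Summer2023!" as strong, because it does not know about dictionary words; it is the compromised-pair lookup that catches it. That is why the two checks are used together.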
2. Absence of Multi-Factor Authentication and MFA Circumvention
As ITDR can scrutinize user accounts in identity providers (IdPs) and end systems like applications and SaaS platforms, it can detect instances where MFA has been improperly configured or evaded.
SIEM and UBA, while adept at spotting failed authentications and deviations from past behavior, lack the capability to determine if an asset is shielded by supplementary authentication factors or if an authentication took place using the primary factor when it should have employed a subsequent factor.
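As an added example (not the article's or any vendor's code), the check below combines three inputs an ITDR tool would correlate: an access policy stating which targets require MFA, the IdP's account inventory showing who has a second factor enrolled, and the sign-in log showing which factors were actually verified. The policy, inventory and log are all constructed; the factor names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    user: str
    app: str
    result: str      # "success" or "failure"
    factors: tuple   # factors the IdP actually verified, e.g. ("password", "totp")


# Factor names that count as a second (non-password) factor; assumed labels.
SECOND_FACTORS = {"totp", "webauthn", "push", "sms"}

# Constructed access policy: which targets must be protected by MFA.
POLICY = {
    "payroll": {"mfa_required": True},
    "vpn": {"mfa_required": True},
    "wiki": {"mfa_required": False},
}

# Constructed IdP account inventory: MFA methods each account has enrolled.
ENROLLED_MFA = {
    "alice": ("totp",),
    "bob": (),
    "svc-backup": (),
}

# Constructed IdP sign-in log.
EVENTS = [
    AuthEvent("alice", "payroll", "success", ("password", "totp")),
    AuthEvent("bob", "payroll", "success", ("password",)),       # no MFA enrolled
    AuthEvent("alice", "vpn", "success", ("password",)),         # enrolled, but not used
    AuthEvent("svc-backup", "wiki", "success", ("password",)),   # policy does not require MFA
    AuthEvent("bob", "vpn", "failure", ("password",)),           # failed, no session created
]


def accounts_without_mfa(enrolled=ENROLLED_MFA):
    """Accounts with no second factor enrolled at all (a misconfiguration)."""
    return sorted(u for u, methods in enrolled.items() if not methods)


def mfa_gaps(events=EVENTS, policy=POLICY, enrolled=ENROLLED_MFA):
    """Successful sign-ins to MFA-required targets completed on the primary factor only."""
    findings = []
    for e in events:
        if e.result != "success":
            continue
        if not policy.get(e.app, {}).get("mfa_required", False):
            continue
        if any(f in SECOND_FACTORS for f in e.factors):
            continue
        # Distinguish "never enrolled" (misconfiguration) from "enrolled but
        # skipped" (possible MFA circumvention) so the response differs.
        reason = "no MFA enrolled" if not enrolled.get(e.user) else "second factor not used"
        findings.append((e.user, e.app, reason))
    return findings
```

A per-identity rule that only looks at the success/failure column sees every row here as a normal login; the gap appears only when the policy and the enrolment data are joined to the event.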
3. Password Spray Attacks
Password spraying represents a refined form of the brute-force attack. By dispersing unsuccessful authentication attempts among numerous accounts, the attacker can avoid triggering account lockout safeguards.
ITDR is designed to surface these attacks by setting thresholds for failed or weak-password authentication attempts against a given IdP over a defined time window, evaluated across accounts rather than per account.
SIEM and UBA are configured to detect failed authentications for individual identities within singular systems. They may need adjustments to effectively correlate these distributed, multi-account attacks.
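To show the difference between the per-account view and the cross-account view, here is an added detection example (not from the article) run over a constructed IdP log. The per-account rule models the lockout counter a single system keeps; the spray rule pivots on the source and counts distinct accounts in a window. Thresholds, timestamps and the TEST-NET addresses are all constructed.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 600          # correlation window (assumed)
MIN_DISTINCT_ACCOUNTS = 5     # distinct targets from one source before alerting (assumed)
LOCKOUT_THRESHOLD = 5         # the per-account lockout the attacker stays under (assumed)

# Constructed IdP authentication log: (epoch seconds, source IP, account, succeeded).
# Addresses are from the documentation ranges (TEST-NET), not real hosts.
LOG = [
    # spray: one source, eight accounts, one failure each, within five minutes
    *[(1_700_000_000 + 30 * i, "203.0.113.7", f"user{i}", False) for i in range(8)],
    # brute force: one source hammering a single account
    *[(1_700_000_100 + 10 * i, "198.51.100.4", "alice", False) for i in range(6)],
    # background noise: a user mistyping once, then succeeding
    (1_700_000_050, "192.0.2.9", "carol", False),
    (1_700_000_060, "192.0.2.9", "carol", True),
]


def lockout_hits(log=LOG, threshold=LOCKOUT_THRESHOLD):
    """Per-account view (what a per-identity rule sees): accounts that reach lockout."""
    fails = Counter(user for _, _, user, ok in log if not ok)
    return sorted(u for u, n in fails.items() if n >= threshold)


def detect_password_spray(log=LOG, window=WINDOW_SECONDS, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Per-source view across accounts: sources failing against many accounts in one window."""
    by_src = defaultdict(list)
    for ts, src, user, ok in log:
        if not ok:
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        # Slide a window starting at each failure; alert on the first window
        # that spans enough distinct accounts.
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t < start + window]
            if len(set(in_window)) >= min_accounts:
                alerts[src] = {
                    "distinct_accounts": len(set(in_window)),
                    "max_failures_per_account": max(Counter(in_window).values()),
                }
                break
    return alerts
```

On this log the lockout rule reports only the brute-forced account, while the spraying source never trips it because no account exceeds one failure; the cross-account rule is what exposes it.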
ITDR technology is engineered to track the associations between identities in local accounts or directories on one side and the target systems on the other. This makes it possible to identify traffic that should pass through an access-controlling intermediary but currently does not.
In comparison, SIEM and UBA lack the capability to enhance and give context to their analyses with access policy components. They are primarily focused on identifying irregularities within individual systems rather than those that span multiple elements within the organization’s structure.
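An added example (not the article's or any product's code) of the correlation just described: a mapping from directory identities to the local accounts they own on each system, an access policy naming the intermediary each system must be reached through, and the end systems' own authentication records. Joining the three flags sessions that skip the intermediary and local accounts no identity owns. All names and records are constructed.

```python
# Constructed directory-to-local-account mapping: identity -> {(system, local account)}.
ACCOUNT_MAP = {
    "alice": {("hr-db", "dbadmin"), ("wiki", "alice")},
    "bob": {("wiki", "bob")},
}

# Constructed access policy: system -> intermediary every session must traverse
# (None means direct access is permitted).
REQUIRED_INTERMEDIARY = {
    "hr-db": "pam-gateway",
    "wiki": None,
}

# Constructed end-system authentication records: (system, local account, source host).
OBSERVED = [
    ("hr-db", "dbadmin", "pam-gateway"),     # expected route
    ("hr-db", "dbadmin", "ws-alice"),        # route that skips the gateway
    ("wiki", "bob", "ws-bob"),               # direct access is allowed here
    ("hr-db", "tmp_admin", "ws-unknown"),    # local account no directory identity owns
]


def resolve_identity(system, local_account, account_map=ACCOUNT_MAP):
    """Map a (system, local account) pair back to the directory identity that owns it."""
    for identity, accounts in account_map.items():
        if (system, local_account) in accounts:
            return identity
    return None


def audit_access_paths(observed=OBSERVED, account_map=ACCOUNT_MAP, required=REQUIRED_INTERMEDIARY):
    """Flag sessions that skip a required intermediary and accounts with no owner."""
    findings = []
    for system, local_account, source in observed:
        identity = resolve_identity(system, local_account, account_map)
        if identity is None:
            # Unmanaged local accounts are the kind of gap the Change Healthcare
            # breach summary above describes; surface them before judging the route.
            findings.append(("unowned-local-account", system, local_account, source))
            continue
        gateway = required.get(system)
        if gateway and source != gateway:
            findings.append(("intermediary-bypassed", identity, system, source))
    return findings
```

Each record on its own is a successful login to hr-db; only the join against the policy shows that one of them arrived from a workstation instead of the gateway.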
5. Vulnerable Authentication Protocols
Vulnerable authentication protocols are those considered outdated or proven insecure, such as NT LAN Manager (NTLM), along with those carried over unprotected connections, such as hypertext transfer protocol (HTTP) or lightweight directory access protocol (LDAP) without transport layer security (TLS). Increasingly, businesses are also identifying Kerberos as a risky protocol.
A reliable ITDR solution should be developed with a focus on detecting these protocols. While SIEM platforms may identify the presence of these protocols, they may struggle to accurately map out the interactions among the client browser, IdP server, and application/resource server in an authentication or federation process that potentially utilizes these risky protocols.
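As an added example (not the article's or any product's code) of the per-hop mapping described above, the records below describe each leg of an authentication exchange (client to IdP, IdP to application, application to directory) with the protocol, TLS state and authentication method seen on it. The classifier flags the risky protocols the section names and reports them against the session and hop they occurred on. Records, hop labels and severities are constructed.

```python
# Constructed per-hop records of authentication traffic, grouped by session.
RECORDS = [
    {"session": "s1", "hop": "client->idp", "proto": "https", "tls": True, "auth": "SAML"},
    {"session": "s1", "hop": "idp->app", "proto": "https", "tls": True, "auth": "SAML"},
    {"session": "s2", "hop": "client->app", "proto": "http", "tls": False, "auth": "basic"},
    {"session": "s3", "hop": "app->directory", "proto": "ldap", "tls": False, "auth": "simple-bind"},
    {"session": "s4", "hop": "client->app", "proto": "smb", "tls": False, "auth": "NTLM"},
    {"session": "s5", "hop": "app->directory", "proto": "ldap", "tls": True, "auth": "simple-bind"},
    {"session": "s6", "hop": "client->app", "proto": "https", "tls": True, "auth": "Kerberos"},
]


def classify_hop(rec):
    """Return (severity, reason) findings for one hop, or [] if nothing is wrong."""
    findings = []
    if rec["auth"] == "NTLM":
        findings.append(("high", "NTLM authentication"))
    if rec["proto"] == "http" and not rec["tls"] and rec["auth"]:
        findings.append(("high", "credentials over cleartext HTTP"))
    if rec["proto"] == "ldap" and not rec["tls"] and rec["auth"] == "simple-bind":
        # A simple bind sends the password itself; without TLS it is readable.
        findings.append(("high", "LDAP simple bind without TLS"))
    if rec["auth"] == "Kerberos":
        # The article notes Kerberos is increasingly treated as risky; surface
        # it for review rather than as a hard failure.
        findings.append(("info", "Kerberos in use; review against local policy"))
    return findings


def audit_sessions(records=RECORDS):
    """Map findings back to the session and hop they occurred on."""
    report = {}
    for rec in records:
        for severity, reason in classify_hop(rec):
            report.setdefault(rec["session"], []).append((rec["hop"], severity, reason))
    return report
```

Sessions s1 and s5 produce no findings: SAML over HTTPS and an LDAP bind protected by TLS are exactly the exchanges the risky ones should be compared against.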
The Impact of ITDR
This list of five risks isn’t exhaustive, but it aims to broadly illustrate the distinctions between ITDR and UBA-enabled SIEM.
The ability of ITDR technology to interpret and associate data from logs and network flows in a manner that aligns with IAM practices enables the recognition of these identity-oriented risks. The technicians creating the parsing algorithms and correlation algorithms ensure that the technology comprehends the meanings contained in log and packet contents that relate to identity. This could entail dissecting LDAP authentication exchanges, security assertion markup language (SAML) statements, or JSON web tokens (JWTs). The system is also built to monitor and manage user session establishment and continuity. Notably, ITDR is engineered to follow the flow of activities as they move through the interconnected systems prevalent in today’s integration landscape.
While the traditional SecOps methodologies of analyzing data in logs, network flows, and endpoint telemetry remain vital, it’s evident that identity-focused detection mechanisms constitute another crucial facet of SecOps that warrants an equal place at the forefront.
Reach out to Cian Walker at IBM for a demonstration of IBM Verify Identity Protection, our AI-enhanced ITDR platform, or to connect with your local client-facing specialist.