Understanding Identity Detection and Response


Identity Detection and Response (IDR) is a new enterprise cybersecurity method that uses identity-related information to detect that a malicious attack campaign, such as ransomware, might be ongoing on a corporate network.

by Dr. Edward G. Amoroso

Chief Executive Officer, TAG Cyber LLC

Introduction

Cyber defenders categorize security protections as either preventive or reactive. Preventive security, such as strong authentication, focuses on stopping something bad from happening. Reactive security, such as log analysis, deals with bad situations that have already commenced or completed.

The prevention argument is that the cost and effort required to avoid a security problem will always be less than the corresponding cost and effort to respond and recover. The reactive argument is also familiar: Hacking is inevitable, goes the claim, so you’d better be ready to deal with problems as they occur.

Regarding identities, which are central to every modern cybersecurity approach, the preventive aspect is controlled by identity and access management (IAM). Every practitioner will recognize IAM as consisting of the registration, administration, protection, and coordination of identities to support access policies to data and resources.

In contrast, the corresponding reactive component for identities is just emerging. Known as identity detection and response (IDR), the new approach involves using metadata and telemetry from identities to detect, mitigate, and recover from enterprise attacks such as advanced persistent threats (APTs) and ransomware.

Cyber Attack Progression

Phase 1: Accessing the Target

The initial phase of any cyber breach involves exploiting weaknesses in an attack surface to enter a protected network, domain, system, or other entity. When crossing a perimeter, such access is referred to as a north-south connection, and firewall-based controls are designed to disallow such connections based on policy enforcement. Physical perimeters have recently been replaced with software-defined ones, but the control objective remains.

Phase 2: Traversing the Target

The second phase of a cyber breach involves lateral traversal and privilege escalation, often through theft and misuse of credentials and access to resources such as Microsoft Active Directory (AD). When this occurs slowly, we refer to the process as dwelling, and one of the toughest challenges for defenders involves minimizing attacker dwell time. This report makes the case that IDR offers hope that this challenge might be addressed.
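The identity telemetry that IDR draws on for this phase can be illustrated with a small detection sketch. The following Python is an added example, not code from the report or from any IDR product: it runs two simple detectors over a constructed set of authentication events (made-up account names, hostnames and timestamps) and flags an account that fans out to many hosts in a short window, plus any account/host pairs not seen in a constructed baseline. Thresholds, the window size and the event format are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of identity telemetry, as a defender might collect it
# from domain controllers or an SSO provider. Each tuple is
# (timestamp, account, target host, outcome). All values are made up.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "WS-ALICE", "success"),
    ("2024-01-10T09:05:00", "alice", "FILE-01", "success"),
    ("2024-01-10T09:30:00", "bob", "WS-BOB", "success"),
    ("2024-01-10T13:00:00", "svc-backup", "FILE-01", "success"),
    # Burst: one account reaching many hosts within a few minutes, the
    # pattern lateral traversal with a stolen credential tends to produce.
    ("2024-01-10T22:01:00", "bob", "FILE-01", "success"),
    ("2024-01-10T22:01:30", "bob", "FILE-02", "success"),
    ("2024-01-10T22:02:00", "bob", "DC-01", "failure"),
    ("2024-01-10T22:02:20", "bob", "DC-01", "success"),
    ("2024-01-10T22:03:00", "bob", "HR-SRV", "success"),
    ("2024-01-10T22:03:40", "bob", "FIN-SRV", "success"),
]

# Constructed baseline: (account -> hosts) pairs observed during a quiet
# learning period. In practice this would be built from historical logs.
BASELINE = {
    "alice": {"WS-ALICE", "FILE-01"},
    "bob": {"WS-BOB"},
    "svc-backup": {"FILE-01"},
}


def _parse(ts_str):
    return datetime.fromisoformat(ts_str)


def detect_lateral_fanout(events, window=timedelta(minutes=10), max_hosts=4):
    """Flag accounts that touch more than `max_hosts` distinct hosts within
    any sliding `window`. Both successes and failures count as attempts,
    since the fan-out itself is the signal. Returns a list of
    (account, window_start_iso, sorted_hosts), one alert per account."""
    recent = defaultdict(deque)  # account -> deque of (ts, host) in window
    alerts, alerted = [], set()
    for ts_str, account, host, _outcome in sorted(events, key=lambda e: e[0]):
        ts = _parse(ts_str)
        q = recent[account]
        q.append((ts, host))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) > max_hosts and account not in alerted:
            alerted.add(account)
            alerts.append((account, q[0][0].isoformat(), sorted(hosts)))
    return alerts


def detect_new_hosts(events, baseline):
    """Return (timestamp, account, host) for the first time each account
    reaches a host that is not in its baseline. A single new host may be
    benign; many in one session corroborates the fan-out detector."""
    seen = set()
    findings = []
    for ts_str, account, host, _outcome in sorted(events, key=lambda e: e[0]):
        if host in baseline.get(account, set()) or (account, host) in seen:
            continue
        seen.add((account, host))
        findings.append((ts_str, account, host))
    return findings


def run_detections(events=SAMPLE_EVENTS, baseline=BASELINE):
    """Run both detectors and group the results by account so an analyst
    sees the corroborating evidence together."""
    report = defaultdict(dict)
    for account, start, hosts in detect_lateral_fanout(events):
        report[account]["fanout"] = {"window_start": start, "hosts": hosts}
    for ts_str, account, host in detect_new_hosts(events, baseline):
        report[account].setdefault("new_hosts", []).append((ts_str, host))
    return dict(report)


if __name__ == "__main__":
    for account, evidence in run_detections().items():
        print(account, evidence)
```

The fan-out detector is deliberately stateful per account rather than per host, which is the shift IDR makes relative to network-centric monitoring: the question is not "what talked to DC-01" but "which identity is behaving unlike itself". Tuning `window` and `max_hosts` against a real baseline matters, since service accounts legitimately touch many hosts and would otherwise dominate the alert queue.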

Phase 3: Consummating the Attack

The final phase involves the attacker consummating the attack, either by exiting the targeted domain with stolen data, pushing the button on some integrity or availability attack, or otherwise taking whatever step is required to cause the intended consequence of the attack. Once this has occurred, the best that defenders can do is to respond, and this report also makes the case that IDR assists in this process.
