Identity threat detection and response in 2024

In the dynamic cybersecurity landscape of 2024, security and Identity and Access Management (IAM) leaders face unprecedented challenges. IAM has always played a significant role in cybersecurity, but in recent years it has become the cornerstone: the control whose effectiveness makes or breaks everything built on top of it. To safeguard digital assets effectively, IAM and security leaders must prioritize integrating identity-centered threat detection and response practices in 2024.

The 2023 Verizon Data Breach Investigations Report highlights that 49% of breaches involved compromised credentials, emphasizing the critical role of IAM in risk mitigation and breach prevention. Furthermore, the Microsoft Digital Defense Report of 2023 underscores this urgency, revealing a tenfold increase in password-based attacks, with 11,000 incidents per second recorded in April 2023.

Understanding the IAM landscape

Traditional threat detection and response tools like EDR and NDR, while effective within their domains, are not fully equipped to address the unique challenges of identity threats. As the security perimeter increasingly shifts towards identity, there is a growing need to inventory critical assets, categorize risks and continuously monitor identity systems for misconfigurations and vulnerabilities.

Traditionally, IAM has focused on preventive controls: access provisioning and authentication. That alone is insufficient against sophisticated identity threats. Infrastructure security controls are diverse, but they often lack depth in detecting identity-specific attacks such as credential abuse or privilege escalation inside the directory. Identity Threat Detection and Response (ITDR) bridges this gap, combining threat intelligence, tools and processes to protect identity systems. A good ITDR strategy not only prevents and detects but also investigates and coordinates responses that restore the integrity of the identity system after a compromise.

The multifaceted nature of identity threats

Identity threats are varied and complex. Attackers exploit misconfigurations and vulnerabilities, use sophisticated tactics like generative AI for social engineering, or even purchase stolen credentials from dark web marketplaces. To counter these threats, IAM leaders must adopt a proactive, multifaceted approach, ensuring comprehensive protection against a wide array of identity threats.

Why should ITDR be prioritized in 2024?

Credential misuse persists

The 2022 and 2023 Verizon Data Breach Investigations Reports define misuse as the use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended, and it remains a critical concern. In its most common form, credential misuse, it was a factor in around 40% of breaches in the 2022 report and 49% in the 2023 report. This trend underscores the urgent need for Identity and Access Management (IAM) leaders to prioritize and tackle this prevalent form of attack.

Dark web marketplace for stolen credentials

The recently publicized “Mother of All Breaches” (MOAB), a compilation of roughly 26 billion records, much of it aggregated from earlier leaks, underscores the critical importance of prioritizing ITDR in 2024. The MOAB, which includes data from major platforms like Twitter/X, LinkedIn, Weibo and Tencent, highlights the scale of the Dark Web marketplace for stolen credentials. With the potential for identity theft, sophisticated phishing schemes, targeted cyberattacks and unauthorized access to personal and sensitive accounts, businesses must invest in robust ITDR strategies to protect their digital assets. Furthermore, the presence of records from various government organizations in the MOAB database raises concerns well beyond individual account takeover. This compilation, along with another recent dump of 71 million unique credentials, emphasizes the urgent need for comprehensive ITDR planning. The practical consequence for defenders is that any password reused across sites should be treated as already known to attackers.

Sophisticated attack techniques

Cybercriminals are rapidly advancing their methods. CrowdStrike’s 2023 Threat Hunting Report found that the average breakout time (from initial access to lateral movement) fell to 79 minutes, alongside a 312% rise in adversaries using legitimate remote monitoring and management tools. FireCompass noted more advanced phishing, including sophisticated spoofing. Generative AI has further escalated these threats, making phishing via email, text and websites more convincing. LastPass and CSO Online reported on generative AI’s role in effective, scalable phishing attacks, with AI-generated phishing emails crafted in minutes. Darktrace highlighted a 135% increase in novel social-engineering emails using advanced linguistic techniques, potentially linked to AI tools like OpenAI’s ChatGPT.

Evolving attack surface

Digital transformation is expanding the attack surface, introducing new vulnerabilities. The rise of remote work, the increasing use of cloud services and the proliferation of Internet of Things (IoT) devices have broadened the attack potential. In 2023, 62% of organizations reported understaffed cybersecurity teams, and with over 60% of enterprise data in the cloud, the need for robust Identity Threat Detection and Response (ITDR) strategies is clear. Additionally, while AI in cybersecurity offers predictive insights and automates tasks, it also brings risks of exploitation by malicious actors. Organizations must balance AI’s benefits against its risks and train employees in safe AI technology use. This evolving landscape requires continual adaptation and enhancement of ITDR strategies to keep pace with cybersecurity changes.

Prevalence of hybrid Active Directory

In 2022, Alex Weinert, Vice President of Identity Security at Microsoft, said at The Experts Conference (TEC) in Atlanta, “Active Directory is where we are being attacked.” This 25-year-old IAM system continues to dominate enterprise organizations, with a 90% implementation rate according to Forbes, and it still plays a critical role in identity for Microsoft 365 customers through hybrid synchronization. While Active Directory should now be relegated to a secondary role in provisioning access to resources within an enterprise, it remains a favored entry point: an attacker who gains control of on-premises AD can use the hybrid identity link to move laterally into Microsoft 365 and the cloud for greater access.

Protection of identity infrastructure

Cyberattacks, particularly ransomware attacks, can cause significant operational disruptions. According to a 2022 Statista report, the average length of interruption after ransomware attacks at businesses and organizations in the United States was 24 days. Ransomware operators routinely compromise Active Directory to deploy at scale, and recovery is gated on restoring a trustworthy directory, so this figure is a reasonable proxy for the cost of an attack on identity infrastructure. It emphasizes the crucial role of IAM leaders in safeguarding business operations, remote work and customer access, and the need to invest in robust security measures that protect identity infrastructure and minimize potential downtime.

Key priorities for IAM leaders in 2024

1.  Abandon passwords for passkeys

IAM leaders in 2024 must prioritize adopting passkeys, which are crucial for the passwordless journey and for replacing traditional passwords. Microsoft’s Erik Dauner, speaking at Ignite 2023, cited more than 300 million password attacks observed per day, which makes this shift urgent. Passkeys replace a shared secret with a cryptographic key pair: the private key stays on the user’s device, and each login is a signature over a server-issued challenge that is bound to the site’s origin, so a phished or replayed login cannot be reused elsewhere.

Passkeys are built on the FIDO2 and WebAuthn standards, which makes integration across platforms straightforward, and major vendors including Apple, Google and Microsoft support them, enabling seamless access without passwords. This move enhances security and simplifies access, marking a significant industry shift.

IAM leaders need to update policies, educate users on passkeys and ensure a smooth transition with technology leaders’ support. This strategy strengthens security and improves authentication experiences, eliminating the hassle of passwords.
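To make the key-pair mechanism concrete, the following Go program is an added example written for this page (not code from Microsoft, the FIDO Alliance or the article’s author). It models the WebAuthn login ceremony with the authenticator data reduced to the rpId hash and with attestation, signature counters and user verification left out. The rpId example.com, its origin and the look-alike phishing origin are assumptions. It shows the three checks the relying party performs and why a replayed assertion, or one produced for a look-alike origin, is rejected even though the user holds a valid passkey.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is all the relying party (RP) stores after registration: a public
// key and the rpId it is bound to. Dumping this table gives an attacker nothing
// to replay, unlike a table of password hashes.
type Credential struct {
	RPID      string
	PublicKey *ecdsa.PublicKey
}

// Authenticator stands in for the user's device; the private key never leaves it.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// clientData mirrors WebAuthn's collectedClientData. The browser, not the user,
// fills in Origin with the site it is actually talking to.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer to a login challenge.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// Register creates a P-256 key pair scoped to rpID and gives the RP the public half.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{rpID, priv}, Credential{rpID, &priv.PublicKey}, nil
}

// signedDigest is the WebAuthn signing input reduced to its essentials:
// SHA-256(rpIdHash || SHA-256(clientDataJSON)). Flags and the signature
// counter from authenticatorData are omitted in this example.
func signedDigest(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Sign answers a challenge for the origin the browser reports.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{"webauthn.get", challenge, origin})
	if err != nil {
		return Assertion{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(a.rpID, cd))
	return Assertion{cd, sig}, err
}

// RelyingParty issues single-use challenges and verifies assertions.
type RelyingParty struct {
	Origin, RPID string
	pending      map[string]bool
}

func NewRelyingParty(origin, rpID string) *RelyingParty {
	return &RelyingParty{origin, rpID, map[string]bool{}}
}

// NewChallenge returns 32 random bytes (hex) and remembers them as unused.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// Verify applies the checks that make passkeys phishing- and replay-resistant:
// the challenge was issued by us and is unused, the origin the browser recorded
// is ours, and the signature verifies under the public key registered earlier.
func (rp *RelyingParty) Verify(cred Credential, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.pending[cd.Challenge] {
		return errors.New("unknown, replayed or wrong-ceremony challenge")
	}
	delete(rp.pending, cd.Challenge) // single use, even if later checks fail
	if cd.Origin != rp.Origin || cred.RPID != rp.RPID {
		return errors.New("origin/rpId mismatch: assertion was made for " + cd.Origin)
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(rp.RPID, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, cred, _ := Register("example.com") // example.com is an assumed rpId
	rp := NewRelyingParty("https://example.com", "example.com")
	good, _ := auth.Sign("https://example.com", rp.NewChallenge())
	fmt.Println("legitimate login:   ", rp.Verify(cred, good))
	fmt.Println("replayed assertion: ", rp.Verify(cred, good))
	phished, _ := auth.Sign("https://example.com.login-page.test", rp.NewChallenge())
	fmt.Println("phishing-site login:", rp.Verify(cred, phished))
}
```

The origin check is the part that has no password equivalent: a user tricked into “logging in” on a look-alike domain produces an assertion whose client data names that domain, and the real site rejects it, so there is nothing for the phisher to relay. In a real deployment the browser also refuses to use a credential whose rpId does not match the page, and the RP should additionally track the signature counter to detect cloned authenticators.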

2.  Welcome zero trust and identity-first security adoption

As organizations increasingly embrace the zero trust security model, it’s important to note that 80% of IT and security professionals list zero trust as a priority. Furthermore, 63% of organizations adopting zero trust do so to improve identity and access management, and 45% of respondents prioritizing zero trust focus on identity and access management controls. These statistics underscore the importance of strengthening identity security as a foundational component of zero trust, making ITDR even more crucial.

3.  Develop an ITDR strategy

Identify gaps in your ITDR capabilities by assessing the full range of attack vectors and telemetry covered. Plan to use a combination of tools that complement each other to build a robust ITDR initiative. Most importantly, designate an ITDR owner that is agreed upon by all security leadership to be accountable and responsible for leading an ITDR blended team whose objective will be to protect the identity infrastructure and to secure credential integrity. A blended team is a multidisciplinary team that blends technology or analytics and business domain expertise, and shares accountability for business and technology outcomes.

4.  Initiate hygiene measures and inventory procedures

Start by conducting a thorough inventory of your existing preventive controls and auditing your IAM infrastructure for misconfigurations, vulnerabilities and exposures. Implement proper hygiene measures to prevent misconfigurations and reduce attack surfaces.

5.  Modernize your IAM infrastructure

Streamline and enhance your IAM infrastructure through regular updates, patching and consolidation. Reduce complexity by consolidating IAM tools and processes, enhancing efficiency and reducing redundant systems. Adopt the zero trust model, operating under the principle of no inherent trust, even within the network perimeter. This modernization approach not only strengthens security but also ensures alignment with contemporary best practices and the evolving threat landscape.

6.  Establish a control plane

Your inventory process should include continuous collection that identifies critical assets, sometimes referred to as “Tier Zero”, within your IAM systems: the objects that are chokepoints to privileged rights. A “chokepoint” in this context is a critical juncture or control point within an organization’s identity infrastructure through which control over user identities, authentication and access to resources flows. In Active Directory terms this means domain controllers, the domain head and the groups and accounts that can replicate or modify it (Domain Admins, Enterprise Admins, the krbtgt account, identity synchronization servers and their service accounts), plus anything that can take control of those objects through group membership or ACL rights. These chokepoints are where security policy is enforced, so they are where detection coverage and hardening effort pay off most.
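As an added illustration for steps 4 and 6 (example code written for this page, not the author’s or any product’s), the following Go program runs the inventory idea over a constructed control graph of the kind attack-path tools build from AD: each edge says one principal can take over another. It lists every principal with some path to Tier Zero and then ranks candidate chokepoints by how many of those principals lose their path when the node is hardened or removed. All names (alice, Helpdesk, svc_backup, corp.example, FS01) and edges are made up.

```go
package main

import (
	"fmt"
	"sort"
)

// Edge is one control relationship in the sense attack-path tools use: From can
// take over To, whether by group membership, local admin rights, or an ACL right
// such as a password reset or replication (DCSync) on the domain head.
type Edge struct{ From, To, Via string }

// Graph is an adjacency list keyed by the controlling principal.
type Graph map[string][]Edge

func BuildGraph(edges []Edge) Graph {
	g := Graph{}
	for _, e := range edges {
		g[e.From] = append(g[e.From], e)
		if _, ok := g[e.To]; !ok {
			g[e.To] = nil // leaf nodes must exist so they are enumerated
		}
	}
	return g
}

// reaches reports whether start can take over any node in targets, with one
// node optionally treated as removed so we can measure what cutting it buys.
func (g Graph) reaches(start string, targets map[string]bool, removed string) bool {
	seen := map[string]bool{start: true}
	stack := []string{start}
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if n == removed {
			continue
		}
		if targets[n] {
			return true
		}
		for _, e := range g[n] {
			if !seen[e.To] {
				seen[e.To] = true
				stack = append(stack, e.To)
			}
		}
	}
	return false
}

// Exposed lists every non-Tier-Zero principal that has some path to Tier Zero.
func Exposed(g Graph, tierZero map[string]bool) []string {
	var out []string
	for n := range g {
		if !tierZero[n] && g.reaches(n, tierZero, "") {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// Chokepoint is a node whose removal disconnects Cut other exposed principals
// from Tier Zero; the highest Cut is where one fix removes the most paths.
type Chokepoint struct {
	Node string
	Cut  int
}

func Chokepoints(g Graph, tierZero map[string]bool) []Chokepoint {
	exposed := Exposed(g, tierZero)
	var out []Chokepoint
	for _, cand := range exposed {
		cut := 0
		for _, s := range exposed {
			if s != cand && !g.reaches(s, tierZero, cand) {
				cut++
			}
		}
		if cut > 0 {
			out = append(out, Chokepoint{cand, cut})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Cut != out[j].Cut {
			return out[i].Cut > out[j].Cut
		}
		return out[i].Node < out[j].Node
	})
	return out
}

// SampleEdges is a constructed snapshot, not data from any real directory.
var SampleEdges = []Edge{
	{"alice", "Helpdesk", "MemberOf"},
	{"bob", "Helpdesk", "MemberOf"},
	{"carol", "Account Operators", "MemberOf"},
	{"dave", "Domain Admins", "MemberOf"},
	{"erin", "Finance", "MemberOf"},
	{"Helpdesk", "svc_backup", "ForceChangePassword"},
	{"Account Operators", "svc_backup", "ForceChangePassword"},
	{"svc_backup", "corp.example", "DCSync"},
	{"Domain Admins", "DC01", "AdminTo"},
	{"Finance", "FS01", "AdminTo"},
}

var SampleTierZero = map[string]bool{
	"Domain Admins": true, "Enterprise Admins": true, "DC01": true, "corp.example": true,
}

func main() {
	g := BuildGraph(SampleEdges)
	fmt.Println("exposed to Tier Zero:", Exposed(g, SampleTierZero))
	for _, c := range Chokepoints(g, SampleTierZero) {
		fmt.Printf("%-18s cuts %d principals off Tier Zero\n", c.Node, c.Cut)
	}
}
```

On the sample graph the single service account with replication rights is the top chokepoint: fixing that one ACL severs five principals from Tier Zero, whereas removing the Helpdesk group’s password-reset right helps only two. That is the prioritization this step is after, and it falls out of the inventory rather than from intuition about which group “looks” privileged.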

7.  Enhance detection controls

Choose a single focal point, typically the SIEM or an ITDR platform, where identity telemetry from Active Directory, Entra ID and your other identity providers is correlated and where detection logic lives. Prioritize detections for identity tactics, techniques and procedures (TTPs) such as password spraying, Kerberoasting, DCSync and other directory replication abuse, pass-the-hash, token and session-cookie theft and MFA fatigue above generic infrastructure alerts. Stay agile in detecting new attack techniques, as attackers continually evolve their strategies.
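An added example of the kind of identity-focused detection logic this step calls for (illustrative Go written for this page, not any vendor’s rules): password-spray and brute-force rules run over constructed sign-in records in a simple CSV shape. The field layout, the thresholds and the tumbling ten-minute window are assumptions to tune against your own baseline; real sign-in logs carry more fields (result codes, app, device, conditional-access outcome) that sharpen both rules.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SignIn is one identity-provider sign-in record, reduced to the fields the
// rules below need.
type SignIn struct {
	Time    time.Time
	User    string
	SrcIP   string
	Success bool
}

// Alert is what the SOC receives; Key is the entity to act on (source IP for a
// spray, account for a brute force).
type Alert struct{ Rule, Key, Detail string }

// Thresholds a SOC would keep in configuration and tune to its own baseline.
const (
	window           = 10 * time.Minute
	sprayMinUsers    = 5 // distinct accounts failing from one source
	sprayMaxPerUser  = 2 // spray = few tries per account, many accounts
	bruteMinFailures = 6 // brute force = many tries on one account
)

// SampleLog is constructed for this example ("time,user,source_ip,result").
const SampleLog = `
2024-03-01T09:00:01Z,alice,203.0.113.5,FAIL
2024-03-01T09:00:02Z,bob,203.0.113.5,FAIL
2024-03-01T09:00:03Z,carol,203.0.113.5,FAIL
2024-03-01T09:00:04Z,dave,203.0.113.5,FAIL
2024-03-01T09:00:05Z,erin,203.0.113.5,FAIL
2024-03-01T09:01:00Z,erin,203.0.113.5,SUCCESS
2024-03-01T09:04:50Z,carol,10.0.0.12,FAIL
2024-03-01T09:05:00Z,carol,10.0.0.12,SUCCESS
2024-03-01T09:10:00Z,bob,198.51.100.7,FAIL
2024-03-01T09:10:01Z,bob,198.51.100.7,FAIL
2024-03-01T09:10:02Z,bob,198.51.100.7,FAIL
2024-03-01T09:10:03Z,bob,198.51.100.7,FAIL
2024-03-01T09:10:04Z,bob,198.51.100.7,FAIL
2024-03-01T09:10:05Z,bob,198.51.100.7,FAIL
2024-03-01T09:10:30Z,bob,198.51.100.7,SUCCESS
`

// ParseSignIns parses the CSV-style lines and sorts them by time, which the
// "failures then success" logic in Detect relies on.
func ParseSignIns(log string) ([]SignIn, error) {
	var out []SignIn
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, SignIn{t, f[1], f[2], f[3] == "SUCCESS"})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

// Detect buckets events into tumbling windows per source IP and applies two
// rules: password spray (many accounts, few failures each) and brute force
// (many failures on one account). A success that follows failures in the same
// bucket is reported, since that account needs a reset and session revocation.
// A sliding window would also catch bursts that straddle a bucket boundary.
func Detect(events []SignIn) []Alert {
	type key struct {
		bucket time.Time
		ip     string
	}
	fails := map[key]map[string]int{}
	succ := map[key]map[string]bool{}
	for _, e := range events {
		k := key{e.Time.Truncate(window), e.SrcIP}
		if fails[k] == nil {
			fails[k], succ[k] = map[string]int{}, map[string]bool{}
		}
		switch {
		case !e.Success:
			fails[k][e.User]++
		case fails[k][e.User] > 0:
			succ[k][e.User] = true // success after failures from the same source
		}
	}
	var alerts []Alert
	for k, f := range fails {
		maxPer, compromised := 0, []string{}
		for u := range succ[k] {
			compromised = append(compromised, u)
		}
		sort.Strings(compromised)
		for u, c := range f {
			if c > maxPer {
				maxPer = c
			}
			if c >= bruteMinFailures {
				d := fmt.Sprintf("%d failures from %s", c, k.ip)
				if succ[k][u] {
					d += "; followed by success (likely compromise)"
				}
				alerts = append(alerts, Alert{"brute_force", u, d})
			}
		}
		if len(f) >= sprayMinUsers && maxPer <= sprayMaxPerUser {
			d := fmt.Sprintf("%d accounts targeted", len(f))
			if len(compromised) > 0 {
				d += "; followed by success for " + strings.Join(compromised, ",")
			}
			alerts = append(alerts, Alert{"password_spray", k.ip, d})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Rule != alerts[j].Rule {
			return alerts[i].Rule < alerts[j].Rule
		}
		return alerts[i].Key < alerts[j].Key
	})
	return alerts
}

func main() {
	events, err := ParseSignIns(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events) {
		fmt.Printf("%-15s %-12s %s\n", a.Rule, a.Key, a.Detail)
	}
}
```

The two rules are deliberately shaped so neither fires on the other’s traffic: a spray has many accounts with one or two failures each, which never crosses the per-account brute-force threshold, and a brute force has one account, which never reaches the distinct-account count. The single failed then successful login from 10.0.0.12 is the benign case a noisy rule would page on; here it produces nothing.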

8.  Excel in the response phase

Develop or update playbooks and automation for IAM enforcement actions (disabling accounts, resetting credentials, revoking sessions and tokens, and rolling back unauthorized directory changes) within your response strategy. Integrate IAM incidents into response and threat-hunting processes using the existing security controls in the security operations center (SOC), so that an identity alert reaches the same queue, tooling and escalation path as any other incident.

Strengthening IAM with ITDR: A conclusive strategy

As we navigate the evolving cybersecurity landscape of 2024, the importance of prioritizing Identity Threat Detection and Response (ITDR) cannot be overstated. The statistics and trends highlighted earlier are a clear call to action for IAM leaders: to shift focus towards a proactive, identity-centric security strategy. The future of cybersecurity is not just in defending against today’s threats but in anticipating and neutralizing the challenges of tomorrow.

We stand at a critical juncture where the adoption of innovative technologies like the use of passkeys, the embrace of zero trust architectures and the fostering of a security-first culture are not just recommended, they are essential. Collaboration across industries and a commitment to continuous improvement will be our strongest allies in this endeavor.

Let us take this knowledge as a catalyst for change. By integrating advanced ITDR strategies, prioritizing education on emerging threats and encouraging an environment of shared cybersecurity responsibility, we can protect our digital assets more effectively. The path forward is clear: by embracing these principles, we can ensure a more secure, resilient digital future for all. The time to act is now.


About the Author

Richard Dean

Richard is a seasoned product leader and solutions architect with over 25 years in the IT industry, specializing in Microsoft Cloud & Hybrid technologies. As Quest's Senior Manager of Technical Product Management, he excels in managing complex Microsoft 365 challenges. Richard is a certified Microsoft Professional, speaker, blogger, and podcaster. He co-hosts the Practical 365 podcast, sharing insights on Microsoft 365. Recently, he co-hosted The Experts Conference (TEC) 2023 in Atlanta, GA, presenting on multi-tenant management solutions. Passionate about sharing knowledge, Richard helps organizations succeed in their digital transformation journey.
