Why Identity Infrastructure Is Under Attack

Active Directory and its cloud equivalent, Microsoft Entra ID, are the single most consequential systems in most enterprise environments. They control who can authenticate, what those authenticated users can access, and what administrative capabilities exist. For an attacker who has established an initial foothold in an environment, the path from limited access to full domain control almost always runs through identity infrastructure.

Several of these techniques are well documented, widely used, and consistently under-detected by organizations that have not deployed controls specifically designed to catch them: DCSync, which lets an attacker with replication privileges pull every password hash from Active Directory; Golden Ticket and Silver Ticket attacks, which forge Kerberos authentication tickets to access any resource in the domain; and pass-the-hash and pass-the-ticket attacks, which reuse stolen credential material to authenticate without ever knowing the password.

What ITDR Is and What It Covers

Identity Threat Detection and Response is a security discipline that focuses specifically on protecting identity infrastructure and detecting attacks that target it. ITDR capabilities typically include monitoring of authentication events and identity infrastructure changes, detection of specific attack techniques targeting Active Directory and Entra ID, analysis of privilege escalation paths and attack paths through the identity infrastructure, and response capabilities to contain and remediate identity compromises.

ITDR sits at the intersection of identity and access management and security operations. It is distinct from SIEM because it applies identity-specific knowledge to interpret events that a general-purpose SIEM would miss or misclassify. It is distinct from PAM because it is focused on detection and response rather than access governance.

Attack Techniques That ITDR Specifically Addresses

Kerberoasting

Kerberoasting requests service tickets for service accounts and attempts to crack the tickets offline to recover the service account passwords. Service accounts are often highly privileged and have passwords that have not been changed in years. ITDR tools detect the pattern of unusual service ticket requests that indicates a Kerberoasting attempt in progress.
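The detection pattern described above, as an added example that is not from the article or any ITDR product: a small detector run over constructed Windows Security Event ID 4769 (service ticket request) records, flagging an account that requests many distinct SPNs with RC4 encryption in a short window. Field names, thresholds and the sample data are assumptions.

```python
# Added example (not from the original article). Heuristic Kerberoasting
# detector over constructed Event ID 4769 records: one account requesting
# service tickets for many distinct SPNs in a short window, with the weak
# RC4-HMAC etype (0x17) that yields hash-crackable tickets. Thresholds are
# assumptions a real deployment would tune against its own baseline.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed sample: a normal user, a computer account (expected to use
# RC4 for legacy reasons and excluded), and an account sweeping SPNs.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "account": "alice@CORP", "service": "http/web01", "etype": "0x12"},
    {"time": "2024-05-01T09:02:10", "account": "alice@CORP", "service": "cifs/fs01", "etype": "0x12"},
    {"time": "2024-05-01T09:05:00", "account": "WS07$@CORP", "service": "cifs/fs01", "etype": "0x17"},
    {"time": "2024-05-01T09:10:00", "account": "bob@CORP", "service": "MSSQLSvc/db01:1433", "etype": "0x17"},
    {"time": "2024-05-01T09:10:02", "account": "bob@CORP", "service": "MSSQLSvc/db02:1433", "etype": "0x17"},
    {"time": "2024-05-01T09:10:03", "account": "bob@CORP", "service": "http/intranet", "etype": "0x17"},
    {"time": "2024-05-01T09:10:05", "account": "bob@CORP", "service": "ldap/app03", "etype": "0x17"},
    {"time": "2024-05-01T09:10:06", "account": "bob@CORP", "service": "exchangeMDB/mail01", "etype": "0x17"},
]


def detect_kerberoasting(events, window=timedelta(minutes=5), spn_threshold=4):
    """Return {account: sorted distinct SPNs} for accounts that requested
    >= spn_threshold distinct RC4 service tickets inside any `window`."""
    by_account = defaultdict(list)
    for e in events:
        user = e["account"].split("@")[0]
        if user.endswith("$"):          # skip computer accounts (noisy, legitimate RC4)
            continue
        if e["etype"] == RC4_HMAC:      # weak etype is the crackable-ticket signal
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        best, start = set(), 0
        for end in range(len(reqs)):    # sliding time window over ordered requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) > len(best):
                best = spns
        if len(best) >= spn_threshold:
            alerts[account] = sorted(best)
    return alerts


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"ALERT possible Kerberoasting by {account}: {len(spns)} SPNs {spns}")
```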

Active Directory Privilege Escalation

Most Active Directory environments have privilege escalation paths where an attacker who controls a lower-privileged account can, through a series of object modifications and delegation relationships, escalate to domain administrator privileges. ITDR platforms continuously map these paths and alert when new escalation paths are created or when movement along known paths is detected.

Credential Dumping and Lateral Movement

Post-compromise credential dumping, typically using tools like Mimikatz to read credentials from LSASS memory, is a standard lateral movement technique. ITDR tools monitor for the specific access patterns and system calls associated with credential dumping and generate alerts with sufficient context to enable rapid investigation and response.

Active Directory misconfigurations that create privilege escalation paths are present in the majority of enterprise environments. These paths are often invisible to standard security tooling and unknown to the teams responsible for managing Active Directory. An ITDR assessment that maps these paths is one of the highest-value security investments an organization can make.

How to Evaluate ITDR Solutions