Digital identities remain the most targeted aspect of any organization. They are the keys to the kingdom, enabling access to systems, applications, and other business-critical accounts. Unfortunately, rises in phishing and business email compromise (BEC) put identities at great risk. Businesses need to take every step they can to keep them protected from these cyber threats.
Identity threat detection and response (ITDR) is a powerful method for preventing account takeovers (ATO) and other identity threats. But strong ITDR requires continuous monitoring to ensure that identities remain safe, even outside business hours. This is often easier said than done.
That’s why many organizations turn to Managed Extended Detection and Response, or MXDR, for their 24/7 ITDR needs. Let’s explore how MXDR proves useful in the fight against identity threats, starting with how prevalent those threats are.
Because they grant access to key resources, identities are a primary target for threat actors. Attackers can obtain these credentials through multiple avenues.
One of the most prevalent identity threats is phishing. Using social engineering tactics, attackers trick end users into giving up their credentials.
Attackers often impersonate Microsoft or other well-known brands to trick people into clicking fake links. The sites those links lead to are built to harvest users' credentials.
Once the user hands over their credentials, the attacker can take over the account. With access to the victim's Microsoft 365 account, they can commit BEC: sending further, more convincing phishing from a trusted mailbox, reading the inbox for invoice and payment threads, and otherwise misusing the account.
Besides phishing, attackers prey on identities by intercepting a user’s traffic to steal credentials and session tokens. This Adversary-in-the-Middle (AitM) technique targets people on untrusted public networks (airports, coffee shops, etc.). The attacker positions themselves between the victim and the network, for example by controlling the access point, and captures the traffic that passes through.
Attackers also use AitM tactics in phishing. In this case, the attacker’s fake sign-in page acts as a proxy: it collects the credentials the user enters, relays them in real time to Microsoft's legitimate sign-in page, and captures the session token Microsoft issues when the sign-in succeeds. Because the real sign-in completes normally, nothing looks wrong to the user, and the stolen session token lets the attacker operate the account without signing in again (and without re-entering MFA), so future campaigns go undetected.
Todyl’s threat report on the Söze Syndicate shows a prime example of this technique.
For some attackers, the easiest way to obtain identities is to simply purchase them. Through initial access markets, bad actors put the identities they’ve stolen up for sale. This lets them profit quickly from stolen identities without risking detection. It also reduces the time they need to invest, which makes it appealing for opportunistic attackers.
On the other side of the transaction, the buyers skip the work of stealing credentials and spend that effort on larger goals, such as stealing data or deploying ransomware. They can then use the purchased identities to attack the compromised organization through BEC, ATO, ransomware, etc.
Organizations need ongoing visibility to watch for identity compromise and swift response to prevent credential theft and misuse. ITDR is the best way to accomplish this, but doing it well requires significant investment and expertise.
24/7 ITDR needs a full-time team of security experts to spot and stop potential identity threats. For budget-strapped MSPs and their SMB clients, a 24/7 team with adequate security expertise is simply too expensive. So, how can these companies achieve the ITDR protection they need to prevent identity-based threats?
MXDR can answer that question by providing 24/7 security monitoring, investigation, and expertise as-a-Service. Just like an in-house security team, MXDR reviews log data, identifies threats, and acts accordingly on your behalf. Continuous detection coverage protects user identities, even outside working hours, and augmented response capabilities lead to faster containment and resolution.
MXDR uses the Todyl Security Platform to facilitate effective ITDR for your organization. By integrating with Microsoft 365, Todyl SIEM collects log information that helps catch identity compromises. It starts with Todyl's Anomaly Detection Framework.
The Anomaly Detection Framework applies machine learning to user behavior analytics. It finds changes in account activity, such as sign-ins from unexpected locations or devices, that may indicate an identity is at risk. As a result, MXDR can quickly determine whether an identity threat is real and act accordingly.
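To make the behavioral-analytics idea concrete, here is an added example (illustration only, not Todyl's Anomaly Detection Framework or any Todyl code) that runs two detections over constructed Microsoft 365-style events: impossible travel between two successful sign-ins, and a suspicious inbox rule created shortly afterwards, which is the classic BEC follow-up. A real framework learns each user's baseline; this example uses the user's previous successful sign-in as the baseline. The event shape, the speed threshold and the correlation window are assumptions chosen for the example.

```python
"""Added example (not Todyl's code): rule-based identity-threat detection run over
constructed Microsoft 365-style sign-in and mailbox-audit events."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Faster than any commercial flight: two sign-ins whose implied speed exceeds
# this cannot both have come from the legitimate user (assumed threshold).
MAX_SPEED_KMH = 900
# An inbox rule created this soon after an anomalous sign-in is treated as part
# of the same intrusion (assumed window).
CORRELATION_WINDOW_S = 3600

# Constructed sample events, loosely shaped like Entra ID sign-in records and
# Exchange Online unified-audit-log records. Not real log data.
EVENTS = [
    {"ts": "2024-05-06T08:02:00Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "geo": (51.50, -0.12), "ok": True},
    {"ts": "2024-05-06T09:15:00Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "geo": (51.50, -0.12), "ok": True},
    # Stolen session replayed 25 minutes later from another continent.
    {"ts": "2024-05-06T09:40:00Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "geo": (40.71, -74.01), "ok": True},
    # Attacker hides incoming payment threads from the real user.
    {"ts": "2024-05-06T09:47:00Z", "user": "alice@example.com", "op": "New-InboxRule",
     "ip": "198.51.100.7",
     "params": {"Name": ".", "DeleteMessage": True,
                "SubjectContainsWords": ["invoice", "payment"]}},
    # A benign rule from a user with no anomalous sign-in: must not alert.
    {"ts": "2024-05-06T10:05:00Z", "user": "bob@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.22", "geo": (51.50, -0.12), "ok": True},
    {"ts": "2024-05-06T10:10:00Z", "user": "bob@example.com", "op": "New-InboxRule",
     "ip": "203.0.113.22",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading",
                "From": ["news@example.org"]}},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def suspicious_inbox_rule(params):
    """Rules attackers typically create after a takeover: deleting or forwarding
    mail, or a near-empty rule name chosen to look unremarkable."""
    hides_mail = params.get("DeleteMessage") or params.get("ForwardTo") or params.get("RedirectTo")
    throwaway_name = params.get("Name", "").strip(". ") == ""
    return bool(hides_mail or throwaway_name)


def detect(events):
    """Return alerts in event order; each is a dict with rule, user, ts, severity, detail."""
    alerts = []
    last_signin = {}   # user -> (datetime, geo) of the last successful sign-in
    last_anomaly = {}  # user -> datetime of the last impossible-travel alert
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = parse_ts(e["ts"]), e["user"]
        if e["op"] == "UserLoggedIn" and e.get("ok"):
            prev = last_signin.get(user)
            if prev:
                prev_ts, prev_geo = prev
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(prev_geo, e["geo"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append({"rule": "impossible_travel", "user": user, "ts": e["ts"],
                                   "severity": "high",
                                   "detail": f"{km:.0f} km in {hours * 60:.0f} min from {e['ip']}"})
                    last_anomaly[user] = ts
            last_signin[user] = (ts, e["geo"])
        elif e["op"] in ("New-InboxRule", "Set-InboxRule") and suspicious_inbox_rule(e["params"]):
            recent = last_anomaly.get(user)
            correlated = recent is not None and (ts - recent).total_seconds() <= CORRELATION_WINDOW_S
            alerts.append({"rule": "suspicious_inbox_rule", "user": user, "ts": e["ts"],
                           "severity": "high" if correlated else "medium",
                           "detail": f"{e['op']} {e['params'].get('Name')!r} from {e['ip']}"})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["severity"].upper(), a["rule"], a["user"], a["ts"], a["detail"])
```

Running it produces two high-severity alerts for alice and none for bob. The correlation step is the part worth copying: a suspicious inbox rule on its own is only medium severity, but the same rule minutes after an impossible-travel sign-in is strong evidence of a takeover in progress, which is what a 24/7 team needs to act on immediately.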
MXDR delivers even stronger protections through Todyl SOAR. SOAR provides prebuilt response playbooks and actions that automatically stop identity threats by revoking active sessions and disabling, or even deleting, potentially compromised accounts. This prevents attackers from using stolen credentials to take over the account or sell them on later.
Beyond responding to immediate identity threats, MXDR constantly expands its ITDR capabilities by investigating the novel techniques and tactics used to target identities. The MXDR team uses this information to build new detections, playbooks, and other processes into Todyl for all partners. This “herd immunity” approach extends ITDR across the community and reduces attacks at a larger scale.
MXDR's proven track record for detecting and responding to identity threats keeps organizations safe. Read how we’ve stopped active identity threats in our recent case study.