How to Implement Identity Threat Detection and Response Best Practices
Learn how identity threat detection and response frameworks protect modern enterprises from sophisticated identity-based cyberattacks.
Identity is the most ubiquitous element of modern enterprises and has become the new perimeter for apps, data, and resources. Identity and access management (IAM), multi-factor authentication (MFA), and conditional access are used for gatekeeping, but they are preventive in nature: they cannot detect or respond to identity-based attacks, such as identity theft and Active Directory (AD) attacks, that get past the gate.
These gaps and blind spots have given rise to identity threat detection and response (ITDR) frameworks and solutions that bridge the gap between access control and active threat hunting. This article explores how identity threat detection and response goes beyond basic access checks and monitoring, bringing active threat hunting to the human and machine credentials that keep modern businesses running safely.
Summary of Identity Threat Detection and Response (ITDR) best practices
The following is a list of ITDR best practices covered in this article.
| Best practice | Description |
|---|---|
| Continuously discover identities | Create a comprehensive inventory of all identities across the entire identity infrastructure, mapping human identities as well as non-human identities (NHIs) like service accounts, API keys and tokens, agentic AI identities, and machine identities. |
| Implement real-time protocol-level monitoring | Use real-time monitoring tools that collect signals from all identity sources, i.e., AD, Entra ID, SaaS applications, cloud, identity providers, etc. |
| Harden the initial security posture | Use identity security posture management (ISPM) to reduce the initial attack surface, implementing controls such as MFA, right-sized permissions, least-privileged access, and privilege access management. |
| Classify and protect Tier-0 identities | Tier-0 identities such as Domain Admins, Enterprise Admins, Schema Admins in AD, and Global Administrators, Privileged Role Administrators, and Conditional Access Administrators in Entra ID control the identity control plane. They must receive prioritized protection, be audited, and enabled to trigger alerts. |
| Establish behavioral baselines | Leverage tools that use ML to learn known-good behavior for identities and trigger alerts on anomalies that indicate abuse. |
| Create automated responses | Create playbooks to automate incident response actions based on high-fidelity alerts. |
| Close the recovery gap | Consider a recovery-first perspective for ITDR. Use identity recovery solutions for granular or complete restoration of identity infrastructure to a clean state if needed. |
| Enforce continuous governance | Conduct continuous audits, assessments, and adjustments to fix identity security gaps before they can be exploited. |
Identity and its threats
Modern applications, data, and resources, along with their users (human and non-human), are no longer defined by physical corporate boundaries and premises. Consumption models such as SaaS and hybrid work, along with the rise of non-human identities like service accounts and AI agents, have contributed to a borderless environment accessible via identity. As a result, traditional cybersecurity perimeters—once defined by private networks, firewalls, and VPNs—have become irrelevant. Identity has become the new perimeter for apps, data, and resources wherever they reside, and the entry point for both genuine users and adversaries is no longer a network port but a login prompt.
All an attacker needs to break in is a simple set of compromised credentials for an employee, a service account, or an AI agent to bypass network security, leaving identity as the only remaining control plane in perimeter security. In addition, the modern identity threat landscape is largely driven by automated and AI-enabled classic attacks. AI is also used to exploit unknown vulnerabilities and create novel attacks.
The following is a list of typically categorized identity threats:
- Volumetric threats that target logins and passwords using brute force attacks. Automation, especially using AI, can amplify this by a factor of 100, making it difficult to manage.
- Protocol-based threats that generally target Kerberos, NTLM, and OAuth, exploiting trust at the foundation of the identity fabric.
- Session-based threats that exploit cookies and active tokens to bypass MFA entirely by “riding” an already authenticated session, also known as adversary-in-the-middle (AiTM).
- Machine-identity threats that target API keys and AI agents, which typically lack MFA and hold elevated permissions.
Identity threat detection and response (ITDR)
With identity being the new security perimeter, organizations need tools to secure it against today’s sophisticated identity-centric attack vectors. Traditional identity security tools, such as identity and access management (IAM) and multi-factor authentication (MFA), were effective in preventing security issues to a certain extent, but with the rise of hybrid work and multi-cloud architectures combined with an increasing number of non-human identities, they are ineffective for a modern security posture.
IAM and MFA can only verify users at login; they cannot differentiate between a genuine user and a threat actor using compromised credentials. They also lack visibility after login and cannot tell whether MFA was bypassed through session hijacking (AiTM) or MFA fatigue. Nor can they detect malicious activity within a successfully authenticated session. Here are a few other scenarios where IAM and MFA fail:
- Not all IAM systems support monitoring of underlying protocols, making them unable to detect attacks like Kerberoasting or Golden Ticket forgeries.
- MFA cannot continuously evaluate risk throughout a successful session. It cannot tell whether there was a high-risk change in user behavior and either prompt for reauthentication or terminate the session.
- IAM tools cannot respond to breaches, such as revoking tokens or rolling back changes.
The identity threat landscape has reached a critical threshold. With 80% of enterprise cyberattacks leveraging AD for privilege escalation and lateral movement, and up to 95% of breaches following identity-based attack paths predominantly through AD environments, organizations face an existential security challenge intensified by a 42% year-over-year surge in AD attacks.
To address these challenges, identity threat detection and response (ITDR) has emerged as a new approach to identity security that focuses on deep, identity-centric monitoring, machine-learning-based behavioral analysis, and automated response.
ITDR is a framework of solutions that protects a digital enterprise through three core capabilities:
- Posture management and hardening: ITDR continuously scans identity stores like Active Directory and cloud IdPs to find misconfigurations, unmanaged service accounts, weak passwords, and excessive privileges before attackers can exploit them.
- Continuous real-time monitoring: Once a session begins, ITDR analyzes behavioral baselines to spot anomalies. It monitors the underlying authentication protocols directly, allowing it to intercept sophisticated identity-centric attacks like Kerberoasting, Golden Ticket forgeries, and session token theft.
- Automated incident response: When a threat is detected, ITDR goes beyond basic alerts. It can automatically trigger defensive actions, such as instantly revoking active session tokens, forcing re-authentication, isolating compromised accounts, or rolling back unauthorized configuration changes.
ITDR vs. EDR, XDR, and SIEM
The security solution landscape comprises multiple frameworks and tools—such as endpoint detection and response (EDR), extended detection and response (XDR), and security information and event management (SIEM)—that offer varying levels of comprehensive protection but have an identity gap. These solutions are great at detecting device and network anomalies and malware infections and at aggregating logs across multiple devices and domains. However, they lack specialized identity-aware analysis of complex authentication protocols and the ability to distinguish between human and non-human identities to decode and harden the identity fabric. They provide broad coverage but not deep context.
Let’s look a little deeper into the differences.
ITDR vs. EDR
EDR is a security solution that monitors physical and virtual devices via agents installed on them. Its primary goal is to prevent malicious code from running on monitored machines and to isolate infected machines from the rest of the network. However, while EDR is great at detecting issues such as process execution, file activity, and network connections, it protects only the host. For example, it cannot differentiate legitimate logins using stolen credentials and take action.
ITDR vs. SIEM
A SIEM tool is a security log aggregator that ingests telemetry from firewalls, servers, databases, endpoints, and other relevant infrastructure to provide event correlation for potential breaches. While it is great for auditing, historical events, compliance, and multi-silo correlation, it lacks an in-depth understanding of identity protocols and cannot distinguish between attackers and genuine users. For example, a SIEM treats a successful login as a metadata field in a log and cannot flag a login that uses a valid but stolen credential.
ITDR vs. XDR
An XDR platform is a cross-domain security solution that integrates telemetry across the entire organization’s environment, including endpoints, networks, email, and servers, on-prem and in the cloud. It can correlate across these multiple signals, looking for patterns that suggest an attack or a possible breach, e.g., a phishing email that leads to a suspicious process being downloaded and running on a machine with an IP address outside the known range.
While XDR is great for broad cross-domain correlation, it lacks deep, granular visibility into identities, especially at the protocol level, and cannot perform actions such as revoking sessions or rolling back changes. ITDR can be an integrated component of a broader XDR solution.
Key components of an ITDR framework
A comprehensive ITDR solution requires a broad set of capabilities that go beyond traditional IAM, MFA, and generic security tools. The following components form the blueprint of a resilient ITDR architecture.
Visibility and continuous discovery
A key component and a foundation of a robust ITDR framework is continuous visibility into the entire identity infrastructure. This includes on-premises, cloud, or hybrid setups. The objective of this component is to map all identities, permissions, and resources, along with their relationships.
A key capability of modern ITDR frameworks is to extend this discovery and visibility to non-human, agentic AI identities, including service-to-service authentication patterns that do not involve human users. Security architects should look for tools that provide capabilities to visualize the impact of a compromised credential using a graph.
User and entity behavior analytics (UEBA)
Static rules cannot detect anomalies involving valid credentials nor predict behavioral changes in identities. ITDR frameworks should include tools that leverage AI/ML to analyze signals such as login velocity, typical geolocations, and resource access frequency to establish a dynamic behavioral baseline for entities and then use this baseline to detect deviations. For example, the identity of a user with a developer role may be running API queries against production data in a different department. UEBA should also be able to differentiate between human mistakes and bot reconnaissance.
Real-time detection
Real-time detection is another important component of the modern ITDR framework, especially at the protocol level. The goal here is to detect attack indicators before session establishment. Solutions should include capabilities such as monitoring Kerberos, NTLM, LDAP, and OAuth/SAML flows, as well as deep packet inspection, which will allow inspection of protocol-specific attacks like Kerberoasting, Golden Ticket creation, or unauthorized OAuth token grants.
Automated response
The goal of this component is to go beyond mere observation and provide programmatic approaches to respond to attacks. The framework must include capabilities to interact with identity providers and trigger automated responses, such as adaptive MFA challenges, revoking session tokens, or rolling back unauthorized changes. For example, you want the ability to undo changes to directory attributes, such as removing domain admin rights granted via an exploit.
Tool/ecosystem integration
ITDR should act as the identity signal provider for an organization’s entire security operations center. The ITDR framework should consider bidirectional integration with other security stacks, such as EDR, XDR, and SIEM. It should communicate signals and risk scores to other tools, preferably using open standards like Shared Signals and Events (SSE). For example, if ITDR detects a credential compromise, it should automatically signal the EDR to isolate the device on which the user is currently logged in.
Core functions of an ITDR solution
The functions of an ITDR solution must align with the framework and provide comprehensive coverage across the entire attack lifecycle. The following list describes core functions or pillars that any ITDR solution must provide. They map ITDR capabilities to the NIST Cybersecurity Framework 2.0, providing a structured way for an organization to identify areas that its ITDR program should cover.
- Identify: It is impossible to protect what cannot be seen. The scope of this function is to discover all human and non-human identities, permissions, and systems that must be protected across the identity fabric, such as on-prem AD, Entra ID, and other third-party identity apps. This function performs activities such as identity asset discovery, mapping, and shadow account discovery (e.g., shadow IT, orphaned accounts, and unmonitored AI identities), helping SOC teams avoid identity blind spots, especially those with excessive permissions.
- Protect: The objective of this pillar is to implement and enforce security controls to harden the identity fabric. Automating identity security posture management (ISPM) by identifying signals that can be exploited is an important activity of this pillar. Examples of such signals are misconfigured GPOs or clear-text passwords in AD attributes. Other activities include configuration management, policy enforcement, and the implementation of least-privilege access controls.
- Detect: This function identifies anomalies and threats using behavioral analytics (UEBA), threat intelligence integration, protocol-level analysis, and real-time anomaly detection. The objective of this pillar is to provide signals that help SOC teams detect intruders during reconnaissance or lateral movement. ITDR detection is more identity-centric than a SIEM’s and hence better detects identity threats such as Kerberoasting, DCShadow, or session hijacking (AiTM).
- Respond: This function involves SOC teams taking immediate action on identified threats. They can use automated response playbooks using the ITDR platform to neutralize the threat. Activities here include alert triage, investigation, threat containment, and rollbacks. Examples include revoking compromised session tokens or disabling a compromised service account.
- Recover: This function enables SOC teams to restore normal operations after a breach or accidental corruption. It enables returning to a clean slate for the identity fabric. In a nutshell, it provides an “undo” button and is often considered a missing link in the ITDR framework. Activities in this pillar include backup restoration, configuration rollback, and service continuity. For example, tools like Cayosoft Guardian can provide granular, attribute-level restoration or full forest recovery in minutes after a compromised domain controller or the wiping of an Entra ID tenant.
- Govern: This pillar oversees security processes, their continuous improvements, risk management, and compliance. It provides SOC teams with audit trail and reporting capabilities, which can also be used to improve the Protect and Detect functions.
ITDR best practices
Continuously discover identities
Implement automated discovery tools to maintain a real-time inventory of all identities in your hybrid identity fabric. Discovery should include all human and non-human identities, such as users, service accounts, API keys, autonomous AI agents, and agentic AI IDs. You must also identify the identities involved in service-to-service (S2S) authentication patterns that do not involve humans.
Expert tip: Use an identity graph to visualize the relationship between identities, permissions, and resources. This will help you discover shadow (admin) accounts that hold administrative power without being members of formal admin groups or that are not part of an identity provider like AD or Entra ID.
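The identity-graph approach from the tip above, as an added example that is not part of the original article: a constructed set of directory relationships (group memberships plus control rights such as GenericAll, WriteDACL, and password reset) is walked to find accounts that can reach a Tier-0 group without being a member of one. The account names, groups, and edges are all made up for illustration.

```python
from collections import deque

# Constructed sample identity graph (not from the article). Each edge is
# (source, relation, target). "MemberOf" is group membership; the other
# relations are simplified labels for AD control rights that let the source
# take over the target (edit its ACL, own it, or reset its password).
EDGES = [
    ("alice",      "MemberOf",      "Domain Admins"),
    ("bob",        "MemberOf",      "Helpdesk"),
    ("Helpdesk",   "ResetPassword", "alice"),          # helpdesk can reset a DA's password
    ("svc-backup", "GenericAll",    "Domain Admins"),  # service account fully controls the DA group
    ("carol",      "MemberOf",      "Developers"),
    ("Developers", "MemberOf",      "Staff"),
    ("dave",       "WriteDACL",     "svc-backup"),     # dave can rewrite the service account's ACL
    ("Staff",      "MemberOf",      "All Users"),
]
ACCOUNTS = {"alice", "bob", "carol", "dave", "svc-backup"}
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
CONTROL_RELATIONS = {"GenericAll", "WriteDACL", "WriteOwner", "ResetPassword"}


def build_adjacency(edges):
    """Outgoing edges per node: node -> [(relation, target), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def effective_memberships(principal, adj):
    """Groups the principal belongs to directly or through nested groups."""
    seen, stack = set(), [principal]
    while stack:
        node = stack.pop()
        for rel, dst in adj.get(node, []):
            if rel == "MemberOf" and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def attack_path_to_tier0(principal, adj):
    """Shortest chain of memberships and control rights from the principal to
    any Tier-0 group, rendered as text, or None if no such chain exists."""
    queue = deque([(principal, principal)])
    visited = {principal}
    while queue:
        node, trail = queue.popleft()
        if node in TIER0_GROUPS:
            return trail
        for rel, dst in adj.get(node, []):
            if (rel == "MemberOf" or rel in CONTROL_RELATIONS) and dst not in visited:
                visited.add(dst)
                queue.append((dst, f"{trail} -{rel}-> {dst}"))
    return None


def find_shadow_admins(edges, accounts=ACCOUNTS):
    """Accounts that can reach Tier-0 without being an (even nested) member
    of a Tier-0 group: these are the shadow admins the tip refers to."""
    adj = build_adjacency(edges)
    shadow = {}
    for acct in sorted(accounts):
        if effective_memberships(acct, adj) & TIER0_GROUPS:
            continue  # formal admin, visible in group membership reviews
        path = attack_path_to_tier0(acct, adj)
        if path:
            shadow[acct] = path
    return shadow


if __name__ == "__main__":
    for acct, path in find_shadow_admins(EDGES).items():
        print(f"SHADOW ADMIN {acct}: {path}")
```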
Implement real-time protocol-level monitoring
Relying solely on event logs creates identity blindness, since attackers can clear logs or operate within legitimate protocols (like Kerberos or LDAP) without triggering standard system alerts. Monitor continuously at the protocol level across your hybrid identity infrastructure to detect identity-centric attacks, such as Kerberoasting, Golden Ticket forgeries, and session hijacking, which frequently evade traditional EDR and SIEM logs. This allows SOCs to intercept indicators of attack (IOAs) in real time rather than after the fact. Every authentication request and directory query must be captured in real time to immediately flag reconnaissance attempts or ticket forgery.
Harden the initial security posture
Threat actors often look to exploit low-hanging fruit, such as legacy NTLM dependencies, over-privileged service accounts, or missing MFA on critical admin roles, to gain initial access. The objective is to close the gap between the access granted and the access used through continuous auditing and the remediation of indicators of exposure (IOEs).
Proactively reduce the identity attack surface by using ISPM to remediate directory misconfigurations, enforce phishing-resistant MFA, and eliminate high-risk attack paths before they can be exploited. This preventive hardening ensures that the identity fabric is fundamentally secure against common entry-level identity threats.
Classify and protect Tier-0 identities
Tier-0 identities such as Domain Admins, Enterprise Admins, Schema Admins in AD, and Global Administrators, Privileged Role Administrators, Conditional Access Administrators in Entra ID control the identity control plane. These “crown jewel” identities and roles should be formally classified to apply targeted, high-frequency auditing and phishing-resistant protections.
Protecting them is about reducing the blast radius of a compromise: if such an account is compromised, the attacker gains total control over the identity fabric. Hardening these identities involves steps such as replacing permanent group memberships with privileged identity management (PIM) and just-in-time (JIT) access that grants privileged (Tier-0) rights only when needed, gated by phishing-resistant MFA.
Establish behavioral baselines
Leverage tools that employ user and entity behavior analytics (UEBA) to establish known-good behavioral patterns for every identity, triggering high-fidelity alerts in case of anomalies that suggest identity abuse. An effective ITDR strategy relies on probabilistic scoring to distinguish between a human making a mistake and a bot performing high-speed reconnaissance.
Monitor for scenarios such as “impossible travel,” unusual login rates, or unauthorized resource access patterns. For example, if a service account that normally authenticates once an hour suddenly requests 50 Kerberos service tickets in a minute, it could indicate a Kerberoasting attempt and should be flagged.
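The service-ticket scenario above as working detection logic, added here and not part of the original article: a per-account baseline is learned from a window of constructed Windows Security events (Event ID 4769, “A Kerberos service ticket was requested”), and a sliding one-minute window is then compared against that baseline. The account names, service names, timestamps, and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of 4769 events (timestamp, account, service name).
T0 = datetime(2024, 5, 1, 8, 0, 0)
LEARN_UNTIL = T0 + timedelta(hours=24)


def _burst(start, n):
    # 50 tickets in 50 seconds, each for a different SQL service: the
    # pattern the article describes for a Kerberoasting attempt.
    return [(start + timedelta(seconds=i), "svc-report", f"MSSQLSvc/db{i:02d}")
            for i in range(n)]


EVENTS = (
    # learning window: svc-report talks to one SQL server about once an hour
    [(T0 + timedelta(hours=h), "svc-report", "MSSQLSvc/db01") for h in range(24)]
    # alice is an interactive user who requests three tickets an hour
    + [(T0 + timedelta(hours=h, minutes=m), "alice", "cifs/fileserver")
       for h in range(24) for m in (0, 20, 40)]
    # detection window: svc-report suddenly requests 50 tickets in a minute
    + _burst(T0 + timedelta(hours=30), 50)
    # alice keeps behaving normally
    + [(T0 + timedelta(hours=30, minutes=5), "alice", "cifs/fileserver")]
)

WINDOW = timedelta(seconds=60)
MIN_BURST = 10   # floor so a tiny baseline does not yield a threshold of one ticket
FACTOR = 20      # alert when a window holds 20x the expected count for the account


def learn_baseline(events, learn_start, learn_until):
    """Mean 4769 requests per hour per account over the learning window."""
    hours = (learn_until - learn_start).total_seconds() / 3600
    counts = defaultdict(int)
    for t, acct, _ in events:
        if learn_start <= t < learn_until:
            counts[acct] += 1
    return {acct: n / hours for acct, n in counts.items()}


def detect_ticket_bursts(events, baseline):
    """Walk events in time order; alert once per account per burst when the
    sliding window exceeds max(MIN_BURST, FACTOR * expected-for-window)."""
    alerts = []
    recent = defaultdict(deque)       # account -> recent (time, service) pairs
    suppressed_until = {}             # one alert per account per window
    for t, acct, spn in sorted(events):
        q = recent[acct]
        q.append((t, spn))
        while q and q[0][0] < t - WINDOW:
            q.popleft()
        expected = baseline.get(acct, 0.0) * (WINDOW.total_seconds() / 3600)
        threshold = max(MIN_BURST, FACTOR * expected)
        if len(q) >= threshold and t >= suppressed_until.get(acct, datetime.min):
            alerts.append({
                "account": acct,
                "time": t,
                "count": len(q),
                # many distinct services in one burst is itself a strong indicator
                "distinct_services": len({s for _, s in q}),
                "baseline_per_hour": baseline.get(acct, 0.0),
            })
            suppressed_until[acct] = t + WINDOW
    return alerts


if __name__ == "__main__":
    for a in detect_ticket_bursts(EVENTS, learn_baseline(EVENTS, T0, LEARN_UNTIL)):
        print(f"{a['time']} {a['account']}: {a['count']} tickets for "
              f"{a['distinct_services']} services (baseline {a['baseline_per_hour']:.1f}/h)")
```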
Create automated responses
Develop and deploy pre-vetted automated response playbooks to neutralize confirmed identity threats at speed. These playbooks can function as kill switches, taking actions such as automatically revoking Entra ID tokens, triggering a password reset for the compromised ID, and isolating the source endpoint via EDR before an attacker can move laterally.
It is important to integrate the identity signals directly into your security orchestration, automation, and response (SOAR) platform for automatic invocation.
Close the recovery gap
You must assume that prevention will eventually fail. This could be due to corruption in primary AD caused by ransomware, a Golden Ticket attack, or Tier-0 compromises in your identity fabric. True identity resiliency is the ability to restore identity continuity in such cases, which can be achieved through backups.
Treat identity recovery as a core function of ITDR to achieve identity resiliency and maintain a continuously validated, malware-free backup for complete or granular restoration if needed. An active standby forest can ensure one-click restoration of business operations to a known-good state in minutes rather than days.
Enforce continuous governance
ITDR is not a one-time activity; it is a cycle. You must conduct continuous identity audits and posture assessments to reduce privilege creep, remove orphaned accounts, and remediate identity permission misconfigurations that can create new attack paths.
Through continuous governance, lessons learned from detections and recoveries should be codified into policy. This reduces the available attack surface and maintains a least-privilege environment. Use ISPM to find and fix legacy NTLM dependencies or overly permissive service principal permissions that could be exploited.
ITDR implementation strategy
An effective ITDR strategy focuses on actively detecting attacks and defending the entire identity infrastructure. The objective is to go beyond simple access and authorization management to a comprehensive identity resilience.
The following are important considerations for a robust strategy:
- Organizational alignment and team collaboration: An effective ITDR implementation starts with teams working collaboratively rather than in silos. For example, IAM admins and SOC analysts monitoring threats should use unified processes and workflows for threat management.
- Baselining: An effective ITDR implementation should include a comprehensive mapping of what an identity can do based on a deep analysis of its group memberships, inherited permissions, and service principal delegations. The same is also true for non-human identities. Baselining will also reveal permissive accounts and shadow admins. This should typically be implemented using ML-based UEBA tools.
- Recovery-based resilience: An effective strategy also assumes that prevention will fail. A recovery-based implementation ensures that identity infrastructure can be restored to a clean working state if needed. For example, an active-standby AD can handle identity requests in the event of an AD forest wipe.
Cayosoft Guardian for ITDR
Cayosoft Guardian is a unified identity resilience platform that monitors and recovers across the entire Microsoft hybrid identity stack. It plugs the recovery gap in ITDR, providing rapid restoration capabilities along with prevention and detection.
Cayosoft Instant Forest Recovery provides full forest recovery automation for Active Directory, enabling rapid recovery in minutes to a clean standby environment. Audit & Restore tracks every identity change, enabling granular object-level rollback of unwanted changes for both AD and Entra ID. And Protector continuously detects identity threats, enabling abuse to be detected in real time. Together, these products help organizations implement a resilient Microsoft identity platform.
| Platform | Admin Features | Single Console for Hybrid (On-prem AD, Azure AD, M365, Teams) | Change Monitoring/Auditing | User Governance (Roles, Rules, Automation) | Forest Recovery in Minutes |
|---|---|---|---|---|---|
| Microsoft AD Native Tools | ✓ | | | | |
| Microsoft AD + Cayosoft | ✓ | ✓ | ✓ | ✓ | ✓ |
Conclusion
The shift from network perimeter to identity perimeter necessitates more than simple authentication and monitoring. Modern security mandates unified inventory and signal collection of both human and non-human identities, a proactive approach to identity posture hardening rather than a reactive one after a threat actor has gained access, and cohesive integration with other security tools. Implementing an ITDR solution provides the framework for identity security and resiliency in a landscape defined by an increasing number of non-human and AI-driven threats.