
9 April 2026
When the attacker is already inside: the challenge of detecting malicious legitimate access
For decades, enterprise cybersecurity has been dominated by a clear paradigm: perimeter protection. Inspired by the “Castle and Moat” model, this approach prioritizes building increasingly sophisticated defensive barriers: next-generation firewalls, network segmentation, IDS/IPS systems, proxies, WAFs, and network-centric Zero Trust architectures.
The goal was unequivocal: prevent unauthorized access. However, the evolution of the threat landscape has proven this model insufficient against modern threats.
The data is conclusive: the attacker is already inside. Recent industry reports place average dwell time at weeks or even months. During that time, the attacker does not behave like an intruder but like a legitimate user. This behavioral shift is not accidental; it is strategic.
The operational reality is that:
- More than 80% of breaches involve the use of compromised credentials: This means that the most critical attacks no longer depend on traditional exploits, but on valid credentials obtained through phishing, leaks, or internal movement.
- Initial access rarely relies on advanced technical exploitation: Attackers often enter through social engineering or weak authentication flows.
- The critical phase of the attack occurs after authentication: Once inside, traditional tools barely detect lateral movement, privilege escalation, or covert persistence.
Attackers no longer break down the door; they use valid credentials, legitimate tokens, or hijacked sessions. In this new scenario, identity becomes the true perimeter. This is where ITDR (Identity Threat Detection and Response) comes into play: a discipline designed to detect, analyze, and respond to identity-centric threats, even when access appears completely legitimate.
1. What ITDR really is (and what it is NOT)
In an ecosystem saturated with acronyms, ITDR should not be understood as a point solution, but as a transversal strategic capability within the cybersecurity architecture.
What it is NOT
- It is not an IAM system: Traditional IAM (Identity and Access Management) focuses on provisioning, assigning, and revoking identities. Its primary goal is to ensure users have the right access according to roles and policies, but it does not evaluate whether that access is being misused.
- It is not a SIEM: SIEM tools (Security Information and Event Management) correlate and analyze logs. While useful for auditing and compliance, they detect threats reactively, after malicious activity has already occurred or data has been exfiltrated.
- It is not an EDR: EDR (Endpoint Detection and Response) focuses on endpoint behavior, not on the identity executing actions on critical systems. If an attacker uses valid credentials for lateral movement, EDR may not detect it because the activity appears legitimate.
What it IS
ITDR is an active intelligence layer that:
- Monitors identity behavior in real time: every action of a privileged user is analyzed against historical context and expected behavioral patterns. It is not only about which user did what, but how and when it was done.
- Analyzes authentication flows (Kerberos, NTLM, OAuth, SAML): this allows detection of attacks such as Pass-the-Hash, compromised Ticket Granting Tickets, or OAuth token abuse before damage materializes.
- Detects deviations from normal patterns: the combination of behavioral analytics, heuristics, and machine learning identifies actions outside expected norms for each identity, regardless of whether authentication is valid.
- Responds automatically to risky behavior: a high-level ITDR can revoke compromised sessions, isolate users, or invalidate credentials in milliseconds, minimizing the exposure window.
Technical domains of action
1. Identity directories
- Active Directory / Microsoft Entra ID: Domain controllers represent the heart of the organization. They are the primary target of sophisticated attacks because they control privileges, roles, and authentication across the entire ecosystem. ITDR monitors these flows to detect ticket manipulation, privilege escalation, or the creation of hidden accounts.
2. Non-human identities
- APIs, bots, and service accounts: They represent a growing portion of total corporate identities. Many of these identities lack continuous monitoring and, if compromised, enable invisible lateral movement, data exfiltration, and manipulation of critical systems.
3. Privilege management
- Detection of excessive privileges: ITDR analyzes the actual use of privileges to identify unnecessary or risky access.
- Identification of orphan accounts and shadow admins: these are forgotten accounts or those created without formal control, representing a critical risk vector in any advanced attack.
2. The real problem: from “Hacker” to “Legitimate User”
The modern attacker does not seek to exploit complex technical vulnerabilities if it can be avoided. They prefer to exploit the most reliable element of the system: identity.
The most commonly used techniques reflect this shift:
- Pass-the-Hash: use of captured NTLM hashes for authentication without knowing the real password. Allows privilege escalation without triggering incorrect login alerts.
- Pass-the-Ticket: use of valid Kerberos tickets, obtained through manipulation or memory dumping techniques, to access resources without re-authentication.
- Kerberoasting: extraction of service ticket hashes to crack high-privilege credentials.
- Credential Dumping: obtaining credentials stored in memory, SAM files, or Windows caches without visibly interacting with the endpoint.
- Token Hijacking: hijacking session tokens in web or cloud environments to gain legitimate access.
Operational implications
An attacker with valid credentials can:
- Lateral movement: access critical systems using existing credentials, replicating legitimate user behavior to evade detection.
- Privilege escalation: identify accounts with excessive permissions or configuration vulnerabilities and become a domain administrator in minutes, without triggering alerts in conventional control systems.
- Advanced persistence: creation of new hidden identities or modification of existing accounts to maintain access even after the initial breach is detected.
- Full detection evasion: since no malware is executed and no files are modified, traditional protection tools barely detect suspicious activity.
3. Where the traditional approach fails: structural blind spots
SIEM
- Detects patterns only after the fact.
- High dependence on rules and event correlation.
- Lacks deep context about identity and authentication flows.
- Result: threats based on credential abuse are identified too late, when data may already be compromised.
EDR
- Endpoint-centric, not identity-centric.
- Unable to monitor lateral movement at the level of internal protocols or domain controllers.
- Blind to attacks that do not involve malware.
MFA
- Adds security, but does not eliminate risk.
- Techniques such as MFA fatigue or token replay allow bypassing this control.
- Does not protect against lateral movement using already authenticated legitimate sessions.
4. Critical capabilities of enterprise-grade ITDR
1. Behavior analytics
- Machine Learning and user modeling: detects anomalous behavior patterns even if actions are technically legitimate.
- Historical context: analyzes each identity’s behavior over time, detecting significant deviations.
- Example: a financial analyst attempting to access production servers outside their usual schedule triggers alerts immediately.
2. Identity plane protection
- NTLM and Kerberos flows: monitors tickets, hashes, and authentication requests to detect manipulation or misuse.
- Detection of Golden/Silver Tickets: identifies the use of compromised tickets before lateral movement materializes.
- Mitigation: immediate isolation of compromised accounts, credential reset, and session revocation.
3. Attack path analysis
- Identification of critical paths: analyzes how an identity can move from one system to another.
- Attack simulation: anticipates lateral movements before an attacker executes them.
- Real-time visualization: enables CISOs and administrators to prioritize mitigation actions and strengthen controls.
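The attack path analysis described above, as an added example that is not Cosmikal's or any product's code: a constructed control graph (identities, groups, hosts; an edge means control of the first node yields control of the second), a BFS that finds how an identity reaches the critical tier, and a defender's question on top of it: which single host-to-identity edge (a credential or session left on an endpoint, the exposure section 5's isolated-session model removes) cuts the most paths. All node names and edges are hypothetical.

```python
from collections import deque

# Constructed graph (not real data). Edge meaning: control of A yields control of B.
EDGES = {
    "user:jane": ["host:ws-jane"],                    # interactive logon
    "host:ws-jane": ["user:helpdesk.svc"],            # service account session cached here
    "user:helpdesk.svc": ["group:Server Ops"],        # group membership
    "group:Server Ops": ["host:srv-app01", "host:srv-file01"],  # local admin rights
    "host:srv-app01": ["user:admin.tom"],             # domain admin has a live session here
    "user:admin.tom": ["group:Domain Admins"],
    "group:Domain Admins": ["host:dc01"],
}
CRITICAL = "group:Domain Admins"

def shortest_path(graph, start, target):
    """BFS over the control graph; node list from start to target, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def exposed_identities(graph, target=CRITICAL):
    """Identities from which the critical tier is reachable at all."""
    return sorted(n for n in graph
                  if n.startswith("user:") and shortest_path(graph, n, target))

def credential_exposure_cut(graph, target=CRITICAL):
    # Host->identity edges are credentials or sessions left on an endpoint. Find the
    # single such edge whose removal leaves the fewest identities able to reach the
    # critical tier; that is the mitigation to prioritize.
    best = None
    for host, users in graph.items():
        if not host.startswith("host:"):
            continue
        for user in (u for u in users if u.startswith("user:")):
            trimmed = {**graph, host: [u for u in users if u != user]}
            remaining = exposed_identities(trimmed, target)
            if best is None or len(remaining) < len(best[1]):
                best = ((host, user), remaining)
    return best
```

On the constructed graph the answer is the admin session cached on srv-app01: removing that one exposure leaves only the domain admin himself able to reach the tier, whereas cutting jane's workstation still leaves the service account's path intact.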
4. Automated response and orchestration
- Token revocation and session isolation: immediate implementation in milliseconds.
- Dynamic identity blocking: allows threats to be contained in real time without affecting legitimate users.
- Integration with SOAR: orchestrates response workflows across the infrastructure consistently.
5. ITDR + RSW (Endurance as a strategic reference)
Key principles
- Credential never exposed: users never receive the real password or hash.
- Isolated session: only interaction events (keyboard, mouse, video, audio) are transmitted between user and asset.
- Elimination of persistence: credentials never reside on endpoints, removing the theft vector.
- Mitigation of advanced attacks: Credential dumping, Pass-the-Hash, Pass-the-Ticket, and Kerberoasting become ineffective.
Interaction model
- Users interact with critical assets through a virtual interface.
- All sensitive flows remain within secure infrastructure, without exposing credentials or direct access.
- This redefines the concept of Zero Trust applied to privileged identities.
6. Critical use cases by sector
ITDR is not an abstract concept: its real value is demonstrated in concrete business scenarios where privileged identities control critical systems. Each sector has specific risks and attack vectors.
Energy
In the energy sector, privileged accounts manage everything from SCADA systems to turbines, valves, or transformers. A malicious access can cause:
- Operational sabotage: alteration of energy flows or shutdown of plants.
- Regulatory risks: non-compliance with critical standards (NIS2, ISO 27001).
- Reputational damage: loss of trust from users and partners.
With ITDR:
- Every action of a privileged identity is analyzed in real time.
- Anomalous activity is detected, for example, an operator attempting to modify plant parameters outside their shift.
- Response can be automatic: revoke session, isolate identity, or alert the SOC, mitigating damage before it occurs.
Telecommunications
Network operators and infrastructure administrators are targets of internal and external attacks:
- Unauthorized access to critical nodes → mass service disruption.
- Manipulation of routers, switches, or DNS servers → impact on connectivity and communications.
- Risk of stealth attacks lasting months without detection.
ITDR enables:
- Mapping potential attack paths of compromised identities.
- Monitoring privileged sessions in real time.
- Detecting lateral movement before an attacker reaches critical systems, even when MFA and EDR are active.
Industry and Manufacturing
In industrial environments and production plants:
- OT systems control machinery, assembly lines, and automated processes.
- A compromised identity can stop production, manipulate processes, or even cause physical damage to equipment.
- Breaches in OT are often devastating and costly.
ITDR:
- Monitors identities interacting with OT systems.
- Detects actions that do not match historical usage patterns.
- Automates responses such as isolating accounts or blocking sessions, preventing significant economic losses.
Partial conclusion: ITDR is not just an IT solution; it is critical for protecting industrial operations and critical infrastructure.
7. Evolution of the model: from Zero Trust to Identity-Centric Security
The Zero Trust model radically changed the way security is conceived:
“Never trust, always verify”
However, most implementations have focused on:
- Endpoint validation
- Network microsegmentation
- Role-based policies
The problem: they verify the authenticity of the initial session, but not the subsequent behavior of the identity.
ITDR: continuous, identity-centric validation
ITDR elevates Zero Trust to a higher level:
- Continuous verification: authenticating once is not enough; identity behavior must be continuously monitored.
- Proactive detection: lateral movement, privilege escalation, or anomalous patterns are identified before impact occurs.
- Applied intelligence: Machine Learning and advanced analytics differentiate between a legitimate user and an attacker using stolen credentials.
Business benefits
- Reduction of operational risk: protects both IT and OT.
- Enhanced regulatory compliance: ITDR provides full traceability of privileged identities.
- Improved security ROI: combines existing technologies (IAM, PAM, EDR) with advanced monitoring, maximizing effectiveness.
Applied example
Imagine a network administrator accessing critical servers outside working hours. A traditional Zero Trust model would allow access if authentication and MFA are valid. ITDR, however, detects the anomalous pattern and triggers:
- Immediate alert to the SOC
- Real-time session isolation
- Blocking of sensitive access until manual verification
This makes ITDR the last line of defense.
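The behavioral detection logic behind the examples in section 4 (the financial analyst reaching production servers off schedule), section 6 (the operator acting outside their shift) and the applied example above (the network administrator outside working hours), as an added example that is not Cosmikal's code: a per-identity baseline of hosts and hours learned from constructed authentication events, a scoring function that flags deviations even when MFA passed, and the graded response the article lists. The event format, the identity names and the PRIVILEGED set are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline events (not real logs): (identity, target host, timestamp, mfa_ok).
BASELINE = [
    ("analyst.jane", "fin-db01", "2026-03-02T09:15:00", True),
    ("analyst.jane", "fin-db01", "2026-03-03T10:40:00", True),
    ("analyst.jane", "report-srv", "2026-03-04T14:05:00", True),
    ("analyst.jane", "fin-db01", "2026-03-05T11:30:00", True),
    ("netadmin.bob", "core-sw01", "2026-03-02T08:50:00", True),
    ("netadmin.bob", "prod-app01", "2026-03-03T16:20:00", True),
    ("netadmin.bob", "core-sw01", "2026-03-04T09:10:00", True),
]
PRIVILEGED = {"netadmin.bob"}  # constructed: identities holding admin rights

def build_profiles(events):
    """Learn, per identity, the hosts and hours of day seen during the baseline."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, ts, _mfa in events:
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profiles)

def score_event(profiles, event):
    """Return (risk, reasons). A valid MFA result does not offset behavioural
    deviations: the session is authenticated, the behaviour is still anomalous."""
    user, host, ts, mfa_ok = event
    profile = profiles.get(user)
    if profile is None:
        return 3, ["identity never seen in baseline"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if host not in profile["hosts"]:
        reasons.append(f"first access to {host}")
    # Off-hours = more than two hours outside the span observed for this identity.
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if hour < lo - 2 or hour > hi + 2:
        reasons.append(f"off-hours access at {hour:02d}:00")
    if not mfa_ok:
        reasons.append("MFA not satisfied")
    # Any deviation by a privileged identity is weighted one step higher.
    risk = len(reasons) + (1 if reasons and user in PRIVILEGED else 0)
    return risk, reasons
def respond(risk):
    """Graded response matching the article's applied example."""
    if risk >= 2:
        return "isolate session, block sensitive access pending manual verification, alert SOC"
    if risk == 1:
        return "alert SOC"
    return "allow"
```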
8. Trends and future of ITDR
ITDR is an area in constant evolution. Current trends indicate what identity-centric security will look like in the coming years:
Integration with XDR
- Enables correlation of network, endpoint, cloud, and identity behavior events.
- Provides a comprehensive view of risk, not only based on suspicious activity but also on business context.
Extensive use of Artificial Intelligence
- Machine Learning to detect complex anomalous usage patterns that humans or traditional rule-based systems would not identify.
- Analyzes millions of authentication events, user behavior, and API flows in real time.
Protection of non-human identities
- APIs, cloud services, and bots are primary targets of automated attacks.
- ITDR ensures these identities do not become entry points to critical systems.
Continuous session monitoring
- Modern attacks can last weeks or months.
- Constant monitoring makes it possible to detect deviations even when the identity appears legitimate.
Convergence with SASE and modern Zero Trust architectures
- The combination of ITDR with SASE enables identity-based security policies to be applied to cloud traffic and SaaS applications.
- This ensures that even remote users or those in distributed environments comply with security standards.
Conclusion
Cybersecurity has evolved: what once worked is now a risk.
Identity is the new perimeter, and attackers already operate within it using legitimate credentials. Protecting systems without protecting identities is like securing doors when the attacker already has the key.
ITDR is not just another security layer; it is the structural evolution of Zero Trust. It ensures that every access, every session, and every movement of a privileged identity is monitored, analyzed, and, when necessary, automatically blocked.
At Cosmikal, we provide full visibility, proactive detection, and agile response to protect critical IT and OT assets.
We transform identity security into a core operational strategy aligned with business continuity, regulatory compliance, and resilience against advanced threats.