Identity Frameworks & Standards
Status: Scaffold — content in progress
ITDR intersects several frameworks. Understanding where each one applies prevents duplicate work and tells you which framework to cite for which decision.
MITRE ATT&CK — Identity-Relevant Techniques
ATT&CK is the primary behavior reference for ITDR detection engineering.
Key tactics with strong identity relevance:
| Tactic | Identity-Specific Techniques |
|---|---|
| Initial Access (TA0001) | Phishing for credentials (T1566), Valid Accounts (T1078) |
| Credential Access (TA0006) | Kerberoasting (T1558.003), LSASS Dump (T1003.001), DCSync (T1003.006) |
| Lateral Movement (TA0008) | Pass-the-Hash (T1550.002), Pass-the-Ticket (T1550.003) |
| Defense Evasion (TA0005) | Golden Ticket (T1558.001), Silver Ticket (T1558.002) |
| Persistence (TA0003) | Account Manipulation (T1098), Device Registration (T1098.005) |
| Privilege Escalation (TA0004) | Valid Accounts (T1078.002), ADCS ESC (T1649) |
Rule for this handbook: an ATT&CK mapping is applied only when behavior evidence for that technique is present. If a technique is suspected but not confirmed, it is marked Inferred or Gap instead.
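A small lint for that rule, added here as an illustration and not part of the handbook's own tooling: it checks a detection page's mappings against the identity table above and rejects a Confirmed mapping that carries no behavior evidence. The `Mapping` record, the evidence-reference list, and the `Inferred` vs `Gap` split (indirect evidence vs none) are assumptions made for the example.

```python
"""Lint ITDR handbook ATT&CK mappings against the evidence rule above."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Identity-relevant tactic -> techniques, transcribed from the table above.
IDENTITY_TECHNIQUES = {
    "TA0001": {"T1566", "T1078"},
    "TA0006": {"T1558.003", "T1003.001", "T1003.006"},
    "TA0008": {"T1550.002", "T1550.003"},
    "TA0005": {"T1558.001", "T1558.002"},
    "TA0003": {"T1098", "T1098.005"},
    "TA0004": {"T1078.002", "T1649"},
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1234 or T1234.001
EVIDENCE_LABELS = {"Confirmed", "Inferred", "Gap"}


@dataclass
class Mapping:
    """One ATT&CK mapping on a detection page (assumed record layout)."""
    tactic: str
    technique: str
    label: str                                       # Confirmed | Inferred | Gap
    evidence: list[str] = field(default_factory=list)  # references to observed behavior


def lint_mapping(m: Mapping) -> list[str]:
    """Return lint findings; an empty list means the mapping follows the rule."""
    problems: list[str] = []
    if not TECHNIQUE_ID.match(m.technique):
        problems.append(f"malformed technique id {m.technique!r}")
    elif m.technique not in IDENTITY_TECHNIQUES.get(m.tactic, set()):
        problems.append(f"{m.technique} is not listed under {m.tactic} in the identity table")
    if m.label not in EVIDENCE_LABELS:
        problems.append(f"unknown evidence label {m.label!r}")
    # Handbook rule: a mapping is only applied (Confirmed) when behavior evidence is present.
    if m.label == "Confirmed" and not m.evidence:
        problems.append("Confirmed mapping has no behavior evidence; mark Inferred or Gap")
    # Assumed convention: Gap means no evidence at all, so evidence present contradicts it.
    if m.label == "Gap" and m.evidence:
        problems.append("Gap mapping lists evidence; mark Inferred or Confirmed")
    return problems


def lint_page(mappings: list[Mapping]) -> list[tuple[int, str]]:
    """Lint every mapping on a page; returns (row index, finding) pairs."""
    return [(i, p) for i, m in enumerate(mappings) for p in lint_mapping(m)]
```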
NIST SP 800-63 — Digital Identity Guidelines
Three-volume standard for digital identity:
- 800-63A: Enrollment and identity proofing
- 800-63B: Authentication and lifecycle management (AAL1/2/3)
- 800-63C: Federation and assertions
Relevant for: authentication strength baselines, MFA requirements, federation trust levels.
CIS Controls — Identity-Relevant Controls
| CIS Control | Identity Focus |
|---|---|
| CIS 5 | Account Management |
| CIS 6 | Access Control Management |
| CIS 12 | Network Infrastructure Management (includes network authentication) |
| CIS 16 | Application Software Security |
NIST Cybersecurity Framework (CSF) 2.0
The new Govern function in CSF 2.0 emphasizes identity governance. Identity also maps across the other five functions:
- Identify: asset inventory includes identity stores
- Protect: MFA, least privilege, PAM
- Detect: ITDR detection rules
- Respond: incident response to identity compromise
- Recover: account reset, credential rotation
Microsoft ITDR Framework (Entra ID focus)
Microsoft's Identity Secure Score and Entra ID Protection provide:
- Risk-based conditional access
- Identity risk detections (atypical travel, leaked credentials)
- Privileged Identity Management (PIM) for just-in-time (JIT) privileged access
How to Use These Frameworks in This Handbook
- Detection pages reference ATT&CK technique IDs and behavior evidence
- Attack pages cite ATT&CK and real CTI with evidence labels
- Lab pages reference NIST AAL levels to describe the authentication strength being tested
- Simulation scenarios map attacker steps to ATT&CK tactics
Cross-Links
| Topic | Link |
|---|---|
| What is ITDR? | what-is-itdr.md |
| Detection Framework | detection-framework |