ITDR — Identity Threat Detection & Response
Identity is the primary attack surface in modern enterprise. Credential abuse, token theft, privilege escalation through misconfigured identity providers, and lateral movement via Kerberos tickets are the dominant patterns in real-world breaches. This handbook covers the full chain: protocols → labs → attacks → detection → simulation.
What This Handbook Covers
| Phase | What You Get |
|---|---|
| Identity Foundations | Core concepts, threat model, key frameworks |
| Protocols & Systems | Deep dives into 8 identity systems |
| Labs | Reproducible lab environments for each system |
| Attacks | ATT&CK-mapped attacks with real CTI examples |
| Detection | Sigma / KQL / SPL rules, telemetry requirements, DRL levels |
| Simulations | End-to-end attack–defense scenarios |
How to Use This Handbook
If you are a detection engineer: Start with the protocol page for your identity system, then go directly to the relevant attack pages and their paired detection pages.
If you are a CTI analyst: The Attacks section carries ATT&CK technique IDs, evidence labels (Observed / Reported / Assessed / Inferred), and real threat actor usage. Use these as intelligence inputs to detection backlog prioritization.
If you are a red teamer or lab operator: The Labs section provides the baseline environments, and the Simulations section provides structured attack sequences tied to those labs.
If you are building an ITDR program: Start with What is ITDR?, then Identity Attack Surface, then Identity Frameworks.
Conventions
- Evidence labels: Observed, Reported, Assessed, Inferred, Unknown, Gap
- DRL levels: 0–9; only DRL-9 = production coverage
- ATT&CK mapping: behavior evidence required; not mapped otherwise
- Severity: Critical / High / Medium / Low per attack page
- Status tags: each page carries a Status note (Scaffold / In Progress / Review / Final)
Scope
All content is defensive, TLP:CLEAR, and publicly shareable. Attack techniques are documented at the behavioral level required for detection engineering and threat intelligence. No working exploits, no credential dumps, no victim-sensitive data.
This handbook is part of the ITDR project by Andrey Pautov.