This curriculum spans the design and operationalization of an enterprise identity threat detection program, comparable in scope to a multi-phase advisory engagement that integrates risk assessment, data architecture, behavioral analytics, detection engineering, and response automation across hybrid environments.
Module 1: Foundational Identity Threat Landscape and Risk Assessment
- Conducting a privilege audit across hybrid identity stores to identify overprovisioned accounts in Active Directory and Azure AD.
- Selecting identity telemetry sources based on signal reliability, including event logs, sign-in logs, and privileged access workstations.
- Mapping identity attack paths using the MITRE ATT&CK framework to prioritize detection coverage for T1078 (Valid Accounts) and T1098 (Account Manipulation).
- Establishing risk thresholds for anomalous behavior, such as logins from high-risk countries or impossible travel, based on organizational travel patterns.
- Integrating threat intelligence feeds to enrich identity events with known malicious IPs, domains, and user agent anomalies.
- Defining scope for identity threat detection by excluding service accounts with static, non-interactive usage patterns from behavioral baselines.
Module 2: Identity Data Collection and Log Aggregation Architecture
- Configuring Windows Event Forwarding to centralize critical identity events (e.g., 4624, 4625, 4768) from domain controllers at scale.
- Normalizing identity log schemas across cloud and on-premises systems to enable correlation in a SIEM or data lake.
- Implementing log sampling strategies for high-volume identity sources to balance cost and detection efficacy.
- Deploying lightweight agents or APIs to collect identity data from SaaS applications without native logging integration.
- Enabling Azure AD audit and sign-in logs with appropriate retention policies aligned with incident response requirements.
- Securing log transmission channels using mutual TLS and ensuring integrity with hashing mechanisms like SHA-256.
Module 3: Behavioral Analytics and Anomaly Detection Models
- Establishing baseline login patterns for individual users and groups by analyzing time, location, and device frequency over a 30-day period.
- Tuning machine learning models to reduce false positives in peer-group analysis for global organizations with regional access norms.
- Implementing risk-based session controls using conditional access policies triggered by anomaly scores from identity protection systems.
- Handling model drift by retraining behavioral baselines quarterly or after major organizational changes like mergers.
- Excluding automated processes from behavioral models by tagging service accounts and non-human identities in the directory.
- Validating anomaly detection efficacy through red team exercises that simulate credential theft and lateral movement.
Module 4: Detection Engineering for Identity-Specific Threats
- Writing Sigma rules to detect Kerberoasting by identifying repeated service ticket requests with RC4 encryption.
- Creating correlation rules to flag Golden Ticket attacks via abnormal PAC validation patterns in domain controller logs.
- Developing detection logic for password spray attacks by aggregating failed logins across multiple accounts from a single source IP.
- Monitoring for abnormal consent grant activity in OAuth applications to detect malicious app registration exploitation.
- Implementing alerts for unexpected changes to high-privilege groups such as Domain Admins or Enterprise Admins.
- Correlating authentication failures with subsequent successes to detect brute-force and credential stuffing sequences.
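As an added example (not part of the original curriculum), the two aggregation patterns named in this module, password spray and failure-then-success correlation, run over a handful of constructed sign-in records in Python; the record layout, the 10-minute windows and the thresholds are assumptions.

```python
# Added example (not from the original curriculum): password-spray detection and
# fail-then-success correlation over constructed sign-in records; thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, account, outcome).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "203.0.113.7", "alice", "fail"),
    ("2024-05-01T09:00:03", "203.0.113.7", "bob", "fail"),
    ("2024-05-01T09:00:05", "203.0.113.7", "carol", "fail"),
    ("2024-05-01T09:00:07", "203.0.113.7", "dave", "fail"),
    ("2024-05-01T09:00:09", "203.0.113.7", "erin", "fail"),
    ("2024-05-01T09:05:00", "198.51.100.4", "alice", "fail"),
    ("2024-05-01T09:05:02", "198.51.100.4", "alice", "fail"),
    ("2024-05-01T09:07:00", "198.51.100.4", "alice", "success"),
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failures span >= min_accounts distinct accounts within a
    sliding window: few attempts per account, so per-account lockouts never trip."""
    by_ip = defaultdict(list)
    for ts, ip, acct, outcome in events:
        if outcome == "fail":
            by_ip[ip].append((datetime.fromisoformat(ts), acct))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # drop old failures
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
    return hits

def detect_fail_then_success(events, min_failures=2, window=timedelta(minutes=10)):
    """(ip, account) pairs where a success follows >= min_failures failures for the
    same account from the same source within the window (brute force / stuffing)."""
    recent = defaultdict(list)  # (ip, account) -> timestamps of recent failures
    hits = []
    for ts, ip, acct, outcome in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        key = (ip, acct)
        recent[key] = [f for f in recent[key] if t - f <= window]
        if outcome == "fail":
            recent[key].append(t)
        elif len(recent[key]) >= min_failures:
            hits.append(key)
    return hits
```

In a SIEM the same logic is typically expressed as a bucketed count of distinct accounts per source IP, with the window and thresholds tuned to the organization's own failure baseline.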
Module 5: Privileged Access and PAM Integration
- Integrating Privileged Access Management (PAM) solutions with SIEM to monitor just-in-time (JIT) elevation requests and approvals.
- Enforcing time-bound access for privileged roles and auditing session recordings from PAM-managed systems.
- Mapping privileged roles across cloud platforms (e.g., AWS IAM, Azure RBAC) to detect privilege creep over time.
- Configuring break-glass account monitoring with multi-factor alerting and immediate revocation workflows.
- Validating that privileged sessions are brokered through jump hosts or PAM gateways to ensure full auditability.
- Enforcing credential rotation after privileged session termination using automated vaulting mechanisms.
Module 6: Incident Triage, Forensics, and Response Automation
- Developing runbooks for identity incident types, including account takeover, pass-the-hash, and token theft.
- Preserving forensic artifacts such as Kerberos tickets, LSASS memory dumps, and authentication timestamps during investigations.
- Automating account disablement and MFA reset via SOAR playbooks upon confirmation of credential compromise.
- Coordinating identity revocation across on-premises and cloud directories during cross-realm compromise scenarios.
- Reconstructing attack timelines using correlated identity events across endpoints, directories, and cloud services.
- Engaging HR and legal teams for insider threat cases involving identity misuse by terminated or disgruntled employees.
Module 7: Governance, Compliance, and Continuous Improvement
- Conducting quarterly access reviews for privileged and cross-system roles to enforce least privilege.
- Aligning identity threat detection controls with compliance frameworks such as NIST 800-63, ISO 27001, and SOC 2.
- Measuring detection efficacy using metrics like mean time to detect (MTTD) and false positive rates per rule.
- Managing rule lifecycle by deprecating stale detections and documenting changes in a centralized repository.
- Coordinating cross-functional tabletop exercises involving IAM, SOC, and IT operations to validate response readiness.
- Updating detection logic in response to new identity threats identified in industry threat reports or internal post-mortems.