Non human Identities – Permissions, Third Party Vulnerabilities and Risk
In this article
What are non-human identities?
Non-human identities (NHIs) dominate the era of cloud services and SaaS applications. They are the identities that authenticate between different servers, APIs and third party integrations to provide programmatic access to data and services.
Non-human identities utilize different protocols, such as OAuth, REST and SSH. The complex nature of those integrations and permissions are part of the shadow IT problem, where organizations can lose track of them easily and have shadow identities performing sensitive actions and accessing customer data unbeknownst to them. These identities could be compromised and abused by attackers through phishing, misconfigured cloud resources, exploited vulnerabilities and exposed secrets.
What are digital supply chain attacks, and how do they happen
A digital supply chain attack refers to attacks on one or more dependencies in an organization’s digital supply chain. The digital supply chain usually consists of a complex web of third party software and services, each with access to different parts of the organization’s data and infrastructure. If any parts of the digital supply chain gets compromised, it creates a flow on effect which causes business disruption and potential data breaches.
Example 1: Microsoft hacked by Midnight Blizzard
Source: Wiz
One example of a major digital supply chain attack is the attack on Microsoft by Midnight Blizzard, a Russian state hacking group. The attackers first gained access to a test email server via password spraying. Abusing the OAuth permissions attached to an old application on the mail server, the attackers pivoted to the corporate Microsoft network. As a result of abusing these non-human identities, the attackers gained access to one of the highest privileges in Microsoft Entra, and used it to access email inboxes of Microsoft’s top leadership and security employees.
Example 2: Cloudflare breached via Okta compromise
Source: Astrix
A different digital supply chain attack affected Okta and its customers in 2023, where a third party support desk employee’s credentials were compromised and abused to access multiple customer session cookies. With those cookies (which often belonged to IT or security admins of the customer’s organization), they pivoted downstream into their customers’ Okta tenants.
This affected major Okta customers such as Cloudflare, which was estimated to be used by more than 7 million websites on the internet. During incident response, Cloudflare rotated more than 5000 API keys, but missed a few – the attackers used those keys to access internal Cloudflare documentation and source code, which they could use to mount further supply chain attacks by analyzing them for vulnerabilities.
Both of these examples show that compromises of first party and third party services and subsequent access to NHIs allowed attackers to pivot to sensitive customer data, even in large organizations with huge security budgets.
Exploiting non-human identity vulnerabilities
So how do attackers exploit NHIs to breach organizations? First, they begin with initial access to NHIs by abusing stolen credentials / cookies, exploiting vulnerable services, or performing phishing attacks to get permission grants. Attackers also find exposed secrets on platforms such as GitHub which are often API keys attached to NHIs.
Then, they explore the resources they can access with the compromised identity using the respective APIs, such as Microsoft GraphQL or AWS IAM. Attackers also try to perform privilege escalation and lateral movement to increase the resources they can access, by assuming additional roles, abusing existing privileges, or even pivot from cloud to on-premise infrastructure (“death from above”).
The general rule of thumb is attackers will go where your data is, and perform their objectives be it exfiltration, encryption, manipulation or all of the above. In cases of nation state sponsored APT (Advanced Persistent Threat) groups, long-term persistence is often a key goal, and the creation or modification of additional NHIs is often done to help them stay in your network undetected.
Solutions to address non-human identity risks
CTEM – Continuous Threat Exposure Monitoring
A Gartner introduced framework, Continuous Threat Exposure Monitoring (CTEM), is a continuous and dynamic strategy that safeguards the attack surface of an organization. It uses a proactive, lifecycle based approach to continuously diagnose and act on remediating risks.
CTEM consists of 5 key phases:
- Program Scoping – identify an initial scope that can deliver value based on the biggest risks to the business and expand as the program progresses.
- Attack Surface Discovery – discover the attack surface assets within the scope, assess their risk profiles including vulnerabilities, misconfigurations, and security issues.
- Risk Prioritization – identify and address the threats most likely to be exploited against the organization with the biggest business impact.
- Exposure Validation – conduct active exploitability testing to validate how potential attackers can actually exploit an identified exposure.
- Mobilization and remediation – operationalize risk reduction and acting on critical findings by reducing friction, aligning stakeholders, and streamlining remediation processes.
For organizations with a large amount of NHIs, an implementation of CTEM with tools that integrate into all of your cloud resources, SaaS applications and authentication protocols can effectively find, validate and remediate NHI based misconfigurations and threats.
EASM – External Attack Surface Monitoring
An organization’s external attack surface is all of its internet facing assets – from domain names and SSL certificates to email servers, cloud infrastructure, and IoT devices. It covers both first party assets as well as third party ones connected to the organization via its digital supply chain.
External Attack Surface Management (EASM) is the continuous discovery, monitoring, evaluation, prioritization, and remediation of these attack vectors – prioritized according to the actual risk posed by a given threat. It’s essentially an implementation of CTEM that quickly provides organizations with fast return on investment by proactively reducing attack surface.
Let’s look at an example: suppose an organization has a WordPress website on one of their external assets which has a plugin installed with a known CVE. An EASM solution will quickly detect the vulnerability and raise it as a finding with appropriate severity, then guides remediation efforts by providing advice. After the risk is resolved, the EASM solution continues to monitor the same assets for any future exposure in its digital supply chain.
Risk prioritization of external attack surface
Most organizations have a very limited security budget, which is why prioritization of risk is ever more important. The large amount of alerts coming from various security tools can also lead to burn out and alert fatigue.
This is definitely the case with NHI risks. With the onboarding of every new software and integration, the number of non-human identities in an organization grows, and can quickly become untenable to manage.
Good EASM tools help with risk prioritization, by getting to know your organization’s crown jewels as well as thinking like an attacker when validating the exploitability of each risk. Solid risk prioritization reduces the work you need to do, and helps convince leadership buy-in by remediating major business risks.
IONIX manages NHI risks as a CTEM platform
We are entering the era of non-human identities, which introduces new risks and requires better approaches to manage the increased attack surface of both first and third-party assets.
IONIX’s platform provides continuous, comprehensive discovery, assessment, and exposure validation across diverse IT environments, including cloud-based, vendor systems, and digital supply chains. The platform prioritizes risks based on business context, exploitability, and threat intelligence data. What’s more, IONIX can be seamlessly integrated with existing security operations systems, streamlining workflows and bolstering overall cybersecurity resilience.
To see how IONIX CTEM can find and address your non-human identity risks, request a scan today.