Automated Identity Footprint


In the context of cybersecurity, an Automated Identity Footprint refers to the collective digital presence and discoverable assets of an organization's non-human identities (NHIs) across its external attack surface. It encompasses all the machine-based credentials, service accounts, and automated processes that exist outside the traditional human-user realm and are exposed to the public internet.

This footprint is a critical aspect of an organization's overall attack surface because it represents a potential entry point for attackers who target systems and services rather than individuals. The Automated Identity Footprint includes various components:

  • Service and Technical Accounts: Usernames, email addresses, or other identifiers for accounts used by applications, services, and automated scripts.

  • API Keys and Tokens: The unique, secret credentials that allow applications to authenticate and communicate with APIs and other services.

  • Digital Certificates and SSH Keys: Cryptographic keys used for authenticating servers, devices, and other infrastructure components during secure communication.

  • Cloud and SaaS Workload Identities: The roles and identities assumed by cloud resources (like virtual machines or containers) to access other services and data.

  • Code Secrets: Credentials or other sensitive information (e.g., database connection strings, API keys) that have been inadvertently hard-coded or exposed in public code repositories.

  • Publicly Accessible Configuration Files: Configuration settings or files that, if exposed, could reveal details about an organization's automated processes, network architecture, or sensitive credentials.

Managing the Automated Identity Footprint is essential for modern cybersecurity. It requires a security strategy that moves beyond protecting human users and addresses the unique risks posed by machine-to-machine communication, automation, and the proliferation of non-human identities in cloud and DevOps environments.

ThreatNG is an all-in-one external attack surface management, digital risk protection, and security ratings solution that helps manage an organization's Automated Identity Footprint. It does so by providing an outside-in perspective on where non-human identities (NHIs) are exposed and vulnerable to attack.

ThreatNG's Role in Managing an Automated Identity Footprint

1. External Discovery: ThreatNG can perform purely external, unauthenticated discovery to find elements of an organization's Automated Identity Footprint. This includes:

  • Code Repositories: ThreatNG discovers public code repositories and investigates their contents for sensitive data, which can include credentials for NHIs such as AWS Access Key IDs, various API keys (e.g., Stripe, Google, Twilio), and SSH private keys.

  • Cloud and SaaS Services: It identifies both sanctioned and unsanctioned cloud services and Software-as-a-Service (SaaS) solutions, as well as open, exposed cloud buckets on AWS, Microsoft Azure, and Google Cloud Platform. These are common locations where NHIs are created and can be exposed.

  • Mobile Applications: ThreatNG identifies mobile apps in marketplaces and assesses their content for access credentials (such as API keys and tokens) and security credentials (like PGP or SSH private keys) that may be associated with NHIs.

  • Domain Intelligence: The platform's Domain Intelligence module covers certificates and subdomain headers, which can be linked to machine identities. Its DNS Intelligence capabilities identify technologies and vendors that often use NHIs for their services.

Example of External Discovery aiding Automated Identity Footprint: ThreatNG identifies a publicly accessible GitHub repository and discovers a hard-coded AWS Secret Access Key and a Jenkins API token within the code. These findings are critical components of the organization's Automated Identity Footprint and represent a significant security risk.
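As an added illustration (not ThreatNG's code or detection logic), the following Python sketch shows the kind of rule-based scan that surfaces hard-coded AWS keys, private keys and CI tokens in a constructed repository snapshot and reports them redacted, critical items first, for rotation; the rule set, severities and the hypothetical CI-token rule are assumptions.

```python
import re
from dataclasses import dataclass

# Detection rules: (name, severity, pattern). Group 1 is the sensitive value;
# context rules anchor on a variable name so random strings do not fire.
RULES = [
    ("aws-access-key-id", "high", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws-secret-access-key", "critical", re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")),
    ("private-key", "critical", re.compile(
        r"(-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----)")),
    # Hypothetical context rule for CI tokens such as a Jenkins API token.
    ("ci-api-token", "high", re.compile(
        r"(?i)(?:jenkins|ci)[_-]?(?:api[_-]?)?token\s*[=:]\s*[\"']?([A-Za-z0-9]{20,})")),
]

@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str
    redacted: str  # a report must never re-publish the full secret

def redact(value: str) -> str:
    # Keep a 4-character prefix for triage and mask the rest.
    return value[:4] + "****"

def scan_repository(files: dict[str, str]) -> list[Finding]:
    # Walk {path: contents} line by line, as an external repo scanner would.
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, severity, pattern in RULES:
                for match in pattern.finditer(line):
                    findings.append(Finding(path, line_no, rule, severity,
                                            redact(match.group(1))))
    # Critical findings first so rotation is prioritized correctly.
    return sorted(findings, key=lambda f: f.severity != "critical")

# Constructed repository snapshot: the AWS values are the placeholder
# credentials from AWS documentation and the Jenkins token is made up.
SAMPLE_REPO = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                          'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "ci/Jenkinsfile": 'JENKINS_API_TOKEN = "11aabbccddeeff00112233445566778899"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "README.md": "Run `make deploy` to publish the service.\n",
}
```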

2. External Assessment: ThreatNG performs a range of assessments that directly relate to the risks of an exposed Automated Identity Footprint.

  • Cyber Risk Exposure: This assessment considers parameters from the Domain Intelligence module, including certificates, subdomain headers, and sensitive ports. It also factors in "Code Secret Exposure," which discovers code repositories and their exposure level, and investigates their contents for the presence of sensitive data. The score also takes into account compromised credentials on the dark web. All of these are key elements of an Automated Identity Footprint.

    • Example: ThreatNG assesses a virtual machine with an exposed SSH port and identifies an associated SSH private key in a publicly accessible code repository. This would result in a high "Cyber Risk Exposure" score due to the combination of a vulnerable access point and a leaked machine identity.

  • Data Leak Susceptibility: This score is derived from external attack surface and digital risk intelligence, specifically Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), and Domain Intelligence. If an NHI's credentials are found to be compromised, the risk of a data leak rises directly.

  • Mobile App Exposure: This evaluates how exposed an organization's mobile apps are by discovering them in marketplaces and checking their contents for access credentials (e.g., Amazon AWS Access Key IDs, API keys, and various tokens) and security credentials (e.g., private keys). These credentials often belong to NHIs.

3. Reporting: ThreatNG's reporting capabilities present detailed findings on the Automated Identity Footprint. The Executive, Technical, and Prioritized reports highlight where NHI credentials were found, their associated risk levels, and specific recommendations.

Example of Reporting helping with Automated Identity Footprint: An executive report from ThreatNG might show a low security rating due to significant "Code Secret Exposure". The corresponding technical report would list specific findings, such as an exposed API key with a "High" risk level, and provide actionable recommendations like rotating the key immediately.

4. Continuous Monitoring: ThreatNG performs continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This is crucial for managing the dynamic nature of an Automated Identity Footprint, as NHIs and their credentials are created and updated frequently. Continuous monitoring ensures that new exposures are detected as soon as they appear in public sources.

Example of Continuous Monitoring helping with Automated Identity Footprint: An automated deployment exposes a new service account's API key. ThreatNG's continuous monitoring detects this new exposure and immediately alerts the security team, so the NHI credential can be rotated before it is abused.

5. Investigation Modules: ThreatNG's investigation modules provide the tools to deep-dive into an organization's Automated Identity Footprint.

  • Sensitive Code Exposure: This module directly identifies public code repositories and detects digital risks by analyzing their contents for various access credentials, security credentials, and configuration files. Many of these are credentials for NHIs.

    • Example: An investigation using this module reveals a publicly accessible configuration file with hard-coded database credentials (an NHI) for a production server.

  • Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, as well as open exposed cloud buckets. It also identifies various SaaS implementations, many of which use NHIs.

    • Example: An investigation reveals an open AWS S3 bucket containing sensitive data that can be accessed by an NHI with excessive permissions, highlighting a critical risk.

  • Dark Web Presence: This module tracks organizational mentions and associated compromised credentials. Many of these credentials belong to NHIs.

    • Example: An investigation reveals that an API key (an NHI credential) for a payment gateway has been found in a list of compromised credentials on the dark web.

6. Intelligence Repositories (DarCache): ThreatNG's continuously updated intelligence repositories provide critical context for managing an Automated Identity Footprint.

  • Compromised Credentials (DarCache Rupture): This repository is a direct source for information on compromised credentials. If an NHI's API key, token, or other credentials are leaked, they will be found here, providing immediate actionable intelligence.

  • Vulnerabilities (DarCache Vulnerability): This repository includes information on vulnerabilities from NVD, EPSS, and KEV. This helps assess the risk of an NHI being compromised if it is running on a system with a known vulnerability.

Example of Intelligence Repositories helping with Automated Identity Footprint: The DarCache Rupture repository identifies a set of compromised credentials, including a service account password for a critical application. This provides a direct indicator of a threat to the organization's Automated Identity Footprint.

Synergies with Complementary Solutions:

  • Identity and Access Management (IAM) and Privileged Access Management (PAM) Systems: ThreatNG's external discovery of exposed NHI credentials and roles can be fed into an internal IAM system to ensure proper governance and policy enforcement. PAM solutions can then be used to manage the lifecycle of the credentials for highly privileged NHIs identified by ThreatNG, such as enforcing mandatory rotation and just-in-time access.

  • Secrets Management Solutions: ThreatNG's findings of hard-coded credentials in public code repositories provide strong evidence for implementing a secrets management solution. This allows organizations to move NHI credentials into a secure vault, where they can be programmatically retrieved and managed without being exposed.

  • Cloud Security Posture Management (CSPM): ThreatNG's discovery of open exposed cloud buckets and unsanctioned cloud services can be complemented by a CSPM solution. The CSPM can then conduct a more thorough internal scan of the cloud environment to identify NHIs with excessive privileges that may be misconfigured.

  • Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's alerts on newly discovered exposures or compromised credentials for NHIs can be ingested by a SIEM for consolidated logging. A SOAR platform can then use these alerts to automate response actions, such as triggering an emergency credential rotation or isolating a compromised asset.
