NHI Exposure Score
The Non-Human Identity (NHI) Exposure Score is a cybersecurity metric that quantifies the risk and vulnerability posed by an organization's digital identities that are not tied to individual human users. These non-human identities, which include API keys, service accounts, cryptographic certificates, and machine credentials, are used by applications, automated systems, and devices to authenticate and interact with systems.
The score reflects the likelihood that an attacker could exploit a compromised NHI to gain unauthorized access, move laterally, or perform malicious actions.
Why NHI Exposure is Scored
NHIs are critical drivers of modern automation in cloud and DevOps environments, often outnumbering human identities by large margins. However, they introduce significant risk because:
Over-Privileging: NHIs are frequently granted far more permissions than necessary to perform their tasks, violating the Principle of Least Privilege. A compromised NHI with excessive access can lead to catastrophic data exfiltration.
Insecure Credentials: Unlike human users, NHIs typically rely on static, long-lived credentials (like API keys) and often lack Multi-Factor Authentication (MFA). These credentials are prime targets for exposure through insecure storage or hardcoding in public code repositories.
Lack of Visibility: NHIs are decentralized across cloud, SaaS, and on-prem systems, leading to identity sprawl. Without centralized visibility, these identities—especially those belonging to retired projects (orphaned accounts)—can persist as unmonitored backdoors.
Key Factors Influencing the NHI Exposure Score
The calculation of the NHI Exposure Score incorporates the external and intrinsic properties of the identity and its corresponding credentials:
Credential Exposure (Secret Leakage): This factor assesses if the NHI's secret (API key, token, or password) is publicly accessible. External discovery sources include public code repositories (e.g., GitHub), mobile application contents, and misconfigured logs or error messages.
Entitlements (Access Level): This measures the permissions or entitlements granted to the NHI. An NHI with high-severity, uncommon entitlements (e.g., ability to manage security settings or delete resources) is scored higher than one with simple read-only permissions.
Context and Naming: The score is often influenced by the NHI's perceived function, which is sometimes encoded in its name (e.g., svc-prod-api-gateway vs. test-read-only). An NHI associated with administrative or security roles is inherently deemed higher risk.
Compromise Status: The score escalates if the NHI's credentials or associated email are found in dark web compromised credential dumps, confirming active exploitation risk.
The resulting score guides security teams to prioritize the remediation of NHIs that are both exposed externally and possess high internal privilege, effectively mitigating the potential for critical system compromise.
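The following is an added example of how the four factors above can be combined into a single priority score; it is not ThreatNG's scoring model, and every weight, threshold and name hint in it is an assumption chosen for illustration. The point it shows is that external exposure should multiply internal privilege rather than add to it, so that an exposed high-privilege identity lands far above either an exposed read-only account or an unexposed administrative one.

```python
"""Illustrative NHI exposure scoring.

Added example, not ThreatNG's scoring model: it combines the four factors the text
describes (credential exposure, entitlements, context/naming, compromise status) so
that an identity which is both externally exposed and highly privileged ranks at the
top. All weights and name hints below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed severity weights for entitlements; unknown entitlements get a middling weight.
ENTITLEMENT_WEIGHTS = {
    "read": 1,
    "write": 3,
    "delete": 6,
    "manage_security": 10,
}
UNKNOWN_ENTITLEMENT_WEIGHT = 2

# Name fragments taken as hints of an administrative / production / security role
# (assumed; the page's own examples are svc-prod-api-gateway and test-read-only).
HIGH_RISK_NAME_HINTS = ("prod", "admin", "security", "root", "gateway")
LOW_RISK_NAME_HINTS = ("test", "read-only", "readonly", "sandbox")


@dataclass
class NHIRecord:
    name: str
    entitlements: list = field(default_factory=list)
    publicly_exposed: bool = False   # secret found in a public source (repo, app, log)
    in_breach_dump: bool = False     # credential seen in a compromised-credential dump


def entitlement_score(entitlements):
    """The single most dangerous entitlement dominates the privilege estimate."""
    if not entitlements:
        return 0
    return max(ENTITLEMENT_WEIGHTS.get(e, UNKNOWN_ENTITLEMENT_WEIGHT) for e in entitlements)


def context_score(name):
    """Infer the identity's perceived function from its name."""
    n = name.lower()
    if any(h in n for h in HIGH_RISK_NAME_HINTS):
        return 3
    if any(h in n for h in LOW_RISK_NAME_HINTS):
        return 0
    return 1


def exposure_score(nhi):
    """Return 0-100. Exposure multiplies privilege rather than adding to it, so an
    exposed high-privilege identity scores far above either factor on its own."""
    privilege = entitlement_score(nhi.entitlements) + context_score(nhi.name)  # 0..13
    exposure = 1.0
    if nhi.publicly_exposed:
        exposure = 3.0
    if nhi.in_breach_dump:
        exposure += 2.0                                                        # max 5.0
    raw = privilege * exposure                                                 # max 65
    return min(100, round(raw * 100 / 65))


def prioritize(records):
    """Rank identities for remediation, highest score first."""
    return sorted(((r.name, exposure_score(r)) for r in records), key=lambda t: -t[1])


if __name__ == "__main__":
    # Constructed sample inventory.
    inventory = [
        NHIRecord("svc-prod-api-gateway", ["write", "manage_security"], True, True),
        NHIRecord("test-read-only", ["read"], publicly_exposed=True),
        NHIRecord("internal-batch-writer", ["write"]),
    ]
    for name, score in prioritize(inventory):
        print(f"{score:3d}  {name}")
```

With the constructed inventory, the leaked and breached production gateway identity scores 100, the leaked read-only test identity only 5, and the unexposed batch writer 6; the same gateway identity scored without any exposure would sit at 20, which is the ordering the remediation guidance above calls for.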
ThreatNG is an excellent solution for mitigating risks associated with the Non-Human Identity (NHI) Exposure Score because it directly and continuously assesses the external exposure of the machine identities that drive this score, using an attacker's perspective.
ThreatNG's Role in Quantifying NHI Exposure Risk
External Discovery and Continuous Monitoring
ThreatNG performs purely external unauthenticated discovery, which is the only way to find credentials that have been mistakenly exposed to the public internet, a primary factor in a poor NHI Exposure Score. The platform offers Continuous Monitoring of the external attack surface, ensuring that any time a new NHI credential—such as an API key or service account credential—is accidentally committed to a public repository, the exposure is instantly detected and factored into the score.
External Assessment and Examples
ThreatNG calculates a dedicated, high-level metric for this risk:
Non-Human Identity (NHI) Exposure Security Rating: This is a critical governance metric (A–F scale) that quantifies an organization's vulnerability to threats originating from high-privilege machine identities, which includes leaked API keys, service accounts, and system credentials.
The capability achieves certainty by using purely external unauthenticated discovery to continuously assess 11 specific exposure vectors, including Sensitive Code Exposure and misconfigured Cloud Exposure.
Example: If ThreatNG discovers a publicly exposed Artifactory API Token in a configuration file, this finding instantly degrades the NHI Exposure Security Rating because it confirms a leaked, high-privilege machine identity credential.
Investigation Modules and Examples
The investigation modules provide the granular evidence needed to calculate the score:
Sensitive Code Exposure: This module is the key to finding hardcoded NHI credentials. The Code Repository Exposure submodule finds Access Credentials and Security Credentials in public code repositories.
Example: ThreatNG identifies a public code repository containing Cloud Credentials such as an AWS Access Key ID and AWS Secret Access Key, providing the exact location and the credential itself. This is a direct finding that negatively impacts the NHI Exposure Score.
Mobile Application Discovery: This module scans mobile apps for hardcoded NHI credentials.
Example: ThreatNG discovers a Heroku API Key or a Stripe API Key hardcoded within the application content, which are high-value NHI secrets.
NHI Email Exposure: This module identifies role-based email addresses (like System, git, docker, jenkins, devops, terraform, service, svc, and Automation). While not the credential itself, these emails are Non-Human Identities that an attacker would target to compromise a service account.
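As an added example of the kind of evidence these modules produce, here is a small scanner run over a constructed sample of a configuration file as it might appear in a public repository; it is not ThreatNG's detection logic. The credential patterns are deliberately narrow assumptions (the AWS access key ID and Stripe key prefixes are documented formats, the generic assignment rule is a heuristic), the role-based mailbox list is taken from the text above, and matched secrets are redacted before they are reported so that the finding itself does not re-leak the credential.

```python
"""Illustrative scanner for hardcoded NHI credentials and role-based (non-human)
email addresses in public text. Added example with simplified, assumed patterns;
not ThreatNG's detection logic."""
import re

# Simplified credential patterns (assumptions, kept narrow to limit false positives).
# Each pattern captures the secret value itself in group 1.
CREDENTIAL_PATTERNS = {
    # AWS access key IDs are 20 characters beginning with "AKIA".
    "AWS Access Key ID": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Stripe secret keys carry an sk_live_ / sk_test_ prefix.
    "Stripe API Key": re.compile(r"\b(sk_(?:live|test)_[0-9A-Za-z]{16,})\b"),
    # Generic "name = value" assignment where the name signals a secret (heuristic).
    "Generic secret assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret[_-]?access[_-]?key|token|password)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+]{12,})"
    ),
}

# Local parts that indicate a service or automation mailbox rather than a person
# (the list given in the text above).
ROLE_LOCAL_PARTS = {
    "system", "git", "docker", "jenkins", "devops",
    "terraform", "service", "svc", "automation",
}
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")


def redact(secret):
    """Keep only the first 4 and last 2 characters so reports don't re-leak the secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_text(text):
    """Return a list of findings, each with the line number, finding type and
    (redacted) matched value, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "type": label, "match": redact(m.group(1))})
        for m in EMAIL_RE.finditer(line):
            local = m.group(1).lower().split("+")[0]
            if local in ROLE_LOCAL_PARTS or local.startswith("svc-"):
                findings.append({"line": lineno, "type": "Role-based NHI email",
                                 "match": m.group(0)})
    return findings


# Constructed sample: a config file as it might be committed to a public repository.
# Every value below is a made-up placeholder, not a real credential.
SAMPLE_CONFIG = """\
# constructed sample of a config file committed to a public repository
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEY12345678
stripe_key = sk_test_EXAMPLEEXAMPLEEXAMPLE0000
notify = jenkins@example.com, alice@example.com
region = us-east-1
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']:2d}  {f['type']:<26}  {f['match']}")
```

On the sample above the scanner reports the AWS access key ID, the secret access key (via the generic rule), the Stripe key and the jenkins@ mailbox, and skips the personal alice@ address; each credential finding maps directly to the "publicly exposed secret" factor of the score, while the role-based mailbox is a target indicator rather than a leaked credential.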
Intelligence Repositories and Reporting
ThreatNG uses its intelligence repositories to provide context and certainty to the NHI Exposure Score:
Compromised Credentials (DarCache Rupture): If ThreatNG discovers a hardcoded API key, this repository immediately checks if that same credential has been found in dark web dumps. This confirms active compromise risk, which escalates the NHI Exposure Score.
Context Engine™: ThreatNG uses this engine to deliver Legal-Grade Attribution, converting chaotic technical findings (like a leaked key) into irrefutable evidence. This certainty is vital for justifying the immediate, high-priority remediation required to fix a poor NHI Exposure Score.
Reporting: The NHI Exposure Security Rating is presented on an A–F scale. ThreatNG’s Prioritized Reports (High, Medium, Low) ensure that these critical identity exposures are addressed first.
Complementary Solutions
ThreatNG's external NHI findings can be integrated with internal systems to enforce a better security posture:
Secrets Management Solutions: When ThreatNG discovers a hardcoded credential (e.g., an Artifactory API Token), this external alert can be automatically sent to the organization's Secrets Management tool. The tool can then use this alert to revoke the exposed key and notify the development team to retrieve a newly rotated key from the secure vault, enforcing better credential management.
Cloud Identity and Access Management (IAM) Systems: The discovery of a leaked AWS Access Key ID in a public repository can be shared with the organization's IAM system. The IAM system can automatically use this high-certainty external finding to disable the exposed key, mitigating the risk of account takeover associated with that NHI.
Security Orchestration, Automation, and Response (SOAR) Platforms: A critical NHI Exposure alert from ThreatNG can trigger a SOAR platform. The SOAR platform can then automatically use this external discovery to open a high-priority incident ticket, notify the security operations center (SOC), and initiate automated steps to quarantine the exposed code or asset.