Non-Human Identity
In cybersecurity, a Non-Human Identity (NHI) refers to any entity interacting with IT systems, applications, data, or network resources without direct human intervention. These identities are essentially digital personas or credentials used by automated processes, machines, software, or devices to authenticate, authorize, and access resources. As organizations increasingly rely on automation, cloud infrastructure, and interconnected systems, NHIs have become ubiquitous, and their secure management is a critical aspect of modern cybersecurity.
Here's a detailed breakdown of NHIs:
Characteristics of Non-Human Identities:
Automated Operation: An NHI's defining characteristic is its ability to operate autonomously without human input for each action.
Programmatic Access: NHIs typically access resources programmatically through APIs, scripts, or automated protocols.
Diverse Form Factors: They exist in various forms, from simple API keys to complex service accounts, machine certificates, and cloud roles.
High Volume and Velocity: Modern IT environments can have thousands or even millions of NHIs, making their management at scale a significant challenge.
Specific Purpose: Each NHI is usually created for a particular task or set of functions, though their permissions can sometimes be overly broad.
Categories and Examples of Non-Human Identities:
NHIs can be broadly categorized based on their function and where they operate:
Workload Identities: These are assigned to software components and applications, enabling them to communicate and perform tasks.
Examples:
Microservices: Identities used by individual services in a microservices architecture to authenticate and authorize interactions with other services or databases.
Containers: Credentials assigned to containerized applications (e.g., Docker, Kubernetes pods) to access storage, networks, or external APIs.
Serverless Functions: Identities granted to serverless compute functions (e.g., AWS Lambda, Azure Functions) to execute code and interact with other cloud services.
Application Programming Interface (API) Keys/Tokens: Credentials one application uses to authenticate and access functionalities exposed by another application's API.
Machine Identities: These represent physical or virtual machines, allowing them to authenticate to networks, services, and other machines.
Examples:
Servers (Physical & Virtual): Identities (e.g., machine accounts, certificates) for servers to join a domain, establish secure communication channels, or access network resources.
Network Devices: Identities for routers, switches, firewalls, and load balancers to authenticate to management systems or other network infrastructure.
Internet of Things (IoT) Devices: Identities for smart sensors, industrial control systems, cameras, or other connected devices to transmit data or receive commands.
Service Accounts: These are dedicated user accounts designed for applications, services, or automated tasks to run processes or access system resources. They are distinct from individual human user accounts.
Examples:
Database Service Accounts: Accounts that applications use to connect to and query databases.
Automation Script Accounts: Accounts used by scripts that perform routine tasks like data backups, log collection, or system updates.
Code and Infrastructure-as-Code Identities: These identities are used by automated development and deployment pipelines or infrastructure management tools.
Examples:
CI/CD Pipeline Credentials: Credentials used by Continuous Integration/Continuous Deployment pipelines to access code repositories, build artifacts, deploy applications, or configure infrastructure.
Cloud Service Principals/Roles: Identities within cloud platforms (e.g., AWS IAM Roles, Azure AD Service Principals) that define permissions for cloud resources, often used by automation tools like Terraform or Ansible.
Version Control System (VCS) Accounts: Tokens or keys used by automated processes to interact with platforms like GitHub, GitLab, or Bitbucket.
Cybersecurity Implications of Non-Human Identities:
The proliferation of NHIs introduces significant cybersecurity challenges:
Expanded Attack Surface: Every NHI represents a potential entry point for attackers if its credentials are stolen or its permissions are exploited.
Lack of Visibility and Control: Organizations often struggle to track all their NHIs, understand their purpose, and manage their permissions, leading to "shadow NHIs" or unknown risks.
Over-Privileging: NHIs are frequently granted excessive permissions (more than they need), making them high-value targets for attackers seeking to escalate privileges or move laterally.
Credential Sprawl: NHIs use various credential types (API keys, certificates, secrets, tokens, passwords), leading to a complex landscape of credentials that are difficult to manage and secure.
Lifecycle Management Challenges: Provisioning, deprovisioning, and rotating credentials for NHIs at scale can be complex and often neglected, leaving stale or compromised credentials active.
Lateral Movement: If an NHI's credentials are compromised, attackers can use them to penetrate the network, access sensitive data, or launch further attacks.
Compliance Gaps: Without proper controls, auditing and proving compliance with the actions and access of numerous NHIs can be challenging.
Securing Non-Human Identities:
Adequate NHI security requires a dedicated approach that often mirrors, but also diverges from, human identity management:
Discovery and Inventory: Continuously discover and maintain a comprehensive inventory of all NHIs, their purpose, and their associated permissions.
Least Privilege: Enforce the principle of least privilege, ensuring NHIs have only the minimum necessary permissions to perform their specific tasks. Regularly review and adjust these permissions.
Strong Authentication: Use robust authentication methods such as mutual TLS (mTLS), machine certificates, and short-lived, dynamically generated tokens instead of long-lived static credentials.
Secrets Management: Use centralized secrets management solutions to securely store, distribute, and automatically rotate credentials used by NHIs. Avoid hardcoding credentials in code.
Lifecycle Management: Implement automated processes for the provisioning, deprovisioning, and regular review of NHIs and their credentials.
Monitoring and Auditing: Continuously monitor NHI activity for anomalous behavior, unauthorized access attempts, or deviations from their intended function. Log all NHI actions for auditing and forensic analysis.
Segmentation: Isolate NHIs and the resources they access into segmented network zones to limit the impact of a potential compromise.
Code Scanning: Integrate security scanning into development pipelines to detect hardcoded credentials or sensitive information related to NHIs.
Behavioral Analytics: Use behavioral analytics to identify deviations from typical NHI patterns, which could indicate a compromise.
NHIs are the backbone of modern automated systems, but their machine-driven nature and sheer volume make them a prime target for attackers. A robust cybersecurity strategy must include comprehensive management and security measures specifically designed for these non-human actors.
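The Discovery and Inventory, Least Privilege and Lifecycle Management controls above can be turned into a routine review of an NHI inventory. The following is an added example, not code from the original page: it takes constructed inventory records (name, granted permissions, actions observed in audit logs, creation and last-use dates), flags stale and unrotated credentials, wildcard or never-exercised grants, and observed actions that no grant covers; the 60- and 90-day thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Review thresholds (assumptions for this example, not values from the page).
ROTATION_MAX_AGE = timedelta(days=90)   # static credentials older than this are overdue
STALE_AFTER = timedelta(days=60)        # no observed use for this long = candidate for removal

@dataclass
class NhiRecord:
    name: str                      # service account, role, API key owner, ...
    granted: set                   # permissions granted, IAM-style "service:Action"; "*" allowed
    used: set                      # actions actually observed in audit logs in the review window
    created: datetime              # when the credential was issued
    last_used: Optional[datetime]  # None = never seen in the logs

def action_matches(granted: str, used: str) -> bool:
    """IAM-style wildcard match: '*' covers everything, 's3:Get*' covers 's3:GetObject'."""
    if granted == "*":
        return True
    g_svc, _, g_act = granted.partition(":")
    u_svc, _, u_act = used.partition(":")
    if g_svc != u_svc:
        return False
    if g_act.endswith("*"):
        return u_act.startswith(g_act[:-1])
    return g_act == u_act

def review(rec: NhiRecord, now: datetime) -> list:
    """Return human-readable findings for one NHI: lifecycle problems first, then privilege."""
    findings = []
    # Lifecycle: stale identities and credentials that were never rotated.
    if rec.last_used is None:
        if now - rec.created > STALE_AFTER:
            findings.append(f"stale: never used in {(now - rec.created).days} days since creation")
    elif now - rec.last_used > STALE_AFTER:
        findings.append(f"stale: last used {(now - rec.last_used).days} days ago")
    if now - rec.created > ROTATION_MAX_AGE:
        findings.append(f"rotation overdue: credential is {(now - rec.created).days} days old")
    # Least privilege: wildcard grants, grants never exercised, and use outside the grants
    # (the last one means the inventory does not match what the identity can actually do).
    wildcards = sorted(g for g in rec.granted if "*" in g)
    if wildcards:
        findings.append(f"over-privileged: wildcard grants {wildcards}")
    unused = sorted(g for g in rec.granted if not any(action_matches(g, u) for u in rec.used))
    if unused:
        findings.append(f"unused grants (candidates to remove): {unused}")
    ungranted = sorted(u for u in rec.used if not any(action_matches(g, u) for g in rec.granted))
    if ungranted:
        findings.append(f"inventory mismatch: observed actions not covered by any grant {ungranted}")
    return findings

def review_inventory(records: list, now: datetime) -> dict:
    """Map each NHI name to its list of findings (empty list = nothing to act on)."""
    return {rec.name: review(rec, now) for rec in records}

# Fixed reference time so the example is reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed inventory (names, grants and dates are made up for the example).
SAMPLE_INVENTORY = [
    NhiRecord("reports-etl",
              granted={"bigquery:*", "storage:objects.get"},
              used={"bigquery:tables.getData", "bigquery:jobs.create"},
              created=NOW - timedelta(days=200), last_used=NOW - timedelta(days=2)),
    NhiRecord("legacy-backup-key",
              granted={"*"}, used=set(),
              created=NOW - timedelta(days=400), last_used=None),
    NhiRecord("ci-deploy-token",
              granted={"ecr:GetAuthorizationToken", "ecr:PutImage"},
              used={"ecr:GetAuthorizationToken", "ecr:PutImage"},
              created=NOW - timedelta(days=10), last_used=NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, NOW).items():
        print(name, "->", findings or ["no findings"])
```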
ThreatNG, as an all-in-one external attack surface management, digital risk protection, and security ratings solution, offers extensive capabilities to help manage and secure Non-Human Identities (NHIs) by providing external visibility and intelligence.
Here's how ThreatNG would help with NHIs, highlighting its key features:
ThreatNG's External Discovery
ThreatNG excels at purely external unauthenticated discovery using no connectors, which is crucial for identifying NHIs that might be exposed or misconfigured without requiring internal network access. This is particularly useful for NHIs like:
Cloud and SaaS Workload Identities: ThreatNG evaluates cloud services and Software-as-a-Service (SaaS) solutions, including sanctioned and unsanctioned cloud services, cloud service impersonations, and open, exposed cloud buckets of AWS, Microsoft Azure, and Google Cloud Platform. This helps identify NHIs associated with these services, such as service accounts or API keys configured for cloud-based applications.
Mobile App Identities: It discovers an organization’s mobile apps in marketplaces and investigates them for access credentials (e.g., Amazon AWS Access Key ID, APIs, AWS API Key, Facebook Access Token, Google API Key, Google Cloud Platform OAuth, Heroku API Key, MailChimp API Key, PayPal Braintree Access Token, Slack Token, Stripe API Key, Twilio API Key, Twitter Access Token), security credentials (e.g., PGP private key block, RSA Private Key, SSH DSA Private Key, SSH EC Private Key), and platform-specific identifiers (e.g., Amazon AWS S3 Bucket, Firebase, GitHub, Google Cloud Platform Service Account). These often represent NHIs that the mobile app uses to interact with backend services.
Code Repository Identities: ThreatNG discovers code repositories and their exposure level and investigates the contents for the presence of sensitive data. This includes various NHI-related credentials like API Keys (e.g., Stripe API key, Google OAuth Key, AWS API Key), Access Tokens (e.g., Facebook access token), Generic Credentials (e.g., Username and password in URI, SSH Password), Cloud Credentials (e.g., AWS Access Key ID Value, AWS Secret Access Key), and Security Credentials (e.g., Potential cryptographic private key, Private SSH key). These are frequently hardcoded credentials used by CI/CD pipelines, automation scripts, or other development-related NHIs.
External Assessment
ThreatNG can perform all the following assessments that directly or indirectly reveal risks related to NHIs:
Web Application Hijack Susceptibility: ThreatNG analyzes the parts of a web application accessible from the outside world to identify potential entry points for attackers, with Domain Intelligence substantiating this score. This assessment can uncover misconfigurations in web applications that NHIs (like API gateways or microservices) interact with, making them vulnerable to hijacking.
Subdomain Takeover Susceptibility: To evaluate this, ThreatNG uses external attack surface and digital risk intelligence that incorporates Domain Intelligence, including a comprehensive analysis of the website's subdomains, DNS records, and SSL certificate statuses. A compromised subdomain could lead to an attacker controlling NHIs or services associated with that subdomain.
BEC & Phishing Susceptibility: Derived from Sentiment and Financial Findings, Domain Intelligence (DNS Intelligence capabilities that include Domain Name Permutations and Web3 Domains and Email Intelligence that provides email security presence and format prediction), and Dark Web Presence (Compromised Credentials). While primarily human-centric, compromised credentials found on the dark web can include service accounts or API keys used by NHIs, increasing the risk of Business Email Compromise (BEC) through impersonation of automated systems.
Brand Damage Susceptibility: Derived from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence (Domain Name Permutations and Web3 Domains). NHIs, such as social media bots or automated content posting tools, if compromised, could be used to generate negative sentiment or spread misinformation, leading to brand damage.
Data Leak Susceptibility: Derived from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence (DNS Intelligence capabilities including Domain Name Permutations and Web3 Domains, and Email Intelligence), and Sentiment and Financials (Lawsuits and SEC Form 8-Ks). Exposure of NHI credentials in cloud environments or on the dark web directly contributes to data leak susceptibility, as these credentials can be used to access and exfiltrate sensitive data.
Cyber Risk Exposure: This considers parameters the Domain Intelligence module covers, including certificates, subdomain headers, vulnerabilities, and sensitive ports. NHIs often rely on certificates for secure communication, and exposed sensitive ports or vulnerabilities associated with services run by NHIs (e.g., database NHIs) directly increase cyber risk. Code Secret Exposure is factored into the score as it discovers code repositories and their exposure level and investigates the contents for the presence of sensitive data, directly exposing NHI credentials. Additionally, the score considers the organization's compromised credentials on the dark web, which increases the risk of successful attacks.
Cloud and SaaS Exposure: This evaluates cloud services and Software-as-a-Service (SaaS) solutions. This directly helps pinpoint NHIs (like service accounts or cloud roles) with excessive permissions or misconfigurations in these environments by identifying sanctioned cloud services, unsanctioned cloud services, cloud service impersonations, and open, exposed cloud buckets of AWS, Microsoft Azure, and Google Cloud Platform. It also covers various SaaS implementations like Salesforce, Slack, Azure Active Directory, and Okta.
Supply Chain and Third-Party Exposure: This is derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), the Technology Stack, and Cloud and SaaS Exposure. If compromised, NHIs used by third-party applications or services can introduce significant supply chain risk.
Breach & Ransomware Susceptibility: Calculated based on external attack surface and digital risk intelligence, which includes domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks). Many of these indicators directly relate to NHIs: an exposed database managed by an NHI, a vulnerable service run by an NHI, or compromised NHI credentials on the dark web can all lead to a breach or ransomware attack.
Mobile App Exposure: This assessment evaluates how exposed an organization’s mobile apps are through their discovery in marketplaces and for the presence of Access Credentials, Security Credentials, and Platform-Specific Identifiers within their contents. As detailed under external discovery, this assessment explicitly highlights the presence of NHI-related access and security credentials within mobile apps, which attackers can use to compromise backend systems or data.
Reporting
ThreatNG provides diverse reporting capabilities, which are crucial for managing NHIs. These reports offer valuable insights for security teams to understand and address NHI-related risks:
Prioritized Reports: These categorize risks into High, Medium, Low, and Informational. This helps organizations prioritize which NHI exposures to address first, focusing on those with the highest potential impact. For example, exposed API keys with high privileges in a public code repository would be flagged as high priority.
Security Ratings Reports: These provide a comprehensive view of the organization's security posture, which inherently includes the security of its NHIs.
Inventory Reports: These provide a detailed list of discovered assets, including those managed by or exposing NHIs, such as identified cloud services, mobile apps, or code repositories.
Ransomware Susceptibility Reports: These highlight vulnerabilities and exposures that could lead to ransomware, often including those related to NHIs. For instance, if an exposed sensitive port used by an automated service (NHI) is identified, it would contribute to this score.
External GRC Assessment Mappings (e.g., PCI DSS): These help organizations map external security and compliance gaps directly to relevant GRC frameworks, ensuring NHI-related risks are addressed in the context of compliance requirements.
Continuous Monitoring
ThreatNG continuously monitors an organization's external attack surface, digital risk, and security ratings. This continuous monitoring is vital for NHIs because their configurations and exposures can change rapidly in dynamic cloud or microservices environments, and it ensures that newly deployed NHIs, or changes to existing ones that introduce vulnerabilities, are quickly detected. For example, if a new serverless function (NHI) is deployed with overly permissive access, continuous monitoring would ideally flag that misconfiguration.
Investigation Modules
ThreatNG's investigation modules provide deep insights into NHI-related exposures:
DNS Intelligence: Provides Domain Record Analysis (IP Identification, Vendors and Technology Identification), Domain Name Permutations (Taken and Available), and Web3 Domains (Taken and Available). This helps identify shadow IT or unsanctioned NHIs using obscure domains.
Subdomain Intelligence: Provides HTTP Responses, Header Analysis (Security Headers and Deprecated Headers), Server Headers (Technologies), and identifies Cloud Hosting providers (AWS, Microsoft Azure, Google Cloud Platform, Heroku, Pantheon, Vercel). It also assesses Subdomain Takeover Susceptibility. This module can pinpoint subdomains associated with specific NHIs (e.g., an API endpoint for a microservice) and identify configuration vulnerabilities. For instance, discovering an exposed API endpoint on a subdomain that lacks proper security headers indicates a risk for the NHI behind that API. It also identifies various exposed Ports, including those for Databases (e.g., SQL Server, MySQL, PostgreSQL, Oracle), Remote Access Services (SSH, Telnet, RDP), and IoT / OT (e.g., FTP, SMTP, IMAP, SNMP, Exposed VoIP Services, Networked Security Cameras, Exposed ICS Devices, Publicly Accessible DVRs, Exposed Webcams), which are often managed or accessed by NHIs.
Sensitive Code Exposure: This module is highly relevant to NHIs as it discovers public code repositories and their contents, uncovering digital risks. It explicitly identifies:
Access Credentials: Such as API Keys (e.g., Stripe API key, Google OAuth Key, AWS API Key), Access Tokens (e.g., Facebook access token), and Generic Credentials (e.g., Username and password in URI, SSH Password). These are often hardcoded NHI credentials.
Cloud Credentials: Including AWS Access Key ID Value, AWS Access Key ID, AWS Account ID, AWS Secret Access Key, AWS Session Token.
Security Credentials: Cryptographic Keys (e.g., Potential cryptographic private key, Private SSH key), and Other Secrets (e.g., Ruby On Rails secret token configuration file). NHIs frequently use these for secure communication or access.
Configuration Files: These include Application Configuration (e.g., Azure service configuration schema file, Ruby On Rails secret token configuration file), System Configuration (e.g., Shell configuration file, SSH configuration file, Potential Linux shadow file), and Network Configuration (e.g., OpenVPN client configuration file). Misconfigured NHIs can inadvertently expose these files, revealing sensitive details.
Database Exposures: Identifies Database Files (e.g., Microsoft SQL database file, SQLite database file) and Database Credentials (e.g., Potential Jenkins credentials file, PostgreSQL password file). If NHIs are used to manage databases, their compromised credentials here could be disastrous.
Application Data Exposures: These include Remote Access (e.g., Remote Desktop connection file), Encryption Keys (e.g., Microsoft BitLocker recovery key file), Encrypted Data (e.g., Windows BitLocker full volume encrypted data file), Java Keystores (e.g., Java keystore file), and Code Repository Data (e.g., git-credential-store helper credentials file). Many of these are directly related to how NHIs authenticate and operate.
Cloud Service Configurations: Like S3cmd configuration file, AWS CLI credentials file, indicating potential exposure of NHI access to cloud environments.
Mobile Application Discovery: This module discovers mobile apps related to the organization in marketplaces and investigates their contents for access credentials, security credentials, and platform-specific identifiers. It explicitly identifies NHI-related credentials embedded within mobile applications.
Search Engine Exploitation: Helps users investigate an organization’s susceptibility to exposing various elements via search engines, including Errors, Potential Sensitive Information, Public Passwords, and User Data. Exposed NHI credentials or misconfigurations could be discoverable through search engines.
Cloud and SaaS Exposure: This module identifies Sanctioned Cloud Services, Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets of AWS, Microsoft Azure, and Google Cloud Platform. It also covers various SaaS implementations associated with the organization, such as Salesforce, Slack, Azure Active Directory, Okta, and ServiceNow. NHIs are heavily integrated with these platforms, and this assessment helps identify where their permissions might be over-provisioned or exposed.
Dark Web Presence: Organizational mentions of Related or Defined People, Places, or Things, Associated Ransomware Events, and Associated Compromised Credentials. NHI credentials are frequently found in data breaches and sold on the dark web, making this a critical module for detecting compromised NHIs.
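The Code Scanning control from the securing section and the credential types listed under Sensitive Code Exposure above (AWS Access Key ID and Secret Access Key, Stripe API key, private key blocks, username and password in URI, AWS CLI credentials file, git-credential-store file, S3cmd configuration, PostgreSQL password file) can be approximated with a small repository scanner. This is an added example and is not ThreatNG's code or detection logic: the repository contents are constructed, the token formats are the publicly documented prefixes, and the URI and secret-key patterns are heuristics that will need tuning on a real code base.

```python
import re
from dataclasses import dataclass

# Token formats below are the publicly documented ones (AWS key-ID prefixes,
# Stripe live-key prefix, Slack token prefixes, PEM headers); the URI and
# secret-key patterns are heuristics and may need tuning for a real code base.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "AWS Secret Access Key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "Slack token": re.compile(r"\bxox[bpa]-[0-9A-Za-z-]{10,}\b"),
    "Private key block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    "Username and password in URI": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@[^\s/]+"),
}

# Files whose mere presence in a repository is a finding (names from the page).
SENSITIVE_FILENAMES = {
    ".aws/credentials": "AWS CLI credentials file",
    ".git-credentials": "git-credential-store helper credentials file",
    ".s3cfg": "S3cmd configuration file",
    ".pgpass": "PostgreSQL password file",
}

# Documented placeholder values (from AWS documentation) that a scanner should ignore.
KNOWN_PLACEHOLDERS = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

@dataclass
class Finding:
    path: str
    line_no: int          # 0 for file-name findings
    kind: str
    redacted: str         # never store or log the full secret

def redact(secret: str) -> str:
    """Keep a short prefix so an owner can recognise the credential, drop the rest."""
    return f"{secret[:4]}...({len(secret)} chars)"

def scan_text(path: str, text: str) -> list:
    """Scan one file's content line by line and return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Capturing group 1 isolates the secret where the pattern needs context.
                secret = m.group(1) if m.lastindex else m.group(0)
                if secret in KNOWN_PLACEHOLDERS:
                    continue
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings

def scan_repo(files: dict) -> list:
    """files maps repository path -> content; returns file-name and content findings."""
    findings = []
    for path, content in files.items():
        for suffix, kind in SENSITIVE_FILENAMES.items():
            if path.endswith(suffix):
                findings.append(Finding(path, 0, kind, "(file name match)"))
        findings.extend(scan_text(path, content))
    return findings

# Constructed sample repository; no value here is a real credential.
SAMPLE_REPO = {
    "app/config.py": (
        "STRIPE_KEY = 'sk_live_0123456789abcdefABCDEF0123'\n"
        "DB_URL = 'postgres://svc_reports:S3cretPw!@db.internal:5432/reports'\n"
    ),
    "deploy/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAZZZZCONSTRUCTED1\n"
        "aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD\n"
    ),
    "ops/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed: base64 body omitted)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    ".git-credentials": "https://deploy-bot:constructedPassw0rd@git.example.com\n",
    "docs/README.md": "AWS docs placeholder, not a secret: AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} -> {f.redacted}")
```

Findings carry only a redacted prefix, so the scanner's own output does not become a second copy of the leaked credential.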
Intelligence Repositories (Branded as DarCache: Data Reconnaissance Cache)
ThreatNG's continuously updated intelligence repositories provide vital context for understanding and prioritizing NHI risks:
Compromised Credentials (DarCache Rupture): This addresses NHI risk by tracking compromised credentials. If an API key, service account password, or SSH key belonging to an NHI is found here, it's an immediate, high-priority alert.
Ransomware Groups and Activities (DarCache Ransomware): Tracking over 70 ransomware gangs helps anticipate potential attack vectors. If a ransomware group is known to target specific vulnerabilities or misconfigurations often associated with NHIs (e.g., exposed RDP, vulnerable IoT devices), this intelligence is invaluable.
Vulnerabilities (DarCache Vulnerability): Provides a holistic and proactive approach to managing external risks and vulnerabilities. It is made up of:
NVD (DarCache NVD): Provides information like Attack Complexity, Attack Interaction, Attack Vector, Impact scores (Availability, Confidentiality, Integrity), CVSS Score and Severity.
EPSS (DarCache EPSS): Offers a probabilistic estimate of the likelihood that a vulnerability will be exploited in the near future.
KEV (DarCache KEV): Identifies vulnerabilities actively exploited in the wild with critical context for prioritizing remediation efforts. Many vulnerabilities affect software components and systems that use NHIs, and this intelligence helps prioritize patching efforts for those NHIs. For example, if a critical vulnerability known to be actively exploited (KEV) is found in a web server run by an NHI, ThreatNG provides the necessary context.
Verified Proof-of-Concept (PoC) Exploits directly linked to known vulnerabilities (DarCache eXploit): Direct links to Proof-of-Concept (PoC) exploits on platforms like GitHub, referenced by CVE, significantly accelerate the understanding of how a vulnerability can be exploited. This is crucial for security teams to reproduce and mitigate vulnerabilities impacting NHIs.
Mobile Apps (DarCache Mobile): Indicates if Access Credentials, Security Credentials, and Platform Specific Identifiers are present within Mobile Apps. This is a direct intelligence source on potentially exposed NHI credentials embedded within mobile applications.
Complementary Solutions
ThreatNG's capabilities can be significantly enhanced with complementary solutions, creating a more holistic NHI security posture.
Privileged Access Management (PAM) Solutions: ThreatNG can identify an API key exposed in a public code repository. A PAM solution would then rotate that key, manage its lifecycle, and enforce just-in-time access for any systems using it.
Identity Governance and Administration (IGA) Solutions: ThreatNG's discovery of NHIs and their associated risks (e.g., over-privileged service accounts in cloud environments) can feed directly into an IGA solution. The IGA system can then enforce the principle of least privilege for these NHIs, ensure proper approval workflows for their creation, and automate deprovisioning when no longer needed.
Cloud Security Posture Management (CSPM) Solutions: ThreatNG's "Cloud and SaaS Exposure" module can identify whether an AWS S3 bucket is publicly exposed or a Google Cloud Platform service account has excessive permissions. A CSPM tool would then provide deeper insights into the specific misconfiguration within the cloud provider's console and help automate remediation of the NHI-related issue.
Vulnerability Management (VM) Platforms: ThreatNG identifies known vulnerabilities in components and services exposed externally, often run by NHIs. A dedicated VM platform would then take this vulnerability data, correlate it with internal scan results, and manage the patching and remediation workflows for the affected NHIs. ThreatNG's DarCache Vulnerability, including NVD, EPSS, and KEV, provides rich data for VM platforms to prioritize.
Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's continuous monitoring and risk findings can be integrated into SIEMs for centralized logging and alerting on NHI-related anomalies. For instance, if ThreatNG detects a new, unmanaged service (NHI) exposed to the internet, this alert can go to the SIEM. A SOAR platform can then automate responses, such as initiating a workflow to investigate the new service or automatically block its access if deemed malicious.
Examples of ThreatNG Helping with NHIs
Scenario 1: Exposed API Key: ThreatNG's "Sensitive Code Exposure" module discovers a Stripe API key in a public GitHub repository belonging to the organization. This key is an NHI, likely used by an internal application to process payments. ThreatNG reports this high-risk exposure, flagging "Access Credentials" under "Code Secret Exposure".
Scenario 2: Over-Privileged Cloud Service Account: ThreatNG's "Cloud and SaaS Exposure" assessment identifies that a Google Cloud Platform service account, which is an NHI, has broad "Editor" permissions on a project, far exceeding its actual need to access only a specific BigQuery dataset. This is flagged as a "Cloud and SaaS Exposure" risk.
Scenario 3: Vulnerable Web Server with a Service Account: ThreatNG's "Cyber Risk Exposure" identifies a critical vulnerability (e.g., Log4j) in an externally accessible web server. Further investigation with "Subdomain Intelligence" reveals that this web server uses a specific service account (NHI) to connect to a backend database. This highlights the NHI as being at risk due to its vulnerable server.
Scenario 4: Mobile App with Hardcoded Credentials: ThreatNG's "Mobile App Exposure" discovers an organization's mobile app in a marketplace that contains hardcoded AWS Access Key IDs and a PGP private key. These are NHI credentials used by the mobile app, posing a severe risk if the app is reverse-engineered.
Examples of ThreatNG and Complementary Solutions Working Together
ThreatNG & PAM: ThreatNG discovers an SSH private key exposed in a public code repository. The security team uses this information to revoke the exposed key immediately. A PAM solution is then used to generate a new, temporary SSH key for the affected NHI, which is automatically rotated every 24 hours, ensuring no static credentials are left exposed.
ThreatNG & IGA: ThreatNG's "Cloud and SaaS Exposure" highlights multiple unsanctioned SaaS applications being used by the organization, each implicitly using NHIs (e.g., API integrations). The IGA solution then takes this information to initiate a workflow, requiring departments to formally request and justify the use of these SaaS applications, ensuring that the NHIs used by these applications are properly governed and their access is reviewed.
ThreatNG & CSPM: ThreatNG identifies an open AWS S3 bucket, which is a "Cloud and SaaS Exposure" finding. A CSPM solution, integrated with AWS, then provides immediate remediation steps, such as applying a bucket policy to restrict public access and notifying the responsible team. The CSPM also continuously monitors for similar misconfigurations of NHIs across the AWS environment.
ThreatNG & SIEM/SOAR: ThreatNG detects a new, unusual subdomain pointing to an IP address not associated with the organization, possibly indicating a shadow IT service (an NHI). This event is sent to the SIEM, which correlates it with other network traffic logs. A SOAR playbook then automatically initiates an investigation: querying internal asset management systems, performing a passive DNS lookup, and if suspicious, blocking the IP at the firewall level until further analysis can be done.