Non-Human Identity Abuse


Non-Human Identity (NHI) Abuse is a type of cybersecurity attack where a malicious actor compromises and exploits a non-human identity to gain unauthorized access to an organization's systems or data. Unlike human identities, which are tied to individual users, non-human identities are digital credentials, such as API keys, service accounts, or tokens, that allow machines, applications, and automated processes to interact with each other.

Key Characteristics of NHI Abuse

  • Automation: NHIs are designed for machine-to-machine communication, allowing attackers who compromise them to automate malicious actions, such as data exfiltration or lateral movement across a network, at a scale and speed that is not possible with human-led attacks.

  • High Privileges: NHIs are often over-privileged, meaning they have more access than they need to perform their function. This happens for convenience during development but creates a significant security risk, as a compromised NHI can be used to escalate privileges and access sensitive resources.

  • Low Visibility: Unlike human identities, NHIs don't exhibit human-like behaviors, such as logging in or out, and they do not utilize multi-factor authentication (MFA). This makes their activities more difficult to monitor and detect, allowing attackers to operate undetected for extended periods.

Common Attack Vectors

Attackers can compromise non-human identities through a variety of methods:

  • Credential Leakage: This is one of the most common causes of NHI abuse. Developers may accidentally hardcode secrets like API keys or passwords into public code repositories, or store them in plain-text configuration files, which are then discovered and exploited by attackers.

  • Orphaned Identities: When an application or service is decommissioned, its associated NHI may be forgotten and not properly removed. Attackers can easily hijack these dormant, unmonitored accounts to gain unauthorized access.

  • Supply Chain Attacks: Third-party services often rely on NHIs to connect to an organization's systems. If a third-party provider is breached, attackers can steal and use these credentials to infiltrate connected systems.

  • Reusing NHIs: Using the same NHI across multiple systems or environments creates a single point of failure. If that identity is compromised, all other systems that use it may also be exposed.

ThreatNG helps an organization combat non-human identity (NHI) abuse by providing external visibility into the NHI attack surface. It operates like an attacker would, without needing internal access, to discover and assess exposed credentials and digital assets that could be used for NHI abuse. This helps an organization identify and address vulnerabilities before they are exploited, complementing internal security measures.

External Discovery

ThreatNG's external discovery is crucial for identifying NHIs that may be exposed or misconfigured without an organization’s knowledge. It uncovers a wide range of public-facing assets, including domains, cloud services, and mobile apps, that may contain NHIs. For example, ThreatNG can discover a forgotten subdomain, or an unsanctioned cloud service used by a microservice, that exposes an API key and so creates a blind spot for the security team.

External Assessment

ThreatNG’s external assessment capabilities help an organization understand the risk associated with discovered NHI exposures. It provides detailed scores that contextualize the raw data into actionable intelligence.

  • Sensitive Code Exposure: This is a key assessment for NHI abuse. ThreatNG discovers public code repositories and checks their contents for exposed credentials. It can find hardcoded API keys, cloud credentials like an AWS Access Key ID, and security credentials such as SSH private keys, which are all types of NHIs.

  • Cyber Risk Exposure: This score considers parameters such as certificates and exposed sensitive ports, which NHIs often use for secure communication. Discovering an exposed database port (e.g., MySQL or PostgreSQL) can indicate a vulnerability: such services are typically accessed by NHIs rather than people, and an exposed port can be a point of entry for attackers.

  • Cloud and SaaS Exposure: ThreatNG evaluates an organization's use of cloud services and SaaS solutions, identifying sanctioned and unsanctioned services. It can locate open, exposed cloud buckets on platforms such as AWS, Microsoft Azure, and Google Cloud Platform, which may contain NHI credentials or other sensitive data.
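The Credential Leakage and Reusing NHIs vectors above, and the Sensitive Code Exposure assessment, all come down to the same defensive check: scan what a repository or configuration tree makes public for credential-shaped content, and flag any secret that appears in more than one place. The following is an added illustration of that check, not ThreatNG's own code or detection logic. The sample files and every key-like value in them are constructed for the example; the AWS Access Key ID format (`AKIA` followed by 16 uppercase alphanumerics) is public, while the generic assignment pattern is a heuristic that will need tuning on real repositories.

```python
import re
from collections import defaultdict

# Constructed stand-in for a public repository checkout. Every value below
# is made up for this example; none is a real credential.
SAMPLE_FILES = {
    "app/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000A1"\n'
        'AWS_SECRET_ACCESS_KEY = "examplesecretexamplesecretexamplesecret00"\n'
        "DEBUG = True\n"
    ),
    "deploy/worker.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000A1\n"  # same key reused by a second service
        "QUEUE_URL=https://sqs.example.invalid/queue\n"
    ),
    "ops/ci_config.yml": "api_key: sk_example_9f8e7d6c5b4a3f2e1d0c\n",
    "ops/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA(constructed, not a real key)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Nothing sensitive here.\n",
}

# Detection patterns. The AWS Access Key ID format is public; the generic
# "name = value" pattern is a heuristic for hardcoded API keys and tokens.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:aws_secret_access_key|api[_-]?key|secret[_-]?key|token)\b"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})['\"]?"
    ),
    "private_key_block": re.compile(r"(-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----)"),
}


def scan_file(path, text):
    """Return one finding per pattern match, with file, line number, kind and raw value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"file": path, "line": lineno, "kind": kind, "value": match.group(1)}
                )
    return findings


def scan_repo(files):
    """Scan a mapping of path -> file contents (a checked-out repository)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


def reused_secrets(findings):
    """Map secret value -> sorted list of files for values seen in more than one file.

    A credential present in several services is the 'Reusing NHIs' single point
    of failure: one leak exposes every system that shares it.
    """
    by_value = defaultdict(set)
    for finding in findings:
        if finding["kind"] == "private_key_block":
            continue  # the PEM header is a marker, not the secret itself
        by_value[finding["value"]].add(finding["file"])
    return {value: sorted(paths) for value, paths in by_value.items() if len(paths) > 1}


def redact(value):
    """Keep only a short prefix and suffix so reports never re-publish the secret."""
    return value[:4] + "..." + value[-2:]


def report(files=SAMPLE_FILES):
    """Print a redacted summary and return the raw findings for further handling."""
    findings = scan_repo(files)
    for finding in findings:
        print(f"{finding['file']}:{finding['line']} {finding['kind']} {redact(finding['value'])}")
    for value, paths in reused_secrets(findings).items():
        print(f"REUSED {redact(value)} in {', '.join(paths)}")
    return findings


if __name__ == "__main__":
    report()
```

Run against the constructed tree, the scanner reports the access key ID in both the Python settings file and the worker environment file, the secret access key and the CI token as credential assignments, and the private key block; the reuse check then surfaces the shared access key as the highest-impact item, since rotating it touches two services. In a real pipeline the raw `value` field stays out of tickets and logs; only the redacted form is reported.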

Reporting

ThreatNG's reporting capabilities provide the necessary context to address NHI abuse effectively. The Prioritized Report is especially useful here, as it categorizes risks as high, medium, low, and informational. This helps security teams focus on the most critical exposures, such as an exposed privileged service account found on the dark web, rather than being overwhelmed by a flood of alerts.

Continuous Monitoring

ThreatNG provides continuous monitoring of an organization’s external attack surface, digital risk, and security ratings. This is vital because NHI abuse often stems from credentials that were leaked or forgotten but remained active for a long time. If a new NHI credential is leaked or if a developer accidentally exposes a secret in a public repository, ThreatNG will quickly detect the change and update the risk assessment, enabling a timely response.

Investigation Modules

ThreatNG's investigation modules allow for a detailed examination of NHI exposures.

  • Sensitive Code Exposure: This module is highly relevant to NHI abuse as it explicitly finds hardcoded credentials in public code repositories. For example, it can find a hardcoded API key or AWS Access Key ID in a public GitHub repository, providing a direct path for an attacker to compromise a non-human identity.

  • Domain Intelligence: This module uncovers shadow IT or unsanctioned NHIs that use obscure domains. It can also identify subdomains associated with specific NHIs, such as an API endpoint for a microservice, and pinpoint configuration vulnerabilities like a lack of proper security headers.

  • NHI Email Exposure: This feature specifically groups discovered email addresses associated with non-human roles, such as "admin," "devops," or "svc". By highlighting these emails, ThreatNG provides a focused view of high-value identity targets that could be used to impersonate a non-human identity or service.

Intelligence Repositories

ThreatNG’s continuously updated intelligence repositories, known as DarCache, provide the data that is essential for identifying and contextualizing NHI abuse.

  • DarCache Rupture focuses on Compromised Credentials. If a batch of credentials from a third-party breach includes NHIs like service accounts or API keys, ThreatNG can use this data to assess the risk to an organization.

  • DarCache Vulnerability includes data from NVD, EPSS, and KEV, which helps determine the exploitability and real-world impact of vulnerabilities. If an exposed NHI is linked to a known vulnerability that is actively being exploited, this repository provides the context to prioritize remediation efforts.

Complementary Solutions

ThreatNG's external perspective on NHI abuse can be enhanced by complementary solutions that provide internal visibility and control.

  • Privileged Access Management (PAM) Solutions: If ThreatNG discovers an exposed NHI with high privileges, such as an API key for a critical system, a PAM solution can be used to rotate that credential and enforce stricter access policies automatically.

  • Identity and Access Management (IAM) Platforms: ThreatNG's findings can be integrated into an IAM system to provide a more complete picture of an organization’s identity landscape. For example, if ThreatNG identifies a user's cloud credentials exposed in a public code repository, the IAM system can be used to automatically revoke that credential and provision a new one, mitigating the threat.

  • Security Information and Event Management (SIEM) systems: ThreatNG can feed its external intelligence into a SIEM. If ThreatNG flags a publicly exposed database port, the SIEM can correlate that finding with internal logs to detect unauthorized login attempts to the database through the exposed port, providing a unified view of the threat.
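The SIEM correlation in the last item is worth seeing as concrete detection logic: an external finding ("port 5432 on this host is reachable from the internet") becomes a filter over the database's own connection logs, and logins from non-internal addresses are what turn the exposure into evidence of NHI abuse. The code below is an added example, not ThreatNG's integration or any SIEM's rule language. The finding record, the internal address ranges, and the PostgreSQL-style log lines are all constructed for the example, and the log format is a simplified one rather than a real capture.

```python
import ipaddress
import re
from collections import Counter

# Constructed external finding, in the shape an attack-surface tool might export.
EXPOSED_PORT_FINDING = {"asset": "db-01.example.invalid", "port": 5432, "service": "postgresql"}

# Constructed: address ranges from which database connections are expected.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed log lines in a simplified PostgreSQL-like format (not a real capture).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z db-01 postgres[4101]: connection received: host=10.20.3.4 port=44210
2024-05-01T10:00:01Z db-01 postgres[4101]: connection authorized: user=svc_billing database=billing host=10.20.3.4
2024-05-01T10:02:15Z db-01 postgres[4188]: connection received: host=203.0.113.45 port=58801
2024-05-01T10:02:15Z db-01 postgres[4188]: password authentication failed for user "postgres" host=203.0.113.45
2024-05-01T10:02:16Z db-01 postgres[4190]: connection received: host=203.0.113.45 port=58802
2024-05-01T10:02:16Z db-01 postgres[4190]: password authentication failed for user "svc_billing" host=203.0.113.45
2024-05-01T10:02:17Z db-01 postgres[4192]: connection received: host=203.0.113.45 port=58803
2024-05-01T10:02:17Z db-01 postgres[4192]: connection authorized: user=svc_billing database=billing host=203.0.113.45
2024-05-01T10:05:00Z db-01 postgres[4210]: connection received: host=192.168.5.9 port=40011
2024-05-01T10:05:00Z db-01 postgres[4210]: password authentication failed for user "svc_etl" host=192.168.5.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<asset>\S+) postgres\[\d+\]: (?P<msg>.*)$")


def parse_events(log_text):
    """Turn authentication outcomes into events; plain 'connection received' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        msg = match.group("msg")
        src = re.search(r"host=(\S+)", msg).group(1)
        if "connection authorized" in msg:
            outcome, user = "success", re.search(r"user=(\S+)", msg).group(1)
        elif "password authentication failed" in msg:
            outcome, user = "failure", re.search(r'user "([^"]+)"', msg).group(1)
        else:
            continue
        events.append({"ts": match.group("ts"), "asset": match.group("asset"),
                       "user": user, "src": src, "outcome": outcome})
    return events


def is_internal(ip):
    """True when the source address falls inside an expected internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def correlate(finding, events, failure_threshold=2):
    """Join the external exposure with internal auth events from non-internal sources.

    A successful login from outside is critical: the service account credential
    is in use by someone who should not hold it. Repeated failures from one
    outside address are a high-severity indicator of credential guessing.
    """
    host = finding["asset"].split(".")[0]  # log lines carry the short hostname
    alerts, failures = [], Counter()
    for event in events:
        if event["asset"] != host or is_internal(event["src"]):
            continue
        if event["outcome"] == "success":
            alerts.append({"severity": "critical", "ts": event["ts"], "src": event["src"],
                           "user": event["user"],
                           "reason": f"external login to {finding['service']} via exposed port {finding['port']}"})
        else:
            failures[event["src"]] += 1
            if failures[event["src"]] == failure_threshold:
                alerts.append({"severity": "high", "ts": event["ts"], "src": event["src"],
                               "user": None,
                               "reason": f"{failure_threshold} failed logins via exposed port {finding['port']}"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EXPOSED_PORT_FINDING, parse_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["ts"], alert["src"], alert["user"], alert["reason"])
```

On the constructed log the internal events are ignored, the two failed attempts from 203.0.113.45 raise a high-severity alert, and the subsequent successful `svc_billing` login from the same outside address raises the critical one: the service account's credential is being used from the internet through the port the external scan flagged, which is the signal that should trigger credential rotation (the PAM action in the previous item) and an incident review of that NHI.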
