Non-Human Identity Risk Rating
The Non-Human Identity (NHI) Risk Rating is a quantifiable metric that measures the cybersecurity risk exposure posed by an organization's autonomous machine accounts. These non-human identities—including API keys, service accounts, tokens, certificates, and machine identities—are used by applications and systems to authenticate and operate without direct human intervention.
The rating serves as an objective score, often expressed as a grade, that reflects the potential impact if these autonomous identities were compromised, which is a significant and growing attack vector in modern cloud and DevOps environments.
Core Risk Factors Influencing the Rating
The NHI risk rating is determined by analyzing several factors related to the identity's credential security and its privileges:
Credential Exposure (Secrets Leakage): This is the most critical factor. The rating is severely impacted if the NHI's secrets (keys, tokens, or passwords) are found to be hardcoded, stored in plaintext, or leaked into public code repositories (e.g., GitHub) or misconfigured cloud storage.
Privilege Level (Entitlements): The risk rises in proportion to the identity's access rights. NHIs are often granted excessive permissions (violating the Principle of Least Privilege) for convenience, and those permissions are rarely reviewed once the integration works. A compromised NHI with administrative access to production systems poses a far higher risk than one limited to read-only access to a single resource.
Governance and Lifecycle: The rating considers the management hygiene of the NHI. This includes identifying orphaned or zombie NHIs (accounts that remain active long after their associated application or task has been retired), which give attackers persistent, unmonitored access that no owner is watching.
Inadequate Security Controls: Unlike human identities, NHIs cannot be protected by interactive Multi-Factor Authentication (MFA), so compensating controls carry the weight. If automated controls such as vault-based secrets management, automated rotation, and continuous usage monitoring are absent, the rating suffers.
Anomalous Behavior: Continuous monitoring of NHI activity establishes a per-identity baseline of what it accesses and when. Risk rises if the NHI departs from that baseline, for example by accessing resources outside its normal scope or operating at unusual times, since such deviations can indicate that its credential is being used by someone other than the workload it was issued to.
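The Governance and Lifecycle and Anomalous Behavior factors above are both questions you can answer from an NHI inventory and an activity log. The following added example (not ThreatNG code, and not tied to any vendor's log schema) learns a baseline of actions, resources and hours of day per identity from a training window, flags events that leave that baseline, and lists identities with no recorded use for 90 days as zombie candidates. The inventory, identity names and log events are constructed for the example; the 111122223333 account number is the AWS documentation placeholder.

```python
from datetime import datetime, timedelta

# Constructed NHI inventory: identity -> last time it was seen in use.
# Hypothetical names; not taken from any real environment.
INVENTORY = {
    "svc-billing-export": datetime(2024, 6, 1, 2, 4),
    "svc-ci-deploy": datetime(2024, 6, 1, 9, 31),
    "svc-legacy-reports": datetime(2023, 11, 3, 4, 0),  # app retired; key never removed
}
NOW = datetime(2024, 6, 2, 0, 0)

# Constructed activity log: (timestamp, identity, action, resource).
# 28 days of normal behaviour used to learn each identity's baseline.
BASELINE_EVENTS = [
    (datetime(2024, 5, d, 2, 5), "svc-billing-export", "s3:GetObject",
     "arn:aws:s3:::billing-raw") for d in range(1, 29)
] + [
    (datetime(2024, 5, d, h, 0), "svc-ci-deploy", "ecs:UpdateService",
     "arn:aws:ecs:us-east-1:111122223333:service/prod/web")
    for d in range(1, 29) for h in (9, 14)
]

# Constructed events from the day under review; two of them are suspicious.
NEW_EVENTS = [
    (datetime(2024, 6, 1, 2, 4), "svc-billing-export", "s3:GetObject",
     "arn:aws:s3:::billing-raw"),
    (datetime(2024, 6, 1, 23, 41), "svc-billing-export", "s3:ListBuckets", "*"),
    (datetime(2024, 6, 1, 9, 30), "svc-ci-deploy", "ecs:UpdateService",
     "arn:aws:ecs:us-east-1:111122223333:service/prod/web"),
    (datetime(2024, 6, 1, 9, 31), "svc-ci-deploy", "iam:CreateAccessKey",
     "arn:aws:iam::111122223333:user/admin"),
]


def build_baseline(events):
    """Learn, per identity, the set of actions, resources and hours of day
    observed during the training window."""
    baseline = {}
    for ts, ident, action, resource in events:
        b = baseline.setdefault(ident, {"actions": set(), "resources": set(), "hours": set()})
        b["actions"].add(action)
        b["resources"].add(resource)
        b["hours"].add(ts.hour)
    return baseline


def find_anomalies(baseline, events):
    """Return (identity, reasons) for each event that leaves its identity's
    baseline. reasons is a frozenset of (kind, value) tuples, so one event
    can be flagged on several factors (new scope AND unusual hour) at once."""
    flagged = []
    for ts, ident, action, resource in events:
        b = baseline.get(ident)
        if b is None:  # never seen in training: no baseline to compare against
            flagged.append((ident, frozenset({("identity", "no baseline")})))
            continue
        reasons = set()
        if action not in b["actions"]:
            reasons.add(("action", action))
        if resource not in b["resources"]:
            reasons.add(("resource", resource))
        if ts.hour not in b["hours"]:
            reasons.add(("hour", ts.hour))
        if reasons:
            flagged.append((ident, frozenset(reasons)))
    return flagged


def find_orphaned(inventory, now, max_idle_days=90):
    """Identities with no recorded use within max_idle_days are zombie
    candidates: standing access nobody is using and nobody is watching."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(ident for ident, last_seen in inventory.items() if last_seen < cutoff)


if __name__ == "__main__":
    for ident, reasons in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"ANOMALY  {ident}: {sorted(reasons, key=str)}")
    for ident in find_orphaned(INVENTORY, NOW):
        print(f"ORPHANED {ident}")
```

The two flagged events show the two shapes of NHI compromise the rating cares about: the billing exporter suddenly listing every bucket at 23:41 (new action, new resource, new hour), and the CI deployer minting an IAM access key for an admin user (new action and resource at an otherwise normal hour). A production version would key the baseline on source network and user agent as well, and would treat a zombie identity as something to disable, not just report.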
A poor NHI Risk Rating indicates a significant, high-impact attack vector: attackers can use compromised machine identities to establish persistence in the software supply chain, move laterally between systems, and exfiltrate data at scale, all while blending in with legitimate automated traffic.
ThreatNG helps manage the Non-Human Identity (NHI) Risk Rating by providing continuous, external, and objective measurement of the factors that lead to the most significant drops in that score: credential exposure and the resulting attack surface expansion. It focuses on identifying high-value secrets that are visible to attackers and provides the verifiable context needed for remediation.
ThreatNG's Role in Quantifying NHI Risk
External Discovery and Continuous Monitoring
ThreatNG performs purely external unauthenticated discovery, which is the foundational step for any NHI risk management program. It identifies the specific credentials and assets that are visible to an attacker from the public internet, which are the primary drivers of a poor NHI Risk Rating. The platform's Continuous Monitoring capability ensures that the high-volume, dynamic nature of NHI credentials—which are often created and forgotten quickly (NHI sprawl)—does not create security blind spots. If a credential is newly exposed, the rating is immediately affected.
External Assessment and Examples
ThreatNG calculates a dedicated, high-level metric that directly serves as an organization’s external NHI Risk Rating:
Non-Human Identity (NHI) Exposure Security Rating: This is a critical governance metric (A–F scale) that quantifies the organization's vulnerability to threats from high-privilege machine identities, including leaked API keys, service accounts, and system credentials.
The rating's certainty is achieved by continuously assessing 11 specific exposure vectors, including Sensitive Code Exposure and misconfigured Cloud Exposure.
Example: The discovery of a publicly exposed AWS Access Key ID in a code repository or a Mailgun API Key in a configuration file immediately degrades the NHI Exposure Security Rating, because these credentials grant unauthorized programmatic access. Note that an AWS Access Key ID is the public half of a key pair; it is treated as critical because it is almost always committed alongside its secret access key, and because the ID alone tells an attacker which AWS account to target.
Investigation Modules and Examples
The investigation modules provide the essential granular findings on credential exposure and poor hygiene:
Sensitive Code Exposure: This module directly addresses the credential-exposure factor in the NHI Risk Rating. The Code Repository Exposure submodule finds Access Credentials and Security Credentials in public code repositories.
Example: ThreatNG identifies a public repository containing a hardcoded PGP private key block or an SSH DSA Private Key. These findings are critical because a private key is a reusable NHI credential: anyone holding it can authenticate as the key's owner until the matching public key has been removed from every host or keyring that trusts it, which is why discovery must be followed by revocation rather than by simply deleting the file from the repository.
Mobile Application Discovery: This module scans mobile apps for hardcoded NHI credentials, which are highly susceptible to leakage.
Example: ThreatNG discovers a hardcoded Square OAuth Secret or Heroku API Key within the application contents, confirming a severe NHI credential exposure.
NHI Email Exposure: This module tracks exposed role-based emails (like system, svc, devops, jenkins) that are often tied to NHI service accounts. This intelligence helps an organization anticipate which service accounts will be targeted for compromise.
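The Sensitive Code Exposure, Mobile Application Discovery and NHI Email Exposure modules above all rest on recognising credential formats in text. The following added example (not ThreatNG code) shows what that looks like for a handful of the formats named on this page: the AWS Access Key ID prefix, an AWS secret access key next to its variable name, a Twilio API key, PGP and SSH private key headers, and role-based mailboxes such as svc or jenkins. It also decodes the AWS account ID embedded in an Access Key ID (a technique published by Tal Be'ery in 2023), which is why an exposed key ID matters even without its secret. The sample file is constructed; every value in it is fake or an AWS documentation placeholder. A real scanner carries hundreds of patterns and entropy checks; the pattern set here is illustrative.

```python
import base64
import re

# Patterns for a few credential formats named on the page. Private key headers
# and the AKIA/ASIA prefix are fixed by their formats; the secret-key pattern
# relies on the variable name for context because the value itself is just
# 40 base64 characters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
        re.I),
    "twilio_api_key": re.compile(r"\b(SK[0-9a-f]{32})\b"),
    "pgp_private_key": re.compile(r"(-----BEGIN PGP PRIVATE KEY BLOCK-----)"),
    "ssh_private_key": re.compile(r"(-----BEGIN (?:DSA|RSA|EC|OPENSSH) PRIVATE KEY-----)"),
    # Role-based mailboxes commonly tied to service accounts.
    "role_email": re.compile(
        r"\b((?:svc|system|devops|jenkins|deploy)[\w.-]*@[\w.-]+\.[a-z]{2,})\b", re.I),
}

# Hits that are identifiers or headers, not the secret itself; safe to report in full.
NON_SECRET_KINDS = {"pgp_private_key", "ssh_private_key", "role_email"}

# Constructed file standing in for a config accidentally committed to a public
# repository. AKIAIOSFODNN7EXAMPLE and the wJalrX... value are the AWS
# documentation placeholders; the Twilio key and body are made up.
SAMPLE = """\
# constructed config committed by mistake (all values are fake)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
TWILIO_API_KEY=SK0123456789abcdef0123456789abcdef
ALERT_CONTACT=svc-deploy@example.com
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQCfakekeybodyfakekeybodyfakekeybody
-----END DSA PRIVATE KEY-----
"""


def redact(value):
    """Keep enough of a secret to triage it, never the whole credential."""
    return value if len(value) <= 12 else value[:6] + "..." + value[-4:]


def scan(text):
    """Return (line_no, kind, match) for every pattern hit, in file order,
    with secret values redacted so the report itself is not a leak."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                hits.append((line_no, kind, value if kind in NON_SECRET_KINDS else redact(value)))
    return hits


def aws_account_from_key_id(key_id):
    """Recover the owning AWS account ID from an Access Key ID: base32-decode
    the 16 characters after the prefix, take the first 6 bytes, mask, shift."""
    raw = base64.b32decode(key_id[4:])  # 16 base32 chars -> 10 bytes
    value = int.from_bytes(raw[:6], "big")
    return f"{(value & 0x7FFFFFFFFF80) >> 7:012d}"


if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE):
        print(f"line {line_no:>3}  {kind:<22} {value}")
        if kind == "aws_access_key_id":
            print(f"           owning account: {aws_account_from_key_id(value[:6] + 'IOSFODNN7EXAMPLE'[2:] if False else 'AKIAIOSFODNN7EXAMPLE')}")
```

When running the block as a script, the account lookup is done on the known sample key rather than on the redacted value, since redaction deliberately destroys the bytes the decoder needs; in a pipeline you would decode before redacting and carry the account ID as an attribute of the finding. That attribute is what lets a CIEM or cloud team route the alert to the right account owner without ever handling the secret.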
Intelligence Repositories and Reporting
ThreatNG uses its intelligence repositories to provide context and certainty to the NHI Risk Rating:
Compromised Credentials (DarCache Rupture): If ThreatNG discovers a hardcoded NHI credential, this repository immediately checks to see if the same credential has been found in dark web dumps. Confirmation of a compromise risk escalates the severity of the NHI Exposure Security Rating.
Context Engine™: Delivers Legal-Grade Attribution. This certainty is crucial for managing the NHI risk rating, as it converts technical findings (such as a publicly exposed service account key) into irrefutable evidence, enabling security leaders to prioritize the remediation of external NHI risks strategically.
Reporting: The NHI Exposure Security Rating is presented clearly on the A-F scale, and the Prioritized Reports (High, Medium, Low) ensure that teams focus first on the most severe and exposed NHI credentials.
Complementary Solutions
ThreatNG's external NHI findings can be integrated with internal systems to establish effective governance, a critical part of a robust NHI risk management program:
Secrets Management Solutions: When ThreatNG discovers a hardcoded credential (e.g., a Twilio API Key), this external alert can be automatically sent to the organization's Secrets Management tool. The tool can then revoke the exposed key, issue a replacement, and notify the development team to retrieve the newly rotated key from the secure vault, enforcing secure lifecycle management and mitigating sprawl. An exposed key should be treated as already compromised and revoked immediately, even at the cost of a brief outage, rather than left live until every consumer has cut over.
Cloud Infrastructure Entitlement Management (CIEM) Tools: ThreatNG's discovery of a critical cloud credential leakage (e.g., AWS Access Key ID) is shared with a CIEM tool. The CIEM tool can then use this external finding to perform an authenticated internal analysis to determine the actual privileges of the potentially compromised key (the Privilege Level factor), check its recent activity for misuse, and automatically enforce the Principle of Least Privilege by revoking excessive permissions or disabling the key immediately.
Security Orchestration, Automation, and Response (SOAR) Platforms: A critical alert from ThreatNG regarding a significant NHI Exposure can trigger a SOAR platform. The SOAR platform can automatically use this external finding to open a high-priority incident ticket, notify the security operations center (SOC), and initiate automated steps to quarantine the exposed code or asset.