Non-Human Identity Security
Non-Human Identity (NHI) security is a cybersecurity practice focused on protecting the digital identities of machines, applications, and automated processes. These non-human identities, which include things like API keys, service accounts, and tokens, are the "digital credentials" that allow systems to communicate and operate without human intervention. In modern IT environments, the number of NHIs often far exceeds the number of human identities, making them a significant and growing attack surface.
Challenges in NHI Security
Securing NHIs presents unique challenges that are not addressed by traditional identity and access management (IAM) solutions designed for human users.
Lack of Visibility: Organizations often have a limited understanding of the number of NHIs that exist, where they are used, and the privileges they hold. This "blind spot" can allow unmanaged or "shadow" NHIs to become easy targets for attackers.
High Privileges and Misconfigurations: To simplify development, NHIs are frequently granted more permissions than they need, violating the principle of least privilege. Attackers can exploit these over-privileged identities to move laterally and escalate access within a network.
Credential Management: NHIs often rely on static, long-lived credentials such as API keys and secrets that are hardcoded into applications or stored insecurely. Unlike human users, NHIs cannot use security measures such as multi-factor authentication (MFA), making them vulnerable to credential theft and reuse.
Scale and Lifecycle Management: The number of NHIs is constantly growing and changing, often created automatically in cloud and DevOps environments. This rapid proliferation can lead to identity "sprawl," where dormant or unneeded identities are not retired, creating security risks.
Key Strategies for NHI Security
Effective NHI security requires a specialized approach that focuses on the following:
Discovery and Inventory: Organizations must first identify and catalog all NHIs across their environment. This includes both active and dormant accounts, their associated permissions, and their respective dependencies.
Principle of Least Privilege: NHIs should only be granted the minimum permissions necessary to perform their specific tasks.
Secure Credential Management: Organizations should use secret management solutions to securely store, manage, and automatically rotate NHI credentials, such as API keys and tokens.
Continuous Monitoring: Real-time monitoring and logging of NHI activities can help detect unusual behavior or unauthorized access attempts.
Lifecycle Management: This involves managing an NHI's entire life, from its creation with appropriate permissions to its timely retirement when it is no longer needed. This process helps prevent the accumulation of orphaned or unused identities.
ThreatNG helps an organization with Non-Human Identity (NHI) security by providing an external, attacker-centric view of an organization's publicly accessible NHI attack surface. It identifies and evaluates exposed credentials and other digital assets that could be exploited for NHI abuse, thereby complementing internal security measures to provide a more comprehensive understanding of the risk.
ThreatNG's external discovery is crucial for identifying NHIs that may be exposed or misconfigured without an organization's knowledge. It performs unauthenticated, external reconnaissance to uncover a wide range of public-facing assets, including domains, cloud services, and mobile apps, that may contain NHIs. For instance, ThreatNG can discover a forgotten subdomain or an unsanctioned cloud service that exposes an API key, which could be used for NHI abuse. It also identifies email addresses associated with specific non-human roles, such as "admin," "devops," or "svc," which are often high-value targets for attackers and can be found in archived web pages or compromised credential data.
ThreatNG's external assessment capabilities help an organization understand the risk associated with discovered NHI exposures. The platform provides detailed scores and ratings that transform raw data into actionable intelligence.
Sensitive Code Exposure: This is a key assessment for NHI security. ThreatNG discovers public code repositories and checks their contents for exposed credentials. It can find hardcoded API keys (e.g., Stripe API key, Google OAuth Key), cloud credentials (e.g., AWS Access Key ID), and security credentials (e.g., SSH private keys), all of which are types of NHIs. This enables an organization to identify and address vulnerabilities before they're exploited.
Mobile App Exposure: ThreatNG evaluates an organization's mobile app exposure by discovering its apps in marketplaces and analyzing their contents for exposed credentials. For example, it can detect a hardcoded API key or user account in a mobile app, a direct NHI exposure that an attacker could use to gain unauthorized access.
Cyber Risk Exposure: This score considers parameters such as certificates and exposed sensitive ports, which NHIs often use for secure communication. ThreatNG can identify exposed database ports (e.g., MySQL, PostgreSQL), which are frequently managed by NHIs and can be a point of entry for attackers.
ThreatNG's reporting capabilities provide the context needed to address NHI security effectively. The Prioritized Report is especially useful because it categorizes risks as high, medium, low, and informational, helping security teams focus on the most critical exposures, such as an exposed privileged service account found on the dark web, rather than being overwhelmed by a flood of alerts.
ThreatNG provides continuous monitoring of an organization’s external attack surface, digital risk, and security ratings. This is vital because NHI abuse often stems from credentials that were leaked or forgotten but remained active for a long time. ThreatNG’s continuous monitoring ensures that if a new NHI credential is leaked or if a developer accidentally exposes a secret in a public repository, the organization is alerted promptly, enabling a timely response.
ThreatNG's investigation modules allow for a detailed examination of NHI exposures.
Sensitive Code Exposure: This module is highly relevant to NHI security as it explicitly finds hardcoded credentials in public code repositories. For example, it can find a hardcoded AWS Access Key ID in a public GitHub repository, which an attacker could use to access the organization's cloud infrastructure.
NHI Email Exposure: This feature specifically groups discovered email addresses associated with non-human roles, such as "admin," "devops," or "svc". By highlighting these emails, ThreatNG provides a focused view of high-value identity targets that could be used to impersonate a non-human identity or service.
Dark Web Presence: This module monitors for compromised credentials, providing a focused view of an organization's identity exposure. ThreatNG can discover if an NHI credential has been leaked, giving the security team the intelligence needed to force a password reset for that account.
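The Sensitive Code Exposure assessment and investigation module described above both look for hardcoded credentials in public repository contents. The following added example, which is not ThreatNG's code, shows the kind of check involved: it scans constructed repository files with heuristic patterns for the credential types the page names (AWS Access Key ID, Stripe key, Google OAuth client ID, SSH private key) and reports redacted findings. The patterns and sample values are assumptions written for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic patterns for the credential types named above. These are assumed
# detection rules written for this example, not ThreatNG's actual signatures.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Stripe secret key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{16,}\b"),
    "Google OAuth client ID": re.compile(r"\b[0-9]+-[0-9a-z]+\.apps\.googleusercontent\.com\b"),
    "SSH private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never store the full secret in the report

def redact(secret: str) -> str:
    """Keep a short prefix so the owner can recognise the credential."""
    return secret[:6] + "..." if len(secret) > 6 else "..."

def scan_file(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line against every pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
    return findings

def scan_repository(files: dict[str, str]) -> list[Finding]:
    """files maps a repository path to its contents (e.g. a cloned public repo)."""
    return [f for path, text in files.items() for f in scan_file(path, text)]

# Constructed sample repository contents; all values are fake, made up for the example.
SAMPLE_REPO = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AA"\nDEBUG = True\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "web/checkout.js": 'const stripe = require("stripe")("sk_live_EXAMPLEEXAMPLE0000");\n',
    "auth/google.json": '{"client_id": "1234567890-abc123def456.apps.googleusercontent.com"}\n',
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.kind} ({f.redacted})")
```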
ThreatNG’s continuously updated intelligence repositories, known as DarCache, provide the data that is essential for identifying and contextualizing NHI abuse.
DarCache Rupture: This repository focuses on compromised credentials. If a batch of credentials from a third-party breach includes NHIs such as service accounts or API keys, ThreatNG can use this data to assess the risk to an organization.
DarCache Vulnerability: This repository offers a comprehensive and proactive approach to managing external risks by examining their real-world exploitability, likelihood of exploitation, and potential impact. If an exposed NHI is linked to a known vulnerability that is actively being exploited (from DarCache KEV), this repository provides the context to prioritize remediation efforts.
Complementary Solutions
ThreatNG's external perspective on NHI abuse can be enhanced by complementary solutions that provide internal visibility and control.
Privileged Access Management (PAM) solutions: If ThreatNG discovers an exposed NHI with high privileges, such as an API key for a critical system, a PAM solution can be used to rotate that credential and automatically enforce stricter access policies.
Identity and Access Management (IAM) platforms: ThreatNG's findings can be integrated into an IAM system to provide a more complete picture of an organization's identity landscape. For example, if ThreatNG identifies a user's cloud credentials exposed in a public code repository, the IAM system can automatically revoke that credential and provision a new one, mitigating the threat.
Security Information and Event Management (SIEM) systems: ThreatNG can feed its external intelligence into a SIEM. If ThreatNG flags a publicly exposed database port, the SIEM can correlate this with internal logs to detect any unauthorized login attempts to that database from the exposed port, providing a unified view of the threat.
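The SIEM correlation described above, as an added example that is not ThreatNG's or any SIEM vendor's code: an external exposed-port finding is joined with constructed, simplified database authentication log lines, and authentication events on that port from non-internal addresses are raised as alerts (a successful external login is high, a failed one is medium). The log format, asset lookup and internal address ranges are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed external finding, shaped like an exposed-port alert from an external scan.
EXTERNAL_FINDING = {"ip": "203.0.113.10", "port": 5432, "service": "PostgreSQL"}
# Assumed asset lookup (public IP -> host name as the SIEM knows it), as a CMDB would supply.
ASSET_MAP = {"203.0.113.10": "db01"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Simplified, constructed log format; real PostgreSQL lines differ but carry the same fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postgres: (?P<event>connection received|connection authorized|"
    r"authentication failed) src=(?P<src>[\d.]+) dst_port=(?P<port>\d+) user=(?P<user>\S+)$"
)
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z db01 postgres: connection authorized src=10.0.4.7 dst_port=5432 user=app_svc
2024-05-01T10:02:13Z db01 postgres: connection received src=198.51.100.77 dst_port=5432 user=svc_backup
2024-05-01T10:02:14Z db01 postgres: authentication failed src=198.51.100.77 dst_port=5432 user=svc_backup
2024-05-01T10:02:20Z db01 postgres: connection authorized src=198.51.100.77 dst_port=5432 user=svc_backup
2024-05-01T10:05:00Z db02 postgres: connection authorized src=198.51.100.77 dst_port=5432 user=reporting
"""

@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    severity: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def correlate(finding: dict, log_text: str) -> list:
    """Alerts for auth events on the exposed host/port from non-internal sources only."""
    target_host = ASSET_MAP.get(finding["ip"])
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Ignore unparsable lines, other hosts, other ports, and internal traffic.
        if not m or m["host"] != target_host or int(m["port"]) != finding["port"]:
            continue
        if m["event"] == "connection received" or is_internal(m["src"]):
            continue
        severity = "high" if m["event"] == "connection authorized" else "medium"
        alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], severity))
    return alerts
```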