Non-Human Identities


In cybersecurity, Non-Human Identities (NHIs) refer to any entity that interacts with IT systems, applications, data, or network resources without direct human intervention. These identities are designed to perform automated tasks, run services, or facilitate communication between system components. As organizations increasingly rely on automation, cloud infrastructure, and microservices, the number and complexity of NHIs have exploded, making their management a critical cybersecurity concern.

Here's a detailed breakdown of NHIs:

Categories of Non-Human Identities:

NHIs can be broadly categorized based on their purpose and the context in which they operate:

  1. Workload Identities:

    • These are identities assigned to software components and applications.

    • Examples:

      • Microservices: Identities used by individual services in a microservices architecture to authenticate and authorize their interactions.

      • Containers: Identities assigned to containers (e.g., Docker containers) to access resources or communicate with other containers.

      • Serverless Functions: Identities granted to serverless functions (e.g., AWS Lambda, Azure Functions) to execute code and access cloud services.

      • Virtual Machines (VMs) and Instances: Identities for virtual machines to communicate with other VMs, access storage, or interact with cloud APIs.

  2. Machine Identities:

    • These identities represent physical or virtual machines, enabling them to authenticate to networks, services, and other machines.

    • Examples:

      • Servers: Identities for physical or virtual servers to join a domain, access network shares, or communicate with management systems.

      • Network Devices: Identities for routers, switches, firewalls, and other network appliances to authenticate with management platforms or other devices.

      • IoT Devices: Identities for smart sensors, industrial control systems (ICS), and other Internet of Things devices to communicate with central platforms or other devices.

  3. Application Identities:

    • These identities are tied explicitly to software applications, allowing them to authenticate and access resources for themselves or users.

    • Examples:

      • Service Accounts: Non-personal accounts that applications or services use to run processes or access system resources, as distinct from the accounts of individual users.

      • API Keys/Tokens: Credentials used by applications to authenticate to APIs and access specific functionalities or data.

      • OAuth Clients: Applications that use OAuth for delegated authorization, obtaining tokens to access resources on behalf of users.

  4. Bot and Script Identities:

    • Automated scripts and bots use these identities to perform specific tasks.

    • Examples:

      • Automation Scripts: Identities for scripts that automate tasks like data backups, system updates, or infrastructure provisioning.

      • Chatbots: Identities for conversational bots that interact with users or systems.

      • Web Scrapers: Identities used by bots to extract data from websites.

  5. Infrastructure Identities:

    • These identities are used by infrastructure components and tools to manage and orchestrate environments.

    • Examples:

      • Cloud Service Principals/Roles: Identities within cloud platforms (e.g., AWS IAM roles, Microsoft Entra ID (formerly Azure AD) service principals, Google Cloud service accounts) that carry specific permissions on cloud resources.

      • Orchestration Tools: Identities used by tools like Kubernetes, Ansible, or Terraform to manage and deploy infrastructure.

      • CI/CD Pipelines: Identities used in Continuous Integration/Continuous Deployment pipelines to access code repositories, build tools, and deployment targets.

Why Non-Human Identities Are a Cybersecurity Challenge:

Managing NHIs presents unique cybersecurity challenges:

  1. Proliferation and Scale: The sheer volume of NHIs, especially in cloud and microservices environments, makes tracking and managing them complex.

  2. Lack of Visibility: Organizations often have poor visibility into which NHIs exist, their permissions, and when and how they are used.

  3. Credential Sprawl: NHIs often use a variety of credentials (API keys, tokens, certificates, service accounts, SSH keys), leading to credential sprawl and increased attack surface.

  4. Over-Privileging: NHIs are frequently granted more permissions than necessary (the least privilege principle is often neglected), making them attractive targets for attackers.

  5. Lifecycle Management: Managing the lifecycle of NHIs (provisioning, deprovisioning, rotation of credentials) can be complex, leading to stale or unused credentials that pose a risk.

  6. Lateral Movement Risk: If an NHI's credentials are compromised, attackers can use them to move laterally within a network, escalating privileges and accessing sensitive data.

  7. Compliance and Audit: Demonstrating control and accountability for NHIs is crucial for compliance and audit purposes, which can be challenging without proper systems.

  8. Automated Exploitation: Because NHIs are designed for automation, a compromised NHI can potentially be used for rapid, automated malicious activity.

Key Security Practices for Non-Human Identities:

To mitigate the risks associated with NHIs, organizations should implement the following security practices:

  1. Discovery and Inventory: Continuously discover and maintain an up-to-date inventory of all NHIs across the environment.

  2. Least Privilege: Grant NHIs only the minimum permissions required to perform their intended function. Regularly review and revoke unnecessary permissions.

  3. Strong Authentication: Where possible, use strong authentication mechanisms for NHIs, such as mutual TLS (mTLS) with workload certificates and short-lived, automatically issued tokens, rather than long-lived static secrets.

  4. Credential Management: Implement robust credential management for NHIs, including automated rotation of API keys, certificates, and passwords. Use secrets management solutions.

  5. Segmentation: Isolate NHIs and their associated resources into segmented environments to limit the blast radius in case of a compromise.

  6. Regular Auditing and Monitoring: Monitor NHI activity for anomalies, suspicious access patterns, and policy violations. Log all NHI actions.

  7. Lifecycle Management: Establish clear, documented processes for the provisioning, deprovisioning, and regular review of NHIs so that unused or obsolete identities, and the credentials attached to them, are removed.

  8. Identity Governance and Administration (IGA): Extend IGA principles and tools to manage NHIs, providing centralized visibility, control, and auditing capabilities.

  9. Secrets Management: Use dedicated secrets management platforms to securely store, distribute, and rotate sensitive credentials used by NHIs.

  10. Behavioral Analytics: Implement user and entity behavioral analytics (UEBA) to detect unusual or malicious behavior by NHIs that might indicate a compromise.
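Several of the practices above (inventory, least privilege, credential rotation, lifecycle management) reduce to checks that can run automatically against an NHI inventory. The script below is an added example, not ThreatNG code or any vendor's API: it audits a constructed inventory against assumed policy thresholds (90-day rotation for static credentials, 30 days of inactivity, a list of permissions considered too broad) and emits findings per identity. The record format, thresholds, and sample identities are all assumptions for illustration.

```python
"""Audit a non-human-identity inventory for the lifecycle and least-privilege
problems listed above.  Added example, not ThreatNG code; the inventory
records and the policy thresholds are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Policy thresholds (assumed; tune to your own standard).
MAX_KEY_AGE_DAYS = 90          # static credentials older than this must be rotated
MAX_IDLE_DAYS = 30             # identities unused this long are removal candidates
BROAD_PERMISSIONS = {"*", "iam:*", "roles/editor", "roles/owner"}  # assumed "too broad" set


@dataclass
class NHI:
    name: str
    kind: str                    # service account, api key, ssh key, ...
    permissions: Set[str]
    credential_type: str         # "static" (long-lived secret) or "short-lived"
    created: date
    last_used: Optional[date]    # None = never used since creation
    owner: Optional[str] = None  # accountable team; None = orphaned identity


def audit_identity(nhi, today):
    """Return a list of (severity, reason) findings for one identity."""
    findings = []
    if nhi.owner is None:
        findings.append(("high", "no accountable owner"))
    broad = nhi.permissions & BROAD_PERMISSIONS
    if broad:
        findings.append(("high", f"broad permissions {sorted(broad)}"))
    if nhi.credential_type == "static":
        age = (today - nhi.created).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(("medium", f"static credential {age} days old, rotate"))
    if nhi.last_used is None:
        findings.append(("medium", "never used, deprovision"))
    else:
        idle = (today - nhi.last_used).days
        if idle > MAX_IDLE_DAYS:
            findings.append(("medium", f"idle for {idle} days"))
    return findings


def audit_inventory(inventory, today):
    """Map identity name -> findings for the whole inventory."""
    return {n.name: audit_identity(n, today) for n in inventory}


def worst_severity(findings):
    """Collapse a finding list to the highest severity present ('ok' if none)."""
    order = {"high": 0, "medium": 1}
    return min((s for s, _ in findings), key=order.get, default="ok")


# Constructed sample inventory: one healthy identity, one orphaned over-privileged
# legacy key, and one identity that was provisioned but never used.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    NHI("ci-deployer", "service account", {"s3:PutObject", "lambda:UpdateFunctionCode"},
        "short-lived", date(2024, 1, 10), date(2024, 5, 31), "platform-team"),
    NHI("legacy-backup", "api key", {"*"}, "static", date(2023, 9, 1), date(2024, 2, 1), None),
    NHI("report-bot", "service account", {"bigquery.jobs.create"}, "static",
        date(2024, 4, 1), None, "analytics"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {worst_severity(findings)}")
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

In a real deployment the inventory would be built from the cloud providers' IAM APIs, the secrets manager, and the CI/CD platform rather than constructed inline; the value of the script is that the same policy runs against every source, so an orphaned key with wildcard permissions is surfaced regardless of where it lives.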

NHIs are a powerful enabler of modern IT, but their unique characteristics demand a dedicated and robust cybersecurity strategy to prevent them from becoming significant vulnerabilities. Treating NHIs with the same, or even greater, security rigor as human identities is paramount in today's automated and interconnected digital landscape.

ThreatNG, as an all-in-one external attack surface management, digital risk protection, and security ratings solution, offers extensive capabilities to help manage and secure Non-Human Identities (NHIs) by providing external visibility and intelligence.

Here's how ThreatNG would help with NHIs, highlighting its key features:

ThreatNG's External Discovery

ThreatNG excels at external, unauthenticated discovery, which is crucial for identifying NHIs that might be exposed or misconfigured without internal network access. This is particularly useful for NHIs like:

  • Cloud and SaaS Workload Identities: ThreatNG can discover sanctioned and unsanctioned cloud services and SaaS solutions being used by an organization, including potential exposures like open cloud buckets. This helps identify NHIs associated with these services, such as service accounts or API keys configured for cloud-based applications.

  • Mobile App Identities: It discovers an organization's mobile applications in various marketplaces and scrutinizes their content for exposed access credentials (e.g., AWS Access Key IDs, API keys, OAuth tokens, GitHub Access Tokens), security credentials (e.g., PGP private keys, SSH private keys), and platform-specific identifiers (e.g., AWS S3 Buckets, Firebase instances). These often represent NHIs the mobile app uses to interact with backend services.

  • Code Repository Identities: ThreatNG discovers public code repositories and investigates their content for sensitive data exposure. This includes various NHI-related credentials like API keys (Stripe, Google OAuth, AWS), access tokens (Facebook), generic credentials (username/password in URIs), cloud credentials (AWS Access Key ID, Secret Access Key), and security credentials (cryptographic private keys, SSH private keys). These are frequently hardcoded credentials used by CI/CD pipelines, automation scripts, or other development-related NHIs.

External Assessment

ThreatNG performs various external assessments that directly or indirectly reveal risks related to NHIs:

  • Web Application Hijack Susceptibility: ThreatNG analyzes web applications' external attack surface to identify potential entry points for attackers. This assessment can uncover misconfigurations in web applications that NHIs (like API gateways or microservices) interact with, making them vulnerable to hijacking.

  • Subdomain Takeover Susceptibility: This assessment evaluates a website's susceptibility to subdomain takeovers by analyzing subdomains, DNS records, and SSL certificate statuses. An attacker who takes over a subdomain can impersonate the service behind it, so NHIs that authenticate to that hostname (for example, microservices calling an API endpoint) may send their credentials or tokens to the attacker.

  • BEC & Phishing Susceptibility: ThreatNG derives this score from factors like Domain Intelligence (including DNS Intelligence and Email Intelligence) and Dark Web Presence. While primarily human-centric, compromised credentials found on the dark web can include service accounts or API keys used by NHIs; a compromised mail-sending or notification service account, for instance, lets an attacker send messages from a sender that recipients are trained to trust, increasing the risk of Business Email Compromise (BEC).

  • Brand Damage Susceptibility: This is derived from attack surface intelligence, digital risk intelligence, and Domain Intelligence. NHIs, such as social media bots or automated content posting tools, if compromised, could be used to generate negative sentiment or spread misinformation, leading to brand damage.

  • Data Leak Susceptibility: This is based on Cloud and SaaS Exposure, Dark Web Presence (compromised credentials), and Domain Intelligence. Exposure of NHI credentials in cloud environments or on the dark web directly contributes to data leak susceptibility, as these credentials can be used to access and exfiltrate sensitive data.

  • Cyber Risk Exposure: ThreatNG considers certificates, subdomain headers, vulnerabilities, and sensitive ports to determine cyber risk. NHIs often rely on certificates for secure communication, and exposed sensitive ports or vulnerabilities associated with services run by NHIs (e.g., database NHIs) directly increase cyber risk. Code Secret Exposure, which discovers sensitive data in code repositories, is also factored in, directly exposing NHI credentials.

  • Cloud and SaaS Exposure: This directly evaluates cloud and SaaS solutions, identifying sanctioned and unsanctioned services, impersonations, and open exposed cloud buckets. This helps pinpoint NHIs (like service accounts or cloud roles) with excessive permissions or misconfigurations in these environments.

  • Supply Chain & Third-Party Exposure: Derived from Domain Intelligence (enumeration of vendor technologies) and Cloud and SaaS Exposure, this assesses risks from third-party vendors. If compromised, NHIs used by third-party applications or services can introduce significant supply chain risk.

  • Breach & Ransomware Susceptibility: This score considers exposed sensitive ports, private IPs, known vulnerabilities, compromised credentials, and ransomware events from the dark web. Many of these indicators directly relate to NHIs: an exposed database managed by an NHI, a vulnerable service run by an NHI, or compromised NHI credentials on the dark web can all lead to a breach or ransomware attack.

  • Mobile App Exposure: As detailed under external discovery, this assessment explicitly highlights the presence of NHI-related access and security credentials within mobile apps, which attackers can use to compromise backend systems or data.

Reporting

ThreatNG provides diverse reporting capabilities that are crucial for managing NHIs. These reports offer valuable insights for security teams to understand and address NHI-related risks:

  • Prioritized Reports: These categorize risks into High, Medium, Low, and Informational. This helps organizations prioritize which NHI exposures to address first, focusing on those with the highest potential impact. For example, exposed API keys with high privileges in a public code repository would be flagged as high priority.

  • Security Ratings Reports: These provide a comprehensive view of the organization's security posture, which inherently includes the security of its NHIs.

  • Inventory Reports: These provide a detailed list of discovered assets, including those managed by or exposing NHIs, such as identified cloud services, mobile apps, or code repositories.

  • Ransomware Susceptibility Reports: These highlight vulnerabilities and exposures that could lead to ransomware, often including those related to NHIs. For instance, if an exposed sensitive port used by an automated service (NHI) is identified, it would contribute to this score.

Continuous Monitoring

ThreatNG continuously monitors an organization's external attack surface, digital risk, and security ratings. This matters for NHIs because their configurations and exposures change rapidly in dynamic cloud and microservices environments, so newly deployed NHIs, or changes to existing ones that introduce an exposure, are detected quickly. For example, if a new serverless function (an NHI) is deployed behind an internet-facing endpoint with no authentication, continuous monitoring would flag the newly exposed endpoint. The function's internal IAM permissions are not visible from outside, so that part of the review falls to the authenticated cloud tooling described under Complementary Solutions.

Investigation Modules

ThreatNG's investigation modules provide deep insights into NHI-related exposures:

  • Domain Intelligence:

    • DNS Intelligence: Analyzes domain records, identifies vendors and technologies, and uncovers domain name permutations and Web3 domains. This helps identify shadow IT or unsanctioned NHIs using obscure domains.

    • Subdomain Intelligence: Provides details on HTTP responses, header analysis (security and deprecated headers), server technologies, and cloud hosting providers. It also assesses subdomain takeover susceptibility. This module can pinpoint subdomains associated with specific NHIs (e.g., an API endpoint for a microservice) and identify configuration vulnerabilities. For instance, discovering an exposed API endpoint on a subdomain that lacks proper security headers indicates a risk for the NHI behind that API. It also identifies various exposed ports, including those for databases (e.g., SQL Server, MySQL), remote access services (SSH, RDP), and IoT/OT devices, which are often managed or accessed by NHIs.

  • Sensitive Code Exposure: This module is highly relevant to NHIs as it discovers public code repositories and their contents. It explicitly identifies:

    • Access Credentials: These include API keys (Stripe, Google OAuth), access tokens (Facebook), generic credentials (username/password in URI), and cloud credentials (AWS Access Key ID, Secret Access Key). They are often hardcoded NHI credentials.

    • Security Credentials: Cryptographic keys (PGP private key block, RSA Private Key) and SSH private keys are frequently used by NHIs for secure communication or access.

    • Configuration Files: Including application configurations (Azure service, Ruby On Rails, Django), system configurations (shell, SSH, Linux shadow/passwd files), and network configurations (OpenVPN, Tunnelblick). Misconfigured NHIs can inadvertently expose these files, revealing sensitive details.

    • Database Exposures: Identifies database files (SQL, SQLite) and credentials. If NHIs are used to manage databases, their compromised credentials could be disastrous.

    • Application Data Exposures: Including remote desktop connection files, encryption keys (BitLocker), Java Keystores, and git-credential-store helper credentials files. Many of these are directly related to how NHIs authenticate and operate.

    • Cloud Service Configurations: Like AWS CLI credentials files, indicating potential exposure of NHI access to cloud environments.

  • Mobile Application Discovery: This module identifies access credentials, security credentials, and platform-specific identifiers within mobile applications discovered in marketplaces. These often represent NHIs that the mobile app uses to interact with backend services.

  • Search Engine Exploitation: This helps users investigate susceptibility to exposing sensitive information via search engines, including errors, public passwords, susceptible files, and user data. Exposed NHI credentials or misconfigurations could be discoverable through search engines.

  • Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services and SaaS implementations (e.g., Salesforce, Slack, Workday, Okta, ServiceNow). NHIs are heavily integrated with these platforms, and this assessment helps identify where their permissions might be over-provisioned or exposed.

  • Dark Web Presence: ThreatNG monitors for organizational mentions on the dark web, including associated compromised credentials and ransomware events. NHI credentials are frequently found in data breaches and sold on the dark web, making this a critical module for detecting compromised NHIs.
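The Sensitive Code Exposure and Mobile Application Discovery modules above both come down to recognising credential material in text that was never meant to be public. The scanner below is an added example of that detection logic, not ThreatNG's implementation or patterns: it runs a small set of simplified, assumed regular expressions (AWS access key IDs and secret keys, Stripe and GitHub tokens, private key headers, username:password pairs embedded in URIs) over a constructed environment file and reports each hit with the secret redacted, so the report itself does not re-leak the credential. The sample file uses AWS's documented placeholder key values and obviously fake tokens.

```python
"""Scan source text for hardcoded NHI credentials of the kinds listed above.
Added example, not ThreatNG code; the patterns are simplified (assumed) and
the sample file is constructed.  Real scanners add entropy checks and
provider-specific validation on top of pattern matching."""
import re

PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "AWS Secret Access Key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "Stripe secret key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "GitHub token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "Private key block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    # scheme://user:password@host ... as seen in DATABASE_URL-style settings
    "Credentials in URI": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
}


def redact(secret):
    """Keep enough of a match to locate it in the file without re-leaking it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text, source="<input>"):
    """Return one finding dict per pattern match, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "type": label,
                    "match": redact(match.group(0)),
                })
    return findings


def count_by_type(findings):
    """Summarise a finding list as {credential type: count}."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


# Constructed deploy.env that was "committed" to a public repository.  The AWS
# values are AWS's documented example placeholders; the other tokens are fake.
SAMPLE_FILE = """\
# deployment settings (constructed sample, not a real leak)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_KEY=sk_test_0000000000000000000000001234
DATABASE_URL=postgres://report_bot:hunter2@db.internal:5432/reports
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA...
-----END OPENSSH PRIVATE KEY-----
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE, "deploy.env"):
        print(f"{f['source']}:{f['line']}: {f['type']}: {f['match']}")
```

Every hit here is an NHI credential: the AWS pair and the GitHub token belong to automation, the Stripe key and database URI to a backend service, and the private key to whatever host or pipeline authenticates with it. Treat a match as compromised the moment the file is public and rotate first; the scan tells you what to rotate, not whether anyone has already used it.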

Intelligence Repositories (DarCache)

ThreatNG's continuously updated intelligence repositories provide vital context for understanding and prioritizing NHI risks:

  • Compromised Credentials (DarCache Rupture): This addresses NHI risk by tracking compromised credentials. If an API key, service account password, or SSH key belonging to an NHI is found here, it's an immediate, high-priority alert.

  • Ransomware Groups and Activities (DarCache Ransomware): Tracking over 70 ransomware gangs helps anticipate potential attack vectors. If a ransomware group is known to target specific vulnerabilities or misconfigurations often associated with NHIs (e.g., exposed RDP, vulnerable IoT devices), this intelligence is invaluable.

  • Vulnerabilities (DarCache Vulnerability): This comprehensive repository, including NVD, EPSS, and KEV data, helps assess the real-world exploitability of vulnerabilities. Many vulnerabilities affect software components and systems that rely on NHIs, and this intelligence helps prioritize patching efforts for those NHIs. For example, if a critical vulnerability known to be actively exploited (KEV) is found in a web server run by an NHI, ThreatNG provides the necessary context.

  • Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Direct links to PoC exploits accelerate understanding of how a vulnerability can be exploited. This is crucial for security teams to reproduce and mitigate vulnerabilities impacting NHIs.

  • Mobile Apps (DarCache Mobile): This repository directly provides information on the presence of access credentials, security credentials, and platform-specific identifiers within discovered mobile apps. This is a direct intelligence source on potentially exposed NHI credentials embedded within mobile applications.

Complementary Solutions

ThreatNG's capabilities can be significantly enhanced with complementary solutions, creating a more holistic NHI security posture.

  • Privileged Access Management (PAM) Solutions: While ThreatNG identifies exposed NHI credentials externally, PAM solutions manage and secure NHI credentials (like service account passwords, API keys, and SSH keys) internally. ThreatNG could identify that an API key is exposed in a public code repository, and a PAM solution would then be used to rotate that key, manage its lifecycle, and enforce just-in-time access for any systems using it.

  • Identity Governance and Administration (IGA) Solutions: IGA platforms manage identity lifecycles and access entitlements. ThreatNG's discovery of NHIs and associated risks (e.g., over-privileged service accounts in cloud environments) can feed directly into an IGA solution. The IGA system can then enforce the principle of least privilege for these NHIs, ensure proper approval workflows for their creation, and automate deprovisioning when no longer needed.

  • Cloud Security Posture Management (CSPM) Solutions: CSPM tools focus on misconfigurations within cloud environments. ThreatNG's "Cloud and SaaS Exposure" module can identify whether an AWS S3 bucket is publicly exposed or whether a Google Cloud Platform service account is exposed externally (for example, through a key found in a public repository or mobile app). A CSPM tool, which has authenticated access to the cloud account, would then confirm what permissions that identity actually holds, provide deeper insight into the specific misconfiguration within the cloud provider's console, and help automate remediation of the NHI-related issue.

  • Vulnerability Management (VM) Platforms: ThreatNG identifies known vulnerabilities in components and services exposed externally, often run by NHIs. A dedicated VM platform would then take this vulnerability data, correlate it with internal scan results, and manage the patching and remediation workflows for the affected NHIs. ThreatNG's DarCache Vulnerability, including NVD, EPSS, and KEV, provides rich data for VM platforms to prioritize.

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's continuous monitoring and risk findings can be integrated into SIEMs for centralized logging and alerting on NHI-related anomalies. For instance, if ThreatNG detects a new, unmanaged service (NHI) exposed to the internet, this alert can go to the SIEM. A SOAR platform can then automate responses, such as initiating a workflow to investigate the new service or automatically block its access if deemed malicious.

Examples of ThreatNG Helping with NHIs

  • Scenario 1: Exposed API Key: ThreatNG's "Sensitive Code Exposure" module discovers a Stripe API key in a public GitHub repository belonging to the organization. This key is an NHI, likely used by an internal application to process payments. ThreatNG reports this high-risk exposure, flagging "Access Credentials" under "Code Secret Exposure."

  • Scenario 2: Over-Privileged Cloud Service Account: ThreatNG's "Cloud and SaaS Exposure" assessment identifies a Google Cloud Platform service account (an NHI) that is exposed externally, for example because its key was found in a public repository or mobile app. Reviewing the account in the cloud console shows it holds broad "Editor" permissions on the project, far more than it needs to read a single BigQuery dataset. The exposure is flagged as a "Cloud and SaaS Exposure" risk; the permission scope itself is confirmed with authenticated cloud tooling, since external discovery sees the exposed identity, not its IAM bindings.

  • Scenario 3: Vulnerable Web Server with a Service Account: ThreatNG's "Cyber Risk Exposure" identifies a critical vulnerability (e.g., Log4j) in an externally accessible web server. Further investigation with "Subdomain Intelligence" and "Sensitive Code Exposure" (for example, an exposed application configuration file naming the database credential) reveals that this web server uses a specific service account (NHI) to connect to a backend database. This highlights the NHI as being at risk: an attacker who exploits the server inherits whatever that service account can reach.

  • Scenario 4: Mobile App with Hardcoded Credentials: ThreatNG's "Mobile App Exposure" discovers an organization's mobile app in a marketplace that contains hardcoded AWS Access Key IDs and a PGP private key. These are NHI credentials the mobile app uses, posing a severe risk if the app is reverse-engineered.

Examples of ThreatNG Working with Complementary Solutions

  • ThreatNG & PAM: ThreatNG discovers an SSH private key exposed in a public code repository. The security team uses this information to revoke the exposed key immediately. A PAM solution is then used to generate a new, temporary SSH key for the affected NHI, which is automatically rotated every 24 hours, ensuring no static credentials are left exposed.

  • ThreatNG & IGA: ThreatNG's "Cloud and SaaS Exposure" highlights multiple unsanctioned SaaS applications the organization uses, each implicitly using NHIs (e.g., API integrations). The IGA solution then takes this information to initiate a workflow, requiring departments to formally request and justify the use of these SaaS applications. This ensures that NHIs used by these applications are properly governed and their access is reviewed.

  • ThreatNG & CSPM: ThreatNG identifies an open AWS S3 bucket, a "Cloud and SaaS Exposure" finding. A CSPM solution, integrated with AWS, provides immediate remediation steps, such as applying a bucket policy to restrict public access and notifying the responsible team. The CSPM also continuously monitors for similar misconfigurations of NHIs across the AWS environment.

  • ThreatNG & SIEM/SOAR: ThreatNG detects a new, unusual subdomain pointing to an IP address not associated with the organization, possibly indicating a shadow IT service (an NHI). This event is sent to the SIEM, which correlates it with other network traffic logs. A SOAR playbook then automatically initiates an investigation: querying internal asset management systems, performing a passive DNS lookup, and, if suspicious, blocking the IP at the firewall level until further analysis can be done.
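The first decision in the SIEM/SOAR playbook above is whether a newly observed subdomain belongs to the organization, to a known hosting provider, or to nobody the organization recognises. The script below is an added example of that triage step, not ThreatNG code or any SOAR vendor's playbook: it classifies constructed DNS observations against assumed organization address ranges (documentation prefixes stand in for real allocations), an assumed provider range, and a list of CNAME targets that are prone to takeover when the referenced resource is deleted, then orders the results worst-first for the investigation queue.

```python
"""Triage newly observed subdomains for the SOAR queue.  Added example, not
ThreatNG or SOAR vendor code; address ranges, provider list, takeover-prone
suffixes and DNS observations are all constructed for illustration."""
import ipaddress

# Constructed address book: replace with real allocations and provider ranges.
ORG_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
KNOWN_PROVIDER_RANGES = {ipaddress.ip_network("198.51.100.0/24"): "example-cloud"}
# Hosting targets where a dangling CNAME can be claimed by anyone (assumed list).
TAKEOVER_PRONE_SUFFIXES = (".github.io", ".herokuapp.com", ".s3.amazonaws.com",
                           ".azurewebsites.net")

# Lower number = handle first.
SEVERITY = {"investigate": 0, "review": 1, "ok": 2}


def classify(record):
    """Return (verdict, reason) for one DNS observation.

    record = {"name": ..., "rrtype": "A" | "AAAA" | "CNAME", "value": ...}
    """
    rrtype, value = record["rrtype"], record["value"].rstrip(".")
    if rrtype == "CNAME":
        if value.endswith(TAKEOVER_PRONE_SUFFIXES):
            return ("review", f"CNAME to {value}: confirm the target resource still exists")
        return ("investigate", f"CNAME to unrecognised target {value}")
    ip = ipaddress.ip_address(value)      # raises ValueError on a malformed A/AAAA value
    if any(ip in net for net in ORG_RANGES):   # v4 vs v6 mismatch simply yields False
        return ("ok", "resolves into organization-owned address space")
    for net, provider in KNOWN_PROVIDER_RANGES.items():
        if ip in net:
            return ("review", f"hosted at {provider}: check the asset inventory for an owner")
    return ("investigate", f"{ip} is outside all known ranges: possible shadow IT or hijacked record")


def triage(records):
    """Classify every record and return (name, verdict, reason) tuples worst-first."""
    results = [(r["name"], *classify(r)) for r in records]
    return sorted(results, key=lambda item: SEVERITY[item[1]])


# Constructed observations from a passive-DNS or EASM feed.
SAMPLE_RECORDS = [
    {"name": "api.example.com", "rrtype": "A", "value": "203.0.113.10"},
    {"name": "old-promo.example.com", "rrtype": "CNAME", "value": "old-promo.herokuapp.com."},
    {"name": "data-sync.example.com", "rrtype": "A", "value": "192.0.2.77"},
    {"name": "cdn.example.com", "rrtype": "AAAA", "value": "2001:db8:10::5"},
    {"name": "files.example.com", "rrtype": "A", "value": "198.51.100.23"},
]

if __name__ == "__main__":
    for name, verdict, reason in triage(SAMPLE_RECORDS):
        print(f"{verdict:<12} {name:<26} {reason}")
```

The "investigate" verdict is the trigger for the rest of the playbook (asset-inventory lookup, passive DNS history, and a firewall block if the record proves malicious); "review" covers records that are probably legitimate but need an owner or a check that the CNAME target has not been deleted, which is exactly the dangling-record condition behind subdomain takeover.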
