Non-Human Identity Risks: Lessons from Dropbox's Security Incident

Misha Brickman, Software Engineer

On April 24th, Dropbox became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. The investigation revealed that a threat actor had breached the system and accessed sensitive customer information. What set this incident apart was the method of intrusion: the compromise of a non-human identity (NHI) used within Dropbox Sign's back-end infrastructure.

At the heart of the breach was the compromise of an automated system configuration tool within Dropbox Sign's infrastructure. This tool, essential for managing the system's configuration, became the entry point for the threat actor. Specifically, the compromised NHI was a service account: a type of non-human identity created to run applications and automate essential back-end services.

Service accounts, often established within Microsoft Active Directory (AD), serve as conduits for various system operations, from software installations to database management. Functioning autonomously, these accounts carry out tasks seamlessly, often operating in the background without human intervention. However, their autonomy, coupled with extensive access privileges, renders them susceptible to exploitation if not adequately secured.

In the Dropbox Sign breach, the threat actor reached sensitive customer data through the compromised service account. The company states that the breach did not extend to user account contents or payment information: 'Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information,' Dropbox said in its 8-K filing. Even so, the incident underscores the critical importance of hardening non-human identities within system infrastructure.

In response to the incident, Dropbox took swift action to mitigate risks to its users. This included resetting users' passwords, logging users out of connected devices, and coordinating the rotation of all API keys and OAuth tokens. The company also reported the incident to data protection regulators and law enforcement authorities. However, the incident illuminates a broader issue within cybersecurity practice: the often overlooked security measures concerning non-human identity management.

Lessons Learned and Future Outlook

The Dropbox Sign security incident serves as a stark reminder of the critical importance of effectively managing non-human identities like service accounts throughout their lifecycle. Organizations must prioritize robust practices for the creation, assignment, governance, rotation of secrets, and decommissioning of stale service accounts to mitigate risks and enhance cybersecurity posture.

Prioritize Comprehensive Visibility for Effective Service Account Management

Achieving a complete view of the service account landscape is crucial. Organizations should strive for holistic visibility, enabling them to identify all service accounts within their infrastructure. This visibility should extend to various aspects such as account usage, permissions, and associated resources, empowering administrators to track and manage service accounts efficiently.

Ensure Safe Secret Rotation for Non-Human Identities

While regular password/secret rotation is standard practice for human identities, it is often overlooked for non-human identities. Concerns about potential disruptions to critical operations lead to the neglect of secret rotation, allowing compromised service accounts to maintain prolonged access to an organization's network undetected.

Rotating passwords in outdated environments, especially those heavily dependent on Microsoft Active Directory (AD) service accounts, presents a significant challenge. An illustrative example of this challenge is the Cloudflare breach, where despite a rotation attempt of approximately 5000 accounts, four service accounts remained unrotated. This incident highlights the need for automation solutions to address this issue effectively. Unlike modern systems that allow for simultaneous rotation of multiple passwords, older systems often impose restrictions, permitting only one password rotation at a time. This limitation not only complicates the rotation process but also heightens the risk of credential exposure due to delayed updates.

To mitigate these risks, organizations must invest in dedicated tools designed to automate the rotation of non-human identity secrets. By leveraging automation solutions, such as specialized platforms, organizations can streamline the rotation process, enhance security measures, and effectively safeguard their systems against evolving cyber threats. Moreover, streamlining non-human identity lifecycle management is paramount for both efficiency and security. Automated workflows enable seamless provisioning, enforce role-based access controls (RBAC), and conduct regular audits, ensuring consistent and policy-compliant management of service accounts. Through automation, organizations can minimize manual effort, mitigate the risk of errors or oversights, and uphold robust security standards across their infrastructure.

Context is Key to Solve Security Challenges without Business Disruption

When Dropbox asked its customers to rotate all API keys and OAuth tokens following the security incident, it highlighted the importance of contextual understanding. Without a comprehensive view of how these non-human identities were being used within their systems, customers may find it challenging to determine the appropriate course of action for rotation.

For instance, some API keys or OAuth tokens may be associated with critical integrations or applications essential for business operations. Rotating these tokens without understanding their usage context could disrupt crucial workflows or services, leading to operational downtime or service interruptions. Think of it like this: some of these keys and tokens are like the keys to your office building or your home. If you change them without knowing who's using them and why, you could accidentally lock out important services or cause disruptions in your day-to-day operations.

Detailed insights into the context surrounding each service account are essential. Contextual mapping capabilities provide information about service account configurations, access controls, and usage patterns. By understanding the context in which service accounts operate, administrators can make informed decisions regarding their management and access privileges.

Proactive Posture Assessment is Key to Strengthening Security Measures

Assessing the security posture of service accounts is paramount. Organizations should conduct automated posture assessments, evaluating factors such as secret rotation, access permissions, and compliance with security policies. This proactive approach helps identify vulnerabilities and prioritize remediation efforts to enhance the overall security of service accounts.
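The visibility, context, and posture-assessment practices above come together in a single inventory-driven check. The following is an added example, not code from the original post or from any vendor product: it assesses a constructed inventory of service accounts, API keys, and OAuth tokens against assumed policy thresholds (90-day secret age, 180-day staleness) and separates identities that can be rotated now from those that are unused (decommission candidates) or whose consumers and owner are unknown (rotation would be a blind change).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Policy thresholds assumed for this example; tune to your own policy.
MAX_SECRET_AGE_DAYS = 90      # secrets older than this are overdue for rotation
STALE_AFTER_DAYS = 180        # identities unused for this long are decommission candidates
PRIVILEGED_ROLES = {"admin", "domain-admin", "owner"}

@dataclass
class NonHumanIdentity:
    name: str
    kind: str                              # "service-account", "api-key" or "oauth-token"
    secret_rotated: date                   # when the secret was last rotated
    last_used: Optional[date]              # last authenticated use, None if never seen
    roles: Set[str]
    consumers: List[str] = field(default_factory=list)  # integrations known to use it
    owner: Optional[str] = None            # accountable team, if known

def assess(nhi: NonHumanIdentity, today: date) -> List[str]:
    """Posture findings for one identity, in a fixed order."""
    findings = []
    if (today - nhi.secret_rotated).days > MAX_SECRET_AGE_DAYS:
        findings.append("SECRET_OVERDUE")
    if nhi.last_used is None or (today - nhi.last_used).days > STALE_AFTER_DAYS:
        findings.append("STALE")
    if nhi.roles & PRIVILEGED_ROLES:
        findings.append("PRIVILEGED")
    if not nhi.consumers:
        findings.append("NO_CONTEXT")      # nobody knows what would break if it changed
    if nhi.owner is None:
        findings.append("NO_OWNER")
    return findings

def rotation_plan(inventory: List[NonHumanIdentity], today: date) -> dict:
    """Bucket identities by the action their findings justify."""
    plan = {"rotate_now": [], "decommission": [], "needs_review": [], "compliant": []}
    for nhi in inventory:
        f = assess(nhi, today)
        if "STALE" in f:
            plan["decommission"].append(nhi.name)   # unused: retire instead of rotating
        elif "NO_CONTEXT" in f or "NO_OWNER" in f:
            plan["needs_review"].append(nhi.name)   # unknown blast radius: confirm first
        elif "SECRET_OVERDUE" in f or "PRIVILEGED" in f:
            plan["rotate_now"].append(nhi.name)     # consumers known: coordinated rotation
        else:
            plan["compliant"].append(nhi.name)
    return plan

# Constructed sample inventory (fictional names and dates, not real Dropbox data).
TODAY = date(2024, 5, 1)
INVENTORY = [
    NonHumanIdentity("cfg-tool-svc", "service-account", date(2023, 11, 1), date(2024, 4, 30), {"domain-admin"}, ["config-manager"], "platform-team"),
    NonHumanIdentity("billing-api-key", "api-key", date(2024, 3, 15), date(2024, 4, 29), {"read"}, ["invoicing"], "finance-eng"),
    NonHumanIdentity("legacy-export", "oauth-token", date(2022, 1, 10), date(2023, 6, 1), {"read"}, ["old-reporting"], None),
    NonHumanIdentity("mystery-key", "api-key", date(2024, 1, 2), date(2024, 4, 28), {"admin"}, [], None),
]
```

Running `rotation_plan(INVENTORY, TODAY)` on the sample puts the privileged, overdue configuration-tool account in `rotate_now`, the unused token in `decommission`, and the ownerless key with no known consumers in `needs_review`.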

In conclusion, the Dropbox Sign security incident highlights the critical need for organizations to enhance their management of service accounts throughout their lifecycle. By adopting robust practices for visibility, contextual understanding, proactive posture assessment, streamlined lifecycle management, and security and compliance enforcement, organizations can significantly improve their cybersecurity posture and effectively mitigate risks. As we all adapt to the ever-evolving cybersecurity landscape, it's essential for organizations to invest in comprehensive approaches to non-human identity management. If you're a Dropbox user looking to better assess your non-human identity risk in light of this incident, reach out to Oasis Security today for expert assistance and guidance. Safeguard your sensitive data and maintain trust with stakeholders by taking proactive steps towards better security practices.