Roey Rozi
Director of Solutions Architecture
Published on
February 2, 2024
Cloudflare disclosed on February 2nd that it had been breached by a suspected nation-state attacker. This breach exploited multiple unrotated and exposed secrets. The chain of events began with the Okta breach in October 2023, during which the attacker gained administrative access to Cloudflare’s Okta system. Although the Cloudflare team attempted to rotate all relevant credentials within Okta, they inadvertently missed one access token and three service accounts, mistakenly believing they were unused. Subsequently, the attacker utilized these four non-human identities to gain access to Cloudflare’s Confluence, Jira, and Bitbucket systems. The breach was eventually detected by a detection system, prompting the initiation of a thorough investigation.
It is noteworthy that the Cloudflare team was aware of the Okta breach in October, yet they couldn’t prevent the subsequent breach. Despite that awareness and the recognized need to rotate all exposed credentials, executing the rotation quickly and precisely enough was impossible due to the inherent operational complexity of the task, even for an experienced team like the one at Cloudflare. Consequently, the attacker capitalized on the initial Okta access to obtain further credentials, facilitating lateral movement.
In the wake of the breach, Cloudflare’s team faced a huge challenge requiring an incredible effort to solve: rotate all their production secrets, analyze all testing and development environments, and return data center hardware to the vendor for analysis. The process took them until January to complete, while developers were still working on hardening systems. As often happens, responding to a realized risk is far more costly than implementing the best practices that would have prevented it in the first place.
Rotating secrets is inherently difficult:
The lack of relevant management tools leaves most organizations struggling to perform regular rotations, especially during security incidents. Furthermore, non-human identities lack multifactor authentication (MFA) and often possess privileged access, making them prime targets for attackers seeking to execute supply chain attacks, perform lateral movement, and maintain persistence.
The best approach for an organization to eliminate the security risk exposure from NHIs is to manage them efficiently throughout their lifecycle. This entails implementing several key best practices:
When an organization achieves this ideal state, an identity-based attack becomes practically impossible. For example, after the Okta breach, such an organization could trigger a wide and thorough rotation, thus eliminating the risk. Reaching this ideal state requires a combination of security policies and great tooling that enables the organization to follow those policies efficiently.
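The failure mode described above, and the "wide and thorough rotation" that would have avoided it, can be made concrete with a small model of a post-incident sweep. The following is an added illustration, not code from Oasis or Cloudflare: the identity names, timestamps and the 90-day idleness cutoff are all constructed, and the model stands in for whatever identity-provider API a real sweep would call. It contrasts the shortcut of skipping credentials that look unused with a sweep that rotates every credential that existed at incident time and has not been rotated since.

```python
"""Post-incident rotation sweep for non-human identities (NHIs).

Constructed example. The inventory, timestamps and cutoff below are invented
to illustrate the failure mode in the post (credentials skipped during a
rotation because they were believed unused); nothing here talks to a real
identity provider.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import secrets


@dataclass
class NonHumanIdentity:
    """One token or service account in the IdP (constructed model, not a real API)."""
    name: str
    kind: str                          # "access_token" or "service_account"
    created_at: datetime
    last_seen_at: Optional[datetime]   # None means no usage telemetry exists at all
    rotated_at: Optional[datetime] = None
    secret: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed timestamps: when the IdP compromise happened, and when the sweep runs.
INCIDENT_AT = datetime(2023, 10, 18, tzinfo=timezone.utc)
NOW = datetime(2023, 11, 1, tzinfo=timezone.utc)


def sample_inventory() -> List[NonHumanIdentity]:
    """Constructed inventory: one clearly active token, one token and three
    service accounts that look idle, and one credential created after the
    incident (so never exposed by it)."""
    def before(days):
        return INCIDENT_AT - timedelta(days=days)
    return [
        NonHumanIdentity("ci-deploy-token", "access_token", before(400), before(1)),
        NonHumanIdentity("legacy-wiki-token", "access_token", before(700), None),
        NonHumanIdentity("svc-jira-sync", "service_account", before(500), before(200)),
        NonHumanIdentity("svc-scm-mirror", "service_account", before(300), before(150)),
        NonHumanIdentity("svc-reporting", "service_account", before(250), before(95)),
        NonHumanIdentity("new-after-incident", "access_token", NOW - timedelta(days=3), NOW),
    ]


def exposed_after(inventory, incident_at):
    """Credentials that existed at incident time and have not been rotated since.
    Apparent idleness is deliberately not an exclusion criterion: an attacker
    holding a copy does not need the legitimate owner to ever use it."""
    return [
        n for n in inventory
        if n.created_at <= incident_at
        and (n.rotated_at is None or n.rotated_at <= incident_at)
    ]


def rotate(nhi, now):
    """Issue a fresh secret and record the rotation. A real sweep would also
    revoke the old value at the IdP; the model simply replaces it."""
    nhi.secret = secrets.token_hex(16)
    nhi.rotated_at = now


def rotate_only_recently_used(inventory, incident_at, now, idle_days=90):
    """The shortcut that goes wrong: skip anything that looks unused.
    Returns the names of the exposed credentials it left untouched."""
    cutoff = incident_at - timedelta(days=idle_days)
    skipped = []
    for n in exposed_after(inventory, incident_at):
        if n.last_seen_at is None or n.last_seen_at < cutoff:
            skipped.append(n.name)
            continue
        rotate(n, now)
    return skipped


def rotate_everything_exposed(inventory, incident_at, now):
    """The thorough sweep: rotate every credential exposed by the incident,
    idle or not. Returns how many were rotated."""
    targets = exposed_after(inventory, incident_at)
    for n in targets:
        rotate(n, now)
    return len(targets)


if __name__ == "__main__":
    inv = sample_inventory()
    print("skipped by the 'looks unused' shortcut:", rotate_only_recently_used(inv, INCIDENT_AT, NOW))
    print("still exposed afterwards:", [n.name for n in exposed_after(inv, INCIDENT_AT)])
    inv = sample_inventory()
    print("rotated by the full sweep:", rotate_everything_exposed(inv, INCIDENT_AT, NOW))
    print("still exposed afterwards:", [n.name for n in exposed_after(inv, INCIDENT_AT)])
```

The only input the thorough sweep needs is an inventory that is complete; that is the point the incident makes. An identity with no telemetry at all (`last_seen_at` of `None`) is the case the shortcut handles worst, because "no evidence of use" is read as "unused" when it may only mean "unobserved".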
The Cloudflare incident is a stark reminder of the security risks of unmanaged NHIs. It also speaks to the unique operational challenges that security teams face with NHIs, even an experienced team like the one at Cloudflare. While most organizations today have a well-defined enterprise strategy to secure human identities and the right solutions for the job, they don’t for NHIs, which are often left unmanaged because they are simply too difficult to deal with using existing tools for PAM, CIEM, and CSPM.
Luckily, there is a solution now and it’s called Oasis! We created the Oasis platform to give security, identity and cloud teams the capabilities and automation needed to easily secure all non-human identities across the stack throughout their lifecycle.
Specifically for secret rotation, Oasis drastically simplifies the process, allowing security teams to efficiently remediate existing vulnerabilities with the peace of mind that system availability won’t be impacted. The Oasis platform offers several powerful capabilities to address this critical use case:
Managing NHIs is complex and involves more than just safely performing secret rotation. Without the right tool, the operational complexity and overhead of managing NHIs become an insurmountable barrier. Our team is here to assist you in navigating the complexities of non-human identity management and enhancing your organization's security posture.