Securing Non-Human Identities: Insight from Recent Breaches

Securing Non-Human Identities: Insight from Recent Breaches

Publish on

April 16, 2024

Join Ido Geffen for an enlightening webinar on "Securing Non-Human Identities: Insights from Recent Breaches." Dive deep into the critical role non-human identities play in today’s security landscape, as Ido unravels real-world examples of security breaches and the lessons learned. Gain invaluable insights into the challenges and vulnerabilities associated with managing non-human identities and discover proactive measures and strategic solutions to safeguard your organization against sophisticated cyber threats.


Hello, everyone, and thank you for joining us today.

My name is Ido Geffen, and I am the VP of Product at Oasis Security.

Today, I hope to provide you with a fascinating session that will last about 30 minutes.

We will be focusing on how to secure non-human identities. Specifically, we will delve into the most recent attacks that involve non-human identities, explain how these attacks occurred, and provide a perspective that will help you better understand how to protect yourself from such threats. We will also discuss the risks and consequences associated with these types of attacks.

Our agenda will cover the following points at a high level:

Definition of non-human identity and why they are appealing to attackers.

Detailed discussion on a specific attack involving a non-human identity and its impact on businesses.

In the end, I will share some strategies, recommendations, and best practices on how to better protect against non-human identity attacks.

Let's begin by looking at traditional identity and access management, which primarily focuses on human-to-machine access. This has been the standard since the inception of computers—a human interacting with a machine.

From an enterprise perspective, systems like Workday serve as our authoritative source for human identity management.

Following our discussion on traditional identity management, we explore the tools used for managing authentication and authorization of human identities.

To provide context, let's consider an example: imagine a new employee, whether a developer or a salesperson. We know their role, their department, and based on these, our Identity Governance and Administration (IGA) solutions determine the relevant authorizations. For example, if the employee is an admin, they will require access to the organization's critical infrastructure and high-privilege areas. This is managed through a Privileged Access Management solution. Furthermore, every employee must complete multi-factor authentication to gain access to the organization's resources.

Now, let's shift our focus to non-human identities or, more broadly, the current landscape in modern, highly distributed enterprises. Here, we encounter a complex mesh of technologies and architectures. The modern tech stack in these organizations involves clouds, microservices, DevOps workflows, and more. In this environment, we see numerous non-human identities that facilitate service-to-service connections, transitioning from the traditional human-to-machine interactions to machine-to-machine communications. This is typically managed with API keys and integrations across various platforms such as AWS, Slack, or Microsoft Teams. This mesh of applications communicates and transfers data, propelling business operations to move quickly and scale.

Reflecting on the past 15 years, traditional enterprise organizations primarily managed human identities, with a smaller proportion of service accounts in on-premise solutions like Active Directory. However, over the last decade, there has been a significant shift towards cloud-based platforms, largely driven by development teams. Today, we often see a dramatic increase in non-human identities — sometimes up to ten times more than human ones. For instance, in an AWS-focused company, you might deal with various AWS services like S3 buckets and EC2 instances, along with other applications like ServiceNow and Salesforce. These applications need to communicate seamlessly with each other.

The prevalence of non-human identities is only increasing, and it's crucial for us to understand and manage this growing complexity to ensure the security and efficiency of our technological ecosystems.

By 2025, we anticipate seeing 50 times more non-human identities than we do today. This surge is largely due to advanced tools that generate new features, capabilities, and applications. These applications often utilize non-human identities to facilitate communication and operations behind the scenes.

So, what exactly are non-human identities? On the left, you can see various types such as service accounts in Microsoft Active Directory, service principals in Microsoft Azure, and IDS users in AWS, which are default users for many AWS-based databases. We also see applications like OAuth tokens and others.

On the right, if we consider authentication methods for humans, which are fairly uniform, non-human identities present a vast array of types and authentication methods. For example, Azure uses SAS tokens for storage accounts, and specific GitHub API keys are required for interactions with GitHub. The sources for these non-human identities are extensive, including major cloud providers like AWS, Azure, and Google Cloud, as well as identity providers.

Moreover, modern big SaaS applications like ServiceNow, Salesforce, GitHub, and Workday also create their own types of non-human identities. These identities can be created, interrogated, and connected within your cloud environment or to your Platform as a Service (PaaS) solutions like Snowflake or Databricks.

This leads us to a much more distributed world with numerous definitions and complexities. As we will discuss later, these complexities are precisely what hackers exploit. The diverse and expansive nature of non-human identities creates numerous blind spots, posing significant security risks.

Now, let’s contrast this with human identities, which grow very slowly in traditional organizations and are centralized from an Identity Governance and Administration (IGA) perspective. We usually know the context for each human identity— who the person is, which department they belong to, etc. The security and IT teams have structured identity lifecycle management processes in place for these human identities.

In contrast, non-human identities are proliferating at the pace of code development. There's no single source of truth; it's challenging to track ownership or determine the specific services these identities are connected to. Often, these identities are created by developers, adding to the complexity and potential security risks.

And we know that these people are moving and moving fast in order to support the business and it's very hard to.

And many times we don't want to make the move slower because this is the enabler of the modern organizations and the very sparse management and, and, and no identity, life cycle management governs tools and processes around it.

So now that I'm turning it aside and so let's look for the bad guys, right?

The Attackers, they say, OK, so there is no M fa which is very common and in U the lifespan is very long, we are seeing some that people are putting 50 years ahead that they will not need to rotate those keys.

The black is many times very big because by definition, when you want the machine to speak with a machine or to do a backup job or whatever, you're giving a high, so the blood value is very high, the unauthorized activities is very hard to detect because again, as when we have a traditional system of building the patterns of how human is utilizing.

So if you're in the US, it's less likely that you would connect to production systems at 2 AM Pacific time, and perhaps even less likely from an IP address in Russia. But what about machines that communicate continuously? It becomes much more difficult to identify deviations, such as suspicious or malicious activities.

A lot of supply chain attacks, which we will discuss later, like the Octa breach against the I CDC and the SolarWinds attack, show that non-human identities have become very attractive targets for attackers. These attackers exploit these identities to gain access to technological companies and then perform lateral movements to their entire customer base. Many of these identities remain undetected because they are hidden backdoors.

We also observed this in recent attacks on Microsoft’s cloud services. The landscape of attacks has clearly shifted, and non-human identities are increasingly being utilized as a key part of these attacks.

Let’s delve deeper into one such instance—the breach involving 38 terabytes of data accidentally exposed by the Microsoft AI research team. This was due to a SAS token, which we'll discuss in more detail shortly. SAS tokens can grant access to an Azure storage account, but in this case, the Microsoft AI research team mistakenly granted full access to the entire storage account. This led to the leak of over 38 terabytes of extremely sensitive data, including dumps of Microsoft employee data and their computers, which contained private keys, passwords, a lot of internal Microsoft team messages, and more.

The access was supposed to be limited to specific files using Azure's token features, which allow data sharing from Azure storage accounts. However, the configuration mistake shared the entire storage account, which included another 38 terabytes of data. Originally, the AI research team intended to share open-source data to train AI models, but the misconfiguration led to significant data exposure.

This incident underscores the challenges in managing non-human identities and ensuring that they are configured correctly. Tokens, a type of non-human identity used in Azure Cloud, exemplify this issue. Unlike human identities, which can be secured with multi-factor authentication—including something you know, something you have, and something you are—non-human identities often rely solely on something they know, like a secret or token.

When such a token or secret is compromised, attackers can use it without needing to bypass additional security measures like multi-factor authentication. Furthermore, it’s challenging to detect when such tokens expire, and many organizations don’t manage these tokens as diligently as they manage human credentials, which are typically changed every 60 to 90 days.

Additionally, there are issues on the user side concerning the generation and sharing of SAS tokens with third parties. There are often no logs of token creation, making it impossible to track who created a token and when. This lack of oversight allows for the unrestrained creation and use of tokens, posing a significant security risk.

Azure Cloud is not involved in this example, so I will not delve into the cryptographic details. However, I assure you that such operations are feasible.

At the end of this presentation, I will share my email and would be more than happy to discuss this in further depth.

A critical point to understand about third-party tokens is that they can be configured to never expire. This feature, while useful, can allow unintended access if mistakes occur, as was the case with Microsoft. In Microsoft's scenario, the tokens targeted their storage accounts. It’s currently impossible to enumerate all existing tokens or detect tokens that grant incorrect levels of access. This simplicity we see with managing human identities does not translate well to managing tokens.

Another example of a severe supply chain attack occurred in January 2023 involving the CCIC, a popular DevOps tool for continuous integration and delivery. The attack began with an engineer’s computer being compromised through malware. The attacker, named Manuel, stole session tokens stored on this computer. Because the engineer had privileges to generate production tokens, the attacker could escalate their access and exfiltrate data from customer environments. This breach exemplifies the severe implications of attacks that exploit non-human identities, like session tokens, in CI/CD processes.

I will also discuss two more incidents: the Octave Bridge and the Mercedes band. Starting with the Octave Bridge, this attack targeted the support platform of a company called Octa. Octa’s support system uses files known as HAR files, which customers can submit when requesting support. These files often contain access keys that grant Octa high-level permissions to assist the customer. Unfortunately, this access facilitated the attackers to steal credentials and create backdoors in customer environments.

Cloud FFL, a major customer of Octa, was promptly informed about the breach. They took significant measures by rotating about 5,000 non-human identities they believed were compromised. This task was challenging because errors in the rotation process could disrupt production environments. Despite their efforts, there were four overlooked non-human identities. One of these identities was crucial enough that attackers were able to infiltrate significant systems within Cloud FFL, such as their big data conference platform and Jira instances.

Another example of a third-party supply chain attack involves Octa. By exploiting non-human identities, attackers gained high-level access to sensitive data and intellectual property.

A similar incident occurred with Mercedes Benz. A developer accidentally exposed an access token on a public GitHub repository. Constantly scanning for such vulnerabilities, cybercriminals found and used this token to access enterprise servers, obtaining private source code and other intellectual property.

These incidents highlight a recurring issue: once attackers use one non-human identity to infiltrate a system, they can access other systems and identities, escalating their privileges almost undetected. This creates a cascade of unauthorized access across various platforms.

From our data analysis at large Fortune 500 companies, we found that about 10% of nearly 3,000 non-human identities were outdated or unused. Many exposed secrets were also linked to former employees, turning internal risks into external threats. Developers, who frequently handle various secrets for their tasks, may inadvertently retain access to these secrets even after leaving the company. Unfortunately, traditional identity access management tools lack mechanisms to effectively manage or track non-human identities across various platforms, from on-premises to cloud environments.

To address this, our company is pioneering a unique approach focused on the discovery and contextual management of non-human identities. We connect with major identity providers and secret managers, integrating data across on-premises and cloud applications. This integration helps us construct a detailed model of access and user actions. We prioritize managing non-human identity inventories, assessing risk levels, and ensuring routine secret rotations and deletions.

By enhancing visibility and control over non-human identities, we aim to provide a holistic view and robust security posture that traditional tools fail to offer. This approach ensures better lifecycle management of non-human identities, from provisioning to deprovisioning, fundamentally changing how organizations secure their digital environments.

We begin by focusing on visibility, ensuring you have a complete overview of all non-human identities within your organization. This includes a thorough classification and identification process.

Our initial phase involves what we call "clean meth" — addressing the most pressing security issues to significantly reduce your attack surface and the likelihood of breaches within the next 30 days.

As we progress, we shift towards "stopping the bleeding" by implementing preventative measures. This includes routine key rotations, which are as crucial for non-human identities as they are for human users. We ensure you can set automatic key rotation policies for intervals like 30, 60, or 90 days, which helps solve potential security gaps at their root.

Our platform automates the discovery and monitoring of non-human identities without the need for agent deployment. It provides clear visibility and contextual insights into each identity's privileges and risks, including potential over-privileges and connections to sensitive data.

We also offer posture violation alerts, providing concise descriptions of security issues, their severity, and detailed, actionable recommendations. These can be addressed manually or through automated actions aligned with your internal workflows.

The benefits of partnering with us extend beyond immediate fixes. With enhanced visibility, you'll not only understand your current non-human identity landscape but also gain organizational alignment on ownership and management policies. This proactive approach reduces your attack surface by prioritizing high-risk identities and vulnerabilities.

Over time, our aim is to shift from reactive to preventive security management, akin to preventive medicine: better to maintain ongoing health through regular checks and balances than to deal with emergencies as they arise.

I hope you found this presentation insightful. If you're interested in learning more or wish to provide feedback, feel free to contact me via email or connect on LinkedIn. Additionally, visit our website for a free risk assessment to see how our solutions can make a tangible difference in your organization's security posture. Our customer success team will guide you through the findings and recommend efficient risk mitigation strategies.

Thank you again, and I look forward to potentially assisting you in securing your digital environment.

More like this