Securing Non-Human Identities: Insights from Recent Breaches

Securing Non-Human Identities: Insights from Recent Breaches

Publish on


Yonit Glozshtein:

Thank you, Tom, for the kind intro. Hello, everyone. Thank you for joining us today. I'm very excited, very happy to co-host this webinar with Jeff.

Jeff Farinich:

I'm really glad to be as well. Looking forward to talk about non-human identities on my experience.

Yonit Glozshtein:

Awesome. So what we're going to cover today is first of all, what are non-human identities and what makes them so unique and appealing for attackers to exploit. We'll talk about a couple examples of attacks involving non-human identities and the impact on the business, and then close with some recommendations and actions you should take to proactively fortify your posture.

Cool. So when we think about identities, we, first of all, think about the basic username and password that are created for you when we're joining an organization and all the tools that you have to manage those, right? So they are created for you in HR systems or a centralized identity provider. And then you have these governance processes to manage the identity. When you leave the organization or move to a new role, you have access guardrails, enforcing MFA/SSO and once in a while you have to reset your password. And then you have the access management for all of your applications, databases, everything that your user needs to access to.

When you think about the space and at places where we started exploring it, we realized that that's not the whole story. And the landscape kind of changed. When you think about most companies, you think about how they are in the middle of this cloud transformation. They're developing their own digital services for their customers like web services, for example, or applications that they have. And they want to make the business run super fast. They want to automate everything that they can. They are relying on third-party applications, adopt AI.

All of these essentially result in applications and services needing to somehow communicate one with another. Guess what? They're doing this with identities as well. These are the non-human identities. And if we explore the average environment of our customers, we see that they have 50 times, even sometimes more of these identities in their environment. And here's just example of there are different kinds and different authentication methods, which is another point because when you think about user, like human user, you have the password and that's it.

But in our space, it's not like you have a standard authentication method, you have access tokens, APITs, certificates. It's kind of all over the place. And if we think about the differences, trying to summarize it, so non-human entities, they are created everywhere. You don't have just one HR system or identity provider to create them in one place. You don't have a process for it. They're created by multiple stakeholders. It could be a cloud team, the IT team, developers, DevOps, even business owners that are responsible for their own, let's say Salesforce, they can create service accounts in their application.

So they're decentralized, democratized, and this makes them grow fast. You don't have any process to manage these assets in a proper way. So you don't have the context. You don't know who created them, who should be the owner, the official owner of these identities. You don't know. You don't have the visibility of who is using them or what to access which data. And essentially to summarize it, results in lack of management capabilities. And this is why, part of the reason why attackers really like to leverage these. First of all, they don't have MFA. It's not a thing.

You don't have another authentication factor or a piece of code, right? It's just the secret or the token that it has. When you think about how important these applications for the business, in most cases you think about two main exploitable vulnerabilities let's say that because of operational complexity, you don't want to manage the privileges for these applications all the time. So you usually give them over permissive access. You don't know how the application will use what operations this application will have to do in the future, so you just give it all it needs.

You usually don't want it to break, so you don't really give it an expiration date just in case. And because you don't have any processes to create them, and as we mentioned, they're created by anyone basically when there's a new service account created in your environment, it's undetectable. It's not abnormal for a new account to be created. So it's really hard to detect when something like that happens in your environment.

And the last piece is supply chain attacks, which makes them even more appealing to threat actors is the fact that if you think about how third parties need to authenticate with organizations, they usually do it with non-human identities, which makes them great surface for supply chain attacks. So this is exactly what we see that happens. These are several examples from the news, just the recent ones. And you only need just one. You only need just one non-human identity to get you breached.

So let's dive into a couple of specific examples and demonstrate exactly how attackers used these non-human identities in the breach. Let's start with CloudFlare. It was all over the news in the last couple of months. But to understand Cloudflare's attack, you need to go a few steps back. You need to start with Okta's breach where threat actors actually leveraged and hack the Okta's support system and they got their hands on our files that Okta's customers shared with their support team.

These files included access tokens, which then the attackers used to gain access to Okta's customers systems as we see in Cloudflare's use case. So Okta obviously notified all their customers that were impacted by this attack that they should rotate the credentials. But for some reason we see that CloudFlare failed to rotate or whether it was because of operational reasons or by mistake. But this was enough for the attackers to hack their systems and access their Atlassian server, getting access to JIRA Confluence and source code and BitBucket.

So after this happened, it then took over a week to CloudFlare to detect they had to rotate over 5,000 credentials. And if you had to do it even one time for one account, you can imagine that this task is so long, it's so tough. You have to involve so many teams and you always have the risk that something might break. So imagine doing this for 5,000.

Jeff Farinich:

So this breach, Mercedes-Benz is very interesting because once again it was based on non-human identities. It had to do with GitHub and a little background here. It was caused by one developer. So we need to take at the size of Mercedes-Benz, they probably have over a thousand developers, even larger given the size organization. Just a massive environment. And this exposure was actually publicly assessable since late September. So nearly four months and included source code designs, security keys, including Azure and ABS full access to enterprise GitHub server.

So I mean, what does that mean? We truly don't know the impact. Anytime when they got a breach, I tried to understand what was a true impact to the business. Was it intellectual property? Was it PI? Was it [inaudible 00:09:35] downtime? So this is another example. We still don't know the true impact on Mercedes-Benz. Very interesting.

As we're getting NHI, you need to understand what kind of risk are we seeing out there? So these numbers are based on a wide range of Oasis customers and based up 1,009 non-human identities. So overall we're seeing around 67 still privileged unrotated service principals and accounts. For unrotated secrets, 93 still storage accounts and 47 secret accounts that have like a spam beyond 50 years and then 179 vaults with the unused access policies. So overall, I mean this is quite a large attack service for the average customer, and I know in my environment I had many more times than a thousand human identities. So this one here is definitely extrapolated even higher.

So what's the problem of non-human identities. So the problem is really a lot of tools today do not provide visibility on NHI. So without the visibility, you really don't know all of the problem and you can't remediate it. Another issue is all the different themes that have access to these environments cloud including on premise, which caused a decentralized ownership of non-human identities. So this really increases the risk of breaches and makes taking action challenging.

So we recommend for proactive approach is one, we realize this is the problem and you have to do a full discovery environment to know the size of the problem. And from there you develop a plan for action that includes mitigation. And the best way to start is really low hanging fruit. What are the ones that are no longer in use that you could easily get rid of? And then from there figure out what's the best way to tackle the rest, which may require more involvement from various developers, IT teams and application owners.

As to look at the problem with cyber crime, it's not going away. It seems like every day there's a new breach on the news. We're going back to about eight years ago, the industry cost and damage was about $3 trillion and it was mainly around malware, ransomware, or state-sponsored attacks, cyber criminals and supply chain. And as we move up in the later years, so 2019 to 2021, we're seeing around $8 trillion in costs. State-sponsored attacks are getting more common, cyber criminals are getting more complex organized and starting to monetize themselves.

Supply chain attacks are getting larger. Ransomware has really been monetized now and then moving on to today and the next couple of years, it's estimated the cost will be over $10 trillion and we're going to see continued threats from state sponsored attacks. Cyber criminals are getting more sophisticated. Supply chain attacks are not going away. Become a bigger risk. A great example is look at United Healthcare. It's really paralyzing the healthcare industry today in America. We're going to see more attacks on political structure and that should be quite devastating to the economy as well as impact of the populations.

When I think of breach is given the environment I'm in, being the financial services, there's a lot of PI. So what's the true cost of a breach? I mean it's more than just regulatory fines, it's you have to deal with the attorneys that are getting involved. Class action lawsuits. In any cases, attorney generals represent the states will come in and enforce actions on you. The cost of investigation and response for consumers, you have to post credit monitoring.

Past sexual lawsuits in many cases more than one. And all the cybersecurity controls that you should have done in the first place, you now have to do at a short timeline. So those are the most common and that's considered above the water costs. But what about the costs we don't always think about? That's seen all the impact of the business. That's increase in cyber insurance, loss revenue, devaluation of brand, and we've seen some breaches last few months for the brand take a big hit and including the stock price loss, integral property, or PII. Increase in audits. In order to handle all this incoming work, you have to create the size of your staff. And lastly of course, loss of customers. So in many cases we truly have a hard time to understand the cost of breach. That's much larger than first estimated.

Another challenge is cloud attacks are happening faster and faster because the attacks are getting automated. The attacker is no... The cloud environments, they know Azure, AWS. They're getting a little SaaS. So they're able to move very fast in the attacks.

The complexity. The cloud is very complex. There's lots of configurations you need to know and make if there's lots of teams involved in management of cloud and that just leaves more room for error. And lastly, we're seeing attacks now being as fast as 10 minutes to cause impact to organization. So a lot of times the dwell time could be weeks, months before you know, but once they're in the attacks are fast.

So my experience coming from a financial company, there's been four major breaches the last five months and this is unprecedented. And each of these had several days of downtime that not only impact the mortgage company themselves, but also their supply chain customers. Millions of consumers were breached. There's multiple class actual lawsuits and the attack targets go from the help desk to the cloud to even 9 million identities.

So I think in the past, I can speak for myself, 9 million identities really weren't an area that we were focusing on because we didn't really know much about it. Of course, my programs are very strong on human identities, but I generally know how large a problem was until I actually ran a tool like Oasis and I got inventory environment. I realized, wow, this is a much bigger problem than I thought. Even my team was surprised.

So I always maintained a very strong posture, especially in cloud. But this is a gap my tools just weren't providing previously. So I quickly did a POB and then I realized the non-human identity values and quantities were at many times more than 4X my human identity environment. So what I did is I basically created this as an action plan to the board. I created a new budget item. I educated the board what an identity is. I used some of the recent attacks that we just talked about as examples. I shared our client non-human identities that we had in place. And I emphasize it only takes one employee to cause a non-human identity breach. I'm glad to say last few months we've been quickly reading as many findings as possible in our environment to really secure this attack surface.

Yonit Glozshtein:

Okay. So to talk about how we think about the solution. Basically to add to Jeff's point, we understood that this is because the landscape has changed and because the challenge is so different, so unique, we had to have a different approach. So we understood that because this is decentralized, this whole world, we need to first be able to integrate with all the non-human identity sources and then start with inventory and context which is a crucial part and really lacking in non-human identities. And then on top of that, we can add a layer of posture and lifecycle management.

All of these components are crucial for the non-human identity strategy. So how it looks like. So first of all, for inventory, as I mentioned, there are so many sources for non-human identities. They're all over the place. You have identity providers and cloud providers. You have secret managers on-prem, SaaS applications, RPAs, so many different tools. And to be able to start even evaluating the problem, you need to be able to integrate and all of these non-human identities into one place. There's another layer of classification because it's not really obvious which identities are non-human. Sometimes we see that human identities are leveraged as non-human to serve other services and this connection between applications and processes. And so classification is a really important component as well.

Next is context, right? So you have the inventory. You have all of your non-human identities, but then you want to start evaluating who is using them to access what, when they were last used, which privileges are tied to these identities, which operations they can take on your resources and who should own them. These are the basic questions that were human identities or even other assets that you have in your organization you should be able to answer.

But because this area was neglected for so long, we figured that this should be one of our core pillars, right? So when we tell the story of the identity, when you click on one and you look at the identity itself, it's in the middle. And then we show the authentication side. Who is accessing it? Which applications, which processes are using this identity to authenticate and access resources in your cloud, for example.

The left side, the authentication side is super crucial because it not only gives you the full context, the full picture of the identity, but it also allows you to operate. If we talked about before the reasons why so many of them are out there alive for so long with no expiration date is because developers don't want to break anything, right? They don't want to risk the fact that there will be friction and something will be undetected using this identity to authenticate and will be broken if you rotate for example, or if you even delete it.

So the left side in the graph of the applications that are using this identity is super crucial to take any action and remediate. And then the third layer is the posture and the insights that we can tell based on the context and all the data that we collect. We can say, "Hey, these identities were not rotated for a while. These identities are exposed externally and they have massive privileges in your environment. These identities were exposed to employees that you just offboarded."

We all face massive layoffs in the last year and you know how you offboard an employee but you don't have a clue of which identity they had access to. So having the analysis of all the risks that are part of the identity and getting a remediation plan manual or automated is the third and really crucial part of how we see the solution should look like.

So the fourth part is lifecycle management. In Oasis philosophy, when we think about the perfect solution, we think about three components. One is visibility, the second one is cleaning the mess. Because you have so many identities, we want to help you prioritize the mess. So we have all the inside, the posture violations and we help you clean and remediate it. And the third one is what we call stop the bleeding. So from the moment that you're remediating the identity or even before it has any issue, being able to assign owners, assign vaults and rotate periodically, this identity should keep you safe, should help you prevent future breach.

Jeff Farinich:

What I recommend is we really got to start with getting visibility in your environment. So with Oasis, it's really easy to get instant value. A lot of tools you may want to evaluate in your environment, have a long ramp up time for proof of value, for testing. I have to say with Oasis it's really quick to get visibility really within 20 minutes, which you add your subscriptions, your cloud environments. It scans. It comes back with a discovery. It classifies the type of non-identities, the types of risk, the level risk. And from there you could take that nice report. You could share with your peers. I'm pretty sure at that point I know I did. I had an aha moment. It's like "Wow, this is a problem. I didn't realize it was quite so large and I need a plan in place to remediate it."

So what I learned is NHI risk is real. It was previously ignored and it's being exploited. And you really need to be proactive. I don't like the odds. One in 10,000 plus is the risk. It just takes one in 10,000 plus of non-human identities to cost a breach as well as having just one employee exposing that NHI. Really easy part of your overall strategy was part of your identity program or your cloud program. You need this visibility. You need to understand the posture risk.

Automation is really key. So it's hard to automate in this environment if you don't really have a tool in place to help with the rotation and remediation. It's really important to be able to assign the business owners a label for the NHI actually belongs to. You really want to have it dialed into one application. It's important to right-size. I know for myself, I literally found several a hundred NHI we're no longer relevant. It's very important to rotate on a rotary basis like any kind of secret or key. And then of course minimize the attack surface by just deleting NHI that's only required.

Yonit Glozshtein:

All right. So thank you all for joining and if you want to learn more about Oasis, you can please feel free to send me a note. And if you want to learn more about the free risk assessment that Jeff just mentioned, you have all it here. Thank you all for joining.

Jeff Farinich:

Thank you.

More like this