How Attackers Exploit Non-Human Identities
At the 1st NHI Security Conference, security experts Francis Odom and Michael Silva demonstrated how attackers exploit non-human identities (NHIs) to infiltrate environments, move laterally, and target sensitive data. In a live demo, they revealed real-world attack techniques, highlighting the risks NHIs pose when left unsecured.
Growing risks in the NHI landscape
Francis began by discussing the rapid growth of NHIs and the escalating threat landscape. He cited 13 recent attacks involving NHIs, from service account exploits to misuse of API tokens, noting that many such incidents go unreported. With some organizations having tens of thousands of NHIs, securing each is increasingly challenging, making inventory management and visibility essential.
Real-world NHI attack scenarios
- Credential discovery: Attackers can easily exploit misconfigurations and leaked tokens. In the demo, Michael used open-source tools to find an exposed AWS access key in a developer’s GitHub repository, gaining unauthorized entry into an AWS environment.
- Lateral movement and persistence: With initial access, attackers frequently pivot across environments. Michael demonstrated moving from AWS to Slack, locating sensitive data, and discovering additional tokens in Slack messages, which granted further permissions.
- Supply chain attack escalation: By exploiting these additional permissions, the attack escalated to a supply chain compromise. Michael accessed customer environments through interconnected NHIs, demonstrating how attackers can use one vulnerability to impact broader networks.
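The first scenario above starts with a credential that should never have reached a repository. The following is an added example written for this summary, not code from the conference demo or from any tool the speakers used: a small pre-commit style scanner that flags AWS access key IDs, AWS secret keys sitting next to a tell-tale variable name, and Slack bot/user tokens in staged text, redacts what it finds, and honours an explicit `# allowlist-secret` opt-out. The regexes follow the publicly documented prefix formats (`AKIA`/`ASIA`, `xox?-`); the secret-key pattern and the sample diff are constructed for the example and are assumptions, not values from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Credential formats that commonly leak into source control. The AWS access
# key ID prefix and the Slack token prefix are publicly documented formats;
# the secret-key rule is a heuristic that only fires when a 40-character
# value sits next to an "aws_secret_access_key"-style variable name.
PATTERNS = {
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "slack_token": re.compile(r"xox[abpr]-[0-9A-Za-z-]{10,}"),
}

# Reviewable opt-out for documented placeholder values (e.g. in test fixtures).
ALLOWLIST_MARKER = "# allowlist-secret"


@dataclass
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    redacted: str   # never log the full secret


def redact(secret: str) -> str:
    """Keep only the first and last four characters so a reviewer can locate the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-looking value in `text`, one Finding per match."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(kind, line_no, redact(secret)))
    return findings


def precommit_gate(text: str) -> bool:
    """True when the text is clean and the commit may proceed."""
    return not scan_text(text)


# Constructed sample of a staged diff. The AWS values are the placeholder
# credentials from AWS's own documentation; the Slack token is made up.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+SLACK_BOT_TOKEN=xoxb-0000000000-0000000000-CONSTRUCTEDSAMPLE
+region = us-east-1
+export TEST_KEY_ID=AKIAALLOWLISTEDTEST0  # allowlist-secret
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DIFF):
        print(f"line {finding.line_no}: {finding.kind} -> {finding.redacted}")
    print("commit allowed" if precommit_gate(SAMPLE_DIFF) else "commit blocked")
```

Wired into a pre-commit hook, `precommit_gate` blocks the commit before the key ever reaches a remote; the redaction keeps the hook's own output from becoming a second leak in CI logs.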
Lessons for defending against NHI-based threats
Francis and Michael emphasized the importance of inventorying and continuously monitoring NHIs. They recommended automating processes wherever possible to reduce the chances of human error, stressing that even a single misconfigured NHI can open paths to extensive breaches.
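To make the inventory-and-monitoring advice concrete, here is an added example that is not code from the speakers or from any vendor product: a minimal NHI inventory check that scores each identity against the failure modes the demo relied on (no accountable owner, never or rarely used, long-lived credential, wildcard permissions) and a small usage check that flags a token being used from a source it has never been seen from before. The record layout, thresholds and the four inventory entries are constructed for illustration and are assumptions, not data from the page.

```python
from __future__ import annotations

from dataclasses import dataclass, field

MAX_CREDENTIAL_AGE_DAYS = 90   # rotate anything issued longer ago than this (assumed policy)
STALE_AFTER_DAYS = 30          # no observed use for this long counts as dormant (assumed policy)


@dataclass
class NHI:
    name: str
    kind: str                          # e.g. "aws_access_key", "slack_bot_token", "service_account"
    owner: str | None                  # human or team accountable for the identity
    age_days: int                      # days since the credential was issued
    last_used_days: int | None         # days since last observed use; None means never used
    permissions: list[str] = field(default_factory=list)
    known_sources: set[str] = field(default_factory=set)  # where use has been observed before


def assess(nhi: NHI) -> list[str]:
    """Return the list of inventory issues for one identity (empty when it is healthy)."""
    issues: list[str] = []
    if not nhi.owner:
        issues.append("no accountable owner")
    if nhi.last_used_days is None:
        issues.append("never used: candidate for removal")
    elif nhi.last_used_days > STALE_AFTER_DAYS:
        issues.append(f"unused for {nhi.last_used_days} days")
    if nhi.age_days > MAX_CREDENTIAL_AGE_DAYS:
        issues.append(f"credential older than {MAX_CREDENTIAL_AGE_DAYS} days: rotate")
    if any(p.endswith("*") for p in nhi.permissions):
        issues.append("wildcard permissions: scope down")
    return issues


def triage(inventory: list[NHI]) -> list[tuple[str, list[str]]]:
    """Identities with at least one issue, worst first, for the review queue."""
    scored = [(nhi.name, assess(nhi)) for nhi in inventory]
    flagged = [(name, issues) for name, issues in scored if issues]
    return sorted(flagged, key=lambda item: len(item[1]), reverse=True)


def unexpected_use(nhi: NHI, source: str) -> bool:
    """True when a credential is used from a source it has never been observed from.

    In the demo the pivot from one system to another is exactly this kind of
    event: a token created for one service surfacing somewhere else.
    """
    return source not in nhi.known_sources


# Constructed inventory for the example.
INVENTORY = [
    NHI("ci-deploy-key", "aws_access_key", "platform-team", 120, 2,
        ["s3:PutObject", "ecs:UpdateService"], {"ci-runner"}),
    NHI("legacy-backup-key", "aws_access_key", None, 400, None, ["*:*"], set()),
    NHI("slack-notifier", "slack_bot_token", "devops", 30, 1,
        ["chat:write"], {"alerting-service"}),
    NHI("analytics-sa", "service_account", "data-team", 60, 45,
        ["bigquery.jobs.create"], {"etl-scheduler"}),
]

if __name__ == "__main__":
    for name, issues in triage(INVENTORY):
        print(f"{name}: {'; '.join(issues)}")
    print("unexpected use:", unexpected_use(INVENTORY[2], "unknown-host"))
```

The point of `triage` is that the dormant, ownerless, wildcard-scoped key sorts to the top of the queue automatically, which is the kind of human-error-prone review step the speakers recommend automating; `unexpected_use` is the simplest form of the continuous monitoring they describe, and a real deployment would feed it from the identity provider's or cloud platform's usage logs.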
Watch the session to get the full insights.