Story 3: Catching the Red-Team Red-Handed

Danielle Guetta July 2, 2024

Join Astrix customers as they lead the non-human identity security frontier in this series “The Astrix stories: Real customer wins”. From building an automated process around NHI offboarding, to a collaboration between security and engineering to remove super-admin tokens in two hours – these real stories will help you understand what an NHI security strategy looks like for Astrix customers.

Chapter 1: The Red-Team Routine

It is very common in the security industry to hear of failed security audits and red-team exercises targeting “the weakest link”: reused passwords, system defaults, and unused yet highly permissioned service accounts. It is far less common to hear about defensive security efforts that stop these exercises in their tracks.

Today’s story is an example of the latter.

We’re all familiar with the Red Team. Granted minimal access, they are tasked with infiltrating the system and uncovering weaknesses along the way. This approach helps organizations identify and close gaps in their defenses.

As Non-Human Identity (NHI) attacks have become more prevalent, they have also become a favored vector for Red Teams (and real attackers). The increased frequency and sophistication of such attacks demand an equally sophisticated response.

A major e-commerce platform recently saw the efficacy of Astrix’s Threat Detection capabilities first-hand, during a Red-Team exercise that was stopped in its tracks.

Chapter 2: Astrix Spoiling the Red-Team’s Party

The company’s security team received a notification from Astrix that an internal Slack application had been flagged for suspicious behavior: a dormant bot token suddenly came online and began accessing Slack APIs it had never accessed before. Slack apps, notorious for their widespread use and access to sensitive data, became the unexpected entry point for this simulated attack.

But the security team was prepared. With Astrix in place, the SecOps team received all the critical information required to investigate and address the anomaly, promptly identifying the source IP behind the compromised Slack token and the dead giveaway of its misuse.

The swift response not only stopped the simulated attack but also underscored the importance of real-time threat detection in a dynamic and highly connected environment.
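The detection signal described above, a dormant bot token that wakes up and calls API methods it never used before, can be expressed as a simple baseline-and-deviation rule. The following is an added example written for this story, not Astrix’s own code: the events, token ids, IP addresses and method names are constructed, and the dormancy and burst-window thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Slack-style bot-token API access records
# (timestamp, token_id, api_method, source_ip); not real Astrix or Slack data.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "xoxb-bot-A", "chat.postMessage", "10.0.0.5"),
    ("2024-01-11T09:00:00", "xoxb-bot-A", "chat.postMessage", "10.0.0.5"),
    ("2024-01-12T09:00:00", "xoxb-bot-A", "conversations.list", "10.0.0.5"),
    ("2024-06-20T03:14:00", "xoxb-bot-A", "users.list", "203.0.113.7"),
    ("2024-06-20T03:15:00", "xoxb-bot-A", "files.list", "203.0.113.7"),
    ("2024-06-20T03:16:00", "xoxb-bot-A", "chat.postMessage", "203.0.113.7"),
    ("2024-06-19T10:00:00", "xoxb-bot-B", "chat.postMessage", "10.0.0.6"),
    ("2024-06-20T10:00:00", "xoxb-bot-B", "chat.postMessage", "10.0.0.6"),
]

DORMANCY = timedelta(days=30)       # assumed: silence longer than this marks a token dormant
BURST_WINDOW = timedelta(hours=24)  # assumed: calls this soon after waking belong to one incident


def find_dormant_token_anomalies(events, dormancy=DORMANCY, window=BURST_WINDOW):
    """Replay events in time order, learning which API methods and source IPs each
    token used before it went quiet. When a token is silent longer than `dormancy`
    and, within `window` of coming back, calls a method absent from that pre-dormancy
    baseline, emit one alert per new method with the source IP for triage."""
    state, alerts = {}, []
    for ts, token, method, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        s = state.setdefault(token, {"last": None, "woke": None, "methods": set(),
                                     "ips": set(), "base": None, "flagged": set()})
        if s["last"] is not None and when - s["last"] > dormancy:
            # Token reactivated: freeze its pre-dormancy behaviour as the baseline.
            s["woke"], s["flagged"] = when, set()
            s["base"] = (frozenset(s["methods"]), frozenset(s["ips"]), when - s["last"])
        if s["woke"] is not None and when - s["woke"] <= window:
            base_methods, base_ips, slept = s["base"]
            if method not in base_methods and method not in s["flagged"]:
                s["flagged"].add(method)
                alerts.append({"token": token, "time": ts, "method": method,
                               "source_ip": ip, "new_ip": ip not in base_ips,
                               "dormant_days": slept.days})
        s["last"] = when
        s["methods"].add(method)
        s["ips"].add(ip)
    return alerts


if __name__ == "__main__":
    for a in find_dormant_token_anomalies(SAMPLE_EVENTS):
        print(a)
```

On the sample data only bot-A fires, twice: `users.list` and `files.list` from a source IP never seen before, while its later `chat.postMessage` call is silently accepted because it was part of the token’s old baseline.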

Chapter 3: Real-World Results

The immediate alert and subsequent investigation led to an interesting revelation. Detection and response with the Astrix platform were so fast that the company had to cancel and reschedule the Red-Team exercise.

An executive from the company even stated, “Our reaction thanks to Astrix was so fast that we needed to …reschedule the [exercise]—so they could really check our internal vulnerabilities.”

Stay tuned for story 4…
