The silent victims — how phishing targets non-human identities

Itzik Alvas
Co-founder & CEO

I remember when phishing was just about compromised passwords and stolen credit cards. Well, those days are long gone now. Attackers today are no longer content with just harvesting passwords; they’re now using compromised human credentials as a springboard to target something far more valuable: non-human identities, or NHIs.

The modern enterprise runs on non-human identities such as Personal Access Tokens (PATs), service accounts, and API keys: credentials that stay hidden but keep our systems communicating and our pipelines flowing. These credentials often hold elevated privileges and operate with minimal oversight, making them perfect targets for attackers looking to establish persistent access.

This attack pattern, first compromising a human user through traditional phishing and then pivoting to harvest NHIs, allows threat actors to move laterally through networks. They blend in with legitimate machine-to-machine traffic while evading detection, but the implications? Oh, they are profound. A single compromised PAT can potentially grant access to a sea of sensitive data and critical systems.

This blog will dive into how these attacks unfold, and more importantly, what you can do to improve your defenses. Let’s get on it.


What the modern identity ecosystem looks like

Non-human identities hold a key position in the digital workforce that powers modern IT infrastructure. But that hasn’t stopped them from becoming a security nightmare. Think about it — while we’ve gotten pretty good at protecting human users with MFA and SSO, NHIs can’t be secured through the same channels or security protocols. 

To understand this better, let’s take a look at the NHI ecosystem: 

Service accounts and PATs

Service accounts are the heavyweight non-human identities that keep your infrastructure running. They often hold domain admin privileges, access to critical databases, and permissions to run system-level operations. In container environments, service accounts are the primary means of authentication: each pod is assigned a service account, and those credentials can reach the Kubernetes API server, other services within the cluster, and often external resources through workload identity federation. An attacker who compromises them can potentially access every workload in the cluster.

Personal Access Tokens (PATs), meanwhile, are the bread and butter of development workflows — they authenticate to source control, CI/CD pipelines, and container registries. 

Both become prime targets after a phishing attack because they rarely trigger the same security alerts as human account activities.

API keys and OAuth tokens

API keys and OAuth tokens enable API-to-API communication, and they are particularly dangerous because of their persistence. API keys are static and long-lived, while OAuth tokens, despite their scope-based permissions, often have extended validity periods. To make these credentials more secure, we need a more intelligent approach: analyzing usage patterns, monitoring access behaviors, and implementing context-aware rotation to reduce the blast radius of a potential compromise.

CI/CD pipeline credentials

The most devastating breaches often start with compromised pipeline credentials. Why? Because these credentials reach across your entire infrastructure. From source code access to production deployments, from artifact publishing to cloud resource provisioning, a single compromised pipeline credential can unlock every door in your development chain. Think deployment tokens that can push to production, artifact repository credentials that can publish packages, and cloud provider keys that can spin up infrastructure. 

In my experience working with modern enterprises, I’ve found that the real challenge isn’t just counting these identities. It’s the operational patterns that I am more concerned about. They’re designed to work autonomously, often with minimal monitoring and extended lifespans. When an attacker compromises one, detecting them becomes significantly harder.

The attack chain

I want to walk you through my analysis of how attackers move from a successful phish to compromising NHIs. The process is methodical, calculated, and surprisingly quick — attackers can begin lateral movement almost immediately after initial compromise.

Initial access

The entry point is often deceptively simple: a phishing email targeting developers, system administrators, or other privileged users. Once credentials are harvested, the adversaries, instead of launching a ransomware attack, begin a careful reconnaissance phase, mapping out the network’s non-human identities and how they are interconnected.

Leveraging lateral movement

After establishing their foothold, attackers start moving laterally through the network using legitimate admin tools and stolen credentials. Common techniques include:

  • Pass-the-Hash attacks to leverage cached credentials
  • Token theft and manipulation
  • Service account exploitation
  • Remote service abuse

Privilege escalation

Here’s where it gets interesting. Attackers use compromised low-privilege credentials to gradually work their way up the privilege chain. They might capture hashes from system memory, particularly from help desk admins who’ve logged in recently. Each successful elevation provides access to more non-human identities and, consequently, more systems.

The NHI gold rush

The real target becomes clear: high-privilege non-human identities. Attackers specifically seek out:

  • Service account credentials with broad system access
  • Pipeline tokens with access to source code and deployment systems
  • API keys that can access critical services
  • OAuth tokens for cloud service access

The beauty of this attack (from an adversary’s perspective, of course) lies in its simplicity. By compromising these identities, attackers can maintain persistence while appearing as legitimate automated traffic. This makes detection particularly challenging — after all, how do you distinguish a compromised service account from a legitimate one when both are performing expected operations?

Impact analysis: when non-human identities go rogue

Let’s talk about the fallout when those NHIs we’ve been discussing decide to misbehave. Spoiler alert: it’s not pretty.

Business implications

First off, the financial hit. We’re not talking pocket change here. Data breach costs reached unprecedented heights in 2024, with organizations facing an average financial impact of $4.88 million per incident, marking a 10% jump from 2023’s figures. What’s more concerning is that 40% of these breaches involved data stored across multiple environments, with breaches in public clouds incurring costs as high as $5.17 million.

But it’s not just about the money. When non-human identities are compromised, the operational disruptions can be severe. Imagine your CI/CD pipeline grinding to a halt because a compromised token decided to play havoc with your build processes. Or your cloud services suddenly becoming inaccessible because an API key decided to take an unscheduled vacation. The Identity Defined Security Alliance’s latest research paints a grim picture: business disruptions from identity breaches surged to 84% of affected organizations in 2024, up sharply from 68% the previous year. The most common impact, cited by 52% of respondents, was significant distraction from core business.

And let’s not forget about compliance. In a world where GDPR, CCPA, and an alphabet soup of other regulations reign supreme, a breach involving non-human identities can lead to hefty fines and a regulatory nightmare.

Technical consequences

On the technical front, the consequences of compromised NHIs are severe and multifaceted. System compromise is merely the beginning. Once attackers gain a foothold, they can move laterally through your network with alarming ease, exploiting interconnected systems and services. This lateral movement allows them to access and exfiltrate sensitive data, often remaining undetected for extended periods.

Real-world impact

Let’s look at some real-world examples to drive this home:

  • Internet Archive in 2024: Attackers leveraged stale access tokens in their Zendesk platform, compromising over 800,000 support tickets with data stretching back to 2018.
  • Schneider Electric in 2024: Hackers exploited exposed non-human identity credentials in the development environment, making off with 40GB of data, including 400,000 records with names, emails, and critical project details.
  • The New York Times in 2024: An over-privileged GitHub token was exploited, giving attackers access to all of the Times’ source code repositories.

While each breach had its unique entry point — from support platform tokens to development credentials to GitHub access — they all underscore a critical reality: the security of your digital assets is only as strong as your credential management strategy.

Defense strategies

Let’s face it — managing non-human identities isn’t exactly a walk in the park. While comprehensive identity lifecycle management forms the foundation of securing these digital entities, there are specific strategies that can significantly reduce the risk of lateral movement through compromised NHIs.

Context-based automated secrets rotation

First up is intelligent secrets rotation. Gone are the days of static rotation schedules that either rotate too frequently (causing operational disruptions) or too rarely (leaving you vulnerable). Modern rotation needs to be smart and adapt to usage patterns, risk levels, and suspicious activities. When a service account shows unusual behavior or a PAT is used from an unexpected location, automatic rotation should kick in before attackers can exploit these credentials.

Zero trust architecture for machine identities

Contemporary security demands zero trust for every identity type. This means implementing temporary, purpose-specific access controls for both human and non-human identities. Every machine-to-machine interaction is continuously verified, ensuring that compromised credentials can’t be used for extended periods. 

Real-time behavioral monitoring and threat detection

This is where things get interesting. Modern systems need to understand what “normal” looks like for each non-human identity. Is that CI/CD pipeline token usually active at 3 AM? Does that service account typically access production databases? 

By analyzing usage patterns and detecting anomalies in service-to-service communication, we can spot potential compromises early. But it’s not just about detection now, is it? The system needs to be smart enough to distinguish between genuine threats and false alarms, ensuring your security team isn’t chasing shadows.
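As an added example (not code from this post or from Entro), here is a minimal version of the baseline-and-deviation logic described in this section and in the rotation section above, run over constructed sample events: it learns each identity's usual hours, source networks and resources, then decides whether a new event is normal, worth an alert, or worth an automatic rotation. The identity names, networks, resources and the "two signals trigger rotation" threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp, identity, source network, resource):
# BASELINE_EVENTS is the learning window, NEW_EVENTS is what we triage.
BASELINE_EVENTS = [
    ("2024-05-01T09:15:00", "ci-deploy-token", "10.20.0.0/16", "registry.internal"),
    ("2024-05-01T10:40:00", "ci-deploy-token", "10.20.0.0/16", "registry.internal"),
    ("2024-05-02T11:05:00", "ci-deploy-token", "10.20.0.0/16", "k8s-api"),
    ("2024-05-01T02:00:00", "nightly-backup-sa", "10.30.0.0/16", "prod-db"),
    ("2024-05-02T02:00:00", "nightly-backup-sa", "10.30.0.0/16", "prod-db"),
]
NEW_EVENTS = [
    ("2024-05-03T03:10:00", "ci-deploy-token", "203.0.113.0/24", "prod-db"),  # 3 AM, new net, new target
    ("2024-05-03T02:00:00", "nightly-backup-sa", "10.30.0.0/16", "prod-db"),  # the usual 2 AM backup
    ("2024-05-03T10:25:00", "ci-deploy-token", "10.20.0.0/16", "prod-db"),  # only the resource is new
]

def build_baseline(events):
    """Per identity, record the hours of day, source networks and resources seen."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set(), "resources": set()})
    for ts, ident, source, resource in events:
        b = baseline[ident]
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["sources"].add(source)
        b["resources"].add(resource)
    return baseline

def score_event(baseline, event):
    """List the ways an event departs from its identity's baseline."""
    ts, ident, source, resource = event
    if ident not in baseline:
        return ["unknown-identity"]  # never seen in the inventory: a visibility gap
    b = baseline[ident]
    findings = []
    if datetime.fromisoformat(ts).hour not in b["hours"]:
        findings.append("off-hours")
    if source not in b["sources"]:
        findings.append("new-source")
    if resource not in b["resources"]:
        findings.append("new-resource")
    return findings

def decide(findings):
    """Rotate only when signals stack up; a single new resource is just an alert."""
    if not findings:
        return "ok"
    if "unknown-identity" in findings or len(findings) >= 2:
        return "rotate-and-alert"
    return "alert"
```

Run `decide(score_event(build_baseline(BASELINE_EVENTS), e))` over `NEW_EVENTS` to see the three outcomes: the 3 AM event from a new network trips three signals and is rotated, the backup is normal, and the lone new resource is surfaced to an analyst without disrupting the pipeline.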

Comprehensive secrets visibility

You can’t protect what you can’t see. So, what you need is a centralized view of all the non-human identities — a single pane of glass showing you every PAT, service account, and API key in your environment. But don’t just list them out. You need to know who owns each identity, what permissions it has, and most importantly, its current risk level. This visibility will go a long way in helping you spot potential security gaps before attackers can exploit them.

Parting thoughts

The bottom line? From where I stand, the earth has moved from under our feet and our traditional idea of identity security no longer exists. As attackers increasingly target non-human identities through compromised human credentials, traditional security measures fall short. Organizations need a new approach that combines comprehensive visibility, intelligent rotation, and real-time monitoring of these critical digital assets.

Entro offers exactly that — providing automated lifecycle management and seamless integration to protect your non-human identities. Our context-based approach has helped organizations discover 80% more NHIs and detect 24x more types of non-human identities than traditional solutions.
Don’t wait for a breach to finally open your eyes. Click here to see Entro in action.
