Non-human identity attacks on the supply chain: the new attack path

Itzik Alvas. Co-founder & CEO, Entro
April 15, 2024

When data flows like water across the connected cloud ecosystem, we can’t define security perimeters in terms of physical boundaries. We must consider the silent enablers of our online efficiency, entities that interact with our systems. While most organizations today have fortified their defenses around human user access with robust Identity and Access Management (IAM) policies, multi-factor authentication (MFA), and Single Sign-On (SSO) solutions, a critical vulnerability remains largely unaddressed: non-human identities.

These programmable credentials, ranging from API keys and cloud tokens to service accounts and secrets, are the backbone of modern automation and efficiency but are often the weakest link in the chain. Organizations, lulled into a false sense of security by strong human identity protections, are blindsided by the stark reality: non-human identities are the Achilles’ heel of their defense paradigm. 

This blog post dissects the anatomy of supply chain attacks through the lens of non-human identities, revealing the chinks in the armor and showing how exploiting non-human identity vulnerabilities has become a favored attack path for adversaries.

What is a supply chain attack?

Digital supply chain attacks represent a critical cybersecurity threat vector that targets the network of processes, people, and technologies involved in the production and distribution of software. These attacks are designed to infiltrate the supply chain at any point — from software development inception to CI/CD production deployment and ongoing maintenance. The goal is to inject malicious code, secure unauthorized access, or engage in espionage. 

Now, the crosshairs are set on non-human identities that facilitate the authentication of applications and automated tools that handle tasks like updating software or moving data around — stuff we don’t usually see. The software supply chain is particularly vulnerable here as it relies heavily on these entities for functions like code commits, build processes, and deployment automation. By exploiting vulnerabilities in the non-human identity attack path, adversaries can manipulate software updates or compromise development tools and infrastructure, paving the way for their malicious activities.

And the worst part? Because we don’t interact with them directly, there’s a high chance breaches go unnoticed, easily slipping under the radar. The pervasive presence of non-human identities in the software supply chain, coupled with their typically broad and ungoverned access, poses a significant risk. A single compromise can trigger a domino effect, potentially unleashing widespread disruption across an organization’s entire digital infrastructure.

The new wave of supply chain attacks and lessons learned

Here are some of the notable, recent non-human identity access attacks. We will discuss what caused these attacks, how sophisticated they were, and the sheer scale of the impact each had.

1. Okta breach (October 2023)

Unauthorized actors accessed Okta’s support case management system using a compromised service account, allowing them to view sensitive customer files.

Root cause: A service account with excessive permissions was not properly secured or monitored; its credentials were stolen from an Okta employee’s laptop, highlighting the risks associated with non-human identities.

Takeaway: Tightening control over service accounts, with stringent monitoring for abnormal access and behavior and the principle of least privilege applied, is essential to prevent similar breaches. Additionally, it’s critical that all non-human identities are stored in a vault and that all human access to them is monitored or prevented.
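The monitoring the takeaway calls for can be made concrete. The script below is an added example, not code from the original post or from Entro: it builds a small behavioral baseline for a service account from a constructed JSON-lines audit log (field names ts, actor, actor_type, src_ip, user_agent and action are assumptions), then flags events where the account shows up from outside the trusted network, with an interactive browser user agent, or performing an action it has never performed before. The trusted network range and the warm-up size are policy assumptions.

```python
"""Added example (not from the original post): flag anomalous use of a
service account from constructed audit-log lines.

Assumes a JSON-lines audit log with fields ts, actor, actor_type, src_ip,
user_agent and action. A baseline of how each service account normally
behaves is built from its first few events; deviations are reported.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log: a support-system service account normally used by a
# backend job from 10.0.0.0/8 with a scripted user agent, followed by two
# events that look like a person driving the same account from a browser.
SAMPLE_LOG = """\
{"ts":"2023-10-01T02:00:11Z","actor":"svc-support-sync","actor_type":"service","src_ip":"10.0.4.21","user_agent":"support-sync/1.4","action":"case.read"}
{"ts":"2023-10-01T02:05:13Z","actor":"svc-support-sync","actor_type":"service","src_ip":"10.0.4.22","user_agent":"support-sync/1.4","action":"case.read"}
{"ts":"2023-10-01T02:10:09Z","actor":"svc-support-sync","actor_type":"service","src_ip":"10.0.4.21","user_agent":"support-sync/1.4","action":"case.read"}
{"ts":"2023-10-02T14:41:55Z","actor":"svc-support-sync","actor_type":"service","src_ip":"203.0.113.77","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/118.0","action":"case.read"}
{"ts":"2023-10-02T14:42:30Z","actor":"svc-support-sync","actor_type":"service","src_ip":"203.0.113.77","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/118.0","action":"attachment.download"}
"""

# Policy assumptions for the example.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")


def parse_log(text):
    """Parse JSON-lines audit records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, warmup=3):
    """Record the actions and user agents seen in each service account's
    first `warmup` events; that is the account's expected behavior."""
    baseline = defaultdict(lambda: {"actions": set(), "agents": set()})
    counts = defaultdict(int)
    for ev in events:
        if ev["actor_type"] != "service":
            continue
        if counts[ev["actor"]] < warmup:
            baseline[ev["actor"]]["actions"].add(ev["action"])
            baseline[ev["actor"]]["agents"].add(ev["user_agent"])
            counts[ev["actor"]] += 1
    return baseline


def detect_anomalies(events, baseline):
    """Return one finding per service-account event that deviates from policy
    or from the learned baseline, with every reason it tripped."""
    findings = []
    for ev in events:
        if ev["actor_type"] != "service":
            continue
        reasons = []
        ip = ipaddress.ip_address(ev["src_ip"])
        if not any(ip in net for net in TRUSTED_NETWORKS):
            reasons.append("source outside trusted networks")
        if any(m in ev["user_agent"] for m in BROWSER_MARKERS):
            reasons.append("interactive browser user agent on a service account")
        known = baseline.get(ev["actor"])
        if known and ev["action"] not in known["actions"]:
            reasons.append(f"action {ev['action']} never seen in baseline")
        if reasons:
            findings.append({"ts": ev["ts"], "actor": ev["actor"], "reasons": reasons})
    return findings


def analyse(text):
    """Parse, baseline and detect in one call; returns the list of findings."""
    events = parse_log(text)
    return detect_anomalies(events, build_baseline(events))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"], f["actor"], "; ".join(f["reasons"]))
```

Run against the sample, the three warm-up events pass and both browser-driven events are reported; the second one also trips the new-action rule because attachment.download was never part of the baseline. In production the baseline would come from a longer history and the network list from the CI or application inventory, but the shape of the detection is the same.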

2. GitHub Dependabot incident (September 2023)

Attackers appropriated GitHub Personal Access Tokens and used them to make unauthorized changes to repositories, impersonating Dependabot.

Root cause: The theft of access tokens, which are a type of non-human identity. In other words, inadequate protection of non-human credentials.

Takeaway: Secure token management with robust encryption, regular rotation, scope limitation, and monitoring for abnormal access and behavior of access tokens is crucial to mitigate such threats.

3. Microsoft SAS key exposure (September 2023)

A Shared Access Signature (SAS) token mistakenly published by Microsoft researchers granted unrestricted access to a storage account, leading to a significant data leak.

Root cause: A misconfigured non-human identity, in this case, a SAS token, resulted in overly broad permissions being publicly exposed.

Takeaway: Proper configuration and strict management of access tokens are vital, ensuring they are only granted necessary permissions and are not inadvertently disclosed.
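Whether a SAS token is "only granted necessary permissions" can be checked mechanically from the token string itself, since the grant is encoded in its query parameters. The script below is an added example, not code from the original post, from Microsoft or from Entro: it parses the standard Azure Storage SAS parameters (sp for permissions, ss for services, srt for resource types, se for expiry, spr for protocol) and reports a token that carries write-class permissions, spans every service and resource level, allows plain HTTP, or lives longer than a chosen policy limit. The two tokens and their sig values are constructed; the seven-day limit and the fixed reference time are assumptions.

```python
"""Added example (not from the original post): audit an Azure Storage SAS
token string for over-broad scope before it is handed out or committed.

Assumes the token is the query-string portion of a SAS URL (sv, ss, srt, sp,
se, st, spr, sig). Sample tokens are constructed; sig values are dummies.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed tokens. The first resembles an account-level SAS with every
# permission on all services and resource types and a far-future expiry;
# the second is read/list only on blob objects for about one day.
OVERBROAD_SAS = ("https://example.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco"
                 "&sp=rwdlacupx&se=2051-10-06T07:09:59Z&st=2021-07-20T11:38:37Z"
                 "&spr=https&sig=PLACEHOLDER")
SCOPED_SAS = ("https://example.blob.core.windows.net/?sv=2020-08-04&ss=b&srt=o"
              "&sp=rl&se=2021-07-21T11:38:37Z&st=2021-07-20T11:38:37Z"
              "&spr=https&sig=PLACEHOLDER")

MAX_LIFETIME = timedelta(days=7)  # policy assumption: short-lived tokens only
# Fixed "now" so the example (and its checks) are reproducible; assumption.
REFERENCE_NOW = datetime(2021, 7, 20, 12, 0, tzinfo=timezone.utc)
READ_ONLY = {"r", "l"}  # read and list; everything else mutates or deletes


def parse_sas(url):
    """Return the SAS query parameters as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def audit_sas(url, now=None):
    """Return a list of policy findings for the token; empty means acceptable."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    findings = []

    mutating = set(p.get("sp", "")) - READ_ONLY
    if mutating:
        findings.append("mutating permissions granted: " + "".join(sorted(mutating)))

    # Account SAS only: srt=sco means service, container and object levels.
    if "srt" in p and set("sco") <= set(p["srt"]):
        findings.append("account SAS covers service, container and object levels")
    if "ss" in p and len(p["ss"]) > 1:
        findings.append("token spans multiple services: " + p["ss"])

    if "se" in p:
        expiry = datetime.strptime(p["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry - now > MAX_LIFETIME:
            findings.append(f"expiry {p['se']} exceeds {MAX_LIFETIME.days}-day policy")
    else:
        findings.append("no expiry (se) set")

    # If spr is absent Azure permits both protocols, so treat absence as http allowed.
    if "http" in p.get("spr", "https,http").split(","):
        findings.append("token usable over plain http")
    return findings


if __name__ == "__main__":
    for label, tok in (("overbroad", OVERBROAD_SAS), ("scoped", SCOPED_SAS)):
        print(label, audit_sas(tok, now=REFERENCE_NOW) or ["ok"])
```

The check is cheap enough to run as a pre-commit hook or in the pipeline that mints tokens; a SAS that fails it should be re-issued with a narrower sp, a single service and resource type, and an expiry measured in hours rather than decades.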

4. Slack GitHub repositories compromise (January 2023)

Slack’s GitHub repositories were accessed by threat actors using stolen employee tokens, leading to the download of private code repositories.

Root cause: Compromised employee tokens, which are non-human identities, demonstrate the risks when such identities are not sufficiently safeguarded.

Takeaway: Implementing additional security measures for non-human identities, such as advanced secrets detection platforms, is critical for defense. Those platforms make sure all tokens are monitored and their lifecycle is managed.

5. CircleCI engineering employee targeted (January 2023)

An engineering employee’s computer at CircleCI was infected with malware, resulting in the theft of session tokens and unauthorized system access.

Root cause: Malware targeting non-human identities, such as tokens.

Takeaway: A comprehensive non-human identity security strategy, one that includes full lifecycle management of non-human identities backed by a dedicated security platform, is necessary to defend against sophisticated non-human identity attacks.

6. Codecov supply chain attack (April 2021)

Codecov’s Bash Uploader script was compromised, affecting numerous clients by potentially exposing sensitive credentials and tokens used in their CI environments.

Root cause: The attackers exploited the Bash Uploader script, which had a hard-coded non-human identity, to exfiltrate data from the CI environments of Codecov’s clients.

Takeaway: Discovering and eliminating secrets and non-human identities from the locations where they are exposed is the first step toward achieving non-human identity security.
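The Dependabot, Slack and Codecov cases all come back to credentials sitting where they can be read: tokens in repositories, a hard-coded identity in a build script. The scanner below is an added example, not code from the original post, from Codecov or from Entro, of the "discover first" step: it reads a constructed uploader-style shell script and reports credentials it recognizes by shape (GitHub classic PATs, AWS access key IDs, Slack tokens) plus any assignment to a secret-looking variable whose value has high Shannon entropy. The matched values are fake strings built to have the right prefix and length (the AWS one is the placeholder key ID used in AWS documentation), and the entropy threshold is an assumption.

```python
"""Added example (not from the original post): scan a CI script for
hard-coded non-human identities before it is committed or executed.

Pattern names, the sample script and the threshold are constructed; matched
values are fakes with the right shape, not real keys.
"""
import math
import re
from collections import Counter

# Constructed sample: an uploader script with credentials baked in, one
# low-entropy placeholder and one correct use of an injected variable.
SAMPLE_SCRIPT = r'''#!/bin/bash
# upload the coverage report to the collection service (constructed sample)
set -e
REPORT="coverage.xml"
export GH_TOKEN="ghp_Ab3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5"
AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
UPLOAD_TOKEN="c7f3a9e1b2d4f6a8c0e2b4d6f8a0c2e4"
SLACK_TOKEN="xoxb-1234567890-abcdefghijklmnop"
DUMMY_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxx"
export CODECOV_TOKEN="${CODECOV_TOKEN}"
curl -s -H "Authorization: token $GH_TOKEN" -F "file=@$REPORT" https://collector.example/upload
'''

# Credential formats recognized by shape alone (prefix and length).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}
# Assignment of a literal to a variable whose name suggests a secret. A value
# starting with "$" (shell expansion) does not match the character class, so
# injecting the secret from the environment is not reported.
GENERIC = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\w*\s*[=:]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})"
)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep only the edges so a report never reproduces the whole secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "..."


def scan(text, entropy_threshold=3.0):
    """Return findings as dicts with line number, kind and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": lineno, "kind": kind, "value": redact(m.group(0))})
        for m in GENERIC.finditer(line):
            value = m.group(2)
            if value in seen:  # already reported by a specific pattern
                continue
            ent = shannon_entropy(value)
            if ent >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy_assignment",
                                 "value": redact(value), "entropy": round(ent, 2)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

On the sample the four embedded credentials are reported with their line numbers, the all-x placeholder is suppressed by the entropy gate, and the line that reads CODECOV_TOKEN from the environment produces nothing, which is the pattern a script like this should use instead of a literal. Wiring the same scan into a pre-commit hook or a pipeline stage is what turns discovery into elimination.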

7. Microsoft Office 365 OAuth phishing attack (September 2022)

In 2022, Microsoft issued a warning about a phishing campaign aimed at Office 365 customers. The attackers had sent emails designed to deceive recipients into granting OAuth permissions to a fraudulent app named ‘Upgrade’. Once permissions were granted, the attackers could then read and write emails, create inbox rules, access calendar items, and read contacts. 

Takeaway: Users must be cautious when granting app permissions and verify the legitimacy of requests. Organizations should educate their employees about such phishing tactics and implement security solutions that can detect and block suspicious non-human identity requests.

Addressing the non-human identity security gap

The oversight of non-human identities and their vulnerabilities has led to gaping holes in the cybersecurity infrastructure of organizations globally and has made the non-human identity attack path the new default.

IAM tools are half the answer

IAM tools like Active Directory and Okta have played a key role in securing human identities within organizations, enforcing policies like multi-factor authentication and least privilege access. However, their effectiveness wanes when applied to non-human identities. The automated processes and interactions driven by non-human entities often bypass the controls set for human users, exposing a critical vulnerability in the digital supply chain. This limitation underscores the necessity for specialized security solutions that can understand and manage the complexities of non-human identities, ensuring they are governed with the same rigor as human users.

Sprawling third-party non-human access

The unchecked proliferation of third-party non-human access points has also emerged as a growing concern for cybersecurity teams. These entities, often integrated to enhance functionality and efficiency, can subtly become conduits for data breaches if not properly managed. The challenge lies in effectively tracking and governing these non-human identities, as their operations and permissions can easily go unnoticed, leading to significant security oversights and vulnerabilities within the supply chain.

TPRM rules are just not keeping pace

Traditional Third-Party Risk Management (TPRM) rules are finding themselves outpaced by the dynamic nature of non-human identities and the continuous evolution of the digital supply chain. These programs, designed with human interactions in mind, lack the agility and specificity required to monitor and manage the risks associated with non-human entities.

Bridging the gap with Entro

Non-human identities are super important for keeping things running smoothly, but they often fly under the radar because we’re not keeping a close enough eye on them. Addressing this gap necessitates specialized security measures that can adeptly handle the unique challenges posed by non-human identities. By stepping up our game in how we handle non-human identities, we can make our cloud a lot safer from cyber threats that try to sneak in through the supply chain.

Entro’s non-human identity management platform emerges as a specialized solution tailored to safeguard non-human identities. It addresses the inherent vulnerabilities by providing a single pane of glass to help you govern your secrets and other non-human identities.

Entro enhances traditional security frameworks by offering comprehensive visibility into all non-human identities and secrets across various environments, enriching these secrets with critical metadata for governance, and ensuring continuous monitoring for any anomalies. By integrating seamlessly with existing vaults and collaboration platforms, Entro empowers organizations to enforce the principle of least privilege and mitigate risks through proactive misconfiguration alerts. This approach not only bridges the security gap left by conventional tools but also fortifies the supply chain against sophisticated threats, ensuring a robust defense for both human and non-human identities.
