The Ultimate Guide to Non-Human Identities Report

NHI Workshop – How Attackers Compromise NHIs

Introduction to Panel and Session Overview

The session features Vincenzo Iozzo and Michael Silva discussing how attackers compromise NHIs, with a live demo to illustrate attack techniques and defense mechanisms. The goal is to provide insights into the ease of breaching organizational security and how to mitigate such risks.

Speaker Backgrounds and Focus

  • Vincenzo Iozzo – CEO at SlashID, specializes in posture management and active threat detection for both human and non-human identities.
  • Michael Silva – Director Solution Engineering at Astrix Security, with 20 years of experience in offensive and defensive security, focuses on threat actor behavior, emphasizing real-world attack techniques rather than management strategies.

Evolution of Identity Attacks

  • Since 2019, the prevalence of identity-based attacks has increased significantly.
  • In 2019, about 40% of attacks involved direct, hands-on keyboard methods without malware.
  • Currently, this figure has risen to between 75% and 83%, indicating a shift towards attacks that rely on stolen credentials and lateral movement.
  • Attackers increasingly avoid traditional breaches, favoring credential theft and reuse to access systems.

Key Statistics on Breaches and Credential Leaks

  • Approximately 31% of all breaches involve credential storage, based on Verizon data spanning 10 years.
  • Recent reports from CrowdStrike indicate a six-fold increase in credential stuffing attacks.
  • 66% of AWS breaches involve leaked or valid credentials, making credential compromise the primary attack vector.

Typical Attack Lifecycle

  • Initial breach often occurs via phishing or credential leaks, which can involve human or organizational credentials.
  • Attackers then use identity-based techniques to move laterally within the network, often harvesting tokens or credentials.
  • The attacker’s goal may be persistence or executing ransomware campaigns.

Common Attack Vectors

  1. Phishing – Evolved with AI-generated deepfakes and convincing campaigns, including sophisticated OAuth flows and MFA fatigue tactics.
  2. Credential Leaks – More advanced than simple API key leaks, involving private keys stolen from sources like crash dumps (e.g., Microsoft breach in 2023). Attackers forge valid tokens to move laterally.
  3. Supply Chain Attacks – Compromising third-party packages (e.g., NPM) to harvest credentials and infiltrate production environments.

Post-Compromise Techniques

Once inside, attackers typically:

  • Register secondary MFA factors to maintain persistence.
  • Create fake identity providers for impersonation.
  • Use token forging techniques such as Kerberos token hijacking.

Detection and Response Challenges

  • The average time from initial compromise to breach is about 62 minutes.
  • Breaches often go undetected for approximately 10 days.
  • Over half (54%) of breaches are not detected internally, especially in identity-based attacks, which tend to have longer dwell times.
  • High-profile breaches, like Cloudflare, are exceptions where internal detection occurs.

Why Are Identity Attacks Increasing?

Endpoint protections have improved, making identity attacks more attractive.
Core issues with identity security include:

  • Stateless tokens – Once stolen, tokens can be used freely without device binding.
  • Complex authentication protocols – Protocols like OAuth have corner cases that can be exploited.
  • Over-permissioned identities – Large privilege sets (e.g., 15,000 entitlements in AWS) make privilege escalation easier.

Security Challenges and Recommendations

  • Full coverage of human and non-human identities is crucial, as attackers often move between these.
  • Existing identity providers often generate partial logs; comprehensive logging is necessary.
  • MFA and FIDO2 have improved security but are insufficient alone; additional detection (ITDR) is needed.
  • Moving towards device-bound tokens can reduce the attack surface.
  • Regularly and automatically resizing permissions helps prevent privilege escalation.

Future Outlook and Final Notes

  • The speaker hints at future predictions but emphasizes the importance of ongoing vigilance.
  • Encourages continued discussion and awareness of evolving attack techniques.
  • The session concludes with an invitation for further engagement and questions.