New Trends in Cyber Security: The Rising Threat of Non-Human Access
As we navigate through 2023, numerous cyber attacks have highlighted a disturbing trend: non-human access is becoming a prevalent attack vector that poses significant security risks to organizations. Recent reports indicate that there have been "11 high-profile attacks in 13 months," underscoring the vulnerabilities associated with unmonitored access points, also referred to as non-user identities. These identities, which include API keys, tokens, service accounts, and secrets, represent an expansive and largely unregulated attack surface.
The growing prevalence of non-human access can be attributed to the ease with which cybercriminals exploit such vulnerabilities. Threat actors consistently seek pathways that allow for quick and unobstructed entry into systems, and the prevailing trend in 2023 shows a concerning reliance on non-user access credentials. A staggering statistic reveals that nearly half of the active access tokens connecting Salesforce to third-party applications remain unused, while in environments such as GitHub and Google Cloud Platform (GCP), this figure is around 33%. This lack of governance and oversight makes these credentials attractive targets for malicious actors.
Understanding how cybercriminals leverage these vulnerabilities requires an examination of the types of non-human access. Broadly, non-human access can be categorized into external and internal types. External access is prominently created by employee connections to third-party services: examples include APIs and service accounts that are frequently established without proper security governance. Unfortunately, the rise of bottom-up software adoption means many of these integrations occur without due diligence, often allowing unvetted applications to connect to critical business systems. Research indicates that 90% of the applications integrated with Google Workspace are not vetted by an official marketplace, a troubling statistic that shows how routinely security review is skipped.
In contrast, internal non-human access is facilitated through internal credentials known as "secrets." These credentials are routinely generated by research and development teams to connect various services and resources. The challenge is not only their creation: these secrets are often scattered across multiple secret managers, which makes them difficult for security teams to monitor effectively. Alarmingly, 74% of Personal Access Tokens in GitHub environments lack expiration dates, and 59% of webhooks exhibit misconfigurations, leaving them insecure and exposed and broadening the effective attack surface.
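The governance gaps described above (unused tokens, tokens without an expiration date, misconfigured webhooks) are exactly what an inventory audit should surface. The following is an added example, not code from the original article or from any vendor: it runs simple policy checks over a constructed inventory of non-human identities. The 90-day staleness window, the set of scopes treated as broad, and all names and hosts are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the audit is reproducible offline.
NOW = datetime(2023, 12, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # hypothetical policy: idle longer than this is flagged
BROAD_SCOPES = {"repo", "admin:org", "workflow"}  # hypothetical list of over-privileged scopes

def audit_token(tok, now=NOW):
    """Governance findings for one PAT / API key / service-account key (a dict)."""
    findings = []
    if tok.get("expires_at") is None:
        findings.append("no expiration date")
    elif tok["expires_at"] < now:
        findings.append("expired but not revoked")
    if tok.get("last_used_at") is None or now - tok["last_used_at"] > STALE_AFTER:
        findings.append("unused for over %d days" % STALE_AFTER.days)
    if BROAD_SCOPES & set(tok.get("scopes", ())):
        findings.append("broad scope")
    return findings

def audit_webhook(hook):
    """Misconfigurations that let a webhook be spoofed or intercepted."""
    findings = []
    if not hook["url"].startswith("https://"):
        findings.append("plaintext delivery URL")
    if not hook.get("secret"):
        findings.append("no signing secret, payloads cannot be authenticated")
    if not hook.get("verify_tls", True):
        findings.append("TLS certificate verification disabled")
    return findings

def audit_inventory(tokens, hooks, now=NOW):
    """Map each non-human identity that has findings to its list of findings."""
    report = {t["name"]: audit_token(t, now) for t in tokens}
    report.update({h["name"]: audit_webhook(h) for h in hooks})
    return {name: f for name, f in report.items() if f}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory: placeholder names and hosts, not real credentials.
TOKENS = [
    {"name": "ci-deploy-pat", "expires_at": None, "last_used_at": utc(2023, 6, 1), "scopes": ("repo", "workflow")},
    {"name": "salesforce-sync", "expires_at": utc(2024, 3, 1), "last_used_at": utc(2023, 11, 28), "scopes": ("read",)},
]
HOOKS = [
    {"name": "slack-notify", "url": "https://hooks.example.invalid/x", "secret": True, "verify_tls": True},
    {"name": "legacy-build", "url": "http://build.example.invalid/hook", "secret": False, "verify_tls": False},
]
```

Calling `audit_inventory(TOKENS, HOOKS)` on the sample data flags only `ci-deploy-pat` and `legacy-build`; in practice the inventory would be fed from the platform's token and webhook listings rather than hard-coded.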
The implications of these vulnerabilities have already manifested in significant breaches throughout the year. Notable incidents include the exploitation of a leaked service account by attackers at Okta, wherein sensitive customer support documents were accessed. Additionally, GitHub faced a breach when hackers seized Personal Access Tokens, facilitating unauthorized code commits under the guise of Dependabot. Microsoft’s accidental exposure of over 38TB of sensitive data due to a misconfigured SAS token exemplifies the dire yet preventable consequences of insufficient non-human access management.
The issue has been further exacerbated by the rapid adoption of Generative AI tools, which surged in popularity during 2023. With applications like ChatGPT achieving unprecedented download figures, the integration of these unvetted AI applications into core business systems poses new security risks. Research indicates that 32% of GenAI applications connected to Google Workspace environments operate with broad access permissions, raising alarms about unchecked access to sensitive data.
Given these increasing threats, security must evolve to become an enabler rather than a barrier to business efficiency and growth. Organizations that fail to secure non-human access could inadvertently invite supply chain attacks, data breaches, and compliance violations. Implementing comprehensive security policies and automated enforcement tools is now imperative for businesses aiming to protect against this expanding attack surface while continuing to harness the benefits of cloud adoption and automation.
To safeguard organizational assets effectively, it is crucial for business leaders to remain vigilant and proactive in managing non-human identity security. In MITRE ATT&CK terms, breaches of this kind are likely to involve the Initial Access, Credential Access, and Execution tactics. Understanding these tactics enables businesses to anticipate potential threats and fortify their defenses accordingly.
The cybersecurity landscape is continuously changing, and staying informed will be key to navigating the complexities of managing non-human access in a cloud-centric world.