Identities – INDIA NEWS (https://www.indiavpn.org)

The Art of Safeguarding Non-Human Identities
https://www.indiavpn.org/2024/03/28/the-art-of-safeguarding-non-human-identities/
Thu, 28 Mar 2024 12:08:06 +0000

Mar 28, 2024 | The Hacker News | Secrets Management / Zero Trust

In the whirlwind of modern software development, teams race against time, constantly pushing the boundaries of innovation and efficiency. This relentless pace is fueled by an evolving tech landscape, where SaaS domination, the proliferation of microservices, and the ubiquity of CI/CD pipelines are not just trends but the new norm.

Amidst this backdrop, a critical aspect subtly weaves into the narrative — the handling of non-human identities. The need to manage API keys, passwords, and other sensitive data becomes more than a checklist item yet is often overshadowed by the sprint toward quicker releases and cutting-edge features. The challenge is clear: How do software teams maintain the sanctity of secrets without slowing down their stride?

Challenges in the development stage of non-human identities

The pressure to deliver rapidly in organizations today can lead developers to take shortcuts that compromise security. Secrets are the credentials used by non-human identities. Shortcuts such as hard-coding secrets or reusing them across environments are well known; they may expedite the work, but they open up significant vulnerabilities. Let’s discuss these challenges and vulnerabilities further:

  • Hard-coded secrets: Embedding secrets directly into source code is a prevalent yet risky practice. It not only makes secrets easily accessible in the event of a code leak but also creates a real challenge to keep track of that secret and complicates the process of secret rotation and management. When secrets are hard-coded, updating them becomes a cumbersome task, often overlooked in the rush of development.
  • Scalability challenges: As systems grow, so does the complexity of managing secrets securely. Large-scale infrastructures and cloud-native environments exacerbate the difficulty of tracking and securing an increasing number of secrets spread across various systems and platforms.
  • Compliance and auditing difficulties: Ensuring compliance with various regulations becomes arduous in the face of sprawling secrets. In dynamic development environments, keeping a vigilant eye on how secrets are used and preventing misuse is essential but can be challenging.
  • Integration with IAM systems: Any robust secrets management system ideally integrates effortlessly with IAM systems to enhance security and streamline processes. However, aligning these systems to work cohesively often presents a significant challenge.

Why is securing non-human identities neglected during software development?

In the world of software development, the relentless drive for speed frequently overshadows the equally crucial aspect of security, particularly in handling sensitive information. This disregard stems from the prevailing mindset governing the development process, where priorities lie in introducing new features, resolving bugs, and meeting tight product launch deadlines. The process for onboarding and offboarding developers is becoming increasingly shorter as well, leaving room for mistakes and vulnerabilities in the haste.

For many developers, immediate functional requirements and enhancements to user experience take precedence. The concept of a security breach resulting from mishandling sensitive data often appears distant, especially when there are no immediate repercussions or mechanisms in the development cycle to highlight the associated risks. This mentality is further ingrained in environments lacking a strong culture of security or adequate training, causing developers to view secrets and non-human identity management as an afterthought.

This imbalance between prioritizing speed in development and ensuring robust security creates a perilous blind spot. While rapid development offers tangible and immediate benefits, the advantages of implementing comprehensive secrets management—such as averting potential breaches and safeguarding confidential data—are more nuanced and long-lasting.

Why is the shift-left security approach no longer enough?

The shift-left approach to software security, which prioritizes integrating security early in the development lifecycle, marks a positive advancement. However, it’s not a cure-all solution. While it effectively targets vulnerabilities in the initial stages, it fails to address the continuous nature of security challenges throughout the software development journey. In the shift-left process, overlooking expired secrets can lead to build failures and significant slowdowns in the development pace.

On the other hand, a developer-centric security strategy recognizes that security should be an ongoing, pervasive concern. Mere initiation of security measures isn’t sufficient; it must be a consistent thread woven through every stage of development. This necessitates a cultural shift within security and engineering teams, acknowledging that security is no longer solely the responsibility of security professionals but a shared obligation for all involved.

6 Best practices for non-human identity and secrets security during development

Organizations need to grow out of the mindset that development stage security is just another checkpoint and accept it as the art that it is that blends into the canvas of coding. Here are some best practices to help materialize this image:

  1. Centralized secrets management: Picture a scenario where all your secrets are consolidated into one accessible location, effortless to monitor and oversee. Employing a centralized method for managing secret vaults streamlines the process of tracking and regulating them. However, relying on a single, secure secrets vault is no longer practical in today’s landscape. Instead, you’re likely to have multiple vaults per environment, including various types like Kubernetes secrets, GitHub secrets, a main vault, and others. The most effective approach lies in adopting a centralized secrets management and security platform that seamlessly connects to all these vaults, providing the comprehensive solution needed to effectively manage your secrets.
  2. Access control: Access to non-human identities should be as tight as the security at a top-secret facility. Employing stringent authentication practices, like multi-factor authentication, plays a pivotal role in safeguarding sensitive data, ensuring access is reserved exclusively for authorized users.
  3. CI/CD pipeline security: The CI/CD pipeline forms the critical infrastructure of the software development cycle. Integrating continuous security scanning within the pipeline helps identify vulnerabilities in real time, ensuring that every build is efficient, secure, and free of secrets.
  4. Threat modeling and code reviews: Identifying potential threats early in the development stage and thoroughly reviewing code for exposed secrets is like having a quality check at every step.
  5. Incident response plan: When the unexpected hits, this plan is your go-to guide for a cool, collected response. It’s all about quick containment, slick investigation, and clear communication. Post-breach, it’s your chance to turn hindsight into foresight, fine-tuning your defenses for the next round.
  6. Secure coding frameworks and server configuration: Utilizing secure coding frameworks and libraries and ensuring servers are configured with security in mind is a strong foundation for development stage secrets security.

Incorporating these practices into the daily workflow makes becoming a guardian of your secrets a natural part of the development process.
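The practices above call for a secrets scan in the CI/CD pipeline that fails a build when a hard-coded credential is found. The following is an added example, not code from the article or from any vendor it mentions, of what such a pre-merge gate can look like: a small scanner that combines a known-format rule (the public AWS access key id shape), a generic password-assignment rule, and an entropy test for quoted values assigned to secret-like names. The sample source text and the rule names are constructed for the example; the entropy threshold and minimum length are assumptions a team would tune.

```python
import re
import math
from typing import List, Tuple

# Constructed sample: source lines of the kind a pre-merge secrets scan would
# see in a CI job. None of these values are real credentials.
SAMPLE_SOURCE = """\
# config.py
DB_HOST = "db.internal"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
password = "hunter2"
api_token = os.environ["API_TOKEN"]
SESSION_SECRET = "c8f2e6a1b4d9f0e37a5c2b8d1e6f4a9c0b3d7e2f"
greeting = "hello world"
"""

# Pattern rules: (rule name, compiled regex). The AWS access key id format
# (AKIA followed by 16 upper-case alphanumerics) is a documented public format;
# the password rule is a generic assignment shape chosen here as an assumption.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("assigned-password", re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]+['\"]")),
]

# A quoted literal assigned to a name containing secret/token/key is only a
# candidate; it is reported if the literal is long and high-entropy, which is
# what distinguishes a real key from a label or a placeholder.
SECRET_NAME_HINT = re.compile(
    r"(?i)\b\w*(secret|token|key)\w*\s*=\s*['\"]([^'\"]+)['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex/base64 scores high, prose low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str, min_len: int = 20, min_entropy: float = 3.0) -> List[Tuple[int, str]]:
    """Return (line number, rule name) pairs for lines that look like hard-coded secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERN_RULES:
            if rx.search(line):
                findings.append((lineno, name))
                break
        else:
            # No fixed-format rule matched; fall back to the entropy heuristic.
            m = SECRET_NAME_HINT.search(line)
            if m:
                value = m.group(2)
                if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                    findings.append((lineno, "high-entropy-secret"))
    return findings


def build_is_clean(text: str) -> bool:
    """The pipeline gate: a build passes only when the scan reports nothing."""
    return not scan_source(text)


if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
    # Non-zero exit fails the CI job, which is the point of the gate.
    raise SystemExit(0 if build_is_clean(SAMPLE_SOURCE) else 1)
```

Run on the sample, the scanner flags lines 3, 4 and 6 and leaves the `os.environ` lookup on line 5 alone, which is the pattern a secrets-free build should converge on: credentials come from the environment or a vault at run time, never from the repository. A real pipeline would add rules for the formats it actually uses and exempt documented test fixtures to keep false positives from training developers to ignore the gate.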

Entro: a case study in efficient secrets management

Wrapping up our deep dive into securing non-human identities during development, it’s evident that with the right secrets management tools and strategies, you can go a long way in your cybersecurity journey — which brings us to Entro.

Entro slides in with a cool, low-key approach to enhance your development stage non-human identity and secrets management without stepping on your R&D team’s toes. It’s almost like the backstage crew at a concert, making sure everything runs without the audience ever noticing. It works completely out of band, through APIs and reading logs, ensuring your secrets are safe without demanding any spotlight or code changes.

Furthermore, Entro differentiates itself in the development stage security arena with features that make managing secrets safer and smarter. One of its standout features is secrets enrichment, where Entro adds layers of context to secrets, giving them their own profile – who owns that secret, who created it, its rotation history, and the privileges it holds.

With Entro, you get to know exactly who’s using what secret and for what, keeping everything tight and right.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



Join Our Webinar on Protecting Human and Non-Human Identities in SaaS Platforms
https://www.indiavpn.org/2024/03/13/join-our-webinar-on-protecting-human-and-non-human-identities-in-saas-platforms/
Wed, 13 Mar 2024 11:44:34 +0000

Mar 13, 2024 | The Hacker News | SaaS Security / Webinar

Identities are the latest sweet spot for cybercriminals, who now heavily target SaaS applications that are especially vulnerable to this attack vector.

The use of SaaS applications involves a wide range of identities, including human and non-human, such as service accounts, API keys, and OAuth authorizations. Consequently, any identity in a SaaS app can create an opening for cybercriminals to compromise, leading to data breaches, compliance violations, and financial losses.

Many safeguards have been developed to better protect human identities, including multi-factor authentication (MFA) and single sign-on (SSO). These measures can protect enterprises against attacks using stolen credentials, such as password sprays.

Protecting non-human identities is more challenging, as MFA and SSO are usually not feasible with accounts that are not associated with any individual employee. Non-human accounts are also more sensitive since they come with the high privileges needed for integration activities. Cybersecurity for non-human entities requires different tactics, including monitoring tools to detect abnormal behavior indicative of different types of suspicious activity.

Despite the risks, the activity of non-human accounts is often overlooked. For non-human identities, advanced methods such as automated security checks must be deployed to detect unusual activity. Tools such as ITDR provide a defensive layer that strengthens the identity fabric and protects enterprises from attacks.

Join an informative webinar with Maor Bin, CEO and co-founder of Adaptive Shield, where he will dive into the identity risks in SaaS applications, and explain how to defend the SaaS environment through a strong identity security posture.

Topics to be covered during the webinar:

  • The new attack surface: Discover how identities, including human users, service accounts, and API keys, are being exploited by cybercriminals.
  • Identity-centric threats: Understand the unique risks posed by compromised identities within your SaaS environment.
  • Managing identities: Learn how to detect identity threats through SSPM and ITDR.

Register for this free webinar today and gain the insights you need to protect your organization from evolving cyber threats.

Why Are Compromised Identities the Nightmare to IR Speed and Efficiency?
https://www.indiavpn.org/2024/02/12/why-are-compromised-identities-the-nightmare-to-ir-speed-and-efficiency/
Mon, 12 Feb 2024 10:57:20 +0000

Incident response (IR) is a race against time. You engage your internal or external team because there’s enough evidence that something bad is happening, but you’re still blind to the scope, the impact, and the root cause. The common set of IR tools and practices provides IR teams with the ability to discover malicious files and outbound network connections. However, the identity aspect – namely the pinpointing of compromised user accounts that were used to spread in your network – unfortunately remains unattended. This task proves to be the most time-consuming for IR teams and has become a challenging uphill battle that enables attackers to earn precious time in which they can still inflict damage.

In this article, we analyze the root cause of the identity blind spot in IR and provide sample IR scenarios in which it acts as an inhibitor to a rapid and efficient process. We then introduce Silverfort’s Unified Identity Protection Platform and show how its real-time MFA and identity segmentation can overcome this blind spot and make the difference between a contained incident and a costly breach.

IR 101: Knowledge is Power. Time is Everything

The triggering of an IR process can come in a million shapes. They all share a resemblance in that you think – or are even sure – that something is wrong, but you don’t know exactly what, where, and how. If you’re lucky, your team spotted the threat when it’s still building up its power inside but hasn’t yet executed its malicious objective. If you’re not so lucky, you become aware of the adversarial presence only after its impact has already broken out – encrypted machines, missing data, and any other form of malicious activity.

Either way, the most urgent task once the IR starts rolling is to dissolve the darkness and get clear insights into the compromised entities within your environment. Once located and validated, steps can be taken to contain the attack by quarantining machines, blocking outbound traffic, removing malicious files, and resetting user accounts.

As it happens, the last task is far from trivial when dealing with compromised user accounts and introduces a yet unaddressed challenge. Let’s understand why that is.

Identity IR Gap #1: No Playbook Move to Detect Compromised Accounts

Unlike malware files or malicious outbound network connections, a compromised account doesn’t do anything that is essentially malicious – it merely logs in to resources in the same manner a normal account would. If it’s an admin account that accesses multiple workstations and servers on a daily basis – which is the case in many attacks – its lateral movement won’t even seem anomalous.

The result is that the discovery of the compromised account takes place only after the compromised machines are located and quarantined, and even then, it entails manually checking all the accounts that are logged in there. And again – when racing against time, the dependency on manual and error-prone investigation creates a critical delay.

Identity IR Gap #2: No Playbook Move to Immediately Contain the Attack and Prevent Further Spread

As in real life, there’s a stage of immediate first aid that precedes full treatment. The equivalent in the IR world is to contain the attack within its current boundaries and ensure it doesn’t spread further, even prior to discovering its active components. On the network level, it’s done by temporarily isolating segments that potentially host malicious activity from those that are not yet compromised. At the endpoint level, it’s done by quarantining machines where malware is located.

Here again, the identity aspect needs to catch up. The only available containment is disabling the user account in AD or resetting its password. The first option is a no-go due to the operational disruption it introduces, especially in the case of false positives. The second option is not good either; if the suspected account is a machine-to-machine service account, resetting its password is likely to break the critical processes it manages, ending up with additional damage on top of the one the attack has caused. If the adversary has managed to compromise the identity infrastructure itself, resetting the password will be immediately addressed by shifting to another account.

Identity IR Gap #3: No Playbook Move to Reduce Exposed Identity Attack Surfaces That Adversaries Target Within the Attack

The weaknesses that expose the identity attack surface to malicious credential access, privilege escalation, and lateral movement are blind spots for the posture and hygiene products in the security stack. This deprives the IR team of critical indications of compromise that could have significantly accelerated the process.

Prominent examples are vulnerable authentication protocols like NTLM (or, even worse, NTLMv1), misconfigurations like accounts set with unconstrained delegation, shadow admins, stale users, and many more. Adversaries feast on these weaknesses along their Living Off The Land route. The inability to locate and reconfigure or protect accounts and machines that feature these weaknesses turns the IR into an exercise in cat herding: while the analyst is busy checking whether Account A is compromised, the adversaries are already leveraging compromised Account B.

Bottom Line: No Tools. No Shortcuts. Just Slow and Manual Log Analysis While the Attack is in Full Gear

So, that’s the status quo when the IR team finally needs to discover which compromised user accounts the attacker is using to spread in your environment. This is a secret no one talks about and the true root cause of why lateral movement attacks are so successful and hard to contain, even when the IR process is taking place.

This is the challenge Silverfort solves.

Silverfort Unified Identity Protection for IR Operations

Silverfort’s Unified Identity Protection platform integrates with the identity infrastructure on-prem and in the cloud (Active Directory, Entra ID, Okta, Ping, etc.). This integration enables Silverfort to have full visibility into any authentication and access attempt, real-time access enforcement to prevent malicious access with either MFA or access block, and automated discovery and protection of service accounts.

Let’s see how these capabilities accelerate and optimize the identity IR process:

Detection of Compromised Accounts with MFA with Zero Operational Disruption

Silverfort is the only solution that can enforce MFA protection on all AD authentication, including command line tools like PsExec and PowerShell. With this capability, a single policy that requires all user accounts to verify their identity with MFA can detect all compromised accounts in minutes.

Once the policy is configured, the flow is simple:

  1. The adversary attempts to continue its malicious access and logs into a machine with the account’s compromised credentials.
  2. The true user is prompted with MFA and denies that they have requested access to the specified resource.

Goal #1 achieved: There’s now evidence beyond doubt that this account is compromised.

Side Note: Now that there’s a validated compromised account, all we need to do is filter all the machines that this account has logged into in Silverfort’s log screen.

Contain the Attack with MFA and Block Access Policies

The MFA policy we’ve described above not only serves to detect which accounts are compromised but also to prevent any additional spread of the attack. This enables the IR team to freeze the adversary’s foothold where it is and ensure that all the yet non-compromised resources stay intact.

Protection without Operational Disruption Revisited: Zoom-in On Service Accounts

Special attention should be given to service accounts as they are heavily abused by threat actors. These machine-to-machine accounts are not associated with a human user and cannot be subject to MFA protection.

However, Silverfort automatically discovers these accounts and gains insights into their repetitive behavioral patterns. With this visibility, Silverfort enables the configuration of policies that block access whenever a service account deviates from its behavior. In that manner, all of the standard service account activity is not disrupted, while any malicious attempt to abuse it is blocked.
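The paragraph above describes the idea of a behavioral baseline for service accounts: learn the repetitive source-to-destination pattern, allow what matches it, and block what deviates. The following is an added example of that logic, not Silverfort’s code or a description of its internals. It assumes a simplified one-line-per-authentication format (timestamp, account, source host, destination host); the events are constructed for the example, and a real deployment would read them from the directory’s authentication logs.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed authentication events, "timestamp account source destination".
# The first batch is the learning period; the second is live traffic evaluated
# against the learned baseline.
LEARNING_EVENTS = """\
2024-02-01T02:00:00Z svc_backup backup01 fileserver01
2024-02-01T02:00:05Z svc_backup backup01 fileserver02
2024-02-02T02:00:00Z svc_backup backup01 fileserver01
2024-02-02T02:00:04Z svc_backup backup01 fileserver02
2024-02-01T03:10:00Z svc_sql app01 sql01
2024-02-02T03:10:00Z svc_sql app01 sql01
2024-02-03T03:10:00Z svc_sql app02 sql01
"""

LIVE_EVENTS = """\
2024-02-12T02:00:00Z svc_backup backup01 fileserver01
2024-02-12T10:57:20Z svc_backup ws-finance07 dc01
2024-02-12T03:10:00Z svc_sql app01 sql01
2024-02-12T11:02:11Z svc_sql app01 ws-hr03
"""

Event = Tuple[str, str, str, str]  # timestamp, account, source, destination
Baseline = Dict[str, Set[Tuple[str, str]]]


def parse_events(text: str) -> List[Event]:
    """Parse the simplified log format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((parts[0], parts[1], parts[2], parts[3]))
    return events


def build_baseline(events: List[Event]) -> Baseline:
    """Per account, the set of (source, destination) pairs observed while learning."""
    baseline: Baseline = defaultdict(set)
    for _, account, src, dst in events:
        baseline[account].add((src, dst))
    return dict(baseline)


def evaluate(events: List[Event], baseline: Baseline) -> List[Tuple[str, str, str]]:
    """Return (account, decision, reason) for each live event.

    Anything that matches the learned pattern is allowed so routine jobs keep
    running; a new source host or a new destination is blocked, because a
    service account that suddenly reaches a workstation or a domain controller
    is the signature of abuse, not of a scheduled task.
    """
    decisions = []
    for ts, account, src, dst in events:
        known = baseline.get(account)
        if known is None:
            decisions.append((account, "block", f"{ts}: no baseline for this account"))
        elif (src, dst) in known:
            decisions.append((account, "allow", f"{ts}: {src}->{dst} matches baseline"))
        elif any(s == src for s, _ in known):
            decisions.append((account, "block", f"{ts}: known source {src} to new destination {dst}"))
        else:
            decisions.append((account, "block", f"{ts}: new source {src} to {dst}"))
    return decisions


def blocked_accounts(events: List[Event], baseline: Baseline) -> Set[str]:
    """Accounts with at least one blocked attempt: the IR team's first list to investigate."""
    return {account for account, decision, _ in evaluate(events, baseline) if decision == "block"}


if __name__ == "__main__":
    base = build_baseline(parse_events(LEARNING_EVENTS))
    for account, decision, reason in evaluate(parse_events(LIVE_EVENTS), base):
        print(f"{decision:5} {account:12} {reason}")
```

On the sample, the nightly backup and the application’s database connection are allowed, while the backup account reaching a domain controller from a finance workstation and the SQL account reaching an HR workstation are blocked, and both accounts land on the investigation list without any password having been reset. The design choice worth noting is that the baseline is keyed on the (source, destination) pair rather than on either alone, so a known source reaching a new destination is still caught.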

Goal #2 achieved: The attack is contained, and the IR team can rapidly move to investigation.

Eliminating Exposed Weaknesses in the Identity Attack Surface

Silverfort’s visibility into all authentications and access attempts within the environment enables it to discover and mitigate common weaknesses that attackers take advantage of. Here are a few examples:

  • Setting MFA policies for all shadow admins
  • Setting block access policies for any NTLMv1 authentications
  • Discovering all accounts that were configured without pre-authentication
  • Discovering all accounts that were configured with unconstrained delegation

This attack surface reduction will usually take place during the initial ‘first aid’ stage.
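Two of the weaknesses listed above, accounts without Kerberos pre-authentication and accounts with unconstrained delegation, are recorded as bits in the Active Directory `userAccountControl` attribute, and stale users can be spotted from the last logon time. The following is an added example, not Silverfort’s code or a description of its discovery logic, that finds all three from a directory export. The bit values are the documented AD flags; the CSV export shape, the account names, and the 90-day staleness window are constructed assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Documented userAccountControl bit flags.
UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000    # Kerberos pre-authentication not required

# Constructed directory export (assumed shape: sAMAccountName, userAccountControl,
# lastLogon as UTC ISO-8601). The values are illustrative, not from a real domain:
#   512     = NORMAL_ACCOUNT
#   4260352 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH
#   528384  = WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
#   66048   = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl,lastLogon
alice,512,2024-02-10T08:15:00Z
svc_legacy,4260352,2024-02-11T02:00:00Z
appsrv01$,528384,2024-02-11T23:59:00Z
bob,66048,2023-09-30T17:45:00Z
"""

# Constructed reference time for the sample run (the article's publication time).
REFERENCE_NOW = datetime(2024, 2, 12, 10, 57, 20, tzinfo=timezone.utc)


def parse_utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_identity_weaknesses(export_text: str, now: datetime,
                             stale_after_days: int = 90) -> Dict[str, List[str]]:
    """Map each account with at least one weakness to the list of weaknesses found."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        issues = []
        if uac & UF_DONT_REQUIRE_PREAUTH:
            # Without pre-auth anyone can request a TGT for the account and
            # take the encrypted response offline; the fix is clearing the flag.
            issues.append("no-preauth")
        if uac & UF_TRUSTED_FOR_DELEGATION:
            # A host trusted for unconstrained delegation caches other users'
            # TGTs; the fix is constrained or resource-based delegation.
            issues.append("unconstrained-delegation")
        if now - parse_utc(row["lastLogon"]) > timedelta(days=stale_after_days):
            # Stale accounts are unmonitored footholds; disable or remove them.
            issues.append("stale")
        if issues:
            findings[row["sAMAccountName"]] = issues
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Evaluate the constructed export against the constructed reference time."""
    return find_identity_weaknesses(SAMPLE_EXPORT, REFERENCE_NOW)


if __name__ == "__main__":
    for account, issues in run_sample().items():
        print(f"{account}: {', '.join(issues)}")
```

On the sample export the scan reports `svc_legacy` (no pre-authentication), `appsrv01$` (unconstrained delegation) and `bob` (no logon in over 90 days), which is the list an IR team would want on day one so that the ‘first aid’ stage can reconfigure or isolate those accounts before the adversary reaches them. The same loop extends naturally to other attributes in the export, for example group membership for shadow-admin checks.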

Goal #3 achieved: Identity weaknesses are mitigated and cannot be used for malicious propagation.

Conclusion: Gaining Identity IR Capabilities is Imperative – Are You Ready?

Compromised accounts are a key component in over 80% of cyber attacks, making the risk of getting hit an almost certainty. Security stakeholders should invest in having IR tools that can address this aspect in order to ensure their ability to respond efficiently when such an attack happens.

To learn more about the Silverfort platform’s IR capabilities, reach out to one of our experts to schedule a quick demo.
