THEY'RE OVER-PRIVILEGED

The silent risk: How non-human identities open the door to cyber threats

NHIs have high privileges—often more than they need

NHIs play a vital role in keeping organizations running smoothly. As such, they often require access to specific resources and permissions tailored to their functions, which can lead to broader access scopes than those typically assigned to human users.

But the issue goes deeper, as we commonly see NHIs with excessive privileges. When establishing machine-to-machine access for NHIs, it’s often far easier and more convenient to grant broad access rather than fine-tune their permissions and ring-fence them to their specific purpose. The risk of friction is lower—but the potential cost to security is much higher.

NHIs’ high access privileges, coupled with the fact that they're under-observed and under-protected, make them lucrative targets for attackers seeking ways to perform lateral movement and privilege escalation. XX% of organizations unknowingly sync more than half of their service accounts to their SaaS directory.

Here’s an example of how a breached NHI (in this case, an AD service account) can also lead to the compromise of an organization’s entire SaaS environment:

Even though service accounts are not supposed to be synced from AD to the cloud identity provider (IdP), it’s extremely common for identity teams to sync them inadvertently. While these accounts can’t be used to access SaaS resources by default, an attacker who has gained admin access privileges to the cloud IdP can activate them and assign them access privileges.

Sample attack flow

1. The attacker uses credentials obtained either in a recent third-party supplier breach or by phishing the IT administrator's credentials with a fake login page.
2. They use this access to reach PII data stored in a Snowflake DB (or any other SaaS app reachable through the IdP access they hold).
3. They then search for synced service accounts (naming conventions are a useful guide) until they find one that grants access to the on-prem environment.
4. Once inside the on-prem environment, the attacker can run code, exfiltrate data, or continue to move laterally.
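The sync problem described above can be audited from the defender's side: pull the cloud IdP's user inventory, find accounts that came from AD sync and match service-account naming conventions, and rank them by whether they are already activated or assigned to apps. The script below is an added example, not part of this report; the export field names ("login", "source", "enabled", "apps") and the naming patterns are assumptions, and the sample records are constructed.

```python
import re

# Constructed sample of a cloud IdP user export (not real data). The field
# names "login", "source", "enabled" and "apps" are assumptions for this example.
SAMPLE_IDP_USERS = [
    {"login": "svc-backup@corp.example", "source": "AD_SYNC", "enabled": False, "apps": []},
    {"login": "svc-sqlagent@corp.example", "source": "AD_SYNC", "enabled": True, "apps": ["snowflake"]},
    {"login": "jdoe@corp.example", "source": "AD_SYNC", "enabled": True, "apps": ["snowflake", "mail"]},
    {"login": "sa_etl_prod@corp.example", "source": "LOCAL", "enabled": True, "apps": []},
]

# Naming conventions commonly used for AD service accounts; extend to match your own.
SERVICE_ACCOUNT_PATTERNS = [r"^svc[-_.]", r"^sa[-_.]", r"^service[-_.]", r"[-_.]svc@"]


def looks_like_service_account(login: str) -> bool:
    """Heuristic: the login matches one of the service-account naming conventions."""
    return any(re.search(p, login.lower()) for p in SERVICE_ACCOUNT_PATTERNS)


def audit_synced_service_accounts(users: list[dict]) -> list[dict]:
    """Flag AD-synced accounts that look like service accounts.
    Dormant (disabled, no apps) ones are a latent risk an IdP admin could activate;
    enabled ones or ones with app assignments are an active SaaS-to-on-prem path."""
    findings = []
    for user in users:
        if user["source"] != "AD_SYNC" or not looks_like_service_account(user["login"]):
            continue
        active = user["enabled"] or bool(user["apps"])
        findings.append({
            "login": user["login"],
            "severity": "high" if active else "medium",
            "reason": ("enabled in IdP or has app assignments" if active
                       else "synced but dormant; remove from sync scope"),
        })
    return findings


def synced_service_account_ratio(users: list[dict]) -> float:
    """Share of service-account-like identities in the IdP that arrived via AD sync."""
    service_accounts = [u for u in users if looks_like_service_account(u["login"])]
    if not service_accounts:
        return 0.0
    synced = sum(1 for u in service_accounts if u["source"] == "AD_SYNC")
    return synced / len(service_accounts)


if __name__ == "__main__":
    for f in audit_synced_service_accounts(SAMPLE_IDP_USERS):
        print(f"[{f['severity']}] {f['login']}: {f['reason']}")
    print(f"synced service-account ratio: {synced_service_account_ratio(SAMPLE_IDP_USERS):.0%}")
```

Accounts flagged "medium" belong in the AD-to-IdP sync exclusion scope; "high" findings should be reviewed for who activated them and which app grants they hold.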