Feature Release

Spotlight on Sweet Security’s Advanced Identity Threat Detection and Response

Lea Edelstein

Head of Product

September 23, 2024


Managing secrets and identities is crucial to maintaining a secure environment as attackers are leveraging credentials to exploit cloud systems. One exposed secret or an unmanaged identity can be the “open door” that an attacker exploits, risking your entire infrastructure. Sweet Security’s identities capability delivers a comprehensive solution that enhances visibility, improves risk management, and detects identity-based attacks, empowering your team to stay ahead of evolving threats.

Visibility: Uncovering the Pandora’s Box of Secrets and Identities

Secrets and identities are often hidden away, much like opening a Pandora’s box. Without a clear view of what’s inside, you could be unknowingly exposing your environment to significant risks. Sweet Security provides unparalleled visibility into every secret and identity across your infrastructure, ensuring nothing stays hidden.

Comprehensive Secrets Inventory

Secrets are prime targets for attackers, and their exposure can lead to devastating breaches. Sweet Security ensures that all secrets, including those hidden in configuration files, exposed in environment variables, or stored in plaintext, are accounted for and monitored:

  • Secrets Discovery and Usage: The platform identifies every secret across your cloud environment, tracks how it is used at runtime, and highlights whether it is securely managed or at risk of exposure.
  • Managed vs. Unmanaged Secrets: Integrating with popular secret management systems like AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault, Sweet Security identifies unmanaged secrets and helps onboard them into secure management, reducing the risks associated with exposed or mishandled credentials.
Identify every secret across your cloud environment, track how it is used at runtime, and highlight whether it is securely managed or at risk.

Detailed Inventory of Human and Non-Human Identities

Managing who or what accesses your resources is just as important as securing the secrets themselves. Sweet Security provides a detailed inventory of both human and non-human identities:

  • Human Identities: Integrations with identity providers such as Azure Active Directory, Google Identity Platform, and Okta give you visibility into human identity usage. This includes tracking login times, locations, devices, and behaviors, enabling quick detection of unusual or unauthorized access attempts.
  • Non-Human Identities: From service accounts to API keys, we track the usage of non-human identities, providing insights into their interactions with cloud resources and highlighting any anomalies that could signal a security threat.
Determine who and/or what accesses your cloud resources.

Risk Management for Identities: Reducing Exposure and Mitigating Threats

With complete visibility, Sweet Security enhances risk management by identifying and mitigating risks related to secrets and identities:

  • Detecting Insecure Credential Storage: Identifies secrets stored in plaintext or exposed through environment variables and alerts your team to take action, preventing unauthorized access.
  • Dormant and Over-Privileged Identities: Highlights unused or dormant identities, particularly those with high privileges, which can be exploited by attackers. Sweet Security flags these identities for review, allowing teams to deactivate or reassign them, reducing the attack surface.
  • Enforcing Secure Management Practices: By integrating with secret managers, Sweet Security flags unmanaged secrets and facilitates their onboarding into secure management, ensuring that sensitive information is always protected.
  • Over-Privileged Identities Monitoring: Identifies non-human identities, like service accounts or API keys, with excessive permissions, minimizing the risk of these identities being used maliciously.
  • Admin Account Usage Review: Monitors admin account usage and flags any accounts being overused or accessed in unusual patterns, potentially indicating compromised credentials or insider threats.
  • Static Secrets Rotation: Identifies long-standing static secrets that haven’t been updated, prompting regular rotation to reduce the risk of using stale or compromised credentials.

Identity Threat Detection and Response: Stopping Breaches in Action

Sweet Security’s identities capability goes beyond risk management by detecting identity-based attacks in real time, leveraging advanced monitoring and anomaly detection to identify suspicious activities involving secrets and identities.

Attack #1: Account Takeover

Overview:
An attacker steals a legitimate user’s credentials and attempts to blend in with normal activities. However, Sweet Security detects deviations from the user’s baseline—such as logging in at strange hours, from unusual locations, or accessing resources outside their typical role.

Example of an account takeover.

Attacker’s Steps:

  1. Credential Compromise: The attacker acquires credentials through phishing or a data breach.
  2. Suspicious Login: They attempt to log in from an unfamiliar IP address or at a time that deviates from the user’s usual pattern.
  3. Uncharacteristic Actions: The attacker accesses sensitive resources or performs actions outside the scope of the stolen identity’s usual behavior.
  4. Anomaly Detection: Even when the attacker mimics normal user activity to avoid detection, the deviations from the user’s baseline behavior trigger alerts.

Attack #2: Compromised Non-Human Identity

Overview:
An attacker gains access to a machine and discovers non-human identities, such as a service account with broad access. They use this compromised identity to perform unauthorized actions, like accessing a database or reading sensitive data from a storage bucket, deviating from its normal usage patterns.

Example of a compromised non-human identity.

Attacker’s Steps:

  1. Compromised Entry Point: The attacker gains access to a machine, perhaps through a vulnerability exploit.
  2. Identity Discovery: They locate a service account or API key with significant access rights.
  3. Unauthorized Access: The attacker uses this identity to access sensitive data in databases or storage buckets that the identity typically does not interact with.
  4. Data Exfiltration: They leverage the access to escalate privileges or extract sensitive information, setting the stage for further attacks.
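The baseline-deviation logic behind Attack #1 and Attack #2, as an added illustration that is not Sweet Security’s code: a per-identity baseline of source IPs, active hours and resources is learned from a training window of constructed audit events, and later events are flagged when they depart from it (a human logging in at an odd hour from a new IP and touching a resource outside her role; a service account reading a database it never touched before). The event format, identity names and IPs are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real data): identity, human/non-human kind,
# ISO timestamp, source IP and the resource touched.
BASELINE_EVENTS = [
    ("alice", "human", "2024-09-02T09:15:00", "203.0.113.10", "s3://billing-reports"),
    ("alice", "human", "2024-09-03T10:05:00", "203.0.113.10", "s3://billing-reports"),
    ("alice", "human", "2024-09-04T16:40:00", "203.0.113.11", "rds://crm-db"),
    ("svc-reporting", "non-human", "2024-09-02T02:00:00", "10.0.4.7", "s3://billing-reports"),
    ("svc-reporting", "non-human", "2024-09-03T02:00:00", "10.0.4.7", "s3://billing-reports"),
]
NEW_EVENTS = [
    ("alice", "human", "2024-09-10T03:20:00", "198.51.100.23", "s3://customer-pii"),
    ("alice", "human", "2024-09-10T09:30:00", "203.0.113.10", "rds://crm-db"),
    ("svc-reporting", "non-human", "2024-09-10T02:00:00", "10.0.4.7", "s3://billing-reports"),
    ("svc-reporting", "non-human", "2024-09-10T02:05:00", "10.0.4.7", "rds://crm-db"),
]

def build_baselines(events):
    """Learn, per identity, the source IPs, active hours and resources seen in the training window."""
    baselines = defaultdict(lambda: {"ips": set(), "hours": set(), "resources": set()})
    for identity, _kind, ts, src_ip, resource in events:
        b = baselines[identity]
        b["ips"].add(src_ip)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["resources"].add(resource)
    return baselines

def detect_deviations(events, baselines):
    """Return (identity, reasons) for every event that departs from that identity's baseline."""
    alerts = []
    for identity, kind, ts, src_ip, resource in events:
        b = baselines.get(identity)
        if b is None:
            alerts.append((identity, ["identity never seen in baseline"]))
            continue
        reasons = []
        if src_ip not in b["ips"]:
            reasons.append("new source IP")
        hour = datetime.fromisoformat(ts).hour
        # Hour-of-day checks apply to humans only; service accounts run around the clock,
        # so for them the resource check carries the signal.
        if kind == "human" and all(abs(hour - h) > 1 for h in b["hours"]):
            reasons.append("unusual hour")
        if resource not in b["resources"]:
            reasons.append("resource outside baseline")
        if reasons:
            alerts.append((identity, reasons))
    return alerts

if __name__ == "__main__":
    for identity, reasons in detect_deviations(NEW_EVENTS, build_baselines(BASELINE_EVENTS)):
        print(f"ALERT {identity}: {', '.join(reasons)}")
```

A production detector would use a longer training window and per-identity thresholds rather than exact set membership, but the structure (learn a baseline, alert on deviation, weight signals by identity type) is the same.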

Attack #3: Secret Hunting and Exploitation

Overview:
An attacker gains access to a compromised machine and starts searching for secrets—plain text credentials, tokens, or API keys—to facilitate lateral movement or privilege escalation within the cloud environment.

Example of secret hunting and exploitation.

Attacker’s Steps:

  1. Initial Compromise: The attacker breaches a machine using phishing or exploiting a vulnerability.
  2. Secret Search: They hunt for secrets stored on disk, within configuration files, or exposed in environment variables.
  3. Using Stolen Secrets: The attacker uses these discovered secrets to move laterally within the environment or escalate privileges.
  4. Broader Network Access: With the acquired access, they attempt further infiltration, such as injecting code that alters how the environment operates.

Attack #4: Exploited Vulnerability in an Identity Provider / Management Solution

Overview:
Credential theft combined with lateral movement can lead to further breaches, as seen in successful credential stuffing attacks or in the breach of Okta’s customer support system. The diagram below shows how an attacker can easily impersonate an employee using credentials stolen from the SaaS identity provider and then move laterally within the environment using authorized tokens.

Example of credential theft with lateral movement.

Attacker’s Steps:

  1. Initial Access: The attacker exploited a vulnerability in the identity provider (e.g., Okta) to gain initial access to the environment of the identity provider’s customer.
  2. Lateral Movement: Using the stolen employee credentials, the attacker moved laterally within the environment to access critical workloads, which allowed them to navigate through the network and find further opportunities for exploitation.
  3. Exfiltration: After gaining sufficient access and moving laterally, the attacker accessed the company’s database and exfiltrated sensitive data.

Strengthen Your Cloud with Sweet Security

Sweet Security’s identities capability offers a robust solution for enhancing cloud security by combining identity management with detection and response. By providing a full inventory of secrets and identities, monitoring for insecure practices and anomalies, and integrating with leading identity and secret management solutions, Sweet Security enables organizations to protect their cloud environments against sophisticated identity-based threats.

Enhancing Security with Identity and Secrets Integrations

Sweet Security integrates seamlessly with leading identity providers (via OIDC), offering comprehensive visibility into human identity usage.

Our platform also integrates with secret management systems, such as AWS Secrets Manager, Azure Key Vault, and CyberArk Conjur, to manage secrets more securely and to onboard unmanaged secrets with one click. By identifying unmanaged secrets and facilitating their onboarding into secure management systems, Sweet Security reduces exposure risks and ensures that all sensitive information is handled correctly.

Ready to secure your cloud environment like never before? Contact us today for a demo and discover how Sweet Security can provide the attack detection you need to stay one step ahead of adversaries.
