Introducing the Non-Human Identity Threat Center, a new resource for the cloud security community

The Oasis Research Team

Cyber Research Team

Published on

January 29, 2025

We are very excited to launch the NHI Threat Center, a new resource designed to provide education and awareness of the ever-evolving cloud threat landscape. Our goal is to build a platform that will not only offer insights into these threats but may also serve as a threat feed in the near future.

This initiative is the result of dedicated work by Oasis Research. We are relentlessly focused on mapping threat actors, fingerprinting their activities, tracking their movements across the cloud, and gaining a deeper understanding of their tactics, techniques, and procedures.

The Threat Center will display live data. As we discover new threat actors, we will continually add them to our database. Additionally, we will update the stats and activity of existing actors based on our observations. Over time, we plan to introduce additional data types to make your experience more complete, ensuring you gain the most comprehensive insights.

Know Your Threat: The Importance of Understanding the External Threat Landscape

We are kicking off the Threat Center with data from 20 threat actors that we have observed in action. These threat actors are primarily opportunistic in nature, targeting whatever is available, effective, and profitable. However, despite their opportunistic behavior, some of them exhibit targeted tendencies. For example, we have identified patterns suggesting preferences based on industry sectors or the size of organizations.

We have found that every operational tenant is likely to have its NHIs targeted frequently by attackers trying to gain initial access, and that these attempts can cause operational issues even when they fail.

The key takeaway here is that understanding the behavior of these threat actors is crucial. Knowing the extent and nature of these attacks can provide you with valuable context and help bolster your defenses.

How These Actors Work: Understanding the Attack Methods

One of the primary techniques used by these attackers is the constant enrichment of a pool containing credentials and email addresses. The sources of these credentials can be quite varied, and attackers often rely on multiple methods to gather them:

  • Leaked Credentials: Credentials obtained from data breaches are often sold on the dark web or shared publicly.
  • Dark Web Marketplaces: For example, recently a hacking group used BreachForums to leak the credentials for 15,000 FortiGate devices. This is just one example of many where threat actors gain access to vast repositories of credentials.
  • Telegram “Combolists”: Lists of usernames and passwords commonly shared on Telegram or other dark web platforms.
  • Public Source Code: Attackers may use publicly available code repositories where developers have inadvertently included hard-coded credentials for service accounts.
  • Exposed Configuration Files: A group known as Emerald Whale was observed scanning the web for sensitive configuration files, such as .env files, that were mistakenly left exposed to the public.

Furthermore, publicly exposed email addresses are often harvested by bots that crawl websites, ignoring robots.txt and bypassing normal safeguards. Some bots are even designed to fill out forms in an attempt to gain access to gated content, potentially exposing more email addresses in the process.

Once attackers have gathered credentials and email addresses, the next step is to use them to gain access to accounts. They often rely on credential stuffing and password spraying to achieve this. Credential stuffing replays username and password pairs from earlier leaks against other services, betting that the password was reused. Password spraying works the other way around: a small set of commonly used passwords is tried against many accounts at once. Spraying is effective precisely because lockout policies and rate limits at cloud and identity providers are enforced per account and per source: a handful of guesses per account stays below the lockout threshold, and by spreading the attempts across numerous accounts (and often across many source addresses) the attacker keeps a large total volume of guesses without triggering the defenses that a focused brute-force attack would.

Once attackers gain access, their next steps depend on their intent. They may choose to sell the compromised credentials—either for the account they accessed or for another account they created using the first one. Alternatively, they may decide to abuse the access themselves, leveraging it for their own malicious purposes.

The Invisible Threat: Always Present, Yet Hard to Detect

There are many threat actors operating simultaneously, each targeting dozens to hundreds of organizations at once. Interestingly, most of these attacks fail; however, every failed attempt brings valuable insight into the attackers' methods and the security gaps they attempt to exploit.

Through our research, we’ve found that every operational tenant—whether it's a small organization or a large enterprise—is likely targeted frequently. This constant barrage of attacks represents an invisible threat, ever-present and waiting to strike. These attacks are often unnoticed until they are successful.

Visibility into these attacks can provide a preventative edge. The more you understand this threat, the better you can defend against it.

Moreover, aggressive failed login attempts can cause operational damage, such as account lockouts. If you’re receiving complaints about mysterious account lockouts, it might be an indicator that your systems are being targeted.
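As an added illustration (not code from Oasis or from the Threat Center) of how the credential stuffing and password spraying described above, and the lockouts mentioned here, look in a tenant's own sign-in logs, the Python below profiles failed logins per source address over a constructed sample log. The log line format, the lockout threshold of five failures, the "ten accounts from one source" spray threshold and the rule that a source whose failures are mostly against non-existent accounts is replaying a leaked list are assumptions made for the example, not published Oasis detection logic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed tenant policy for this example: the fifth consecutive failure locks the account.
LOCKOUT_THRESHOLD = 5
# Assumed detection knob: one source failing against this many accounts is not a typo.
SPRAY_MIN_ACCOUNTS = 10

# Assumed log format (one sign-in event per line), e.g.
# 2025-01-20T10:00:00Z src=203.0.113.7 user=user01@corp.example result=FAIL reason=bad_password
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL)(?: reason=(?P<reason>\S+))?$"
)


def build_sample_log():
    """Constructed sample events, not real telemetry: four sources with different behaviour."""
    lines = []
    second = 0

    def emit(src, user, result, reason=None):
        nonlocal second
        ts = f"2025-01-20T10:{second // 60:02d}:{second % 60:02d}Z"
        second += 3
        line = f"{ts} src={src} user={user} result={result}"
        lines.append(line + (f" reason={reason}" if reason else ""))

    # Password spray: 25 accounts, two guesses each, every account kept under the lockout threshold.
    for i in range(25):
        for _ in range(2):
            emit("203.0.113.7", f"user{i:02d}@corp.example", "FAIL", "bad_password")
    # Credential stuffing from a leaked list: most of the e-mail addresses no longer exist here.
    for i in range(12):
        emit("198.51.100.9", f"old{i:02d}@corp.example", "FAIL", "unknown_user")
    emit("198.51.100.9", "user03@corp.example", "FAIL", "bad_password")
    # Brute force on one account: noisy, and it locks the account (the operational damage).
    for _ in range(LOCKOUT_THRESHOLD):
        emit("192.0.2.44", "ceo@corp.example", "FAIL", "bad_password")
    emit("192.0.2.44", "ceo@corp.example", "FAIL", "locked_out")
    # A real user mistyping once and then signing in.
    emit("10.0.0.5", "user07@corp.example", "FAIL", "bad_password")
    emit("10.0.0.5", "user07@corp.example", "OK")
    return lines


@dataclass
class SourceProfile:
    fails_per_user: dict = field(default_factory=lambda: defaultdict(int))
    unknown_users: set = field(default_factory=set)
    locked_users: set = field(default_factory=set)
    successes: int = 0


def profile_sources(lines):
    """Aggregate sign-in failures per source address."""
    profiles = defaultdict(SourceProfile)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole run
        p = profiles[m["src"]]
        if m["result"] == "OK":
            p.successes += 1
            continue
        p.fails_per_user[m["user"]] += 1
        if m["reason"] == "unknown_user":
            p.unknown_users.add(m["user"])
        elif m["reason"] == "locked_out":
            p.locked_users.add(m["user"])
    return profiles


def classify(p):
    users = len(p.fails_per_user)
    max_per_user = max(p.fails_per_user.values(), default=0)
    unknown_ratio = len(p.unknown_users) / users if users else 0.0
    if p.locked_users or max_per_user >= LOCKOUT_THRESHOLD:
        return "brute_force"          # hammers single accounts; this is what causes lockouts
    if users >= SPRAY_MIN_ACCOUNTS and unknown_ratio >= 0.5:
        return "credential_stuffing"  # replaying a leaked e-mail list (assumed heuristic)
    if users >= SPRAY_MIN_ACCOUNTS:
        return "password_spray"       # many accounts, each kept just under the lockout threshold
    return "benign"


def detect(lines):
    """Map each source address to a verdict."""
    return {src: classify(p) for src, p in profile_sources(lines).items()}


def locked_accounts(lines):
    """Accounts locked by these attempts: the 'mysterious lockouts' a help desk hears about."""
    locked = set()
    for p in profile_sources(lines).values():
        locked |= p.locked_users
    return locked


if __name__ == "__main__":
    for src, verdict in detect(build_sample_log()).items():
        print(f"{src:15} {verdict}")
    print("locked:", sorted(locked_accounts(build_sample_log())))
```

A spray source shows up as many distinct accounts with one or two failures each, which is exactly the shape that never trips a per-account lockout, so counting distinct accounts per source is the signal, not failures per account. The unknown-user ratio is a hint that the attacker is working from an externally gathered address list rather than an enumerated directory. In practice you would also bucket by time window and by user agent or ASN, because sprayers rotate source addresses to stay under per-IP rate limits.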

To help combat these threats proactively, Oasis Security offers an ITDR solution featuring Oasis Scout. Oasis Scout uses AuthPrint technology to fingerprint threat actors during the authentication phase, so that malicious activity is identified early and can be remediated before it escalates into a full attack. For more details on how Oasis Scout can enhance your security posture, see the Oasis Scout announcement.

How to Read the Data: Interpreting Threat Actor Behavior

Each threat actor listed in our Threat Center comes with a detailed description of their behavior, as well as key metrics that can help you understand their operational tactics. We rate these actors based on several parameters, which are visually represented on a radar chart.

Here are the key categories we use to assess and rate each actor:

  • Evasive: This parameter measures how stealthy an attacker is. Evasive attackers use techniques and resources that are not yet widely recognized or associated with malicious activity, allowing them to avoid detection and maintain a low profile.
  • Aggressive: Aggressive actors tend to cause more disruptions, such as account lockouts, which can affect the operations of the organization being targeted.
  • Persistent: Some attackers will focus on the same identity for a brief period, while others will target the same account over a longer time span (weeks or even months), demonstrating persistence in their efforts.
  • Global Spread: This metric indicates how broadly the attacker targets. A global spread suggests that the attacker is targeting many organizations across different regions.
  • Inner Spread: This measures how many accounts within an organization the attacker targets. A higher inner spread means the actor tends to attack a large number of accounts within each organization.

Note that the data is normalized, so exact numbers are not specified to ensure privacy and to avoid giving specific targets away. Instead, our goal is to help you understand the relative intensity and scope of these attacks.
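To make the five axes and the normalization concrete, here is an added Python example (illustrative, not the scoring Oasis uses in the Threat Center) that derives one raw value per axis from constructed observation records and then min-max scales each axis across the actors to the 0..1 range a radar chart plots. The record layout, the three actors, the IP reputation list and the proxy chosen for each axis are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple


class Obs(NamedTuple):
    """One summarised campaign by an actor against one account (assumed record layout)."""
    actor: str
    org: str
    account: str
    first_seen: date
    last_seen: date
    caused_lockout: bool
    src_ip: str


# Constructed observations, not Threat Center data.
OBS = [
    # "sprayer": one guess per org, many orgs, infrastructure already on blocklists
    Obs("sprayer", "org1", "a1", date(2025, 1, 2), date(2025, 1, 2), False, "203.0.113.1"),
    Obs("sprayer", "org2", "b1", date(2025, 1, 3), date(2025, 1, 3), False, "203.0.113.1"),
    Obs("sprayer", "org3", "c1", date(2025, 1, 4), date(2025, 1, 4), False, "203.0.113.2"),
    Obs("sprayer", "org4", "d1", date(2025, 1, 5), date(2025, 1, 5), False, "203.0.113.2"),
    # "hammer": one org, several accounts, weeks-long, locks accounts, fresh infrastructure
    Obs("hammer", "org1", "a1", date(2025, 1, 1), date(2025, 1, 20), True, "198.51.100.7"),
    Obs("hammer", "org1", "a2", date(2025, 1, 1), date(2025, 1, 20), True, "198.51.100.7"),
    Obs("hammer", "org1", "a3", date(2025, 1, 5), date(2025, 1, 10), False, "198.51.100.8"),
    Obs("hammer", "org1", "a4", date(2025, 1, 5), date(2025, 1, 10), False, "198.51.100.8"),
    # "mid": somewhere in between on every axis
    Obs("mid", "org2", "b1", date(2025, 1, 3), date(2025, 1, 6), True, "203.0.113.1"),
    Obs("mid", "org5", "e1", date(2025, 1, 3), date(2025, 1, 3), False, "192.0.2.9"),
    Obs("mid", "org5", "e2", date(2025, 1, 3), date(2025, 1, 3), False, "192.0.2.9"),
]

# Assumed reputation feed: addresses already widely recognised as malicious.
KNOWN_BAD_IPS = {"203.0.113.1", "203.0.113.2"}

AXES = ("evasive", "aggressive", "persistent", "global_spread", "inner_spread")


def raw_scores(obs):
    """One raw, un-normalized value per axis and actor (proxies chosen for this example)."""
    by_actor = defaultdict(list)
    for r in obs:
        by_actor[r.actor].append(r)
    scores = {}
    for actor, rows in by_actor.items():
        accounts_per_org = defaultdict(set)
        for r in rows:
            accounts_per_org[r.org].add(r.account)
        ips = {r.src_ip for r in rows}
        scores[actor] = {
            # share of the actor's infrastructure that reputation feeds do not flag yet
            "evasive": 1 - len(ips & KNOWN_BAD_IPS) / len(ips),
            # fraction of targeted accounts the actor locked out
            "aggressive": sum(r.caused_lockout for r in rows) / len(rows),
            # longest run, in days, against a single identity
            "persistent": max((r.last_seen - r.first_seen).days for r in rows),
            # number of distinct organisations hit
            "global_spread": len(accounts_per_org),
            # average number of accounts attacked inside each organisation
            "inner_spread": sum(len(a) for a in accounts_per_org.values()) / len(accounts_per_org),
        }
    return scores


def normalize(scores):
    """Min-max scale each axis across actors to 0..1: relative intensity, no absolute counts."""
    out = {actor: {} for actor in scores}
    for axis in AXES:
        values = [s[axis] for s in scores.values()]
        lo, hi = min(values), max(values)
        for actor, s in scores.items():
            out[actor][axis] = 0.0 if hi == lo else (s[axis] - lo) / (hi - lo)
    return out


if __name__ == "__main__":
    for actor, axes in normalize(raw_scores(OBS)).items():
        print(actor, {k: round(v, 2) for k, v in axes.items()})
```

The point of the normalization step is the one the paragraph above makes: a reader of the chart sees that "hammer" sits at 1.0 on inner spread and persistence while "sprayer" sits at 1.0 on global spread, without learning how many organisations or accounts were actually hit. It also means the scores are relative to the actors in the set, so a value of 0.0 means "lowest among the tracked actors", not "absent".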

Discover, Get Involved, Stay Vigilant!

To make the Threat Center even more useful, we have categorized the threat actors based on their preferred industries and organization sizes. This categorization allows you to assess where your organization stands in relation to these actors and improve your situational awareness.

You can take this one step further by subscribing to receive notifications about new threat actors that match your industry of interest. Additionally, we’re offering an opportunity to get involved in our experimental threat feed program—a chance to receive live updates and contribute to ongoing research.

We are committed to providing a valuable and insightful experience. By staying informed and engaged with the Threat Center, you’ll be better equipped to recognize, mitigate, and defend against the evolving threats targeting your organization.

This is just the beginning. Stay tuned for more updates, detailed actor profiles, and critical insights as we continue to track and analyze the ever-changing cloud threat landscape.
