Skip to content

NHI Token Used by Multiple Devices

Eco-system support

  • AWS IAM Access token

  • Azure app registration token (TBD)

  • GCP Service Account key (TBD)

  • GitHub Personal access token / GitHub App (TBD)

  • Okta app token (TBD)

Description

NHI Token is being used by multiple different devices. This could indicate potential misuse, bad practice of token sharing, or potential exploitation as tokens are originated to be used by a single application.

Severity should increase depending on type and amount of unique devices.

Detection triggers

  • Production NHI Token is being used from 2 ‘unique’ IP-Addresses, User-agents.

  • Non-Production NHI Token will only trigger this detection if being used from 4 ‘unique’ IP-Addresses, User-agents.

Mitigation

Overused NHI Token to be reviewed

SailPoint Entro observed multiple consumers (devices) of the same NHI Token, which could indicate token misuse or potential exploitation by unwanted adversaries.

To eliminate scenarios of token exploitation, please follow these steps:

  • Conduct a detailed review of device information, including user-agent, geolocation, and IP addresses, to verify the legitimacy of consumers.

  • Collaborate with the NHI Token owner to investigate instances of token overuse and seek appropriate justification.

  • Consider revoking tokens that show signs of potential misuse.

  • Educate engineers on the importance of securely managing NHI Tokens, emphasizing their intended use only.

  • Generate distinct tokens for individual consumers as needed.