NHI Token Used by Multiple Devices
Eco-system support
-
AWS IAM Access token
-
Azure app registration token (TBD)
-
GCP Service Account key (TBD)
-
GitHub Personal access token / GitHub App (TBD)
-
Okta app token (TBD)
Description
NHI Token is being used by multiple different devices. This could indicate potential misuse, bad practice of token sharing, or potential exploitation as tokens are originated to be used by a single application.
Severity should increase depending on type and amount of unique devices.
Detection triggers
-
Production NHI Token is being used from 2 ‘unique’ IP-Addresses, User-agents.
-
Non-Production NHI Token will only trigger this detection if being used from 4 ‘unique’ IP-Addresses, User-agents.
Mitigation
Overused NHI Token to be reviewed
SailPoint Entro observed multiple consumers (devices) of the same NHI Token, which could indicate token misuse or potential exploitation by unwanted adversaries.
To eliminate scenarios of token exploitation, please follow these steps:
-
Conduct a detailed review of device information, including user-agent, geolocation, and IP addresses, to verify the legitimacy of consumers.
-
Collaborate with the NHI Token owner to investigate instances of token overuse and seek appropriate justification.
-
Consider revoking tokens that show signs of potential misuse.
-
Educate engineers on the importance of securely managing NHI Tokens, emphasizing their intended use only.
-
Generate distinct tokens for individual consumers as needed.