CyberArk Central
Credential Provider Token
Service Name: CyberArk Privileged Access Security
Service Description: CyberArk is a privileged access management solution that secures, manages, and monitors privileged accounts and credentials. The Central Credential Provider (CCP) is a component that enables applications to retrieve credentials from the CyberArk vault without direct access to the vault itself.
Service Address: https://www.cyberark.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the application level in CyberArk's Privileged Access Security solution.
Secret Access Scope: Grants applications the ability to retrieve credentials from the CyberArk vault through the Central Credential Provider service.
Secret Revokement URL: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SDK/CCP_Revoke_Cred.htm
Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJDQ1BDbGllbnQiLCJleHAiOjE2M TIzNjU0MjAsImlhdCI6MTYxMjM2MTgyMH0.7HbT93SjnvU9aBWBz0OPyRnQsX9yGFx3kQXJxKqr wXY
Suspicious Activity Investigation Instructions:
- Review CyberArk audit logs for unusual credential retrievals or access patterns
- Check for applications accessing credentials they don't normally use
- Monitor for credential retrievals outside of normal business hours
- Verify if there are multiple failed authentication attempts using the token
- Examine network traffic to identify unusual source IPs accessing the CCP
Mitigation Instructions:
- Immediately revoke the compromised token through the CyberArk management console
- Generate a new token with appropriate permissions and update authorized applications
- Review and update the application's IP restrictions in CyberArk
- Verify that all applications using the CCP are properly authenticated
- Update the CyberArk policies to enforce stricter access controls
- Enable additional monitoring for credential retrievals through the CCP
- Consider implementing just-in-time access for sensitive credentials