Infostealers are getting bolder – and more ambitious.
Long focused on stealing human credentials – usernames, passwords, cookies, session tokens, and browser autofill data – infostealers have expanded to target non-human identities. With the rise of cloud-native architectures, microservices, and automation, the number of non-human identities representing workloads, services, applications, and devices has surged, and so has the number of API keys, tokens, and certificates that represent them.
This rapid growth has made non-human identities an appealing target for attackers and underscores the need to secure them as part of a resilient security posture.
The Rise of Infostealers and the Non-Human Identity Risk
Infostealers are malicious software tools designed to infiltrate systems and exfiltrate sensitive data like credentials, secrets, or API keys. Often distributed through phishing attacks, compromised software packages, or as part of a malware-as-a-service (MaaS) model, infostealers lower the barriers to entry for cybercriminals.
Data-stealing malware has become a pervasive threat, increasing sevenfold since 2020, with recent attacks exposing hundreds of millions of records across major companies. By harvesting credentials from browsers, configuration files, and local secret stores, these malware tools let attackers infiltrate organizations at a scale that was previously out of reach.
Just this week, a massive breach affecting nearly 57 million accounts at retailers like Hot Topic, Torrid, and Box Lunch came to light. The compromise began with an infostealer infecting a device at a third-party provider, allowing a hacker known as “Satanic” to access sensitive customer data stored in the cloud.
While human credentials have traditionally been in the cross-hairs, the expanding attack surface driven by cloud and DevOps practices makes non-human identities an increasingly attractive target.
The consequences of compromised non-human identities are severe. When an infostealer harvests API keys, certificates, or other authentication tokens used by applications and services, attackers can gain privileged access, move laterally within environments, or even disrupt critical business operations.
CISOs and security architects must implement robust identity and access management (IAM) practices for workloads, built on strong identity verification, secure credential management, and adherence to Zero Trust principles.
Strengthening Identity Verification for Workloads
Effective identity verification for workloads ensures that each service, application, or container can reliably prove its identity before accessing sensitive resources. Traditional methods, such as static API keys or long-lived credentials, are easy targets for infostealers: once copied off a host, a static key works from any machine, with no human in the loop to notice. Here’s how organizations can enhance their workload identity verification strategies:
- Use Attestation Mechanisms: Attestation lets a workload prove that it is running on a trusted platform, in an expected configuration, and has not been tampered with. Platform-issued evidence such as AWS EC2 instance identity documents or Kubernetes service account tokens can be verified before any credential is issued. Because that evidence is tied to the platform rather than copied from a file, a credential issued against it cannot simply be lifted and replayed from an attacker’s machine. Organizations reduce the risk of unauthorized access by ensuring that only verified workloads access sensitive data.
- Implement Conditional Access Controls Based on Security Posture: Conditional access policies evaluate the security posture of the workload’s environment before granting access. This may include verifying its endpoint protection status, the image it was launched from, and compliance with specific configurations. Such measures mean that even a credential stolen from a compromised host is useless unless the requesting environment also passes those checks.
Enforcing Robust Access Policies for Workloads
Workload interactions with APIs, databases, and other services demand precise, granular access policies to minimize exposure risks. Security teams should enforce controls to guarantee that only authorized workloads access critical resources under predefined conditions. Key considerations include:
- Defining Clear Access Policies: Organizations should establish policies specifying which workloads can access specific APIs, databases, or services. Dynamic IAM tools capable of context-based enforcement are essential for managing these policies effectively.
- Continuous Monitoring and Policy Auditing: Static policies alone are inadequate in dynamic environments. Security teams must continuously monitor access patterns and audit policies to maintain their effectiveness and adapt to changing risks. Auditing which workloads actually reach which services, and from where, is critical to detecting misuse: a credential that suddenly appears from an unfamiliar network, or is used by two different machines at once, is the signature of a stolen secret being replayed.
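As an added illustration of the monitoring point above (example code, not Aembit’s or any product’s), the following Python audits a constructed JSON-lines access log against a per-workload policy. It flags the three things a stolen non-human credential tends to produce: a credential presented from outside the workload’s expected network, the same credential appearing from more than one source address, and a workload reaching a resource it was never authorized for. The policy, field names, workload names and log lines are all assumptions made up for the example.

```python
"""Audit a workload access log against per-workload policy (added example).

Not Aembit's code; the policy, log format and log lines are constructed to
illustrate what continuous monitoring of non-human identities looks for.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed policy: which workload may reach which resources, and from where.
POLICY = {
    "payments-api": {"resources": {"billing-db", "ledger-api"}, "network": "10.1.0.0/16"},
    "report-job": {"resources": {"warehouse-ro"}, "network": "10.2.0.0/16"},
}

# Constructed JSON-lines access log, as an API gateway or proxy might emit.
# tok-7f3a reappears from a public address: the replay pattern of a stolen token.
SAMPLE_LOG = """\
{"ts": 1700000000, "workload": "payments-api", "cred": "tok-7f3a", "resource": "billing-db", "src_ip": "10.1.4.12"}
{"ts": 1700000005, "workload": "report-job", "cred": "tok-91c0", "resource": "warehouse-ro", "src_ip": "10.2.0.7"}
{"ts": 1700000031, "workload": "payments-api", "cred": "tok-7f3a", "resource": "billing-db", "src_ip": "203.0.113.9"}
{"ts": 1700000044, "workload": "report-job", "cred": "tok-91c0", "resource": "billing-db", "src_ip": "10.2.0.7"}
{"ts": 1700000090, "workload": "unknown-svc", "cred": "tok-0000", "resource": "ledger-api", "src_ip": "10.1.9.2"}
"""


def audit(log_text, policy):
    """Return findings as (rule, subject, detail) tuples, in log order."""
    findings = []
    sources = defaultdict(set)  # credential -> source addresses it was presented from
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rule = policy.get(ev["workload"])
        if rule is None:
            # An identity nobody defined a policy for should never be granted anything.
            findings.append(("unknown-workload", ev["workload"], ev["resource"]))
            continue
        if ev["resource"] not in rule["resources"]:
            findings.append(("out-of-policy-resource", ev["workload"], ev["resource"]))
        if ipaddress.ip_address(ev["src_ip"]) not in ipaddress.ip_network(rule["network"]):
            findings.append(("off-network-source", ev["cred"], ev["src_ip"]))
        seen = sources[ev["cred"]]
        if seen and ev["src_ip"] not in seen:
            # Same credential, second machine: the classic exfiltrate-and-replay pattern.
            findings.append(("credential-reuse", ev["cred"], sorted(seen | {ev["src_ip"]})))
        seen.add(ev["src_ip"])
    return findings


def credentials_to_revoke(findings):
    """Credentials whose use pattern indicates theft: rotate these first."""
    return {subject for rule, subject, _ in findings
            if rule in ("off-network-source", "credential-reuse")}


def run_sample():
    return audit(SAMPLE_LOG, POLICY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print("revoke:", credentials_to_revoke(run_sample()))
```

The "unknown-workload" and "out-of-policy-resource" findings are policy drift (the gateway allowed something the policy never did); the "off-network-source" and "credential-reuse" findings are the ones that should trigger immediate revocation of the credential rather than a policy review.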
Secure Credential Distribution and Short-Lived Access Tokens
Secure credential management is essential for reducing the risk posed by infostealers. Traditional practices, such as embedding long-lived API keys in code or configurations, expose systems to exploitation. (I’ve previously called on API vendors to move away from API keys and adopt more secure methods, like workload identity federation, to better protect against evolving security threats.)
Organizations must prioritize secure credential distribution and minimize exposure:
- Short-Lived Tokens Over Long-Lived Credentials: Short-lived tokens (e.g., OAuth 2.0 access tokens with lifetimes measured in minutes rather than months) shrink the attacker’s window of opportunity: a token exfiltrated by an infostealer expires before it can be sold or replayed. These tokens can also carry context-specific claims, such as the intended audience and attested properties of the workload, that the receiving service checks on every request.
- Automated Credential Rotation: Regularly rotating secrets and credentials ensures that any stolen credentials become quickly obsolete. Automated tools facilitate this process without manual intervention, further minimizing risk.
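To make the previous two sections concrete (attestation with posture-based conditional access, and short-lived, audience-bound tokens with key rotation), here is an added example in Python. It is not Aembit’s code and not a production identity provider. It mints tokens from an attested set of workload claims and verifies them against a policy, rejecting tokens that are expired, tampered with, presented to the wrong audience, issued to an unattested image or an unprotected host, or signed by a key that has since been retired. It uses a symmetric HS256 signature so it runs stand-alone with the standard library; a real deployment would sign with an asymmetric key and publish the public half through a JWKS endpoint. The claim names, workload names, image digests and policy are constructed for the example.

```python
"""Short-lived, attestation-bound workload tokens with key rotation.

Added example (not Aembit's code). Toy HS256 issuer/verifier standing in for a
workload identity provider; every claim name, workload name and digest below is
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenIssuer:
    """Signs with the current key; rotate() adds a key, retire() drops one, so a
    stolen token signed by an old key stops verifying once that key is retired."""

    def __init__(self):
        self.keys = {}  # kid -> secret (a JWKS in a real deployment)
        self._n = 0
        self.current_kid = self.rotate()

    def rotate(self):
        self._n += 1
        kid = f"k{self._n}"
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def retire(self, kid):
        self.keys.pop(kid, None)

    def issue(self, attestation, audience, ttl_seconds=300, now=None):
        """Mint a token embedding platform-attested facts (image digest, posture)
        alongside a single audience and a short expiry."""
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current_kid}
        claims = {"iss": "workload-idp", "sub": attestation["workload"], "aud": audience,
                  "iat": now, "exp": now + ttl_seconds, "att": attestation}
        signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                                 for p in (header, claims))
        sig = hmac.new(self.keys[self.current_kid], signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"


class TokenVerifier:
    """Resource-side check: signature, audience and expiry first, then the
    attestation claims against a per-workload policy (conditional access)."""

    def __init__(self, keys, audience, policy):
        self.keys, self.audience, self.policy = keys, audience, policy

    def verify(self, token, now=None):
        """Return (accepted, reason); one distinct reason per failure for the audit log."""
        now = int(time.time()) if now is None else now
        try:
            h, c, s = token.split(".")
            header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
            sig = _b64url_decode(s)
        except ValueError:  # covers bad base64, bad JSON and wrong segment count
            return False, "malformed"
        key = self.keys.get(header.get("kid"))
        if key is None or header.get("alg") != "HS256":
            return False, "unknown key or algorithm"
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if now >= claims.get("exp", 0):
            return False, "expired"
        rule = self.policy.get(claims.get("sub"))
        att = claims.get("att", {})
        if rule is None:
            return False, "workload not authorized"
        if att.get("image_digest") not in rule["allowed_images"]:
            return False, "unattested image"
        if not att.get("endpoint_protection"):
            return False, "posture check failed"
        return True, "ok"


def demo(t0=1_700_000_000):
    """Walk through the failure modes; returns {scenario: (accepted, reason)}."""
    issuer = TokenIssuer()
    policy = {"payments-api": {"allowed_images": {"sha256:a1b2"}}}  # constructed policy
    verifier = TokenVerifier(issuer.keys, audience="billing-db", policy=policy)
    attested = {"workload": "payments-api", "image_digest": "sha256:a1b2", "endpoint_protection": True}
    token = issuer.issue(attested, "billing-db", ttl_seconds=300, now=t0)
    out = {
        "fresh": verifier.verify(token, now=t0 + 10),
        "replayed_late": verifier.verify(token, now=t0 + 600),  # stolen, replayed after expiry
        "wrong_audience": verifier.verify(issuer.issue(attested, "other-api", now=t0), now=t0 + 10),
        "unattested_image": verifier.verify(
            issuer.issue({**attested, "image_digest": "sha256:ffff"}, "billing-db", now=t0), now=t0 + 10),
        "bad_posture": verifier.verify(
            issuer.issue({**attested, "endpoint_protection": False}, "billing-db", now=t0), now=t0 + 10),
    }
    h, c, s = token.split(".")
    longer = json.loads(_b64url_decode(c))
    longer["exp"] += 86400  # attacker tries to extend the lifetime of a stolen token
    out["tampered_expiry"] = verifier.verify(f"{h}.{_b64url(json.dumps(longer).encode())}.{s}", now=t0 + 600)
    old_kid = issuer.current_kid
    issuer.rotate()
    out["after_rotation"] = verifier.verify(token, now=t0 + 10)  # old key still in the ring
    issuer.retire(old_kid)
    out["after_retirement"] = verifier.verify(token, now=t0 + 10)
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:18} {result}")
```

Two design points worth noting. The verifier checks signature and expiry before it looks at any policy, so a tampered or stale token never reaches the policy engine; and rotation keeps the previous key verifiable until it is explicitly retired, which gives running workloads a grace period to fetch a fresh token without turning rotation into an outage.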
Applying Zero Trust Principles to Workload Security
A Zero Trust security approach assumes no entity—human or machine—should be trusted by default. Every access request must be verified. Applying Zero Trust principles to workload security helps mitigate infostealer threats by continuously validating identities and permissions:
- Context-Aware Access Controls: These controls make access decisions dynamically, on every request, based on the security posture and context of the requesting workload rather than on possession of a secret alone, reducing exposure to potential threats.
Next Steps for Defending Non-Human Identities Against Infostealers
As infostealers evolve to target non-human identities, organizations can no longer afford to rely on outdated practices like static credentials. The focus must shift to dynamic, context-driven security controls. By strengthening identity verification with attestation mechanisms, enforcing conditional access policies, issuing short-lived credentials, and adopting Zero Trust principles, businesses can better safeguard their critical workloads. Now is the time to make that shift – before malicious hackers increasingly prioritize non-human identities over human ones.
For more information on how Aembit can help, visit aembit.io.