Evidence-based research reveals how attackers rapidly discover and exploit exposed secrets, with compromises occurring in mere seconds.
TEL AVIV, ISRAEL, December 2, 2024 /EINPresswire.com/: Clutch Security, a leading innovator in non-human identity (NHI) security and management, today released groundbreaking research challenging the effectiveness of traditional secret rotation practices. The study uncovers how attackers—using automated tools—exploit leaked NHIs faster than organizations can respond, with some compromises occurring in under a minute.
For years, secret rotation has been a cybersecurity staple, with API keys, tokens, service accounts, certificates, and other credentials rotated on intervals of 120, 90, or even 30 days. But Clutch’s research reveals this practice now creates inefficiencies and a false sense of security, leaving organizations vulnerable to rapidly evolving threats.
Key Findings
Clutch’s research team conducted controlled experiments, intentionally leaking various NHIs across platforms, including cloud environments, SaaS applications, CI/CD pipelines, and developer forums. The results are alarming:
Compromise in Seconds: On high-traffic platforms, exposed secrets were exploited within seconds, with unauthorized activity spiking during early morning UTC hours.
Rotations’ Failures: Secrets rotated hourly and re-leaked were still compromised at the same rate, proving attackers act faster than even aggressive rotation schedules.
GitHub is Hotspot: Credentials leaked on GitHub were often accessed almost immediately, with attackers deploying bots to scrape for exposed secrets.
Sophisticated Exploits: Attackers used exposed secrets to escalate privileges and pivot laterally, showcasing their advanced and highly organized techniques.
The False Promise of RotationSecret: Rotation remains a compliance checkbox for many organizations, but Clutch’s findings expose its limitations. The gap between exposure and rotation—often days, weeks, or months—is more than enough for attackers to inflict damage. Worse, over-reliance on rotation fosters complacency, creating blind spots in overall security strategies.
These findings align with the updated NIST guidelines (SP 800-63B), which recommend against periodic password changes unless there’s evidence of compromise. This shift reflects a broader industry awakening: traditional security measures are falling short against modern threats.
A Call to Action
“Attackers are moving at machine speed, and outdated playbooks aren’t keeping up,” said Ofir Har-Chen, co-founder and CEO of Clutch Security. “Even the best security processes can’t compete once a secret is exposed. We need to rethink our defenses, focusing on proactive measures like Zero Trust architectures and ephemeral identities to shrink the attack surface and limit damage.”
To support this shift, Clutch has introduced community-focused tools like AWSKeyLockdown, an open-source solution enabling teams to instantly revoke exposed AWS access keys, cutting attackers off before they can exploit them. “If tools like this can stop even one compromise, we’ve done our job,” Har-Chen added.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream formerly known as CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, The Mainstream formerly known as CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, The Mainstream formerly known as CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK
