Preventing Unauthorized Usage of Non-Person Entities (NPEs)

Originally published by TrueFort.

Written by Trish Reilly, TrueFort.

What is an “NPE”?

For those of you not working at a Federal agency, the acronym ‘NPE’ may be foreign. Or you may know it as service accounts for non-federal organizations. Like any other industry, the US Federal government often has a language of its own. In this instance, NPE stands for non-person entity and is defined as “An entity with a digital identity that acts in cyberspace, but is not a human actor.” This cyberspace includes machines, organizations, hardware devices, software applications, code, containers, and information artifacts. For those of you outside of the federal government, think of NPEs as service accounts in the commercial sector.

Why you should be monitoring NPE behavior

74% of data breaches start with privileged credential abuse. (source)

Federal agencies and commercial businesses rely on a stable and secure foundation of infrastructure, applications, and data. Protecting this foundation has become a huge security challenge given the diversity and ever-expanding types of devices, applications, and workload types (cloud, virtual, containers, bare metal) while maintaining operations and services. To exacerbate this, add the potential risks associated with undetected or unmanaged non-person entities. Where is an agency or team to start?

NPEs have a long shelf life, as they are deployed to support administrative or infrastructure processes (used to act on the behalf of a person) mostly to support applications. They are not easily traceable to an individual user which enables them to be run unbeknownst to security teams, enabling unfettered access. They run in the background, execute system commands, and are rarely rotated which makes them a valuable target for attackers. Once compromised, unmonitored NPEs can enable a “free for all” across your infrastructure and sensitive data without you knowing they are there – helping themselves to a bountiful harvest.

The Federal government has put forth a memorandum M-19-17 from the Office of Management and Budget (OMB) that defines managing identities, credentials and access in modern government. Within this memorandum, the Government states “Agencies shall manage the digital identity lifecycle of devices, non-person entities (NPEs), and automated technologies such as Robotic Process Automation (RPA) tools and Artificial Intelligence (AI), ensuring the digital identity is distinguishable, auditable, and consistently managed across the agency. This includes establishing mechanisms to bind, update, revoke, and destroy credentials for the device or automated technology.”

Overall, “as technology evolves, the Government must offer flexible solutions to meet changing technology needs and shift the focus from managing the lifecycle of credentials to the lifecycle of identities.” Without key controls around detecting and managing the risks of these entities, bad actors are able to “live off the land” and move laterally and with impunity once the NPE credentials have been accessed.

Enabling Real Time Visibility To Manage NPE Risks

Security teams of all kinds – federal and commercial focused – need to take a focused approach to NPE risk protection. It’s important to:

1. Enhance Visibility – establish an inventory of users, identities, non-person entities (NPE), and service accounts, where and how they are used across the infrastructure and all applications.
2. Improve Risk Posture – identify the risks associated with NPEs and know where and how they are used across the application environment.
3. Profile and Baseline Normal Behavior – profile the behavior of all NPE across the application environment in real-time to automatically establish allow-list policies and interactions based on known and normal behavior.
4. Proactively Detect and Respond in Real Time – detect anomalous NPE behaviors inconsistent with the known normal behavior, generate alerts only on suspicious behavior, and respond in real-time to compromised NPEs.