How Organizations Can Prepare For Machine Identity Attacks

Forbes

5 days ago

TK Keanini, CTO, DNSFilter.
Today's organizations are grappling with a massive number of identities, and it's not just humans (i.e., employees, contractors, vendors, etc.). There's also been an explosion of machine identities, known as non-human identities (NHIs), that enterprises have to contend with. Machines, including IoT devices, appliances and robotics, now vastly outnumber humans in digital environments. This is true even at the consumer level, given all of the various devices and appliances connected to the internet, even in the average home. Consider this—Cisco once forecasted that "the number of devices connected to IP networks will be more than three times the global population by 2023." 2023 was two years ago.
NHIs are becoming bigger targets for bad actors, and I believe that's only going to intensify. While cybersecurity has traditionally focused on humans, it's now necessary to shift the approach to include machine-centric security. Bad actors have attacked machines from the beginning, but now that there are so many more machine identities than human ones, the attack surface is larger than ever. Machines require a fundamentally different security strategy than humans do.
That means it's time to start thinking about this scenario from an attacker's mindset. In my years in cybersecurity, I've learned that attackers usually prioritize the amount of attack surface they can explore to find a way in. If, as a defender, you don't know your own attack surface, you're already in a weak position. It's simply not enough to secure your human resources; you must also account for machines. And with AI and generative AI creating even more non-human resources, you're likely already behind.
The Growth Of Machine Identities Requires A New Approach
A 2024 report consisting of research by TechTarget's Enterprise Strategy Group that was carried out for AppViewX found that organizations have '20X more non-human identities than human identities … with 52% of organizations predicting an additional 20% increase in NHIs they manage over the next year.'
If you were asked to guess how many machines are currently connected to your home network, you'd likely be underestimating. Many appliances on the market today can be connected to Wi-Fi (whether they should be able to, however, is a whole other debate).
The same question can be asked about your business: Most estimates of the number of connected devices any given organization has today are probably too low, especially for SaaS companies that service the needs of various customers.
This proliferation of machine identities creates massive attack surfaces. Even when machines are no longer in service, they can create problems. From my observations, at many organizations, machine offboarding gets neglected, leaving orphaned credentials and unmonitored access points—major vulnerabilities. De-provisioning is arguably more vital than provisioning, especially after staff turnover or organizational changes.
Organizations usually spend a lot of time and energy protecting their people with tactics like two-factor authentication and education for users. But such tactics aren't enough. Machines massively outnumber the people you are trying to protect, so if they don't get the same amount of cybersecurity attention, you're headed for trouble.
History provides many examples of the dangers of NHIs, as well as the fact that organizations have failed to learn from them.
In the 2013 Target breach, attackers gained access by stealing credentials from an HVAC subcontractor. The attack resulted in the theft of 40 million credit and debit card records.
In the 2016 Mirai botnet attacks, according to the Center for Internet Security (CIS), bad actors went after technology company OVH and the website Krebs on Security. Mirai and its variants still exist today and depend on "the weak security of IoT products and technology." For instance, in January 2025, it was reported by CyberScoop that Cloudflare "successfully managed and mitigated" an attack from a Mirai botnet variant that "originated from over 13,000 Internet of Things (IoT) devices."
Malware exploits weak passwords and remote code execution vulnerabilities. It can cause disruptions for major corporations and financial institutions that have long-term consequences. Systems that are addressable on the network deserve the same amount of care as those that are operated directly by humans. Everything on the network should, in my view, have a zero-trust strategy where AAA principles (authentication, authorization and audit) are enforced, giving users access when authenticated to only the resources they need to operate—nothing more.
Guiding Principles For Securing Machine Identities
While organizations' cybersecurity strategies should extend beyond zero trust in this machine-dominated landscape, the zero-trust model is still essential. Having a solid zero-trust strategy in place will go a long way toward keeping your organization safe. And thanks to having a zero-trust strategy, if an attack occurs, the event will be highly detectable and have a limited negative impact. For company leaders, now is also a good time to consider whether something should be connected to the internet just because it can be.
Getting a handle on machine identities requires a few best practices to all work in harmony with one another.
For one thing, establishing a baseline of behavior is key. Machines should follow strict "allow lists" and behavioral profiles. In other words, every machine identity should have an expected behavioral norm. Deviations in behavior, such as a building access system transferring large volumes of data to an external server, are red flags.
Another best practice is to implement the principle of least privilege access. Grant machines only the access they need, shaped tightly around their expected behavior. Use automation, but do so with caution; automating security policies can be helpful, but it must be done carefully.
One thing all networked-attached identities share is DNS, which means protective DNS can be a critical first line of defense. Nearly all internet-connected devices need to resolve domain names, which means they must perform DNS. Given that, company leaders should create policies so that devices can only receive updates from their manufacturers (and I'll reiterate that many devices don't actually need access to all of the internet).
Defending Against NHI Attacks
As the number of machines and machine identities increases, there's a growing need to rethink cybersecurity strategies in this machine-dominated world. Security models must shift from being primarily human-centric to machine-aware, with a focus on behavioral enforcement, automated policy management and robust identity life cycle practices. Organizations must develop practical, scalable methods to manage and secure machine identities, and the time to do so is now, not later.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?