Skip to main content
banner image
venafi logo

How You Can Become a Machine Identity Threats Pro!

How You Can Become a Machine Identity Threats Pro!

June 10, 2021 | Yana Blachman
Attacks on Machine Identities

There are more machines and automated connections in the world today than ever before due to the shift to cloud, the adoption of DevOps technologies, and the modern application architecture. More automated connections mean more machine identities, and this inevitably leads to a larger attack surface for malicious actors to exploit. Unfortunately, attackers are developers themselves and understand the lack of machine identity protection prevalent in far too many organizations. Therefore, there has been a massive increase in attacks on machine identities, including Hildegard, KOBALOS and the infamous SUNBURST attack, just to name a few. Most other reports you read on these attacks will specifically cite lack of machine identity management as the root cause, but that is what all of these events boil down to. 

Actionable Threat Intelligence

So what does this all mean for you, and how can you make knowledgeable decisions about your security and machine identity program? Let’s turn to David Bianco’s classic Pyramid of Pain.

Relevant to virtually every security context, it represents the types of intelligence artifacts that we use in detection and protection programs. Essentially, the idea here is that certain actions that attackers will take against you are more difficult to change than others. For instance, indicators of compromise (IoC) is incredibly low on the list. You can register a new IP address or change a hash value relatively easily, yet these types of actions remain too high a focus for many security operations centers. The further up the list you go, the harder it is for attackers to change. The most painful thing for attackers to reinvent is their tactics, techniques and procedures (TTPs). Katie Nichols of MITRE explains that “adversaries are humans just as we are, and they have their own preferred behaviors.” Those behaviors are TTPs, and it is our best chance of detecting them in our networks, particularly now that we understand just securing the perimeter is not enough.

What exactly is ATT&CK?

This is where ATT&CK by MITRE is uniquely valuable. It is a knowledge base of such adversaries’ behaviors, including their preparation stage, what they do once on the network, and how they get out. Consider this a Wikipedia for threat behavior, a resource you can use to detect bad actors on your network quickly and efficiently. This standard knowledgebase of TTPs is open and free, based on information shared by the wider security community from real-world incidents and experiences.

Venafi Machine Identity Threat Model

Experts at Venafi took this general framework and created the Machine Identity Threat Model. It is free and accessible to all when you visit  It looks at the problem from the perspective of the attacker, with carefully mapped and documented TTPs that are associated with machine identities and real-world machine identity attacks.

Check out this video for a details technical demo on how exactly the Venafi Machine Identity Threat Model works:


The threat model is continuously updated on a daily basis, always representing the very latest in threat intelligence. As new attacks come to light, that information will always be added as additional content to this matrix. So be sure to regularly check to stay in the loop!

Become a Machine Identity Threats Pro

As you can see, this model is a unique resource created by Venafi and available to anyone who is ready to become a pro at identifying and preventing machine identity threats. But if you want to take it to the next level, you can share this model with your team to garner organization-wide support for your machine identity management program. Here are a few areas where it can be implemented today:


Always ensure your detection team is collecting the right data and be aware of how this behavior looks within your environment and toolset. You can use this model to assess your security tools, such as your SIEM or your EDR and your processes, both for identifying attacks on machine identities and for the remediation process. You can also perform gap analysis to identify areas or specific types of behaviors you may currently be blind to.


This is an opportunity to look beyond threat detection and focus on mitigation and prevention. Consider how you plan your resources and tools around machine identities, and make your decisions based on gap analysis. If you did find gaps in the detection process, what tools do you need to fill them in? Security is not just about technology it strongly relies on people and processes. So where can you implement policies that will help you be more secure?

Threat Simulation

If you had a red team or purple team perform threat simulation, make sure they're taking these behaviors into account when stimulating attacks in their drills.

Threat Intelligence

If you have a threat intelligence team, always be positive that they’re tracking these adversaries and inform offenders based on what they are doing and prioritize frequently used techniques.

Final thoughts

This threat model looks at adversaries across the attack life cycle and, guided by the pyramid of pain, looks beyond simply securing your perimeter. It assumes that your attackers may already be in the network and provides you with knowledge and TTPs that will help you make informed decisions on security planning and operations.

Don’t fall prey to attacks that members of this incredible community have already figured out how to avoid! Check out the Venafi Machine Identity Threats Model for free at

Related Posts

Like this blog? We think you will love this.
Featured Blog

Lloyd's Backs Off Insurance for State-Sponsored Cyberattacks

Cyber related businesses are ‘e

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Yana Blachman
Yana Blachman

Yana is Threat Intelligence Specialist at Venafi and has worked in the field over the last 7 years. Yana’s expertise includes tactical and operational threat analysis, threat hunting, and Dark Web intelligence.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more