T0120 - Dependency confusion

Dependency confusion is a type of supply chain attack in which an attacker exploits the way some package managers, such as npm and PyPI, resolve dependencies when installing software libraries. In a typical software development project, developers rely on a variety of external libraries, often referred to as dependencies, to build their applications. These libraries are typically stored in a remote repository, and developers use a package manager to install and manage them.

An attacker uses prior knowledge of which dependencies are in use (*Discover used open-source dependencies*) to upload a malicious package with the same name to a public repository. This can "confuse" the package manager into using the public resource instead of the local one, so that the malicious code executes in, or infects, the CI/CD environment. This can happen on the developer's machine or on the build system, and it can enable further steps of an attack, for example if the malicious code exfiltrates an access token to the production environment.

ID: T0120
Type: Technique
Tactic: Initial Access
Summary: Dependency confusion
State: draft

Mitigations

| id | type | summary | description |
| --- | --- | --- | --- |
| M1200 | Mitigation | Verify package authenticity | Before installing any package, it's important to verify its authenticity. This can include checking the package's digital signature or using a package manager that supports package verification. |
| M1201 | Mitigation | Restrict egress traffic in CI/CD | Restrict egress traffic from the build system to authorized destinations. This is a straightforward and very feasible mitigation, since a build system usually requires access to a very limited set of destinations. Controlling the traffic has many benefits: (1) prevent exfiltration of sensitive information; (2) block download of packages from unauthorized package repositories; (3) block download of malware. |
| M1500 | Mitigation | Verify third-party artifacts and open-source libraries | Verify that third-party artifacts used in code are trusted and have not been infected by a malicious actor before use. This can be accomplished, for example, by comparing the checksum of the dependency to its checksum in a trusted source. If a difference arises, this may be a sign that someone interfered and added malicious code. If this dependency is used, it will infect the environment and could end in a massive breach, leaving the organization exposed to data leaks and more. |
| M1502 | Mitigation | Define trusted package managers and repositories | When pulling a package by name, the package manager might look for it in several package registries, some of which may be untrusted or badly configured. If the package is pulled from such a registry, there is a higher likelihood that it could prove malicious. To avoid this, configure packages to be pulled from trusted package registries. |
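
As an added example (not part of the original entry), the following audit applies M1502 and M1500 to a pip requirements file: it flags `--extra-index-url` (pip gives extra indexes no lower priority than the main one), index hosts outside an allowlist, unpinned versions, and entries without a `--hash`. The host name, package names and digest placeholder are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the organisation's only approved index host (hypothetical name).
TRUSTED_INDEX_HOSTS = {"pypi.internal.example"}

# Constructed sample: a requirements file exposed to dependency confusion.
RISKY = """\
--extra-index-url https://pypi.internal.example/simple
acme-billing-client>=1.2
requests==2.31.0
"""
# Constructed sample: hardened form; the digests are placeholders, not real hashes.
HARDENED = """\
--index-url https://pypi.internal.example/simple
acme-billing-client==1.4.0 \\
    --hash=sha256:<digest-placeholder>
requests==2.31.0 --hash=sha256:<digest-placeholder>
"""

def audit_requirements(text, trusted_hosts=TRUSTED_INDEX_HOSTS):
    """Return (finding, detail) tuples for dependency-confusion risks."""
    findings = []
    # Join backslash continuations so a pin and its --hash form one entry.
    logical = re.sub(r"\\\n\s*", " ", text)
    for entry in logical.splitlines():
        entry = entry.split(" #")[0].strip()  # drop trailing comments
        if not entry or entry.startswith("#"):
            continue
        opt = re.match(r"(--extra-index-url|--index-url|-i)[ =]+(\S+)", entry)
        if opt:
            flag, url = opt.groups()
            if flag == "--extra-index-url":
                findings.append(("EXTRA_INDEX", url))  # several indexes searched
            if urlparse(url).hostname not in trusted_hosts:
                findings.append(("UNTRUSTED_INDEX", url))
            continue
        if entry.startswith("-"):
            continue  # other pip options are out of scope here
        name = re.split(r"[\s=<>!~;\[]", entry, maxsplit=1)[0]
        if not re.search(r"==[^\s*]+", entry):
            findings.append(("UNPINNED", name))  # a range accepts any higher version
        if "--hash=sha256:" not in entry:
            findings.append(("NO_HASH", name))  # no checksum to compare against
    return findings

if __name__ == "__main__":
    for finding in audit_requirements(RISKY):
        print(finding)
```

Run against each repository's requirements files in CI and fail the build on any finding; an empty list means every entry is pinned, hashed and resolved from an approved index.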

Detections

| id | type | summary | description |
| --- | --- | --- | --- |
| D1090 | Detection | Implement package or image integrity verification | Implement mechanisms to verify the integrity of packages or container images downloaded from public registries, such as digital signatures, checksums, or hash values. Compare the downloaded packages or images against trusted sources to ensure that they have not been tampered with during the upload process. |
| D1260 | Detection | Implement regular security audit and review | Conduct regular security audits and vulnerability assessments of your system and storage configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies. |
| D1510 | Detection | Implement Intrusion Detection System and anti-malware | An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing an IDS and anti-malware software can help to identify and block malicious activity. An IDS is a critical security tool that helps organizations detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, an IDS can help organizations stay ahead of potential threats and reduce the risk of a security breach. |
| D1590 | Detection | Implement continuous monitoring and logging of the CI/CD process | Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats. |
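
As an added example (not part of the original entry), the following detection applies D1590 to build-system egress logs: it alerts when an artifact whose name matches an internal package is fetched from a host other than the approved registry. The log format, runner names, package names and internal host are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlparse

# Assumptions (hypothetical): internal package names and the approved registry host.
INTERNAL_PACKAGES = {"acme-billing-client", "acme-ui"}
TRUSTED_HOSTS = {"pypi.internal.example"}

# Constructed egress-proxy log lines in the form "<timestamp> <runner> GET <url>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z runner-7 GET https://pypi.internal.example/packages/acme_billing_client-1.4.0-py3-none-any.whl
2024-05-01T10:00:02Z runner-7 GET https://files.pythonhosted.org/packages/aa/bb/requests-2.31.0-py3-none-any.whl
2024-05-01T10:00:03Z runner-9 GET https://files.pythonhosted.org/packages/cc/dd/acme-billing-client-99.0.0.tar.gz
2024-05-01T10:00:04Z runner-9 GET https://registry.npmjs.org/acme-ui/-/acme-ui-99.0.0.tgz
"""

# Splits "<name>-<version>[-tags].<ext>" for wheels, sdists and npm tarballs.
ARTIFACT = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d[^-]*?)(?:-.*)?\.(?:whl|tar\.gz|tgz|zip)$"
)

def normalise(name):
    """Treat '-', '_' and '.' as equivalent and ignore case when comparing names."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_confused_downloads(log_text, internal=INTERNAL_PACKAGES, trusted=TRUSTED_HOSTS):
    """Return (timestamp, runner, package, version, host) for suspicious fetches."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue  # not a download record in the assumed format
        timestamp, runner, _, url = parts
        parsed = urlparse(url)
        match = ARTIFACT.match(parsed.path.rsplit("/", 1)[-1])
        if not match:
            continue  # index page or metadata request, not an artifact
        name = normalise(match.group("name"))
        # Internal name served by a host that is not the approved registry.
        if name in internal and parsed.hostname not in trusted:
            alerts.append(
                (timestamp, runner, name, match.group("version"), parsed.hostname)
            )
    return alerts

if __name__ == "__main__":
    for alert in find_confused_downloads(SAMPLE_LOG):
        print("ALERT", alert)
```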

References

  1. https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
  2. https://pytorch.org/blog/compromised-nightly-dependency/