T0138 - Backdoor in code
Backdoor in code attack technique involves inserting a malicious code segment or backdoor into the software codebase, which allows the attacker to maintain access and control over the system even after their initial access has been removed or blocked.
In this attack, the attacker gains access to the codebase through various means, such as exploiting vulnerabilities or stealing credentials.
Once they have gained access, the attacker inserts a malicious code segment or backdoor into the codebase.
This code segment may be designed to execute specific malicious activities, such as stealing sensitive information, or to provide the attacker with continued access and control over the system.
ID: T0138
Type:
Technique
Tactic:
Persistence
Summary:
Backdoor in code
State:
draft
Mitigations
id
type
summary
description
M1550
Mitigation
Implement strict access control for clouds
Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.
M1731
Mitigation
Implement verification of signed commits
Signing commits, or requiring to sign commits, gives other users confidence about the origin of a specific code change.
It ensures that the author of the change is not hidden and is verified by the version control system, thus the change comes from a trusted source.
For each repository in use, enforce the branch protection rule of requiring signed commits, and make sure only signed commits are capable of merging.
M1732
Mitigation
Implement code scanning for security risks
Scanning pull requests to detect risks allows for early detection of vulnerable code and/or dependencies and helps mitigate potentially malicious code.
For every repository in use, enforce risk scanning on every pull request.
Detections
id
type
summary
description
D1260
Detection
Implement regular security audit and review
Conduct regular security audits and vulnerability assessments of your systems and storages configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage.
This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies.
D1261
Detection
Implement penetration testing
Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks.
It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.
D1262
Detection
Implement vulnerability assesment
Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application.
It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.
D1510
Detection
Implement Intrusion Detection System and anti-malware
An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity.
IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner.
By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.