T0180 - Compromise services / servers

A services/servers compromise in the supply chain is an attack that targets the servers hosting software development and distribution infrastructure (source repositories, build and CI/CD systems, package registries, update servers). The attacker gains access to such a server through a vulnerability, a misconfiguration, or social engineering. Once on the server, they can modify the source code or the software packages being distributed to include malicious code or backdoors. Because a single server may serve many projects, one compromise can affect multiple software projects and potentially every user who downloads or runs the compromised software.

ID: T0180
Type: Technique
Tactic: Initial Access
Summary: Compromise services / servers
State: draft

Mitigations

ID: M1272
Type: Mitigation
Summary: Audit server configuration
Description: Regularly audit server configurations to ensure that there are no misconfigurations that allow unauthorized database access. Check for misconfigured firewall rules, open ports, and any other configurations that may expose the database to the public internet. Follow security best practices and recommendations from your cloud service provider for securing database instances.

ID: M1720
Type: Mitigation
Summary: Implement regular patches and updates
Description: Regular patches and updates are necessary to improve the security, performance, and reliability of software and systems. They include bug fixes, security updates, and performance improvements. Regular patches and updates also ensure compatibility with new technologies and can help maintain compliance with regulatory standards. Failure to install patches and updates can leave systems vulnerable to security threats, cause system failures or crashes, and limit the functionality of software and systems.
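As a worked illustration of the configuration audit described in M1272 (added here; not part of the knowledge base entry and not tied to any particular cloud provider's API), the following script checks a list of inbound firewall / security-group rules and reports every rule that lets a non-internal source reach a well-known database port. The rule format, the set of database ports and the list of "internal" networks are all assumptions chosen for the example; the sample rules are constructed.

```python
"""Audit inbound firewall rules for database ports reachable from public sources.

Added example for M1272. Rule format is a constructed, simplified one: each rule
is a dict with a direction, protocol, inclusive port range and source CIDR,
similar in shape to cloud security-group rules but not any vendor's real schema.
"""
import ipaddress

# Well-known database listener ports (assumed list for this example).
DB_PORTS = {
    1433: "mssql",
    3306: "mysql",
    5432: "postgresql",
    6379: "redis",
    9200: "elasticsearch",
    27017: "mongodb",
}

# Source ranges treated as internal; anything else is considered public.
# Defined explicitly rather than via ipaddress.is_private so the result is
# deterministic (Python's private list also covers documentation ranges).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_public_source(cidr: str) -> bool:
    """True unless the whole source range sits inside one internal network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == inner.version and net.subnet_of(inner)
                   for inner in INTERNAL_NETS)


def exposed_db_ports(rule: dict) -> list:
    """Database ports that a single inbound allow rule opens to a public source."""
    if rule.get("direction") != "ingress" or rule.get("action", "allow") != "allow":
        return []
    if rule.get("protocol") not in ("tcp", "any"):
        return []
    if not is_public_source(rule["source"]):
        return []
    lo, hi = rule["port_range"]
    return sorted(p for p in DB_PORTS if lo <= p <= hi)


def audit_rules(rules: list) -> list:
    """Findings as (rule id, port, service, source) for every public DB exposure."""
    findings = []
    for rule in rules:
        for port in exposed_db_ports(rule):
            findings.append((rule["id"], port, DB_PORTS[port], rule["source"]))
    return findings


# Constructed sample rule set: one HTTPS rule, one internal DB rule, one DB
# rule open to the world, one allow-all from a single external /24, one egress rule.
SAMPLE_RULES = [
    {"id": "sg-1", "direction": "ingress", "protocol": "tcp", "port_range": (443, 443), "source": "0.0.0.0/0"},
    {"id": "sg-2", "direction": "ingress", "protocol": "tcp", "port_range": (5432, 5432), "source": "10.0.0.0/8"},
    {"id": "sg-3", "direction": "ingress", "protocol": "tcp", "port_range": (5432, 5432), "source": "0.0.0.0/0"},
    {"id": "sg-4", "direction": "ingress", "protocol": "any", "port_range": (0, 65535), "source": "203.0.113.0/24"},
    {"id": "sg-5", "direction": "egress", "protocol": "tcp", "port_range": (3306, 3306), "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for rule_id, port, service, source in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: {service} port {port} reachable from {source}")
```

Only sg-3 and sg-4 produce findings: the wide-open "any protocol, all ports" rule is flagged once per database port even though its source is a single /24, because from the audit's point of view any non-internal source reaching a database listener is the condition M1272 asks you to look for. In a real audit the rule list would be exported from the firewall or cloud provider and the internal ranges taken from the organization's address plan.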

Detections

ID: D1261
Type: Detection
Summary: Implement penetration testing
Description: Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.

ID: D1262
Type: Detection
Summary: Implement vulnerability assessment
Description: Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.

ID: D1500
Type: Detection
Summary: Configure monitoring of used artifacts and open-source libraries
Description: Implement regular scanning of used artifacts and open-source libraries for known vulnerabilities. Set up monitoring of reported issues based on regular scanning results.

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing an IDS together with anti-malware software can help to identify and block malicious activity. An IDS is a critical security tool that helps organizations detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, an IDS can help organizations stay ahead of potential threats and reduce the risk of a security breach.
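As a worked illustration of the artifact scanning described in D1500 (added here; not part of the knowledge base entry and not a real vulnerability database or scanner), the script below parses a pip-style dependency manifest and matches each pinned version against a list of advisories expressed as version ranges. The advisory entries, package names and versions are all constructed placeholders, not real CVEs; a real scan would pull advisories from a vulnerability feed and use a full version-comparison library.

```python
"""Match pinned dependencies against known-vulnerable version ranges.

Added example for D1500. The manifest and the advisory list are constructed
inline; package names, versions and notes are placeholders, not real advisories.
"""
from typing import NamedTuple


class Advisory(NamedTuple):
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive
    note: str


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (requirements.txt style); comments and blanks skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def scan(manifest_text: str, advisories: list) -> list:
    """Return (package, pinned version, first fixed version) for each affected dependency."""
    deps = parse_manifest(manifest_text)
    hits = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            hits.append((adv.package, version, adv.fixed))
    return hits


# Constructed advisories (placeholders, not real CVEs).
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "placeholder: unsafe deserialization"),
    Advisory("netutils", "2.0.0", "2.0.9", "placeholder: header injection"),
]

# Constructed manifest: one affected pin, one already-fixed pin, one unlisted package.
MANIFEST = """
examplelib==1.4.1   # below the first fixed version
netutils==2.1.0     # at or above the fixed version
othertool==0.9.0    # no advisory on file
"""

if __name__ == "__main__":
    for package, version, fixed in scan(MANIFEST, ADVISORIES):
        print(f"{package}=={version} is affected; upgrade to >= {fixed}")
```

The version tuples matter: comparing "1.10.0" and "1.9.0" as strings would put 1.10.0 first, which is the kind of mistake that makes a scanner silently miss an affected pin. Running the scan on every build and diffing its output against the previous run is the "monitoring of reported issues" the detection asks for.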

References

  1. https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/