T0103 - Scan public artifacts for secrets

This technique involves scanning publicly available artifacts, such as code repositories and container images, for sensitive information such as passwords, access keys, and other secrets. By scanning these artifacts, an attacker can gain unauthorized access to the application or underlying system and potentially cause significant damage. For example, an attacker might use this technique to scan a public code repository for hardcoded passwords or access keys, which could then be used to gain unauthorized access to the application or the underlying system. Alternatively, an attacker might scan a public container image for sensitive information such as database credentials, which could be used to gain access to sensitive data.

ID: T0103
Type: Technique
Tactic: Reconnaissance
Summary: Scan public artifacts for secrets
State: draft

Mitigations

ID: M1120
Type: Mitigation
Summary: Store credentials in vault
Description: Sensitive data like credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. This integration usually requires an API token, username & password credential or other similar variable. Sometimes these sensitive credentials include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often don't understand the consequences of embedding these credentials in code. This is especially true for Javascript applications that run client side, as these credentials are often visible by inspecting the Javascript files running in the local browser.

ID: M1732
Type: Mitigation
Summary: Implement code scanning for security risks
Description: Scanning pull requests to detect risks allows for early detection of vulnerable code and/or dependencies and helps mitigate potentially malicious code. For every repository in use, enforce risk scanning on every pull request.

ID: M1890
Type: Detection
Summary: Encrypt secrets
Description: Sensitive information stored in configuration files should be encrypted to protect it from unauthorized access.

Detections

ID: D1120
Type: Detection
Summary: Implement source code scanning for credentials and tokens
Description: Set up monitoring of reported issues based on regular credentials scanning results. Scan web applications for embedded secrets and credentials. It is particularly important after deployment to a web endpoint that you scan that newly deployed app for secrets, credentials and other sensitive data.

ID: D1261
Type: Detection
Summary: Implement penetration testing
Description: Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.

ID: D1262
Type: Detection
Summary: Implement vulnerability assessment
Description: Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.
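As an added example (not part of this entry or of any product it references), a minimal text-based secret scanner of the kind D1120 and M1732 call for, meant to run over a repository before it is published or on every pull request. The rule set, placeholder list and sample file are constructed for illustration; the AWS key is the placeholder value AWS uses in its own documentation. The same function can be run over files extracted from a container image's layers.

```python
import math
import re
from dataclasses import dataclass

# Simplified signature patterns for a few common credential shapes (illustrative, not a
# production rule set). Patterns with a capture group report the captured value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
    "generic_token": re.compile(r"(?i)(api[_-]?key|token|secret)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"),
}
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}

@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # first 4 characters only, so a scan report never leaks the secret itself

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, English words and repeats score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0

def scan_text(text: str, min_token_entropy: float = 3.0) -> list[Finding]:
    """Scan text line by line; return one Finding per (line, rule) that looks like a live secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue  # obvious dummy value, not a credential
            if rule == "generic_token" and shannon_entropy(value) < min_token_entropy:
                continue  # token-shaped assignment holding a low-entropy string; likely not random
            findings.append(Finding(line_no, rule, value[:4] + "..."))
    return findings

# Constructed sample file; the AWS key is the placeholder value used in AWS documentation.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "A9fT3kQ7mZ2xW8vL5nR4pY6sB1cD0e"
password = "hunter2"
-----BEGIN RSA PRIVATE KEY-----
"""
```

Running `scan_text(SAMPLE_SOURCE)` reports the AWS key, the token, the real password and the private-key header, and skips the `changeme` placeholder on line 2.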
