T0122 - Vulnerability in third-party CI/CD actions
The use of 3rd party Github actions is very common.
Similar to using 3rd party libraries this can also introduce security risks - a malicious Github action has access to very sensitive information - i.e exfiltrating environment variables, including backdoors or malware in source code, infecting build artifcats.
ID: T0122
Type:
Technique
Tactic:
Initial Access
Summary:
Vulnerability in third-party CI/CD actions
State:
draft
Mitigations
id
type
summary
description
M1120
Mitigation
Store credentials in vault
Sensitive data like credentials and API tokens should not be stored directly in code.
Modern applications talk to many third-party APIs, SaaS solutions and other dependecies.
This integration usually requires an API token, username & password credential or other similar variable.
Sometimes these sensitive credentials include database host strings or hostnames.
All of these credentials should not be stored directly in code.
Software engineers often don't understand the consequences of embedding these credentials in code.
This is especially true for Javascript applications that run client side as these credentials are often visible by inspecting the Javascript files running in the local browser
M1220
Mitigation
Use only trusted third-party Github actions from reputable sources
Using only trusted third-party Github actions from reputable sources is an important security practice that reduces the risk of vulnerabilities in the CI/CD pipeline.
Reputable sources include established Github action providers with a history of creating high-quality, secure actions. Organizations can verify the reputation of a third-party Github action by researching the provider, reviewing their Github action repositories, and checking for reported security issues.
M1221
Mitigation
Review the Github action source code
Reviewing the Github action code and checking if it has been audited or reviewed by security experts is an important security practice to reduce the risk of vulnerabilities in the CI/CD pipeline.
By inspecting the code and checking if it has been audited, organizations can identify potential security issues and increase their confidence in the security of the Github action.
M1222
Mitigation
Limit the permissions granted to third-party Github actions
Limiting the permissions granted to third-party Github actions to only the necessary access required for the task is a security practice that can reduce the risk of vulnerabilities in the CI/CD pipeline.
This involves evaluating the required permissions of each action and granting access on a least privilege basis, meaning that only the minimum level of access required for the intended task is granted.
By limiting permissions, organizations can reduce the risk of unauthorized access or exposure of sensitive data, thereby improving the overall security of the CI/CD pipeline.
Detections
id
type
summary
description
D1260
Detection
Implement regular security audit and review
Conduct regular security audits and vulnerability assessments of your systems and storages configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage.
This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies.
D1261
Detection
Implement penetration testing
Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks.
It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.
D1262
Detection
Implement vulnerability assesment
Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application.
It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.
D1590
Detection
Implement continuous monitoring and logging of the CI/CD process
Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow.
This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach.
By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior.
Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.