Open Software Supply Chain Attack Reference (OSC&R)

T0130 - Harvest secrets from logs

This attack involves searching through logs generated by a system to find sensitive information that may have been inadvertently logged. Such information can include passwords, API keys, access tokens, or other types of credentials. In many systems, logs are generated automatically as part of normal operations. Attackers can exploit this by searching through the logs to find any sensitive information that has been logged. Once this information is found, the attacker can use it to gain unauthorized access to the system or associated resources.
ID: T0130
Type: Technique
Tactic: Credential Access
Summary: Harvest secrets from logs
State: Draft

Mitigations

ID: M1300
Type: Mitigation
Summary: Implement log sanitization
Description: Implement log sanitization techniques that automatically remove or obfuscate sensitive information, such as passwords, API keys, access tokens, or other types of credentials, before it is written to logs. This prevents sensitive information from being inadvertently logged in the first place.

ID: M1301
Type: Mitigation
Summary: Implement log sanitization
Description: Configure log levels and verbosity to minimize the amount of sensitive information that is logged. Set appropriate log levels so that only necessary information is logged, and avoid logging sensitive data unless absolutely necessary.

ID: M1302
Type: Mitigation
Summary: Implement strict access controls for logs
Description: Implement strict access controls for logs so that only authorized personnel can read log files. Use role-based access control (RBAC) and the principle of least privilege to restrict log access to those who need it for their job functions.

ID: M1120
Type: Mitigation
Summary: Store credentials in vault
Description: Sensitive data such as credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies, and each integration usually requires an API token, a username and password, or a similar variable; sometimes these sensitive values include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often do not understand the consequences of embedding credentials in code. This is especially true for JavaScript applications that run client side, because the credentials are visible to anyone who inspects the JavaScript files loaded in the local browser.

Detections

ID: D1131
Type: Detection
Summary: Implement SIEM
Description: Implement a SIEM system to centralize and analyze logs and events from various sources, including user account-related activities. Use SIEM rules or correlation rules to detect abnormal or suspicious user account-related activity, such as multiple failed login attempts, changes to account settings outside of normal patterns, or simultaneous login attempts from different locations.

ID: D1300
Type: Detection
Summary: Implement regular log reviews
Description: Conduct regular manual reviews of logs to identify any sensitive information that may have been inadvertently logged. This can involve reviewing log files for patterns or anomalies that indicate sensitive information, or using search and filtering techniques to identify potential incidents.

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing an IDS together with anti-malware software helps to identify and block malicious activity and to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, an IDS helps organizations stay ahead of potential threats and reduce the risk of a security breach.

ID: D1590
Type: Detection
Summary: Implement continuous monitoring and logging of the CI/CD process
Description: Continuous monitoring and logging of the CI/CD process helps organizations detect unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to anomalous behavior. Automated alerts and notifications for suspicious activity also help security teams respond promptly to potential threats.
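As an added worked example (not OSC&R's own code, and not from any project this page names), the following Python shows how M1300's log sanitization and D1300's search-and-filter log review can share one set of credential patterns: a logging filter scrubs credential-shaped values before a record reaches its sink, a scanner runs the same patterns over lines that were already written, and the logger level stands in for M1301. The pattern list, the logger name, and the sample log lines are constructed for illustration and do not come from this page; a real deployment would tune the patterns to the secret formats its own systems emit.

```python
"""Added example: redact credential-shaped values at log time (M1300) and
find them in existing logs (D1300) with one shared pattern set."""
import logging
import re
from typing import List, Tuple

# Each pattern names the value to hide as group "secret" so the surrounding
# context (key name, URL host) survives and the log line stays debuggable.
# Constructed for illustration; extend with the secret formats you actually use.
SECRET_PATTERNS = [
    ("key=value credential",
     re.compile(r'(?i)[\w-]*(?:password|passwd|pwd|api[_-]?key|secret|token)'
                r'["\']?\s*[=:]\s*["\']?(?P<secret>[^\s"\'&,;]+)')),
    ("bearer token",
     re.compile(r'(?i)\bAuthorization:\s*Bearer\s+(?P<secret>[A-Za-z0-9._\-]+)')),
    ("credential in URL",        # scheme://user:pass@host
     re.compile(r'://[^/\s:@]+:(?P<secret>[^@\s/]+)@')),
    ("AWS access key id",        # AKIA followed by 16 uppercase alphanumerics
     re.compile(r'\b(?P<secret>AKIA[0-9A-Z]{16})\b')),
]

REDACTED = "[REDACTED]"


def redact(text: str) -> Tuple[str, List[str]]:
    """Replace every matched secret with REDACTED; return the new text and
    the labels of the patterns that fired (empty list means nothing found)."""
    hits: List[str] = []
    for label, pattern in SECRET_PATTERNS:
        def _scrub(m: "re.Match[str]") -> str:
            hits.append(label)
            full = m.group(0)
            start, end = m.span("secret")
            # Splice REDACTED over the captured value only, keeping the context.
            return full[: start - m.start()] + REDACTED + full[end - m.start():]
        text = pattern.sub(_scrub, text)
    return text, hits


class SecretRedactingFilter(logging.Filter):
    """M1300: scrub each record's interpolated message before it is emitted.
    Attach to the handler so records from every logger routed to it are covered."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, hits = redact(record.getMessage())
        record.args = ()  # message is already interpolated; prevent a second % pass
        if hits:
            record.redacted = hits  # leaves a trace that scrubbing happened
        return True  # never drop the record, only sanitize it


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """D1300: report (line number, pattern labels, redacted line) for each line
    that contains a credential. The finding carries the redacted line so the
    review report itself does not re-leak the secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        cleaned, hits = redact(line)
        if hits:
            findings.append((lineno, hits, cleaned))
    return findings


# Constructed CI log lines; the AKIA value is the example key from AWS documentation.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO  build started for repo acme/payments",
    "2024-05-01T10:00:02Z DEBUG git clone https://deploy:s3cr3t-pw@git.example.com/acme/payments.git",
    "2024-05-01T10:00:05Z DEBUG request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.example",
    "2024-05-01T10:00:07Z WARN  retrying with api_key=sk-test-0123456789abcdef",
    "2024-05-01T10:00:09Z INFO  uploaded artifact (1 token_count=42)",
    "2024-05-01T10:00:11Z ERROR aws auth failed for AKIAIOSFODNN7EXAMPLE",
]


class _ListHandler(logging.Handler):
    """Collects formatted records in memory so the example can show what would be written."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


def demo_logging() -> List[str]:
    """Route a few records through a handler wearing the filter."""
    logger = logging.getLogger("added_example.ci")  # hypothetical logger name
    logger.setLevel(logging.INFO)  # M1301: DEBUG-level request dumps never reach the sink
    logger.propagate = False
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger.handlers = [handler]  # replace, so repeated calls do not stack handlers
    logger.info("connecting with password=%s for user %s", "hunter2", "svc-build")
    logger.debug("raw response: %s", {"token": "abc"})  # suppressed by level
    logger.info("deploy finished")
    return handler.records


if __name__ == "__main__":
    for line in demo_logging():
        print(line)
    for lineno, hits, cleaned in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)} -> {cleaned}")
```

Running the block prints the two surviving log lines, with the password replaced by the marker, and then four findings from the sample log (lines 2, 3, 4 and 6); the `token_count=42` line on line 5 is not flagged because the pattern requires the keyword to be followed directly by a separator. In a review workflow the scanner's output goes to the SIEM or ticket queue as a redacted finding, and any secret it identifies is rotated rather than merely deleted from the log.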
