Open Software Supply Chain Attack Reference (OSC&R) > T0132 - Overprivileged CI/CD Runners

T0132 - Overprivileged CI/CD Runners

A container/runner agent privilege escalation attack is a security threat where an attacker exploits vulnerabilities in a container/runner agent to gain elevated privileges or access to sensitive resources they are not authorized to have. Attackers may exploit software vulnerabilities or weaknesses in container security controls to gain access to privileged resources, execute arbitrary code, or escape the container/runner agent and gain access to the host system.
ID: T0132
Type: Technique
Tactic: Privilege Escalation
Summary: Overprivileged CI/CD Runners
State: Draft

Mitigations

| ID | TYPE | SUMMARY | DESCRIPTION |
|---|---|---|---|
| M1320 | Mitigation | Implement least privilege principle for containers | Follow the principle of least privilege by granting only the necessary permissions and privileges to container/runner agents based on their required functionality. Avoid using privileged containers/runner agents unless absolutely necessary. |
| M1321 | Mitigation | Container or runner hardening | Apply security best practices for hardening container or runner agent images, configurations, and host systems, including regular patching and updates, disabling unnecessary services and components, and implementing strong authentication and access controls. |
| M1322 | Mitigation | Container or runner agent runtime security | Utilize container or runner agent runtime security solutions that can detect and prevent privilege escalation attempts in real-time, such as container runtime security tools, runtime security scanning, and container or runner agent security policies. |
| M1451 | Mitigation | Use network segmentation | Network segmentation is a technique that involves dividing a network into smaller segments or subnets to limit the spread of an attack if it occurs. By segmenting the network and restricting communication between segments, organizations can minimize the impact of data exfiltration. |
| M1732 | Mitigation | Implement code scanning for security risks | Scanning pull requests to detect risks allows for early detection of vulnerable code and/or dependencies and helps mitigate potentially malicious code. For every repository in use, enforce risk scanning on every pull request. |
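
One way to check M1320 for runners that execute jobs as Kubernetes pods, shown as an added example that is not part of the OSC&R entry or any project's code: a small audit that flags the settings that make a runner pod overprivileged. The function name, the capability and host-path lists, and both sample manifests are assumptions constructed for illustration.

```python
# Capabilities that commonly enable container escape when added to a job container (assumed list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# Host paths whose exposure hands a job control over the node or its runtime (assumed list).
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd", "/proc", "/sys", "/etc")


def audit_runner_pod(pod: dict) -> list[str]:
    """Return least-privilege findings for a Kubernetes Pod manifest loaded as a dict."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares a host namespace")
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        if path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            findings.append(f"volume {vol.get('name')}: hostPath {path}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # The container-level value overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: may run as root")
        added = {cap.upper().removeprefix("CAP_") for cap in (sc.get("capabilities") or {}).get("add", [])}
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(f"{name}: adds capability {cap}")
    return findings


# Constructed sample manifests (not taken from any real cluster).
OVERPRIVILEGED = {"spec": {
    "hostPID": True,
    "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "runner", "securityContext": {
        "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
}}
HARDENED = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "runner", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}}

if __name__ == "__main__":
    for label, pod in (("overprivileged", OVERPRIVILEGED), ("hardened", HARDENED)):
        print(label, audit_runner_pod(pod))
```

Run as a pull-request check over runner manifests, the same audit also serves M1732 by failing the build on any finding.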

Detections

| ID | TYPE | SUMMARY | DESCRIPTION |
|---|---|---|---|
| D1261 | Detection | Implement penetration testing | Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors. |
| D1262 | Detection | Implement vulnerability assessment | Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities. |
| D1510 | Detection | Implement Intrusion Detection System and anti-malware | An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach. |
| D1520 | Detection | Implement endpoint detection and response system | An endpoint detection and response (EDR) system is a security tool designed to detect and respond to security incidents on endpoints, such as desktops, laptops, servers, and mobile devices. There are several reasons why an EDR system is essential for maintaining the security of endpoints: 1. Threat Detection: EDR can detect and alert on a wide range of threats, including malware, ransomware, and other types of attacks that may not be detected by traditional antivirus software. 2. Rapid Incident Response: EDR can help security teams to rapidly detect, investigate, and respond to security incidents on endpoints. EDR systems can provide detailed information about the scope and impact of an attack, enabling security personnel to respond quickly and effectively. 3. Behavioral Analysis: EDR can monitor endpoint behavior to detect and alert on suspicious or anomalous activity. This helps security teams to identify and respond to threats that may be missed by traditional signature-based detection. 4. Endpoint Visibility: EDR provides visibility into endpoint activity, including processes, network connections, and file activity. This helps security teams to identify potential attack vectors and take proactive measures to prevent future incidents. |
| D1590 | Detection | Implement continuous monitoring and logging of the CI/CD process | Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats. |

References

  1. https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability
  2. https://dl.acm.org/doi/fullHtml/10.1145/3529320.3529325
  3. https://blog.lightspin.io/kubernetes-pod-privilege-escalation
  4. https://learn.snyk.io/lessons/container-runs-in-privileged-mode/kubernetes/
  5. https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/