The External User Accounts technique covers the compromise of accounts belonging to users outside the organization (for example contractors, vendors or outside collaborators) that have been granted access to CI/CD pipelines, source code repositories or cloud environments. Such accounts are a useful foothold because they often sit outside the organization's own identity lifecycle: they may not be covered by the corporate MFA policy, offboarding process or device controls, yet they hold real permissions.
Attackers may take over these accounts through phishing, social engineering or password cracking.
Once in control of an account, the attacker acts with whatever permissions it holds: injecting malicious code into CI/CD pipelines, tampering with deployment pipelines, manipulating source code repositories, or reaching cloud resources the account can access.
The result can be deployment of unauthorized or malicious code to production systems, vulnerabilities or backdoors introduced into source code, theft of intellectual property, or other abuse of the granted access.
ID: T0143
Type: Technique
Tactic: Initial Access
Summary: External user accounts
State: Draft
Mitigations
ID: M1450
Type: Mitigation
Summary: Implement zero trust
Description: Under a zero-trust model no user, device or workload is trusted because of where it sits on the network: every request for a resource is authenticated, authorized and encrypted, and users and devices are verified before each access. Applied to external accounts, this removes the implicit trust an account would otherwise gain once it is "inside" the SCM, CI/CD or cloud boundary, and it limits the data an attacker holding such an account can exfiltrate, since outbound traffic is subject to the same checks.

ID: M1451
Type: Mitigation
Summary: Use network segmentation
Description: Network segmentation divides a network into smaller segments or subnets and restricts communication between them. If an external account is compromised, segmentation limits the lateral movement available from the systems that account can reach (for example build runners or jump hosts) and reduces the impact of any resulting data exfiltration.

ID: M1550
Type: Mitigation
Summary: Implement strict access control for clouds
Description: Limit access to cloud resources to authorized users only, and ensure that authentication and authorization are enforced on every access path (console, API and CLI). Scope external identities to the specific resources and actions they need rather than granting broad account-wide roles.

ID: M1661
Type: Mitigation
Summary: Revoke user permissions
Description: Remove permissions on SCM repositories from users who no longer need them, and treat external accounts as the first candidates for review because their need for access usually ends with the engagement. Limit access to pipeline and deployment configuration files to the users who must modify them.

ID: M1860
Type: Mitigation
Summary: Implement strong authentication mechanisms
Description: Authentication is the process of verifying the identity of a user or entity accessing the SCM system. Strong authentication combines multiple factors beyond a username and password: something the user knows (a password), something the user has (a smart card or hardware token) and something the user is (biometric data such as a fingerprint or face). Multi-factor authentication (MFA) significantly raises the cost of the phishing and password-cracking attacks this technique relies on. Enforce it for external accounts as well as employees; an MFA policy that applies only through the corporate identity provider leaves outside collaborators as the weakest path in.

ID: M1861
Type: Mitigation
Summary: Implement strong authorization mechanisms
Description: Strong authorization ensures that users have access only to the resources and actions their job functions require, and nothing more. Role-based access control (RBAC) or attribute-based access control (ABAC) express this as fine-grained permissions for users, groups and repositories in the SCM system. Review user permissions regularly and remove any that are no longer needed, so that a compromised account yields the attacker the smallest possible set of repositories and actions.
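As an added example (not code from the original page), the following Python script performs the review described under M1661 and M1861: it compares every repository grant against a role-based permission ceiling and reports what to revoke, treating idle external accounts as revocations in full. The role policy, repository classes, user inventory, review date and 90-day inactivity threshold are all assumptions constructed for the example; in practice the inventory would come from the SCM's collaborator and audit APIs.

```python
"""Access review for SCM repositories (M1661 / M1861): find grants to revoke.

Added example; the policy, repository classes and inventory below are
constructed assumptions, not data from any real organization.
"""
from datetime import date

# Ordered permission levels, most restrictive first.
PERMISSION_RANK = {"none": 0, "read": 1, "triage": 2, "write": 3, "maintain": 4, "admin": 5}

# Role-based policy (assumption): the highest permission a role may hold on
# each class of repository. External roles never reach "sensitive" repos.
ROLE_POLICY = {
    "developer":   {"internal": "write",    "sensitive": "read"},
    "release-eng": {"internal": "maintain", "sensitive": "write"},
    "contractor":  {"internal": "write",    "sensitive": "none"},
    "vendor":      {"internal": "read",     "sensitive": "none"},
}
INACTIVE_AFTER_DAYS = 90          # assumption: idle external accounts lose all access
REVIEW_DATE = date(2024, 5, 1)    # assumption: the day the review is run

# Constructed inventory, shaped like an export from an SCM collaborator API.
REPOS = {"acme/web": "internal", "acme/payments": "sensitive", "acme/infra-config": "sensitive"}
USERS = {
    "alice":          {"role": "developer",  "external": False, "last_active": "2024-04-28"},
    "ext-contractor": {"role": "contractor", "external": True,  "last_active": "2024-04-20"},
    "old-vendor":     {"role": "vendor",     "external": True,  "last_active": "2023-11-02"},
}
GRANTS = [  # (user, repository, permission currently held)
    ("alice", "acme/web", "write"),
    ("alice", "acme/payments", "read"),
    ("ext-contractor", "acme/web", "admin"),
    ("ext-contractor", "acme/infra-config", "write"),
    ("old-vendor", "acme/web", "read"),
]


def review_access(users, repos, grants, policy, today, inactive_days=INACTIVE_AFTER_DAYS):
    """Return (user, repo, current, allowed, reason) for every grant that must change.

    Two rules are applied: external accounts idle for longer than
    `inactive_days` lose all access, and any grant above the role's ceiling
    for that repository class is reduced to the ceiling.
    """
    actions = []
    for user, repo, current in grants:
        u = users[user]
        repo_class = repos[repo]
        allowed = policy[u["role"]][repo_class]
        idle_days = (today - date.fromisoformat(u["last_active"])).days
        if u["external"] and idle_days > inactive_days:
            actions.append((user, repo, current, "none",
                            f"external account idle for {idle_days} days"))
        elif PERMISSION_RANK[current] > PERMISSION_RANK[allowed]:
            actions.append((user, repo, current, allowed,
                            f"{current} exceeds {u['role']} ceiling for {repo_class} repository"))
    return actions


if __name__ == "__main__":
    for user, repo, current, allowed, reason in review_access(USERS, REPOS, GRANTS, ROLE_POLICY, REVIEW_DATE):
        print(f"{user:15} {repo:20} {current:8} -> {allowed:6} ({reason})")
```

The output is the list of revocations to apply; running it on a schedule and diffing against the previous run turns the one-off review into the regular review M1861 asks for.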
Detections
ID: D1430
Type: Detection
Summary: Monitor for failed login attempts
Description: Set up logging and alerting on failed login attempts against external user accounts. Look for patterns rather than single events: repeated failures in a short window, failures from several source IP addresses, and logins at unusual times or from unusual locations, all of which may indicate password cracking. A successful login that follows such a burst, especially from one of the IP addresses involved, deserves immediate attention.

ID: D1431
Type: Detection
Summary: Monitor for changes of user permissions
Description: Regularly review and audit the permissions of external user accounts, and monitor the SCM, CI/CD and cloud audit logs for changes to their roles or permissions. Alert on any change that grants excessive or unauthorized access to critical resources or actions, and on changes made by the external account itself, since an attacker holding the account will often try to widen its access first.

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) monitors network traffic or host activity and alerts on signs of unauthorized access. Together with anti-malware software it helps identify and block malicious activity and gives the security team the real-time visibility needed to respond to an incident promptly. For hosted SCM, CI/CD and cloud services, pair these tools with the provider's own audit logs, since a network IDS sees little of what happens inside a SaaS tenant.
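As an added example (not code from the original page), the following Python detection logic runs the D1430 and D1431 rules over a handful of constructed audit events: a failed-login burst against an external account from several IP addresses, an off-hours success from one of those addresses, and the account then granting itself admin on a repository. The event field names, the 10-minute window, the failure and distinct-IP thresholds, the business-hours range and the external-account list are assumptions; map them onto the schema of your SCM or CI/CD audit log.

```python
"""Detections D1430 / D1431 over SCM audit events.

Added example; the events, field names and thresholds are constructed
assumptions, not taken from a real audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (illustrative; not real logs). Field names are
# modelled loosely on SCM audit logs and are an assumption.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:03:10Z", "action": "user.failed_login", "actor": "ext-contractor", "ip": "203.0.113.5"},
    {"ts": "2024-05-01T02:03:40Z", "action": "user.failed_login", "actor": "ext-contractor", "ip": "203.0.113.5"},
    {"ts": "2024-05-01T02:04:05Z", "action": "user.failed_login", "actor": "ext-contractor", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T02:04:30Z", "action": "user.failed_login", "actor": "ext-contractor", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T02:05:02Z", "action": "user.login",        "actor": "ext-contractor", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T02:06:00Z", "action": "repo.update_member", "actor": "ext-contractor",
     "target": "ext-contractor", "repo": "acme/payments", "permission": "admin"},
    {"ts": "2024-05-01T09:15:00Z", "action": "user.failed_login", "actor": "alice", "ip": "192.0.2.10"},
    {"ts": "2024-05-01T09:15:20Z", "action": "user.login",        "actor": "alice", "ip": "192.0.2.10"},
    {"ts": "2024-05-01T10:00:00Z", "action": "repo.add_member", "actor": "alice",
     "target": "bob", "repo": "acme/payments", "permission": "write"},
    {"ts": "2024-05-01T10:30:00Z", "action": "repo.add_member", "actor": "alice",
     "target": "ext-vendor", "repo": "acme/docs", "permission": "read"},
]

EXTERNAL_ACCOUNTS = {"ext-contractor", "ext-vendor"}   # assumption: kept in sync with the vendor register
PERMISSION_RANK = {"read": 0, "triage": 1, "write": 2, "maintain": 3, "admin": 4}
PERMISSION_EVENTS = ("repo.add_member", "repo.update_member", "org.update_member")
WINDOW = timedelta(minutes=10)   # sliding window for failed-login bursts
FAILURE_THRESHOLD = 4            # failures inside WINDOW that count as a burst
DISTINCT_IP_THRESHOLD = 3        # distinct source IPs inside WINDOW that count as a burst
BUSINESS_HOURS = range(7, 20)    # UTC hours treated as normal (assumption)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_login_anomalies(events, external=EXTERNAL_ACCOUNTS):
    """D1430: failed-login bursts, off-hours logins and a success right after a burst."""
    alerts = []
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["actor"] in external and e["action"] in ("user.failed_login", "user.login"):
            by_actor[e["actor"]].append(e)
    for actor, evs in by_actor.items():
        failures = [(parse_ts(e["ts"]), e["ip"]) for e in evs if e["action"] == "user.failed_login"]
        burst_ips = set()
        for t, _ in failures:  # look back WINDOW from each failure
            window = [(ft, ip) for ft, ip in failures if t - WINDOW <= ft <= t]
            ips = {ip for _, ip in window}
            if len(window) >= FAILURE_THRESHOLD or len(ips) >= DISTINCT_IP_THRESHOLD:
                burst_ips |= ips
        if burst_ips:
            alerts.append({"rule": "failed_login_burst", "actor": actor,
                           "failures": len(failures), "distinct_ips": len(burst_ips)})
        for e in evs:
            if e["action"] != "user.login":
                continue
            if parse_ts(e["ts"]).hour not in BUSINESS_HOURS:
                alerts.append({"rule": "off_hours_login", "actor": actor, "ip": e["ip"], "ts": e["ts"]})
            if e["ip"] in burst_ips:
                alerts.append({"rule": "login_after_burst", "actor": actor, "ip": e["ip"], "ts": e["ts"]})
    return alerts


def detect_permission_changes(events, external=EXTERNAL_ACCOUNTS, max_external="read"):
    """D1431: external account granted more than `max_external`, or any account granting itself access."""
    alerts = []
    for e in events:
        if e["action"] not in PERMISSION_EVENTS:
            continue
        granted = PERMISSION_RANK.get(e.get("permission"), 0)
        if e["target"] in external and granted > PERMISSION_RANK[max_external]:
            alerts.append({"rule": "external_overprivileged", "target": e["target"], "repo": e.get("repo"),
                           "permission": e["permission"], "by": e["actor"], "ts": e["ts"]})
        if e["actor"] == e["target"]:
            alerts.append({"rule": "self_grant", "target": e["target"], "repo": e.get("repo"),
                           "permission": e["permission"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_login_anomalies(SAMPLE_EVENTS) + detect_permission_changes(SAMPLE_EVENTS):
        print(a)
```

The login rule deliberately keys on distinct source addresses as well as raw failure counts, because spraying from several addresses is how an attacker stays under a per-IP lockout; the permission rule treats a self-grant as suspicious regardless of the level granted.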