T0149 - Delete repositories

A delete repository attack in a CI/CD pipeline is a type of denial-of-service (DoS) attack that targets the code repositories used by the pipeline. The goal of the attack is to delete the repositories or make them unavailable, thus disrupting the pipeline's ability to build and deploy software. Code repositories are an essential component of a typical CI/CD pipeline because they contain the source code for the application that is being built and deployed. In a delete repository attack, an attacker gains unauthorized access to the repositories and deletes the source code. This can cause significant disruptions to the pipeline, leading to delays in software releases or even complete downtime of the system.

ID: T0149
Type: Technique
Tactic: Impact
Summary: Delete repositories
State: Draft

Mitigations

ID: M1490
Type: Mitigation
Summary: Restrict the ability to delete repositories
Description: Restricting the ability to delete repositories protects the organization from intentional and unintentional data loss. This ensures that users cannot delete repositories or cause other potential damage — whether by accident or due to their account being hacked — unless they have the correct privileges. Limit repository deletion to a few trusted and responsible users.

ID: M1491
Type: Mitigation
Summary: Implement backup and recovery
Description: Implement a backup and recovery strategy for the code repositories used by the CI/CD pipeline. This can help you restore the code repositories in case they are deleted or become unavailable due to an attack.

ID: M1860
Type: Mitigation
Summary: Implement strong authentication mechanisms
Description: Authentication is the process of verifying the identity of a user or entity accessing the SCM system. Strong authentication typically involves using multiple factors to verify the user's identity, beyond just a username and password. This may include factors such as something the user knows (e.g., password), something the user has (e.g., smart card or token), and something the user is (e.g., biometric data like fingerprint or facial recognition). Multi-factor authentication (MFA) can significantly enhance the security of SCM systems by adding an additional layer of protection against unauthorized access.

ID: M1861
Type: Mitigation
Summary: Implement strong authorization mechanisms
Description: Strong authorization ensures that users only have access to the resources and actions that are necessary for their job functions and responsibilities, and nothing more. This can be achieved through proper access controls, such as role-based access control (RBAC) or attribute-based access control (ABAC), which define fine-grained permissions and privileges for users, groups, and repositories in the SCM system. Regularly review user permissions and remove all unnecessary permissions for specific users.

Detections

ID: D1490
Type: Detection
Summary: Monitor repository access
Description: Monitor the access logs for the code repositories used by the CI/CD pipeline. Look for unusual activity such as unauthorized access attempts, multiple failed login attempts, or access from unfamiliar IP addresses.

ID: D1590
Type: Detection
Summary: Implement continuous monitoring and logging of the CI/CD process
Description: Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
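
The checks named in D1490, combined with the deletion allowlist from M1490, can be run over SCM audit events as in the following added example, which is not part of the original entry. The event shape, the `repo.delete` action name, the user names, the IP baseline and the threshold are all assumptions constructed for illustration; map them to the fields your SCM's audit log actually emits.

```python
from collections import Counter

# Constructed sample events in a hypothetical, simplified audit-log shape.
SAMPLE_EVENTS = [
    {"actor": "alice", "ip": "10.0.0.5", "action": "login", "ok": True},
    {"actor": "bob", "ip": "203.0.113.7", "action": "login", "ok": False},
    {"actor": "bob", "ip": "203.0.113.7", "action": "login", "ok": False},
    {"actor": "bob", "ip": "203.0.113.7", "action": "login", "ok": False},
    {"actor": "bob", "ip": "203.0.113.7", "action": "login", "ok": True},
    {"actor": "bob", "ip": "203.0.113.7", "action": "repo.delete", "ok": True,
     "repo": "payments-api"},
    {"actor": "carol", "ip": "10.0.0.9", "action": "repo.delete", "ok": True,
     "repo": "old-sandbox"},
    {"actor": "dave", "ip": "10.0.0.12", "action": "repo.delete", "ok": False,
     "repo": "infra"},
]

# Assumed baseline of source IPs previously seen per user (constructed).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.6"},
             "carol": {"10.0.0.9"}, "dave": {"10.0.0.12"}}
DELETE_ALLOWED = {"carol"}      # M1490: the few users trusted to delete
FAILED_LOGIN_THRESHOLD = 3      # assumed alerting threshold

def detect(events, known_ips, delete_allowed, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (kind, actor, detail) alerts for the D1490 signals."""
    alerts = []
    failed = Counter()
    for e in events:
        actor, ip, action = e["actor"], e["ip"], e["action"]
        unfamiliar = ip not in known_ips.get(actor, set())
        if action == "login" and not e["ok"]:
            failed[actor] += 1
            if failed[actor] == threshold:      # alert once per actor
                alerts.append(("failed_logins", actor, ip))
        elif action == "login" and unfamiliar:
            alerts.append(("unfamiliar_ip", actor, ip))
        elif action == "repo.delete":
            if actor not in delete_allowed:
                # A successful delete here means the M1490 control is missing.
                kind = "unauthorized_delete" if e["ok"] else "denied_delete_attempt"
                alerts.append((kind, actor, e["repo"]))
            elif unfamiliar:
                alerts.append(("delete_from_unfamiliar_ip", actor, e["repo"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_IPS, DELETE_ALLOWED):
        print(alert)
```
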