The Trigger pipeline execution (Poisoned pipeline execution) attack abuses permissions against an SCM repository, in a way that causes a CI pipeline to execute malicious commands.
Users that have permissions to manipulate the CI configuration files, or other files which the CI pipeline job relies on, can modify them to contain malicious commands, ultimately poisoning the CI pipeline executing these commands.
Pipelines executing unreviewed code, for example those which are triggered directly off of pull requests or commits to arbitrary repository branches, are more susceptible to Trigger pipeline exectuion.
The reason is that these scenarios, by design, contain code which has not undergone any reviews or approvals.
Once able to execute malicious code within the CI pipeline, the attacker can conduct a wide array of malicious operations, all within the context of the pipelines identity.
ID:T0166
Type:Technique
Tactic:Execution
Summary:Trigger pipeline execution
State:Draft
Mitigations
ID
TYPE
SUMMARY
DESCRIPTION
M1660
Mitigation
Mitigation Isolate pipeline for unreviewed code Ensure that pipelines running unreviewed code are executed on isolated nodes, not exposed to secrets and sensitive environments.
For sensitive pipelines, for example those that are exposed to secrets, ensure that each branch that is configured to trigger a pipeline in the CI system has a correlating branch protection rule in the SCM. Each pipeline should only have access to the credentials it needs to fulfill its purpose. The credentials should have the minimum required privileges.
M1661
Mitigation
Mitigation Revoke user permissions Remove permissions granted on the SCM repository from users that do not need them.
Limit access to configuration files. Only grant access to users who need it to modify the configuration files.
M1662
Mitigation
Mitigation Evaluate pipeline execution permissions Evaluate the need for triggering pipelines on public repositories from external contributors.
Where possible, refrain from running pipelines originating from forks, and consider adding controls such as requiring manual approval for pipeline execution.
M1730
Mitigation
Mitigation Implement code reviews Code reviews are a valuable tool for improving code quality, reducing technical debt, and ensuring the security and reliability of software applications.
Most crucial changes should be reviewed and validated to ensure there are no any security risks. Code reviews can identify defects and vulnerabilities in the code before it's deployed, reducing the likelihood of security breaches, system failures, and other issues. Require code reviews for any changes to source code or configuration files, especially for those affecting the CI/CD pipeline.
M1732
Mitigation
Mitigation Implement code scanning for security risks Scanning pull requests to detect risks allows for early detection of vulnerable code and/or dependencies and helps mitigate potentially malicious code.
For every repository in use, enforce risk scanning on every pull request.
Detections
ID
TYPE
SUMMARY
DESCRIPTION
D1590
Detection
Detection Implement continuous monitoring and logging of the CI/CD process Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow.
This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
