The Recursive PR attack technique is a persistence tactic that involves an attacker submitting a pull request to a repository that contains a malicious code change.
Once the pull request is merged and the code change is deployed, the malicious code is executed and establishes a persistent presence in the CI/CD pipeline.
The attack works by creating a chain of pull requests where each subsequent pull request is used to modify the code introduced in the previous pull request.
This creates a recursive loop where the pipeline will continuously build and deploy new versions of the code that contain the attacker's modifications.
By doing so, the attacker can maintain a persistent presence in the CI/CD pipeline and potentially use it to execute further attacks.
ID:T0167
Type:Technique
Tactic:Persistence
Summary:Recursive PR
State:Draft
Mitigations
ID
TYPE
SUMMARY
DESCRIPTION
M1730
Mitigation
Mitigation Implement code reviews Code reviews are a valuable tool for improving code quality, reducing technical debt, and ensuring the security and reliability of software applications.
Most crucial changes should be reviewed and validated to ensure there are no any security risks. Code reviews can identify defects and vulnerabilities in the code before it's deployed, reducing the likelihood of security breaches, system failures, and other issues. Require code reviews for any changes to source code or configuration files, especially for those affecting the CI/CD pipeline.
Detections
ID
TYPE
SUMMARY
DESCRIPTION
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
D1590
Detection
Detection Implement continuous monitoring and logging of the CI/CD process Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow.
This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
