Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel.
Code repositories are often accessible via an API (ex: https://api.github.com, https://gitlab.com/api). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.
ID:T0168
Type:Technique
Tactic:Exfiltration
Summary:Exfiltration to code repositories
State:Draft
Mitigations
ID
TYPE
SUMMARY
DESCRIPTION
M1680
Mitigation
Mitigation Limit access to code repositories Limit the access to code repositories to only those who need it.
Use strong authentication and access control measures such as multi-factor authentication, role-based access control, and restricted access to only specific IP addresses.
Detections
ID
TYPE
SUMMARY
DESCRIPTION
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
D1590
Detection
Detection Implement continuous monitoring and logging of the CI/CD process Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow.
This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
D1680
Detection
Detection Monitor code repositories activity Monitoring activity in code repositories can help identify unusual or suspicious activity, such as large or unusual commits or code changes outside of normal work hours.
Detection Monitor code repositories activity Monitoring activity in code repositories can help identify unusual or suspicious activity, such as large or unusual commits or code changes outside of normal work hours.
AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
