Deploy keys are SSH keys used to authenticate a specific machine or service to a repository or codebase in an SCM system such as Git.
They are typically used to automate deployments or integrations between services and repositories.
In this technique, an attacker gains access to a machine on which a deploy key has been configured for access to a repository or codebase.
Once on that machine, the attacker can obtain the deploy key's private key and use it to access the repository or codebase from other machines or services, even after the original machine is no longer accessible to them.
This gives the attacker persistent access to the repository or codebase, allowing them to steal sensitive information, introduce malicious code or manipulate the codebase to conduct further attacks.
ID: T0178
Type: Technique
Tactic: Persistence
Summary: Deploy keys
State: Draft
Mitigations

ID: M1661
Type: Mitigation
Summary: Revoke user permissions
Description: Remove permissions granted on the SCM repository from users that do not need them. Limit access to configuration files: only grant access to users who need it to modify the configuration files.

ID: M1780
Type: Mitigation
Summary: Restrict access to machines with deploy keys
Description: Limit access to machines with deploy keys to only authorized personnel who need it to perform their duties.
ID: M1781
Type: Mitigation
Summary: Use dedicated machines for deploy keys
Description: Consider using dedicated machines for deploy keys and avoid using these machines for other purposes. This can help reduce the attack surface and make it easier to monitor for suspicious activity.

ID: M1782
Type: Mitigation
Summary: Securely store private keys
Description: Ensure that private keys associated with deploy keys are securely stored and are not accessible to unauthorized individuals or processes. Use strong encryption to protect private keys when they are not in use.

ID: M1783
Type: Mitigation
Summary: Rotate deploy keys regularly
Description: Rotate deploy keys regularly, just like any other authentication credential, to limit the exposure if a key is compromised.
Detections

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing an IDS and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations stay ahead of potential threats and reduce the risk of a security breach.

ID: D1780
Type: Detection
Summary: Monitor authentication logs
Description: Monitor authentication logs for any unusual activity, such as failed authentication attempts or successful logins from unusual locations or machines.
ID: D1781
Type: Detection
Summary: Audit and review deploy key access
Description: Regularly review and audit access to deploy keys and their associated repositories or codebases to identify any unusual activity or unauthorized access attempts.
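The log-monitoring detections above (D1780, D1781) can be made concrete as a check that each deploy key's fingerprint is only accepted from the host it was provisioned on, and that failed attempts with unknown keys are surfaced. This is an added example, not code from the original page; the OpenSSH-style log lines, the fingerprint placeholders and the DEPLOY_KEY_INVENTORY mapping are constructed assumptions.

```python
import re

# Constructed sample lines modelled on OpenSSH "Accepted/Failed publickey" entries (not real logs).
SAMPLE_LOG = """\
Mar 03 09:12:01 git-server sshd[4011]: Accepted publickey for git from 10.20.0.15 port 51234 ssh2: ED25519 SHA256:dk1FINGERPRINTplaceholder
Mar 03 09:14:22 git-server sshd[4020]: Accepted publickey for git from 10.20.0.15 port 51240 ssh2: ED25519 SHA256:dk1FINGERPRINTplaceholder
Mar 03 11:02:45 git-server sshd[4102]: Accepted publickey for git from 198.51.100.23 port 40022 ssh2: ED25519 SHA256:dk1FINGERPRINTplaceholder
Mar 03 11:03:10 git-server sshd[4103]: Failed publickey for git from 198.51.100.23 port 40023 ssh2: RSA SHA256:unknownKEYplaceholder
Mar 03 12:30:00 git-server sshd[4200]: Accepted publickey for git from 10.20.0.16 port 51300 ssh2: ED25519 SHA256:dk2FINGERPRINTplaceholder
"""

# Hypothetical inventory: which deploy key (by fingerprint) belongs to which repo and host(s).
DEPLOY_KEY_INVENTORY = {
    "SHA256:dk1FINGERPRINTplaceholder": {"repo": "payments-api", "hosts": {"10.20.0.15"}},
    "SHA256:dk2FINGERPRINTplaceholder": {"repo": "web-frontend", "hosts": {"10.20.0.16"}},
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: (?P<algo>\S+) (?P<fp>SHA256:\S+)$"
)

def parse_line(line):
    """Parse one sshd public-key auth line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_deploy_key_misuse(log_text, inventory):
    """Return alerts for known keys used from an unexpected host and for
    successful or failed auth attempts using keys not in the inventory."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        entry = inventory.get(ev["fp"])
        base = {"ts": ev["ts"], "src": ev["src"], "fp": ev["fp"]}
        if entry is None:
            kind = "accepted_unknown_key" if ev["result"] == "Accepted" else "failed_auth_unknown_key"
            alerts.append({**base, "repo": None, "kind": kind})
        elif ev["result"] == "Accepted" and ev["src"] not in entry["hosts"]:
            # The key is legitimate but is being used from a host it was never provisioned on.
            alerts.append({**base, "repo": entry["repo"], "kind": "key_used_from_unexpected_host"})
    return alerts
```

Feeding the real deploy-key inventory and the SCM host's sshd journal into find_deploy_key_misuse gives the per-key audit trail D1781 asks for; the unexpected-host alert is the signal that a key has left the machine it was issued to.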