Open Software Supply Chain Attack Reference (OSC&R)

T0182 - Bypass review using admin permission

The Bypass review using admin permission technique is a defense evasion tactic in which an attacker gains administrative access to a CI/CD pipeline and uses that access to bypass security reviews of code changes. In a typical CI/CD pipeline, code changes are subjected to automated and manual reviews before they are deployed; these reviews help detect and prevent the introduction of vulnerabilities or malicious code into the production environment. An attacker who holds administrative access to the pipeline can skip these reviews and inject malicious code directly into the final product. The technique is particularly dangerous because it defeats a critical security control and delivers code straight to the production environment, and because the code never passes through the normal review process, traditional security controls may not detect it.
ID: T0182
Type: Technique
Tactic: Defense Evasion
Summary: Bypass review using admin permission
State: Draft

Mitigations

ID: M1661
Type: Mitigation
Summary: Revoke user permissions
Description: Remove permissions granted on the SCM repository from users who do not need them. Limit access to configuration files; grant it only to users who need to modify those files.

ID: M1662
Type: Mitigation
Summary: Evaluate pipeline execution permissions
Description: Evaluate the need for triggering pipelines on public repositories from external contributors. Where possible, refrain from running pipelines originating from forks, and consider adding controls such as requiring manual approval for pipeline execution.

Detections

ID: D1260
Type: Detection
Summary: Implement regular security audit and review
Description: Conduct regular security audits and vulnerability assessments of your systems and storage configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies.

ID: D1261
Type: Detection
Summary: Implement penetration testing
Description: Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing an IDS and anti-malware software can help identify and block malicious activity. An IDS is a critical security tool that helps organizations detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, an IDS can help organizations stay ahead of potential threats and reduce the risk of a security breach.

ID: D1590
Type: Detection
Summary: Implement continuous monitoring and logging of the CI/CD process
Description: Continuous monitoring and logging of the CI/CD process can help organizations detect unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
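As an added example in the spirit of D1590 (not part of the OSC&R page or its references), the following Python detector walks a constructed SCM audit log and flags the three shapes this technique takes on a protected branch: an explicit branch-protection override, a pull request merged with fewer approvals than policy requires, and a direct push by an administrator. The event names (`protected_branch.policy_override`, `pull_request.merge`, `git.push`), field names and the `REQUIRED_APPROVALS` policy are assumptions modelled loosely on SCM audit exports, and the sample log is constructed.

```python
"""Flag audit events in which a change reached a protected branch without the
required review (defender-side detection for OSC&R T0182). Event and field names
are constructed for this example; map them onto your platform's real audit schema."""
from dataclasses import dataclass

REQUIRED_APPROVALS = 1           # approvals the branch policy is meant to enforce
PROTECTED = {"main", "release"}  # branches that must not receive unreviewed code


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    repo: str
    detail: str


def detect_review_bypass(events: list[dict]) -> list[Finding]:
    """Return one Finding per event where admin rights stood in for a review."""
    findings = []
    for ev in events:
        branch, actor, repo = ev.get("branch", ""), ev.get("actor", "?"), ev.get("repo", "?")
        if branch not in PROTECTED:
            continue  # unprotected branches need no review, so nothing to flag
        approvals = ev.get("approvals", 0)
        if ev["action"] == "protected_branch.policy_override":
            # an administrator explicitly overrode the branch protection rule
            findings.append(Finding("policy_override", actor, repo, f"override on {branch}"))
        elif ev["action"] == "pull_request.merge" and approvals < REQUIRED_APPROVALS:
            # merged with fewer approving reviews than the policy requires
            findings.append(Finding("merge_without_review", actor, repo,
                                    f"PR #{ev['pr']} merged with {approvals} approvals"))
        elif ev["action"] == "git.push" and ev.get("actor_role") == "admin":
            # a direct push to a protected branch skips the pull request entirely
            findings.append(Finding("direct_push", actor, repo, f"direct push to {branch}"))
    return findings


# Constructed sample audit log (not real data): five events, two of them benign.
SAMPLE_LOG = [
    {"action": "pull_request.merge", "actor": "dev1", "actor_role": "write", "repo": "org/app", "branch": "main", "pr": 41, "approvals": 2},
    {"action": "pull_request.merge", "actor": "admin1", "actor_role": "admin", "repo": "org/app", "branch": "main", "pr": 42, "approvals": 0},
    {"action": "protected_branch.policy_override", "actor": "admin1", "actor_role": "admin", "repo": "org/app", "branch": "release"},
    {"action": "git.push", "actor": "dev2", "actor_role": "write", "repo": "org/app", "branch": "feature/x"},
    {"action": "git.push", "actor": "admin1", "actor_role": "admin", "repo": "org/app", "branch": "main"},
]

if __name__ == "__main__":
    for finding in detect_review_bypass(SAMPLE_LOG):
        print(finding)
```

Running it against the sample log reports three findings, all attributed to `admin1`; the reviewed merge and the push to an unprotected feature branch are left alone.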

References

  1. https://docs.gitlab.com/ee/user/permissions.html
  2. https://www.cidersecurity.io/blog/research/bypassing-required-reviews-using-github-actions/