This technique involves searching for short-lived tokens that are issued during the CI/CD process and extracting them for later unauthorized use.
Short-lived tokens are commonly used in CI/CD systems to authenticate communication between components, such as the build server and the deployment server, or a pipeline job and the source repository it checks out.
An attacker can obtain these tokens from CI/CD logs (for example, verbose or debug output that echoes environment variables or request headers), variable groups, secure files and similar pipeline storage.
These tokens have a limited lifespan, but an attacker who captures one before it expires can use it to gain unauthorized access to the system or to the resources the token was issued for.
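The harvesting step described above, as an added example that is not part of the original page: a scan of build output for token-shaped strings, followed by a check of whether each token is still inside its validity window. The log lines and token values are constructed; only the public prefix formats (ghs_, ghp_, ASIA) are real conventions, the regexes themselves are assumptions, and the JWT is unsigned and built only to carry an `exp` claim. The same scan is what a secret-scanning control run over build logs would perform.

```python
"""Harvesting short-lived tokens from CI/CD build logs.

Added example, not code from the original page. The log lines and token
values below are constructed; the JWT is unsigned and exists only to
carry an `exp` claim. Only the public prefix formats (ghs_, ghp_, ASIA)
are real conventions; the regexes themselves are assumptions.
"""
import base64
import json
import re
import time

# Token shapes that commonly leak into build output.
TOKEN_PATTERNS = {
    # GitHub App installation token (what Actions' GITHUB_TOKEN is)
    "github_app_installation": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    # GitHub personal access token
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # AWS temporary (STS) access key id
    "aws_temporary_key": re.compile(r"\bASIA[0-9A-Z]{16}\b"),
    # Any JWT / OIDC id token: three base64url segments, header starts with '{"'
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a fake JWT for the sample log; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def jwt_expiry(token: str):
    """Return the exp claim (epoch seconds) of a JWT, or None if unreadable.

    No signature check: the harvester only needs to know whether the
    token is still within its validity window."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)          # restore base64 padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, IndexError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None


def harvest(log_lines, now=None):
    """Scan log lines for token-shaped strings.

    Returns one dict per hit: line number, token kind, the value and, for
    JWTs, whether the token is still usable at time `now`."""
    now = time.time() if now is None else now
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                hit = {"line": lineno, "kind": kind, "token": match.group(0)}
                if kind == "jwt":
                    exp = jwt_expiry(hit["token"])
                    hit["expires_at"] = exp
                    hit["usable"] = exp is not None and exp > now
                else:
                    hit["usable"] = None   # lifetime is not encoded in the value
                hits.append(hit)
    return hits


# Constructed sample: a fixed clock keeps the result deterministic.
NOW = 1_700_000_000
LIVE_JWT = make_unsigned_jwt({"sub": "repo:acme/app:ref:refs/heads/main", "exp": NOW + 600})
DEAD_JWT = make_unsigned_jwt({"sub": "repo:acme/app:ref:refs/heads/main", "exp": NOW - 3600})

SAMPLE_LOG = [
    "2024-01-01T10:00:01Z [build] Checking out repository",
    # debug logging echoing a git auth header: a classic leak
    "2024-01-01T10:00:02Z [debug] git -c http.extraheader='AUTHORIZATION: bearer ghs_"
    + "A" * 36 + "' fetch --depth=1",
    "2024-01-01T10:00:05Z [deploy] export AWS_ACCESS_KEY_ID=ASIA" + "Q" * 16,
    "2024-01-01T10:00:06Z [oidc] ACTIONS_ID_TOKEN=" + LIVE_JWT,
    "2024-01-01T09:00:06Z [oidc] previous run id token " + DEAD_JWT,
    "2024-01-01T10:00:09Z [build] done",
]

if __name__ == "__main__":
    for hit in harvest(SAMPLE_LOG, now=NOW):
        print(hit["line"], hit["kind"], "usable=" + str(hit["usable"]), hit["token"][:16] + "...")
```

Only the JWT carries its own lifetime; for the other token kinds the attacker learns whether the token still works only by trying it, which is exactly the API call a detection should be looking for.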
ID:T0183
Type:Technique
Tactic:Credential Access
Summary:Harvesting short-lived token
State:Draft
Mitigations

ID:M1120
Type:Mitigation
Summary:Store credentials in vault
Description:Sensitive data like credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. This integration usually requires an API token, username and password credential or other similar variable. Sometimes these sensitive credentials include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often do not understand the consequences of embedding these credentials in code. This is especially true for JavaScript applications that run client side, as these credentials are often visible by inspecting the JavaScript files running in the local browser.

ID:M1830
Type:Mitigation
Summary:Restrict access to short-lived tokens to only authorized users and components
Description:This can be achieved by using access controls and permissions within the CI/CD system.
Detections

ID:D1590
Type:Detection
Summary:Implement continuous monitoring and logging of the CI/CD process
Description:Continuous monitoring and logging of the CI/CD process can help organizations detect unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
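The baseline-and-compare approach described in D1590, as an added example that is not part of the original page: a harvested short-lived token is typically replayed outside the job it was issued to, so the detection joins each API call made with a token to that job's lifetime and origin. The audit records use a made-up schema, the runner address range is an assumption, and the events are constructed; real CI providers expose this data in their own audit-log formats.

```python
"""Detecting replay of a harvested short-lived CI token.

Added example, not code from the original page. The audit records use a
made-up schema (one record per API call made with a token, joined to
the pipeline job the token was issued to); real CI providers expose
this differently, and the runner address range is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class TokenUse:
    ts: int                 # epoch seconds of the API call
    token_id: str           # opaque id / hash of the token, never the secret
    job_id: str             # pipeline job the token was issued to
    job_start: int
    job_end: Optional[int]  # None while the job is still running
    source_ip: str
    action: str             # e.g. "git.fetch", "artifact.upload"


# Assumed address range of the organisation's CI runners.
RUNNER_NETWORKS = [ip_network("10.20.0.0/16")]


def build_baseline(history):
    """Baseline of normal behaviour: the set of actions seen in a clean window."""
    return {e.action for e in history}


def analyze(events, baseline, runner_networks=RUNNER_NETWORKS):
    """Return (token_id, ts, reasons) for every event deviating from baseline.

    A token presented outside its job's lifetime or from outside the
    runner network is the signature of a token copied out of the
    pipeline and replayed elsewhere."""
    alerts = []
    for e in events:
        reasons = []
        if e.job_end is not None and e.ts > e.job_end:
            reasons.append("used after the issuing job finished")
        if e.ts < e.job_start:
            reasons.append("used before the issuing job started")
        src = ip_address(e.source_ip)
        if not any(src in net for net in runner_networks):
            reasons.append(f"request from non-runner address {e.source_ip}")
        if e.action not in baseline:
            reasons.append(f"action {e.action!r} not in baseline")
        if reasons:
            alerts.append((e.token_id, e.ts, reasons))
    return alerts


# Constructed sample data.
T0 = 1_700_000_000
HISTORY = [  # a clean window of pipeline runs, compressed to four records
    TokenUse(T0 + 10,  "tok-1", "job-100", T0,       T0 + 300, "10.20.3.4", "git.fetch"),
    TokenUse(T0 + 120, "tok-1", "job-100", T0,       T0 + 300, "10.20.3.4", "artifact.upload"),
    TokenUse(T0 + 400, "tok-2", "job-101", T0 + 350, T0 + 700, "10.20.3.9", "git.fetch"),
    TokenUse(T0 + 600, "tok-2", "job-101", T0 + 350, T0 + 700, "10.20.3.9", "artifact.upload"),
]
RECENT = [
    # normal use inside the job window from a runner
    TokenUse(T0 + 1010, "tok-42", "job-200", T0 + 1000, T0 + 1300, "10.20.3.4", "git.fetch"),
    # new action, still from the runner during the job: worth a look, not a breach
    TokenUse(T0 + 1200, "tok-42", "job-200", T0 + 1000, T0 + 1300, "10.20.3.4", "deploy.write"),
    # the same token, 20 minutes after the job ended, from the internet
    TokenUse(T0 + 2500, "tok-42", "job-200", T0 + 1000, T0 + 1300, "203.0.113.7", "repo.secrets.list"),
]

if __name__ == "__main__":
    for token_id, ts, reasons in analyze(RECENT, build_baseline(HISTORY)):
        print(token_id, ts - T0, "; ".join(reasons))
```

The time-window rule is the one worth wiring to an automated alert: a short-lived token being accepted after its issuing job has finished means the token's lifetime outlived the job, and a copy of it is in someone else's hands.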