Another is the codecov breach, where the attack was made on their docker images and credentials, and the private data of thousands of customers were stolen. This shows that the consequences of successful attacks can be severe, as evidenced by these high-profile incidents. In response to these threats, Microsoft has conducted extensive research into the techniques that malicious actors may use to target DevOps environments.
This has resulted in the creation of a comprehensive threat matrix, which maps out potential attacker actions and provides defenders with a clear understanding of the threat landscape. By prioritizing security and implementing best practices, organizations can help ensure that their DevOps environments are protected against potential attacks.
What Is The DevOps Threat Matrix?
The DevOps threat matrix is a tool that helps DevOps teams identify and prioritize potential security threats to their software development and deployment processes. The matrix provides a framework for analyzing risks associated with various aspects of the DevOps pipeline, including code, infrastructure, and operational processes. It helps teams to evaluate risks based on likelihood and impact, thereby enabling them to develop strategies to address potential threats.
The DevOps threat matrix can be customized to suit specific organizational needs and can be used in conjunction with other security frameworks, such as the MITRE ATT&CK framework. Traditionally, security was seen as a separate entity from development and operations. Security teams were responsible for security, and developers were responsible for development. However, the DevOps approach to software development blurs the lines between development and operations, which means security is no longer a separate entity but is integrated into the entire process.
Microsoft’s DevOps Threat Matrix Approach
As the number of DevOps settings keeps growing, it is necessary to watch out for possible threats and holes. Microsoft made a full threat matrix for DevOps to help defenders keep track of important attack techniques and build defenses against them. Using the (MITRE ATT&CK) as a starting point, they put together a grid of attack methods for DevOps environments by collecting techniques and attack vectors related to DevOps environments.
It is vital to note that the tactics in their matrix must be examined from the DevOps perspective, as execution techniques in a virtual machine running Windows or Linux OS differ from execution in a DevOps pipeline. By using this danger matrix to organize attacks and the ways to defend against them, defenders and red teams can work together to constantly test assumptions and find new ways to attack.
The DevOps Threat Matrix Components
The DevOps threat matrix categorizes security threats that DevOps environments may encounter, with execution happening within the pipeline or DevOps resources. By leveraging this matrix to classify attacks and determine defense methods, defenders can work with red teams to continuously test assumptions and uncover new attack techniques. Below, we will explore the components of Microsoft’s DevOps threat matrix and how it enhances DevOps security.
The component of the DevOps threat matrix include;
- Initial access
- Privilege escalation
- Credential access
- Lateral movement
- Defense evasion
1. Initial access
The initial access tactic is a set of techniques that attackers use to gain access to the various resources involved in the DevOps process. These resources include repositories, pipelines, and dependencies. Before proceeding to other steps, attackers often employ certain techniques as preconditions. The first technique is SCM authentication, where the attacker gains access to the organization’s source code management using an authentication method like a personal access token or SSH key. The attacker may use a phishing attack to achieve this technique.
The second technique is CI/CD service authentication, where attackers leverage authentication to the CI/CD service to attack the organization’s DevOps. Thirdly, attackers may gain access to an organization’s public repositories that are made with CI/CD capabilities, which could trigger a pipeline run after a pull request is created. Fourthly, attackers can leverage an existing compromise to gain entry to the organization’s SCM, registry, or other resources to the developer has access to)
Lastly, attackers could use a company’s set-up webhooks as their first point of entry into the company’s network. This could give the attacker access to services that aren’t supposed to be open to the public or that are running old software versions that are insecure on the private network.
The execution tactic involves techniques attackers use to gain execution access to pipeline resources or deployment resources. One of these techniques is Poisoned Pipeline Execution (PPE), where attackers inject code into a repository’s CI/CD system resulting in code execution. There are different sub-techniques, including Direct PPE (d-PPE) and Indirect PPE (i-PPE), which allow attackers to modify configuration files or infect scripts used by the pipeline.
Dependency tampering is another technique where attackers inject malicious code into a repository’s dependencies to execute code in the DevOps or production environment. Sub-techniques used to achieve this include Public Dependency Confusion, Public Package Hijack, and Typosquatting. Attackers can also compromise DevOps resources, such as the pipeline’s compute resources, by exploiting vulnerabilities in the OS or other software installed in the VMs. Lastly, attackers can have control of a registry used by the organization, leading to malicious images or packages executed by the pipeline or production VMs.
The persistence tactic involves attackers using methods to maintain access to a victim’s environment. One technique is to change the repository using automatic tokens to push code and gain access. Sub-techniques include adding scripts to download a backdoor or starter code that executes each time the pipeline runs or modifying the pipeline configuration to download attacker-controlled scripts.
Attackers can also modify dependency locations to use their own packages or inject malicious code into artifacts shared between pipeline executions. They can also plant malicious code by modifying images in the registry. Finally, attackers can create service credentials by leveraging their access to the environment, such as creating an access token to the SCM, the application, or cloud resources, which can be used in case the initial access method is lost.
4. Privilege escalation
Privilege escalation techniques are employed by attackers to gain elevated privileges in a victim’s environment, thereby obtaining higher privileges for already compromised resources. These techniques include scanning private repositories for hidden secrets, leveraging permissive access to the repository to commit/push code directly to protected branches, and accessing metadata services from inside the pipeline to extract certificates and identities.
Private repositories are especially vulnerable to this attack since the secrets are hidden and inaccessible to outsiders. By pushing code directly to protected branches, attackers can inject code into important branches without requiring team intervention. Once attackers gain access to cloud-hosted pipelines, they can extract certificates and identities from metadata services using high privileges.
5. Credential access
Credential access techniques refer to the methods used by an attacker to steal credentials for accessing sensitive information. One common way to achieve this is by obtaining user credentials that are stored in the CI pipeline, such as through CI secrets or environment variables. These credentials may be needed to access external services like databases, making them attractive targets for attackers. Additionally, attackers may also search for service credentials like service principal names (SPN) and shared-access-signature (SAS) tokens, which provide direct access to other services from the pipeline.
6. Lateral movement
In CI/CD environments, attackers may use lateral movement tactics to move through different resources. This may involve compromising build artifacts, infecting registries with malicious images, and spreading to deployment resources. By gaining control of the CI pipelines, attackers can inject malicious code into the building materials before the building is done, allowing them to inject the malicious functionality into the build artifacts. They can also infect the registry with malicious images, which will later be downloaded and executed by containers using this registry. If the pipeline is wired with access to deployment resources, the attacker can spread and potentially execute code, exfiltrate data, and more, depending on the permissions granted to the pipelines.
7. Defense evasion
Attackers use defense evasion techniques to bypass the defenses in a DevOps environment and carry out attacks undetected. One such technique is service logs manipulation, where an attacker can change the logs to prevent defenders from observing the attack. Compilation manipulation is another technique where an attacker changes the compilation process to inject malicious code without leaving traces. This can be done by changing the code on the fly or tampering with the compiler. Additionally, attackers may reconfigure branch protections, which allow an organization to configure steps before a PR/commit is approved into a branch. By changing these configurations, attackers can introduce code into the branch without any user intervention.
In a DevOps environment, the impact tactic refers to techniques used by attackers to exploit access to CI/CD resources for malicious purposes. These techniques are not considered as another step in the attack since they could be easily detected. One such technique is the use of the compute resources gained in order to execute distributed denial of services (DDoS) attacks on external targets. Another technique is the use of the resources for cryptocurrency mining controlled by the adversary. Additionally, an attacker running on CI pipelines can perform a denial service attack from these pipelines to customers by shutting down agents, rebooting, or by overloading the VMs. Lastly, an attacker with access to resources such as cloud resources or repositories could permanently delete these resources to achieve denial of services.
Attackers can use different techniques to exfiltrate sensitive data from a victim’s environment, known as the exfiltration tactic. Once attackers have access to CI pipelines, they can gain access to private repositories, such as using the GITHUB_TOKEN in GitHub, and clone and access the code, leading to gaining access to private IP. The pipeline execution logs can also be accessed by the attacker, allowing them to view the access history, build steps, and potentially sensitive information like credentials to services or user accounts. In some cases, attackers can access production resources through the pipelines and can abuse this access to exfiltrate production data.
The DevOps threat matrix highlights the various attack tactics and techniques that malicious adversaries can use to exploit vulnerabilities in the DevOps pipeline. These threats can range from gaining initial access to the environment to maintaining persistence, exfiltrating sensitive data, and executing malicious code. The DevOps threat matrix serves as a valuable resource for DevOps teams, providing them with insights into the types of attacks they may face and the steps they can take to mitigate these risks. By understanding these threats, DevOps teams can implement robust security measures to safeguard their systems, infrastructure, and data against cyber attacks.