Keeping Secrets; Secret

Do you know where your secrets are?  Hopefully they remain with YOU.  If you tell just one other person your secret, then it is not a secret anymore.  Next question: where are your cyber secrets?  Don't know?  Well, hundreds of CISOs, CSOs, and security leaders, from small and large companies alike, do not know where their cyber secrets are either.  Regardless of the organization's size, certifications, tools, people, and processes, secrets are not visible in 99% of cases.

Keeping secrets is an obvious first thought when thinking about security in the development lifecycle.  Whether in the cloud or on premises, you know that your secrets are safely stored behind hard gates that few people can access.  It is not just a matter of common sense; it is also an essential compliance requirement for security audits and certifications.[1]

Developers working in an organization are well aware that secrets should be handled with special care.  They have put in place specific tools and procedures to correctly create, communicate, and rotate human or machine credentials.  Yet secrets sprawl everywhere in your systems, and faster than most realize.  Secrets are copied and pasted into configuration files, scripts, source code, or private messages without much thought.  Think about it: a developer hard-codes an API key to test a program quickly and accidentally commits and pushes their work to a remote repository.  Are you confident that the incident can be detected in a timely manner?

Insufficient audit and remediation capabilities are some of the reasons why secrets management is hard.  They are also the least addressed by security frameworks.  These grey areas where unseen vulnerabilities remain hidden for a long time are blatant holes in your defense layers.

Recognizing this gap, we developed a self-assessment tool to evaluate the size of this unknown. To take stock of your real security posture regarding secrets in your organization, take five minutes to answer the eight questions (it's completely anonymous).

Secrets Management Maturity Model - Sound secrets management is a crucial defensive tactic that requires some thought to build a comprehensive security posture.  Here is a framework to help security leaders make sense of their actual posture and adopt more mature enterprise secrets management practices in three phases:

  • Assessing secrets leakage risks
  • Establishing modern secrets management workflows
  • Creating a roadmap to improvement in fragile areas

The fundamental point addressed by this model is that secrets management goes well beyond how the organization stores and distributes secrets.  It is a program that needs not only to align people, tools, and processes, but also to account for human error.  Errors are not avoidable, but their consequences are.  That is why detection and remediation tools and policies, along with secrets storage and distribution, form the pillars of our maturity model.

The secrets management maturity model considers four attack surfaces of the DevOps lifecycle:

  • Developer environments
  • Source code repositories
  • CI/CD pipelines & artifacts
  • Runtime environments

Added to this is a maturity ramp-up over five levels, going from 0 (Uninitiated) to 4 (Expert).  Going from 0 to 1 is mostly about assessing the risks posed by insecure software development practices and starting to audit digital assets for hardcoded credentials.  At the intermediate level (level 2), secrets scanning is more systematic, and secrets are cautiously shared across the DevOps lifecycle.  Levels 3 (Advanced) and 4 (Expert) are focused on risk mitigation with clearer policies, better controls, and increased shared responsibility for remediating incidents.

Another core consideration for this framework is that making it hard to use secrets in a DevOps context will inevitably lead to the bypassing of the protective layers in place.  As with everything else in security, the answer lies between protection and flexibility.  This is why the use of a vault/secrets manager starts only at the intermediate level.  The idea is that a secrets manager should not be seen as a stand-alone solution but as an additional layer of defense.  To be effective, it requires other processes, like continuous scanning of pull requests, to be mature enough.
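To make the detection question concrete, for both the hard-coded API key accidentally pushed to a remote repository described earlier and the continuous scanning of pull requests mentioned here, the following is an added example and not code from the original article or from any scanning product. It scans only the lines a diff adds, uses a handful of illustrative rules (the AWS key format is real; the generic rule, entropy threshold, and the sample diff are constructed for this example), and redacts anything it reports so the finding itself does not become a second leak.

```python
import math
import re
# Rules are illustrative: a production scanner carries hundreds of patterns.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # Any identifier containing api_key/secret/token/password assigned a quoted value.
    "generic_secret": re.compile(
        r"(?i)\b\w*(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits/char; placeholders like "changeme" score lower

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def redact(value: str) -> str:
    """Never copy the full secret into findings, tickets or logs."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_diff(diff_text: str) -> list:
    """Scan only the lines a commit adds ('+' lines, excluding the '+++' header)."""
    findings = []
    for line_no, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        for rule, pattern in RULES.items():
            for m in pattern.finditer(raw[1:]):
                value = m.group(1) if m.groups() else m.group(0)
                # Generic matches are only reported when the value looks random
                if rule == "generic_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append({"line": line_no, "rule": rule, "match": redact(value)})
    return findings

# Constructed sample diff: every value below is made up for the example.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
+DB_PASSWORD = "changeme"
+api_key = "x9Ks2PqLm4vTz7RbW1nQ8yE3"
+KEY_MATERIAL = "-----BEGIN RSA PRIVATE KEY-----"
 timeout = 30
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the AWS-style key, the high-entropy `api_key` value and the private key header, while the low-entropy `changeme` placeholder is skipped; a hook that rejects the push when the list is non-empty turns the "can we detect it in time?" question into a yes.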

Here are some questions that this model should raise in order to help you evaluate your maturity:

  • How frequently are your production secrets rotated? How easy is it to rotate secrets?
  • How are secrets distributed at the development, integration, and production phase?
  • What measures are put in place to prevent the unsafe dissemination of credentials on local machines?
  • Do CI/CD pipelines' credentials adhere to the least privileges principle?
  • What are the procedures in place for when (not if) secrets are leaked?

Reviewing your secrets management posture should be top of mind in 2023.  First, everyone working with source code has to handle secrets, if not daily, at least once in a while.  Secrets are no longer the prerogative of security or DevOps engineers.  They are required by more and more people, from ML engineers and data scientists to product and ops teams, and beyond.  Second, if you don't find where your secrets are, hackers will.

Hackers will find your secrets - The risks posed to organizations failing to adopt mature secrets management practices cannot be overstated.  Development environments, source code repositories and CI/CD pipelines have become favorite targets for hackers, for whom secrets are a gateway to lateral movement and compromise.  Recent examples highlight the fragility of secrets management even in the most technologically mature organizations.

In September 2022, an attacker got access to Uber's internal network, where he found hardcoded admin credentials on a network drive.  The secrets were used for logging in to Uber's privileged access management platform, where many more plaintext credentials were stored throughout files and scripts.  The attacker was then able to take over admin accounts in AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne, and more.

In August 2022, the password manager LastPass fell victim to an attacker who gained access to its development environment by stealing the credentials of a software developer and impersonating that individual.  In December 2022, the firm disclosed that someone used that information to steal source code and customer data.

In 2022, source code leaks proved to be a true minefield for organizations: NVIDIA, Samsung, Microsoft, Dropbox, Okta, and Slack, among others, were victims of source code leaks.  In May 2022, investigators warned about the large volume of credentials that could be harvested by analyzing these codebases.  Armed with these, attackers can gain leverage and pivot into hundreds of dependent systems in what are known as supply chain attacks.

In January 2023, the continuous integration provider CircleCI was also breached, leading to the compromise of hundreds of customer environment variables, tokens, and keys.  The company urged its customers to immediately change their passwords, SSH keys, or any other secrets stored on or managed by the platform.  Still, before they can press the emergency button, victims need to find out where these secrets are and how they are being used!

The lesson from all these incidents is that attackers have realized that compromising machine or human identities gives a higher return on investment. They are all warning signs of the urgency to deal with hardcoded credentials and to dust off secrets management in general.

There is a saying in cybersecurity: "Encryption is easy, but key management is hard."  This still holds true today, although it is not just about encryption keys anymore.  The current hyper-connected services world relies on hundreds of types of keys, or secrets, to function properly.  Each of these is a potential attack vector if mismanaged.

Knowing where your secrets are, not just in theory but in practice, and how they are used along the software development chain is crucial for security.  To help you, we created a maturity model specifically about secrets distribution, leak detection, remediation process, and rotation habits.

The first step is always to get a clear audit of the organization's security posture regarding secrets: where and how are they used?  Where do they leak?  How to prepare for the worst?  This alone could prove to be a lifesaver in an emergency situation.   In the wake of recent attacks on development environments and business tools, companies that want to defend themselves effectively must ensure that the grey areas of their development cycle are cleared as soon as possible.

In the intelligence world, a secret is no longer a secret if you tell someone.  Interested in learning where your secrets may be found or for sale to the highest bidder?

Please visit:  https://www.redskyalliance.com/redpane

This is Red Sky Alliance's automatic dark web search engine.  REDPANE houses millions of indicators from 90+ underground sites, and we are adding new sites weekly.  Search dark websites such as black marketplaces, ransomware dump sites, and cybercrime forums.  REDPANE allows for constant edits of the search terms to increase results for searched items, such as names, data, databases and files.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

[1] https://thehackernews.com/2023/01/you-dont-know-where-your-secrets-are.html
