Threat matrix for CI/CD Pipeline
https://github.com/rung/threat-matrix-cicd


# Common Threat Matrix for CI/CD Pipeline
This is an ATT&CK-like matrix focused on risks specific to CI/CD pipelines.
[MITRE ATT&CK®](https://attack.mitre.org/) is a knowledge base of adversary tactics and techniques.
To map the threats to CI/CD pipelines, I use the same classification as the framework.
(Feedback is welcome)

## Table of Contents
- [Background](#background)
- [Threat Matrix](#threat-matrix)
- [Components of CI/CD](#components-of-cicd)
- [Techniques and Mitigation](#techniques-and-mitigation)
  - [Initial Access](#initial-access)
  - [Execution](#execution)
  - [Execution (Production)](#execution-production)
  - [Persistence](#persistence)
  - [Privilege Escalation](#privilege-escalation)
  - [Defense Evasion](#defense-evasion)
  - [Credential Access](#credential-access)
  - [Lateral Movement](#lateral-movement)
  - [Exfiltration](#exfiltration)
  - [Impact](#impact)
- [Common Question](#common-question)
  - [Supply-chain attacks are the only risk of CI/CD pipeline, correct?](#supply-chain-attacks-are-the-only-risk-of-cicd-pipeline-correct)

## Background
This threat map is published in conjunction with the presentation “[Attacking and Securing CI/CD Pipeline](https://speakerdeck.com/rung/cd-pipeline)” at CODE BLUE 2021 Opentalks.
The purpose of this matrix is to share knowledge on securing CI/CD environments with the cybersecurity community.
This matrix was created by the Mercari Security Team and reviewed by the Platform Team.

## Threat Matrix
![threat matrix](images/matrix.png "threat matrix")

## Components of CI/CD
![components](images/components.png "components")

| Name | Tools |
|------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| Device | - Developer Workstation: Mac/Win/Cloud-based |
| Git Repository Service | - GitHub, GitLab |
| CI | - CI/CD Services (e.g. CircleCI, Cloud Build, CodeBuild, GitHub Actions) |
| CD | - CI/CD Services (e.g. CircleCI, Cloud Build, CodeBuild, GitHub Actions)<br>- CD Services (e.g. Spinnaker, ArgoCD) |
| Secret Management | - Secret Management Services (e.g. AWS Secret Manager, GCP Secret Manager, HashiCorp Vault) |
| Production environment | - Cloud Services (e.g. AWS, Google Cloud, Microsoft Azure)<br>- Other Resources (e.g. Container Registry, Linux Server, Kubernetes) |

## Techniques and Mitigation
### Initial Access


| Techniques | Description | Mitigation |
|---|---|---|
| Supply Chain Compromise on CI/CD | Supply chain attacks on application libraries, tools, and container images in CI/CD pipelines. | 1. (CI, CD) Limit egress connections via Proxy or IP Restriction<br>2. (CI, CD) Audit Logging of activities<br>3. (CI, CD) Security Monitoring using IDS/IPS, and EDR<br>4. (CI, CD) Check each tool’s integrity<br>5. (CI, CD) Don’t allow untrusted libraries or tools |
| Valid Account of Git Repository<br>(Personal Token, SSH key, Login password, Browser Cookie) | Use a developer’s credentials to access the Git Repository Service<br>(Personal token, SSH key, browser cookie, or login password is stolen) | 1. (Device) Device security is out of scope<br>2. (Git Repository) Network Restriction<br>3. (Git Repository) Limit access permission of each developer (e.g. no write permission, limited read permission)<br>4. (CI, CD) Use GitHub App and enable IP restriction |
| Valid Account of CI/CD Service<br>(Personal Token, Login password, Browser Cookie) | Use SSH key or Tokens to access CI/CD Service Servers directly | 1. (CI, CD) Strict access control to CI/CD pipeline servers<br>2. (CI, CD) Hardening CI/CD pipeline servers |
| Valid Admin account of Server hosting Git Repository | Use SSH key or Tokens to access the Server hosting Git Repository | 1. (Git Repository) Strict access control to server hosting Git Repository<br>2. (Git Repository) Hardening git repository servers |


### Execution


| Techniques | Description | Mitigation |
|---|---|---|
| Modify CI/CD Configuration | Modify CI/CD Configuration on Git Repository<br>(CircleCI: `.circleci/config.yml`, CodeBuild: `buildspec.yml`, CloudBuild: `cloudbuild.yaml`, GitHub Actions: `.github/workflows/*.yaml`) | 1. (Git Repository) Only allow pushing of signed commits<br>2. (CI, CD) Disallow CI/CD config modification without review (CI/CD must not follow changes of a branch without review)<br>3. (CI, CD) Add signature to CI/CD config and verify it<br>4. (CI, CD) Limit egress connections via Proxy and IP restrictions<br>5. (CI, CD) Audit Logging of activities<br>6. (CI, CD) Security Monitoring using IDS/IPS, and EDR |
| Inject code to IaC configuration | For example, Terraform allows code execution and file inclusion. The code is executed during CI (plan stage).<br>Code Execution: Provider installation (put provider binary with .tf), Use External provider<br>File inclusion: file Function | 1. (Git Repository) Only allow pushing of signed commits<br>2. (CI, CD) Restrict dangerous code through Policy as Code<br>3. (CI, CD) Restrict untrusted providers<br>4. (CI, CD) Limit egress connections via Proxy and IP restrictions<br>5. (CI, CD) Audit Logging of activities<br>6. (CI, CD) Security Monitoring using IDS/IPS, and EDR |
| Inject code to source code | Application executes test code during CI | 1. (CI, CD) Restrict dangerous code through Policy as Code<br>2. (CI, CD) Limit egress connections via Proxy and IP restrictions<br>3. (CI, CD) Audit Logging of activities<br>4. (CI, CD) Security Monitoring using IDS/IPS, and EDR |
| Supply Chain Compromise on CI/CD | (Repeated) | |
| Inject bad dependency | Inject bad dependency | 1. (CI, CD) Code checks by SCA (Software composition analysis)<br>2. (CI, CD) Restrict untrusted libraries and tools<br>3. (CI, CD) Limit egress connections via Proxy and IP restrictions<br>4. (CI, CD) Audit Logging of activities<br>5. (CI, CD) Security Monitoring using IDS/IPS, and EDR |
| SSH to CI/CD pipelines | Connect to CI/CD pipeline servers via SSH or Valid Token | 1. (CI, CD) Implement strict access control to CI/CD pipeline servers<br>2. (CI, CD) Disallow SSH access |


### Execution (Production)


| Techniques | Description | Mitigation |
|---|---|---|
| Modify the configuration of Production environment | Modify the configuration of Production environment via stolen credentials | 1. (Secret Manager) Rotate credentials regularly or issue temporary tokens only<br>2. (Production environment) Network Restriction to Cloud API<br>3. (Production environment) Enable Audit Logging<br>4. (Production environment) Security Monitoring of data access<br>5. (Production environment) Enforce principle of least privilege to issued credentials<br>6. (Production environment) Rate limiting |
| Deploy modified applications or server images to production environment | Deploy modified applications or server images (e.g. container image, function, VM image) to production environment via stolen credentials | 1. (Secret Manager) Rotate credentials regularly or issue temporary tokens only<br>2. (Git Repository) Require multi-party approval (peer review)<br>3. (Production environment) Verify signature of artifacts<br>4. (Production environment) Network Restriction to Cloud API<br>5. (Production environment) Enable Audit Logging<br>6. (Production environment) Security Monitoring of deployment<br>7. (Production environment) Enforce principle of least privilege to issued credentials<br>8. (Production environment) Rate limiting |



### Persistence


| Techniques | Description | Mitigation |
|---|---|---|
| Compromise CI/CD Server | Compromise CI/CD Server from pipeline | 1. (CI, CD) Clean environment created on every pipeline run |
| Implant CI/CD runner images | Implant container images for CI/CD with malicious code to establish persistence | 1. Use signed/trusted CI runners only<br>2. Implement strict access controls to container registry<br>3. (CI, CD) Audit Logging of activities |
| (Modify CI/CD Configuration) | (Repeated) | |
| (Inject code to IaC configuration) | (Repeated) | |
| (Inject code to source code) | (Repeated) | |
| (Inject bad dependency) | (Repeated) | |



### Privilege Escalation


| Techniques | Description | Mitigation |
|---|---|---|
| Get credential for Deployment(CD) on CI stage | Get high privilege credential in CI stage (not CD) | 1. (CI, CD) Limit the scope of credentials in each step.<br>2. (CI) Always enforce Least Privilege. CI (not CD) must not have credentials for deployment<br>3. (CI, CD) Use different Identities between CI and CD<br>4. (CI, CD) Maintain strong isolation between CI and CD |
| Privileged Escalation and compromise other CI/CD pipeline | Privilege Escalation from CI/CD Environment to other components | 1. (CI, CD) Hardening of CI/CD pipeline servers<br>2. (CI, CD) Isolate CI/CD pipeline from other systems. |



### Defense Evasion


| Techniques | Description | Mitigation |
|---|---|---|
| Add Approver using Admin permission | Change Approver using Git Repository Service Admin permission | 1. (Git Repository) Limit admin users<br>2. (Git Repository) Require multi-party approval (peer review) |
| Bypass Review | Bypass Peer Review of Git Repository | 1. (Git Repository) Restrict repository admin from pushing to main branch without a review<br>2. (CD) Require additional approval from reviewer to kick CD |
| Access to Secret Manager from CI/CD kicked by different repository | Use a CI/CD system in a different repository to leverage stolen credentials to access secret manager | 1. (Secret Manager) Restrict and separate access from different workloads |
| Modify Caches of CI/CD | Implant bad code to caches of CI/CD pipeline | 1. (CI, CD) Clean environment on every pipeline run |
| Implant CI/CD runner images | (Repeated) | |



### Credential Access


| Techniques | Description | Mitigation |
|---|---|---|
| Dumping Env Variables in CI/CD | Dump Environment Variables in CI/CD | 1. (CI, CD) Don’t use environment variables for storing credentials<br>2. (Secret Manager) Use secret manager which has network restriction<br>3. (Secret Manager) Enable Audit Logging<br>4. (Secret Manager) Security Monitoring to detect malicious activity<br>5. (Secret Manager) Rotate credentials regularly or issue temporary tokens only<br>6. (CI, CD) Enable Audit Logging<br>7. (CI, CD) Security Monitoring using IDS/IPS, and EDR |
| Access to Cloud Metadata | Access to Cloud Metadata to get access token of Cloud resources | 1. (CI, CD) Restrict metadata access from suspicious processes<br>2. (Secret Manager) Use secret manager which has network restriction<br>3. (Secret Manager) Enable Audit Logging<br>4. (Secret Manager) Security Monitoring to detect malicious activity<br>5. (Secret Manager) Rotate credentials regularly or issue temporary tokens only<br>6. (CI, CD) Enable Audit Logging<br>7. (CI, CD) Security Monitoring using IDS/IPS, and EDR |
| Read credentials file | Read credentials file mounted in CI/CD pipeline | 1. (CI, CD) Disable or mask contents of files in results of CI/CD<br>2. (Secret Manager) Use secret manager which has network restriction<br>3. (Secret Manager) Enable Audit Logging<br>4. (Secret Manager) Security Monitoring to detect malicious activity<br>5. (Secret Manager) Rotate credentials regularly or issue temporary tokens only<br>6. (CI, CD) Enable Audit Logging<br>7. (CI, CD) Security Monitoring using IDS/IPS, and EDR |
| Get credential from CI/CD Admin Console | See credential from CI/CD admin console | 1. (CI, CD) Don’t use CI/CD services that expose credentials from the system console |



### Lateral Movement


| Techniques | Description | Mitigation |
|---|---|---|
| Exploitation of Remote Services | Exploit services from CI/CD Pipeline | 1. (CI, CD) Isolate CI/CD pipeline systems from other services |
| (Monorepo) Get credential of different folder's context | In monorepo architecture of Git Repository, there are many approvers.<br>Need to set access controls carefully | 1. (Git Repository) Set approver for each folder<br>2. (CI, CD, Secret Manager) Avoid sharing CI/CD environment and credentials between different folders.<br>3. (CI, CD) should be isolated by environment folder or context |
| Privileged Escalation and compromise other CI/CD pipeline | (Repeated) | |






### Exfiltration


| Techniques | Description | Mitigation |
|---|---|---|
| Exfiltrate data in Production environment | Exfiltrate data in Production environment via stolen credentials | 1. (CI/CD) Don’t put data access credentials in CI/CD<br>2. (Production environment) Network Restriction to Cloud API<br>3. (Production environment) Enable Audit Logging<br>4. (Production environment) Security Monitoring of data access<br>5. (Production environment) Enforce principle of least privilege to issued credentials<br>6. (Production environment) Rate limiting |
| Clone Git Repositories | Exfiltrate data from Git Repositories | 1. (Git Repository) Network Restriction<br>2. (Git Repository) Use temporary tokens instead of long life static tokens<br>3. (Git Repository) Limit access permission of each developer (e.g. no write permission, limited read permission)<br>4. (Git Repository) Enable Audit Logging<br>5. (Git Repository) Security Monitoring of data access<br>6. (Git Repository) Rate limiting |



### Impact


| Techniques | Description | Mitigation |
|---|---|---|
| Denial of Services | Denial of Services of CI/CD pipeline | 1. (CI, CD) Scalable Infrastructure |




## Common Question
### Supply-chain attacks are the only risk of CI/CD pipeline, correct?

Supply-chain attacks are one of the most serious risks, but they are not the only risk for CI/CD pipelines. The entire attack surface needs to be considered. See my slides, “[Attacking and Securing CI/CD Pipeline](https://speakerdeck.com/rung/cd-pipeline)”, for the risks of CI/CD pipelines.