In early January, development-pipeline service provider CircleCI warned users of a security breach, urging companies to immediately change the passwords, SSH keys, and other secrets stored on or managed by the platform.
The attack on the DevOps service left the company scrambling to determine the scope of the breach, limit attackers’ ability to modify software projects, and determine which development secrets had been compromised. In the intervening days, the company rotated authentication tokens, changed configuration variables, worked with other providers to expire keys, and continued investigating the incident.
“At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well,” the company stated in an advisory last week.
The CircleCI compromise is the latest incident that underscores attackers’ increasing focus on fundamental enterprise services. Identity services, such as Okta and LastPass, have disclosed compromises of their systems in the past year, while developer-focused services, such as Slack and GitHub, hastened to respond to successful attacks on their source code and infrastructure as well.
The glut of attacks on core enterprise tools highlights the fact that companies should expect these types of providers to become regular targets in the future, says Lori MacVittie, a distinguished engineer and evangelist at cloud security firm F5.
“As we rely more on services and software to automate everything from the development build to testing to deployment, these services become an attractive attack surface,” she says. “We don’t think of them as applications that attackers will focus on, but they are.”
Identity & Developer Services Under Cyberattack
Attackers lately have focused on two major categories of services: identity and access management systems, and developer and application infrastructure. Both types of services underpin critical aspects of enterprise infrastructure.
Identity is the glue that connects every part of an organization as well as connecting that organization to partners and customers, says Ben Smith, field CTO at NetWitness, a detection and response firm.
“It doesn’t matter what product, what platform, you are leveraging … adversaries have recognized that the only thing better than an organization that specializes in authentication is an organization that specializes on authentication for other customers,” he says.
Developer services and tools, meanwhile, have become another oft-attacked enterprise service. In September, a threat actor gained access to the Slack channel for the developers at Rockstar Games, for instance, downloading videos, screenshots, and code from the upcoming Grand Theft Auto 6 game. And on Jan. 9, Slack said that it discovered that “a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository.”
Because identity and developer services often give access to a wide variety of corporate assets — from application services to operations to source code — compromising those services can be a skeleton key to the rest of the company, NetWitness’s Smith says.
“They are very very attractive targets, which represent low-hanging fruit,” he says. “These are classic supply chain attacks — a plumbing attack, because the plumbing is not something that is visible on a daily basis.”
For Cyberdefense, Manage Secrets Wisely & Establish Playbooks
Organizations should prepare for the worst and recognize that there are no simple ways to prevent the impact of such wide-ranging, impactful events, says Ben Lincoln, managing senior consultant at Bishop Fox.
“There are ways to protect against this, but they do have some overhead,” he says. “So I can see developers being reluctant to implement them until it becomes evident that they are necessary.”
Among the defensive tactics, Lincoln recommends the comprehensive management of secrets. Companies should be able to “push a button” and rotate all necessary password, keys, and sensitive configuration files, he says.
“You need to limit exposure, but if there is a breach, you hopefully have a push button to rotate all those credentials immediately,” he says. “Companies should plan extensively in advance and have a process ready to go if the worst thing happens.”
Organizations can also set traps for attackers. A variety of honeypot-like strategies allow security teams to have a high-fidelity warning that attackers may be in their network or on a service. Creating fake accounts and credentials, so-called credential canaries, can help detect when threat actors have access to sensitive assets.
In all other ways, however, companies need to apply zero-trust principles to reduce their attack surface area of — not just machines, software, and services — but also operations, MacVittie says.
“Traditionally, operations was hidden and safe behind a big moat [in the enterprise], so companies did not pay as much mind to them,” she says. “The way that applications and digital services are constructed today, operations involve a lot of app-to-app, machine-to-app identities, and attackers have started to realize that those identities are as valuable.”