28/4/2022

Yet Another Major Supply Chain Attack: GitHub

On April 12th, GitHub publicly announced they’d uncovered evidence of an attacker abusing stolen OAuth user tokens – which were issued to two third-party OAuth integrators, Heroku and Travis-CI – to download data from dozens of their customers. Third-party applications are not always as innocent as they might seem. The applications maintained by these two platform service providers were used by GitHub users, which makes this breach a new addition to the growing list of recent attacks that utilized unauthorized access to target suppliers' systems.

GitHub’s analysis of the threat actor's behaviors suggests that they mined the downloaded private repository (GitHub’s own npm) contents. These “behaviors” were mainly read operations, which made them extremely difficult to track, as the threat actor did not mutate anything. The attacker scanned the code within the private repos to which the stolen OAuth tokens had access, seeking out secrets that could be used to pivot into other infrastructure – a classic supply chain example. GitHub is now performing damage control and urging its customers to scan their private repos for any credentials stored within, among other standard security recommendations.

As stated in their announcement:

“We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves.” - GitHub

Uh-oh. 

GitHub hasn't disclosed how they became aware of the attack, when it actually unfolded, or how the attackers succeeded in gaining access to the OAuth applications in the first place. Monitoring all aspects of your supply chain is no easy feat. But there are steps organizations can take to prevent unauthorized access to business-critical resources and mitigate the risk of supply chain attacks.

Here are a few countermeasures to consider: 

  1. Establish full visibility: You can’t protect what you don’t know exists, or can’t see. Having strong visibility into the full IT estate, especially business-critical resources such as Software as a Service (SaaS) applications, is critical. You should be able to gain full awareness of every identity and entity – individual or organization, internal or external – that has access to your organization’s crown jewels (its sensitive data). Knowing who has access to what – and to what level they have access – is the first step in preventing unauthorized users from accessing sensitive resources.
  2. Correlate events and activities: Once you have visibility, being able to aggregate and correlate all events and activities will help identify indicators of compromise, malicious activities, data loss or leakage and many other potential negative outcomes. From there, establish a baseline of data access across the entire stack, and extract the business context of every interaction. This patterning provides the insight required to understand if activity is part of the normal course of doing business, or actually exposes some level of risk. Once the risky activity has been identified, IT and security teams should be alerted automatically to monitor and review the events. Correlating events and various data points, and incorporating insightful contextual data, should drive these meaningful security alerts, which should be prioritized and handled as soon as possible to reduce the Mean Time to Respond (MTTR).
  3. Implement automated remediation: Now that we can see everything, and we've extracted the business context from each event to understand what is actually taking place, the next logical step is doing what you can to prevent the negative outcomes listed above. Automate what needs to be automated, and do it through pre-defined secure workflows. There should always be room for manual intervention by the security operations team to take whatever action is necessary (which can be more easily achieved once you have full visibility). Implementing least privilege access – providing and revoking as necessary – and doing it in an automated fashion will strengthen your approach in preventing unauthorized access to critical data.
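The baselining described in step 2, applied to the read-only activity that made this incident hard to track, as an added example that is not from the original post or from any vendor's product. The event tuples, the app names and the `factor` threshold are constructed assumptions, not a real audit log schema.

```python
from collections import defaultdict
from datetime import datetime

READ_ACTIONS = {"clone", "fetch", "download_zip"}  # reads only; nothing is mutated
# Constructed events: (timestamp, OAuth app, action, repo). Hypothetical schema.
BASELINE_EVENTS = [
    ("2022-03-01T09:00:00", "ci-integration", "clone", "org/web"),
    ("2022-03-01T09:05:00", "ci-integration", "fetch", "org/api"),
    ("2022-03-02T10:00:00", "ci-integration", "clone", "org/web"),
    ("2022-03-02T10:30:00", "ci-integration", "push", "org/web"),
]
NEW_EVENTS = [
    ("2022-03-10T03:00:00", "ci-integration", "clone", "org/web"),
    ("2022-03-10T03:01:00", "ci-integration", "clone", "org/api"),
    ("2022-03-10T03:02:00", "ci-integration", "clone", "org/billing"),
    ("2022-03-10T03:03:00", "ci-integration", "clone", "org/infra"),
    ("2022-03-10T03:04:00", "ci-integration", "download_zip", "org/payments"),
    ("2022-03-10T11:00:00", "deploy-app", "fetch", "org/web"),
]

def reads_by_app_day(events):
    """Map (app, date) -> set of repos read through that app's tokens."""
    seen = defaultdict(set)
    for ts, app, action, repo in events:
        if action in READ_ACTIONS:
            seen[(app, datetime.fromisoformat(ts).date())].add(repo)
    return seen

def build_baseline(events):
    """Per app: repos normally read, and the peak count of distinct repos read in a day."""
    known, peak = defaultdict(set), defaultdict(int)
    for (app, _day), repos in reads_by_app_day(events).items():
        known[app] |= repos
        peak[app] = max(peak[app], len(repos))
    return known, peak

def flag_anomalies(known, peak, events, factor=2):
    """Alert on reads of repos outside the baseline and on read-volume spikes."""
    alerts = []
    for (app, day), repos in sorted(reads_by_app_day(events).items()):
        new_repos = sorted(repos - known[app])
        if new_repos:
            alerts.append((app, str(day), "new_repos", new_repos))
        if len(repos) > factor * max(peak[app], 1):
            alerts.append((app, str(day), "read_volume", len(repos)))
    return alerts

if __name__ == "__main__":
    print(*flag_anomalies(*build_baseline(BASELINE_EVENTS), NEW_EVENTS), sep="\n")
```

An app with no baseline at all (here `deploy-app`) is flagged on its first read, which ties this check back to the inventory in step 1.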

Today, DoControl provides a complete inventory of identities and events for end-to-end visibility of every interaction and connection – for all flesh-and-blood SaaS users. From there, we enable the creation of very granular data access control policies to remediate the risk of data exfiltration and overexposure. It is a natural evolution to expand our reach into non-human identities, as well as to cover third-party applications of the integrated SaaS apps. This will allow the potential risk those apps might expose (i.e. invalid tokens, extensive or unused permissions, listed versus unlisted apps, etc.) to be identified and blocked. As a first phase we've launched a Microsoft third-party apps view (see the image below, which was a part of the recent DoControl hackathon), and for phase two we are going to expand to additional applications, including Slack, Google, and GitHub. Beyond providing the visibility you need, we further provide support for on-demand remediation (i.e. removal of apps/tokens) and for relevant event digestion feeding workflow automation (i.e. notification, remediation and delegation to other controls).

The trend of supply-chain-based attacks continues to rise – and for good reason. These attacks have a one-to-many cardinality: you compromise one victim organization (the supplier) and gain an entry point into some or all of its customers (the consumers of the service provider). The GitHub attack proves the importance of protecting the supply chain, and ensuring the companies your organization is partnering with are as committed to that protection as you are. Preventing this kind of attack is a challenge, but doing nothing is folly. Learn more about how DoControl can help close SaaS application security gaps and strengthen security programs to mitigate the risk of supply chain attacks.

Liel Ran is the Co-Founder and Chief Technology Officer of DoControl. Liel brings 10 years of experience in large-scale system architecture design, multi-cloud engineering, DevOps, and technical leadership. Prior to founding DoControl, Liel was a Software and Cloud Architect at Amenity Analytics, where he led software architecture design for multiple large-scale and big data applications, as well as migration from legacy systems to cloud-native applications based on microservices and serverless technologies.

Before Amenity Analytics, Liel was a Technical Lead and the first engineering hire at Hibob, where he led engineering design and implementation for building a SaaS product and scaling the user base from 0 to 100K monthly. In addition, Liel led Hibob’s AWS migration to meet compliance requirements, such as GDPR, SOC, and ISO. Before Hibob, Liel was a team leader at Kenshoo, where he led the company effort to migrate from on-prem to AWS, building cloud applications and implementing 500 CI/CD pipelines used by 250 engineers daily.

Liel likes to learn new technologies and attend tech conferences. He loves to travel with his two sons and wife, and loves practicing guitar. Liel holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo.
