SECURITY

Securing DevSecOps - Threat Research Release October 2021

DevSecOps stands for Development, Security and Operations. This is a practice aimed to automate or design security integration throughout the software development lifecycle or workflow.

Nowadays, collaborative frameworks and projects that share security protocols from end to end are really common, so DevSecOps practices attempt to emphasize building infrastructure with a strong security foundation and stable automation workflow and phases.

Watch the video below to learn more about Securing DevSecOps.

 

Some of the tools and workflow we used to illustrate the DevSecOps lifecycle are shown below:

  • GDrive (Plan Phase): plan,track and manage software development of this project
  • GitHub (Code Phase): Contains the version controlled code
  • Semgrep (Build Phase): Code Quality, Code Security, Vulnerability Scanning of the application
  • CircleCI (Test Phase): CI/CD pipelines
  • AWS Elastic Container Registry (Release Phase): Storage of Docker Images used for the application
  • Kube-Hunter (Deploy Phase): Security Scanner for Kubernetes Cluster
  • Kubernetes (Operate Phase): Container Deployment, Scaling and Management
  • Splunk (Monitor Phase): To monitor all these tools

The goal of this blog is to focus on detecting various suspicious scenarios or anomalies that may happen within the phases of the DevSecOps lifecycle: Plan, Code, Build, Test, Release, Deploy, Operate and Monitor.

In order to accomplish this, Splunk Threat Research Team created a simple proof-of-concept web application to collect events and study the phases of DevSecOps lifecycle. The architecture for this simple web application can be seen below:


The website built on a modern web development stack looks like this:



With this proof-of-concept and other system that may give us insight to the DevSecOps phases, we develop detections that includes the following:

These detections are designed to leverage AWS logs to monitor AWS Elastic Container Service (ECR) events for possible anomalies and suspicious behavior in the Release phase of DevSecOPs:

Detections related to bypassing circle CI security features to stop or disturb the Build phase of the workflow:

Detections for possible anomalies and suspicious modification or pulling of code and disabling security features in github Code phase workflow:

Detections for suspicious GSuite events as part of the initial stage of attack  or Plan phase of the DevSecOps workflow:

And these detections are designed for suspicious events happening in the Deploy or Operate Phase of the DevSecOps workflow.

A Summary of all Detections In Security Content for the Dev Sec Ops Analytics 

 

Name

Technique ID

Tactic

Description

CircleCI Disable Security Job 

T1554

Persistence

This search looks for disable security jobs in the CircleCI pipeline.

CircleCI Disable Security Step

T1554

Persistence

This search looks for disable security step in the CircleCI pipeline.

GitHub Commit Changes In Master 

T1199

Initial Access

This search is to detect push or commit to master or main branch.

GitHub Commit In Develop 

T1199


Initial Access

This search is to detect a push or commit to a Develop branch.

GitHub Dependabot Alert 

T1195.001

Initial Access

This search looks for Dependabot Alerts in Github logs.

GitHub Pull Request From Unknown User 

T1195.001

Initial Access

This search looks for Pull Request from unknown user

GSuite Drive Share In External Email 

T1567.002

Exfiltration

This search is to detect suspicious google drive or google docs filesshared outside or externally

GSuite Email Suspicious Attachment 

T1566.001

Initial Access

This search is to detect a suspicious attachment file extension in GSuite email that may related to spear phishing attack 

GSuite Email Suspicious Subject With Attachment 

T1566.001

Initial Access

This search is to detect a GSuite email contains suspicious subject having known file type used in spear phishing

GSuite Email With Known Abuse Web Service Link 

T1566.001

Initial Access

This analytics is to detect a gmail containing a link that are knownto be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload

GSuite Outbound Email With Attachment To External Domain

T1048.003

Exfiltration

This search is to detect a suspicious outbound e-mail from internal email to external email domain.


GSuite Suspicious Shared File Name 

T1566.001

Initial Access

This search is to detect a shared file in google drive with suspiciousfile name that are commonly used by spear phishing campaign

Kubernetes Nginx Ingress LFI

T1212

Credential Access

This search uses the Kubernetes logs from a nginx ingress controllerto detect local file inclusion attacks

Kubernetes Nginx Ingress RFI 

T1212

Credential Access

This search uses the Kubernetes logs from a nginx ingress controllerto detect remote file inclusion attacks

Kubernetes Scanner Image Pulling 

T1526

Discovery

This search uses the Kubernetes logs from Splunk Connect from Kubernetesto detect Kubernetes Security Scanner

AWS ECR Container Scanning Findings High

T1204.003

Execution

This search looks for AWS CloudTrail events for scanning high findings ecr info

AWS ECR Container Scanning Findings Low Informational Unknown 

T1204.003

Execution

This search looks for AWS CloudTrail events for scanning low findings ecr info


AWS ECR Container Scanning Findings Medium 

T1204.003

Execution

This search looks for This search looks for AWS CloudTrail events for scanning medium findings ecr info


AWS ECR Container Upload Outside Business Hours 

T1204.003

Execution

This search looks for AWS CloudTrail events for upload outside business hours


AWS ECR Container Upload Unknown User 

T1204.003

Execution

This search looks for AWS CloudTrail events for upload made by unknown users.

 

Automating with SOAR Playbooks 

Many of the detections we’ve created as part of this Analytic Story are of the type Anomaly. If you’re unfamiliar with the types of analytics we create, you can read more about them here. Anomaly analytics do not necessarily indicate an attack, but can be used to modify risk. With that being said, the Splunk Threat Research Team wants to highlight the Risk Notable Playbook Pack released by Philip Royer and Kelby Shelton. You can view the talk they presented at .conf21 that highlights these playbooks here. These are available today, in product, for all Splunk SOAR customers. The implementation guide is available on docs.splunk.com and you can preview any individual playbook within this pack on research.splunk.com.

Why Should You Care?

We call DevSecOps a practice for a reason. DevSecOps isn’t a checkbox or a thing you can do sometimes. For an organization to practice DevSecOps, they need to integrate aspects of it into their day to day activities. These new methods of developing software come with their own risks and exposures. The Splunk Threat Research Team’s DevSecOps analytic story can help you mitigate those risks as you go.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. In the upcoming weeks, the Splunk Threat Research team will be releasing a more detailed blog post on this analytic story. Stay tuned!

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.


Contributors

We would like to thank the following for their contributions to this post.

  • Patrick Bareiss
  • Lou Stella
  • Teoderick Contreras

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content

TAGS

Securing DevSecOps - Threat Research Release October 2021

Show All Tags
Show Less Tags

Join the Discussion