By Splunk Threat Research Team November 18, 2021
DevSecOps stands for Development, Security and Operations. This is a practice aimed to automate or design security integration throughout the software development lifecycle or workflow.
Nowadays, collaborative frameworks and projects that share security protocols from end to end are really common, so DevSecOps practices attempt to emphasize building infrastructure with a strong security foundation and stable automation workflow and phases.
Watch the video below to learn more about Securing DevSecOps.
Some of the tools and workflow we used to illustrate the DevSecOps lifecycle are shown below:
- GDrive (Plan Phase): plan,track and manage software development of this project
- GitHub (Code Phase): Contains the version controlled code
- Semgrep (Build Phase): Code Quality, Code Security, Vulnerability Scanning of the application
- CircleCI (Test Phase): CI/CD pipelines
- AWS Elastic Container Registry (Release Phase): Storage of Docker Images used for the application
- Kube-Hunter (Deploy Phase): Security Scanner for Kubernetes Cluster
- Kubernetes (Operate Phase): Container Deployment, Scaling and Management
- Splunk (Monitor Phase): To monitor all these tools
The goal of this blog is to focus on detecting various suspicious scenarios or anomalies that may happen within the phases of the DevSecOps lifecycle: Plan, Code, Build, Test, Release, Deploy, Operate and Monitor.
In order to accomplish this, Splunk Threat Research Team created a simple proof-of-concept web application to collect events and study the phases of DevSecOps lifecycle. The architecture for this simple web application can be seen below:
The website built on a modern web development stack looks like this:
With this proof-of-concept and other system that may give us insight to the DevSecOps phases, we develop detections that includes the following:
- AWS ECR Container Scanning Findings High
- AWS ECR Container Scanning Findings Low Informational Unknown
- AWS ECR Container Scanning Findings Medium
- AWS ECR Container Upload Outside Business Hours
- AWS ECR Container Upload Unknown User
These detections are designed to leverage AWS logs to monitor AWS Elastic Container Service (ECR) events for possible anomalies and suspicious behavior in the Release phase of DevSecOPs:
Detections related to bypassing circle CI security features to stop or disturb the Build phase of the workflow:
Detections for possible anomalies and suspicious modification or pulling of code and disabling security features in github Code phase workflow:
- GSuite Drive Share In External Email
- GSuite Email Suspicious Attachment
- GSuite Email Suspicious Subject With Attachment
- GSuite Email With Known Abuse Web Service Link
- GSuite Outbound Email With Attachment To External Domain
- GSuite Suspicious Shared File Name
Detections for suspicious GSuite events as part of the initial stage of attack or Plan phase of the DevSecOps workflow:
And these detections are designed for suspicious events happening in the Deploy or Operate Phase of the DevSecOps workflow.
A Summary of all Detections In Security Content for the Dev Sec Ops Analytics
Name |
Technique ID |
Tactic |
Description |
Persistence |
This search looks for disable security jobs in the CircleCI pipeline. |
||
Persistence |
This search looks for disable security step in the CircleCI pipeline. |
||
Initial Access |
This search is to detect push or commit to master or main branch. |
||
|
|
Initial Access |
This search is to detect a push or commit to a Develop branch. |
|
Initial Access |
This search looks for Dependabot Alerts in Github logs. |
||
Initial Access |
This search looks for Pull Request from unknown user |
||
Exfiltration |
This search is to detect suspicious google drive or google docs filesshared outside or externally |
||
Initial Access |
This search is to detect a suspicious attachment file extension in GSuite email that may related to spear phishing attack |
||
Initial Access |
This search is to detect a GSuite email contains suspicious subject having known file type used in spear phishing |
||
Initial Access |
This analytics is to detect a gmail containing a link that are knownto be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload |
||
Exfiltration |
This search is to detect a suspicious outbound e-mail from internal email to external email domain. |
||
Initial Access |
This search is to detect a shared file in google drive with suspiciousfile name that are commonly used by spear phishing campaign |
||
Credential Access |
This search uses the Kubernetes logs from a nginx ingress controllerto detect local file inclusion attacks |
||
Credential Access |
This search uses the Kubernetes logs from a nginx ingress controllerto detect remote file inclusion attacks |
||
Discovery |
This search uses the Kubernetes logs from Splunk Connect from Kubernetesto detect Kubernetes Security Scanner |
||
Execution |
This search looks for AWS CloudTrail events for scanning high findings ecr info |
||
AWS ECR Container Scanning Findings Low Informational Unknown |
Execution |
This search looks for AWS CloudTrail events for scanning low findings ecr info |
|
Execution |
This search looks for This search looks for AWS CloudTrail events for scanning medium findings ecr info |
||
Execution |
This search looks for AWS CloudTrail events for upload outside business hours |
||
Execution |
This search looks for AWS CloudTrail events for upload made by unknown users. |
Automating with SOAR Playbooks
Many of the detections we’ve created as part of this Analytic Story are of the type Anomaly. If you’re unfamiliar with the types of analytics we create, you can read more about them here. Anomaly analytics do not necessarily indicate an attack, but can be used to modify risk. With that being said, the Splunk Threat Research Team wants to highlight the Risk Notable Playbook Pack released by Philip Royer and Kelby Shelton. You can view the talk they presented at .conf21 that highlights these playbooks here. These are available today, in product, for all Splunk SOAR customers. The implementation guide is available on docs.splunk.com and you can preview any individual playbook within this pack on research.splunk.com.
Why Should You Care?
We call DevSecOps a practice for a reason. DevSecOps isn’t a checkbox or a thing you can do sometimes. For an organization to practice DevSecOps, they need to integrate aspects of it into their day to day activities. These new methods of developing software come with their own risks and exposures. The Splunk Threat Research Team’s DevSecOps analytic story can help you mitigate those risks as you go.
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. In the upcoming weeks, the Splunk Threat Research team will be releasing a more detailed blog post on this analytic story. Stay tuned!
For a full list of security content, check out the release notes on Splunk Docs.
Feedback
Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank the following for their contributions to this post.
- Patrick Bareiss
- Lou Stella
- Teoderick Contreras