Do you know where your secrets are? Exploring the problem of secret sprawl and secret management maturity
@mcdwayne
Hi, I’m Dwayne
Dwayne McDaniel
About GitGuardian
GitGuardian is the code security platform for the DevOps generation.
—
We help enterprises answer the issue of "Where are my hardcoded secrets and have they been leaked?"
Code Leaks Are A Problem
“I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.”
― Frank Herbert, Dune
Bene Gesserit Litany Against Fear
CircleCI – January 2023
Remote engineer's development system: embedded malware used to steal secrets
Attacker → CircleCI platform → CircleCI internal network
Customer applications (source on GitHub): hardcoded AWS, GCP, Google Drive, internal employee dashboards, unencrypted customer data …
Outcome: customer secrets stolen, unauthorised access to GitHub repos and third-party systems
Uber Breach – September 2022
Initial access: 2FA/MFA spamming → VPN access
Discovery: scanning Uber's infra
Credential access: PowerShell scripts in a network share; one PowerShell script contained hardcoded credentials
Privilege escalation: admin access to Thycotic PAM
Lateral movement: access to internal apps across the Uber internal network (AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne admin console, internal employee dashboards…)
1 exposed secret: one exposed secret leads to many others!
Some mistakes are more expensive than others. One hardcoded secret giving access to Uber's PAM solution led to an organization-wide IT takeover…
A Few Incidents
Toyota
A Few Incidents
AstraZeneca
https://www.gitguardian.com/state-of-secrets-sprawl-report-2023
Stop Hardcoding Secrets. Use secrets managers like HashiCorp Vault or Azure Key Vault.
Three pillars of a secrets management program
People: train devs to use the tools and follow the processes; raise awareness around secrets sprawl and secure coding practices.
Tools: use vaults, secrets managers and KMS to manage secrets; automate detection and remediation.
Processes: create clear processes for provisioning, managing, and rotating secrets; document the steps devs follow for incident remediation.
blog.gitguardian.com/a-maturity-model-for-secrets-management
Level 0 – Uninitiated: No processes or tools for managing secrets – secrets sprawl in the SDLC. No detection (and remediation) in place.
Level 1 – Beginners: Secrets are unencrypted at rest and shared across teams. Scanning for secrets is triggered manually at times.
Level 2 – Intermediate: Secrets are checked encrypted into repositories with decryption keys stored in a secure vault. Secrets scanning and rotation are performed periodically.
Level 3 – Advanced: Secrets are scoped, stored in a vault and shared using a secrets manager. Automated detection on shared repositories and final artifacts is continuous.
Level 4 – Experts: Secrets are scoped, stored and called from a vault. Detection is preventive and integrated into dev workflows.
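The "Tools" pillar (automate detection and remediation) and the top of the maturity model (detection that is preventive and integrated into dev workflows) both come down to catching a hardcoded secret before it reaches a shared repository. The scanner below is an added example written for this page, not GitGuardian's product code or anything from the talk: it combines pattern rules for well-known key formats with an entropy heuristic for generic `password = "..."` assignments, honours an allowlist marker for known false positives, and exits non-zero so it can block a commit. The `SAMPLE_SOURCE` lines are constructed for the example and every credential-looking value in them is fake (the AWS key ID is the one AWS uses in its own documentation).

```python
"""Minimal hardcoded-secret scanner (added example, not GitGuardian's product code).

Shows the shape of a check that runs in a developer workflow (pre-commit or
CI) so that a secret is caught before it lands in a shared repository:
pattern rules for well-known key formats plus an entropy heuristic for
generic "password = ..." assignments. SAMPLE_SOURCE is constructed for this
example; every credential-looking value in it is fake.
"""
import math
import re
import sys
from collections import Counter

# Rule set: finding name -> regex. The AWS rule uses the public key-ID format
# (AKIA/ASIA prefix, 20 characters). The generic rule catches quoted values
# assigned to password/secret/key/token-like names and is filtered by entropy.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Marker a developer can append to a line that is a known false positive.
ALLOWLIST_MARKER = "pragma: allowlist secret"

# Quoted values below this Shannon entropy (bits per character) are treated
# as placeholders such as "changeme" rather than real secrets.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for the empty string."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def looks_like_placeholder(value: str) -> bool:
    """Template references and low-entropy strings are not secrets."""
    return value.startswith(("${", "<", "{{")) or shannon_entropy(value) < ENTROPY_THRESHOLD


def scan_lines(lines):
    """Return one finding dict per detected secret: line number, rule, redacted value."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, regex in RULES.items():
            for match in regex.finditer(line):
                if rule == "generic_assignment":
                    value = match.group(1)
                    if looks_like_placeholder(value):
                        continue
                else:
                    value = match.group(0)
                findings.append({"line": lineno, "rule": rule, "value": redact(value)})
    return findings


def scan_file(path: str):
    """Scan a file on disk line by line; unreadable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle.read().splitlines())


# Constructed sample source; the AWS key ID is the one AWS uses in its own docs.
SAMPLE_SOURCE = [
    'import os',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "changeme"',
    'db_password = "${DB_PASSWORD}"',
    'api_token = "q7Zp3vLx9Kt2Rw8sYb4Nm6Hd1Fg5Jc0A"',
    'aws_secret = os.environ["AWS_SECRET_ACCESS_KEY"]',
    'demo_token = "q7Zp3vLx9Kt2Rw8sYb4Nm6Hd1Fg5Jc0A"  # pragma: allowlist secret',
    '-----BEGIN RSA PRIVATE KEY-----',
]

if __name__ == "__main__":
    # Usage: python scanner.py [file ...]; with no arguments, scan SAMPLE_SOURCE.
    results = scan_lines(SAMPLE_SOURCE) if len(sys.argv) == 1 else [
        f for path in sys.argv[1:] for f in scan_file(path)
    ]
    for finding in results:
        print(f"line {finding['line']}: {finding['rule']} -> {finding['value']}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit in a pre-commit hook
```

Run against the sample it reports three findings (the AWS key ID, the high-entropy token, the private key header) and stays silent on the placeholder `"changeme"`, the `${DB_PASSWORD}` template reference, the value read from the environment, and the allowlisted line. The entropy threshold is a tuning knob: lower it and more placeholders get flagged, raise it and short real passwords slip through, which is why format-specific rules sit in front of it.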
Level 4 – Experts
Secrets management and secrets detection cover every stage: developer environments, source control (source code & Infra-as-Code), CI/CD pipelines & software artifacts, and runtime environments. Result: limited exposure risk.
What Attackers Want
Cyber Deception
Use the attacker's SOP against them
A Brief History Of Cyber Deception
Trojan Horse
~ 1200 BCE
"I thought I was getting a horse, what I got was defeat"
- Trojan security officer
Brief History of Deception
Art of War
~ 400 BCE
"Appear weak when you are strong, and strong when you are weak"
- Sun Tzu
Ghost Army
1942
"The first mobile, multimedia, tactical deception unit in U.S. Army history"
- James Linn, Curator, National WWII Museum
The First Honeypot
1985
"Hi, is this the FBI? At my girlfriend's suggestion, I used fake documents to trick someone working with the KGB into keeping their connection to a Lawrence Berkeley National Laboratory computer open long enough to trace their exact location."
- Cliff Stoll
Fred Cohen’s Deception Toolkit
1991
"Under DTK, deceptions are spread among the normal systems in a network in such a way that unused services on those systems are consumed with deceptions. This increases the likelihood of an intelligence probe encountering a deception rather than a vulnerability."
- Fred Cohen
First Commercial Honeypots
1998
"These hackers aren't kids on a digital joyride, ... It's clear their motive is financial gain."
- Alfred Huger, creator of CyberCop Sting
"Honeytokens" is coined
1998
"I was developing an idea that I call 'honeytokens'... Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening."
- Augusto Paes de Barros
Canarytokens
2015
"Added aws token
Added svn + smtp tokens to generate"
- nickrohrbs, Thinkst developer - git commit message upon adding aws tokens to the code in 2016.
Honeytokens Become Default 2nd Line Defence at Google
2023
"Honeytokens are your early warning signs"
- Kevin Mandia, Mandiant / Google Cloud, "The State of Cybersecurity - Year in Review" talk at RSA 2023
What Is A Honeytoken?
Definition
—
Honeytokens are decoy credentials that do not allow any access to any resources or data. Instead they trigger alerts that reveal the IP address of the user who attempted to use the honeytoken. Honeytokens look identical to real credentials to an attacker.
Honeytoken Options: Open Source vs Commercial
Open Source - The DIY Route
Commercial Options - Off The Shelf
Honeytoken Best Practices
Do: Put honeytokens in your private environments
Do: Use a 1:1 ratio of honeytokens to repo/environment
Do: Use automation to scale deployment
Do: Think in terms of 'Blue Team'
Do: Remember this is a journey, not a one-off exercise
Do not: List honeytokens in public
Do not: Go hunting the attacker… unless you are LEA
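The definition above (a decoy credential that grants nothing but, when used, raises an alert carrying the source IP) and the 1:1 token-to-repo/environment practice fit together on the defender's side: if every decoy is planted in exactly one place, a hit names the leaked location as well as the attacker's address. The code below is an added example written for this page, not GitGuardian's or Thinkst's code. It assumes the decoys are AWS-style access keys with no permissions, so any attempt to use them is harmless and appears in the credential-usage log; the `SAMPLE_EVENTS` reuse CloudTrail field names (`userIdentity.accessKeyId`, `sourceIPAddress`, `userAgent`, `eventName`, `eventTime`) but are constructed, and the key IDs, placements and IPs are fake.

```python
"""Honeytoken alerting over credential-usage logs (added example; not GitGuardian's
or Thinkst's code).

Assumptions: each decoy is an AWS-style access key that grants no permissions,
so any attempt to use it is both harmless and logged; the registry records the
single place each decoy was planted (the 1:1 token-to-repo/environment
practice), so a hit names the leaked location. SAMPLE_EVENTS mimic the field
names of CloudTrail records but are constructed; key IDs and IPs are fake.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Registry: decoy key ID -> where it was planted (constructed values).
HONEYTOKENS = {
    "AKIAHONEY0000000001A": "git: payments-service/.env.example",
    "AKIAHONEY0000000002B": "s3: build-artifacts/config.json",
}


@dataclass(frozen=True)
class HoneytokenAlert:
    key_id: str
    placement: str      # which repo/environment the decoy was planted in
    source_ip: str      # who tried to use it
    user_agent: str
    event_name: str
    event_time: str

    def render(self) -> str:
        return (f"[HONEYTOKEN HIT] {self.event_time} {self.event_name} with {self.key_id} "
                f"from {self.source_ip} ({self.user_agent}); planted in {self.placement}")


def parse_event(line: str):
    """Parse one JSON log line; malformed lines return None instead of raising."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def detect_honeytoken_use(lines, registry=HONEYTOKENS):
    """Return a HoneytokenAlert for every event whose access key is a known decoy."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        identity = event.get("userIdentity") or {}
        key_id = identity.get("accessKeyId")
        if key_id not in registry:
            continue
        alerts.append(HoneytokenAlert(
            key_id=key_id,
            placement=registry[key_id],
            source_ip=event.get("sourceIPAddress", "unknown"),
            user_agent=event.get("userAgent", "unknown"),
            event_name=event.get("eventName", "unknown"),
            event_time=event.get("eventTime", "unknown"),
        ))
    return alerts


def leaked_placements(alerts):
    """Count hits per planted location: the 1:1 mapping makes this the leak report."""
    return Counter(alert.placement for alert in alerts)


def _event(**fields) -> str:
    """Serialise a constructed log record as one JSON line."""
    return json.dumps(fields)


# Constructed sample log: two decoy hits, one legitimate key, one malformed line.
SAMPLE_EVENTS = [
    _event(eventTime="2023-06-01T10:15:00Z", eventName="GetCallerIdentity",
           eventSource="sts.amazonaws.com", sourceIPAddress="198.51.100.23",
           userAgent="aws-cli/2.11.0", userIdentity={"accessKeyId": "AKIAHONEY0000000001A"}),
    _event(eventTime="2023-06-01T10:16:42Z", eventName="ListBuckets",
           eventSource="s3.amazonaws.com", sourceIPAddress="192.0.2.10",
           userAgent="aws-sdk-go/1.44.0", userIdentity={"accessKeyId": "AKIAREALKEY000000001"}),
    "this line is not JSON and must not crash the detector",
    _event(eventTime="2023-06-01T10:17:05Z", eventName="ListBuckets",
           eventSource="s3.amazonaws.com", sourceIPAddress="203.0.113.9",
           userAgent="Boto3/1.26.0", userIdentity={"accessKeyId": "AKIAHONEY0000000002B"}),
]

if __name__ == "__main__":
    hits = detect_honeytoken_use(SAMPLE_EVENTS)
    for alert in hits:
        print(alert.render())
    for placement, count in leaked_placements(hits).items():
        print(f"{placement}: {count} hit(s)")
```

Because a decoy has no legitimate user, there is no baseline to tune against: every hit is an incident, which is what makes honeytokens a low-noise early warning compared with anomaly rules on real credentials. The placement counter is where the 1:1 rule pays off; with several decoys per repo, or one decoy copied into several places, the alert would tell you something leaked but not where.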
In Conclusion
A Few Incidents
Samsung