Earlier today, a story broke that GitHub repositories of Slack were breached over the holiday weekend. Slack detected the breach after noticing suspicious activity, and in their investigation found that stolen Slack employee tokens were the source of the breach.
As a result of the attack, private Slack code repositories were downloaded, but no customer data was exposed.
While Slack is in the news today, they are definitely not the first, and will not be the last. Among the numerous breaches thus far, the Dropbox breach consisting of 130 Dropbox GitHub repositories is noteworthy. It was carried out using credentials stolen in a phishing attack, the current method of choice for bad actors, and it, too, was discovered by noticing suspicious activity. GitHub itself has fallen victim to a breach that resulted in stolen repositories, using stolen OAuth user tokens issued to two third-party OAuth integrators – Heroku and Travis-CI.
These breaches show how important it is to secure repositories. This is even more true in the modern cloud-based world where repositories are hosted within SaaS platforms for managing Git – such as GitHub, GitLab, Bitbucket, and others. These repositories are the keys to the kingdom. Sometimes repositories include databases of customers, patients, assets, and other sensitive data. This type of breach is a disaster for any company.
Once accessed, the attacker has an intimate understanding of how the product was built and can use that information to compromise the product in follow-up attacks.
To protect against such attacks, organizations should follow these security measures:
- Implement a strong password policy
- Require MFA using strong factors (avoid SMS)
- Require password rotation on any sign of unexpected behavior
- Rotate, manage, and monitor API keys
- Disable API keys that are not in use
- Limit each API key's access to the minimum required repositories and permissions
As seen in the incidents mentioned above, monitoring is key. Make sure to enable audit logs and consume them to gain visibility into user actions, in addition to having tools, like a SaaS Security Posture Management solution (SSPM), for threat detection.
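To make the "consume the audit logs" and "disable unused keys" advice concrete, here is an added example (not code from the post or from any Git SaaS vendor) that runs three simple checks over a constructed, newline-delimited JSON audit log: an actor pulling many distinct repositories in a short window (the pattern behind a mass repository download), an actor operating from an address not previously associated with it, and tokens that have sat idle long enough to be disabled. The field names (`@timestamp`, `action`, `actor`, `actor_ip`, `repo`), the action names, the IP addresses and the token inventory are all assumptions for this example; a real export will differ and the thresholds should be tuned to the organisation's normal activity.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample, loosely modelled on a Git SaaS audit-log export.
# Field names and values are assumptions for this example only.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2023-01-05T02:00:10Z","action":"git.clone","actor":"alice","actor_ip":"198.51.100.4","repo":"acme/web-app"}
{"@timestamp":"2023-01-05T02:01:00Z","action":"git.clone","actor":"build-bot","actor_ip":"203.0.113.7","repo":"acme/api-server"}
{"@timestamp":"2023-01-05T02:01:20Z","action":"git.clone","actor":"build-bot","actor_ip":"203.0.113.7","repo":"acme/billing"}
{"@timestamp":"2023-01-05T02:01:45Z","action":"git.clone","actor":"build-bot","actor_ip":"203.0.113.7","repo":"acme/auth"}
{"@timestamp":"2023-01-05T02:02:10Z","action":"git.clone","actor":"build-bot","actor_ip":"203.0.113.7","repo":"acme/infra"}
{"@timestamp":"2023-01-05T02:02:40Z","action":"git.clone","actor":"build-bot","actor_ip":"203.0.113.7","repo":"acme/mobile"}
{"@timestamp":"2023-01-05T02:03:05Z","action":"repo.download_zip","actor":"build-bot","actor_ip":"203.0.113.7","repo":"acme/data-pipeline"}
{"@timestamp":"2023-01-05T02:30:00Z","action":"repo.access","actor":"alice","actor_ip":"198.51.100.4","repo":"acme/web-app"}
"""

# Actions that pull a full copy of a repository's contents (assumed names).
DOWNLOAD_ACTIONS = {"git.clone", "repo.download_zip"}

# Source addresses the organisation already expects per actor (constructed).
KNOWN_IPS = {"alice": {"198.51.100.4"}, "build-bot": {"192.0.2.10"}}

# Constructed token inventory with the last time each key was used.
TOKEN_INVENTORY = [
    {"name": "ci-deploy", "last_used": "2023-01-04T18:00:00Z"},
    {"name": "old-migration-script", "last_used": "2022-10-01T09:00:00Z"},
    {"name": "never-used-test-key", "last_used": None},
]


def parse_events(text):
    """Parse one JSON object per line and attach a real datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["@timestamp"], TS_FMT)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_downloads(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: set(repos)} for actors that pulled at least `threshold`
    distinct repositories inside any sliding window of length `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in DOWNLOAD_ACTIONS:
            per_actor[ev["actor"]].append((ev["ts"], ev["repo"]))
    flagged = {}
    for actor, pulls in per_actor.items():
        for i, (start, _) in enumerate(pulls):
            repos = {r for t, r in pulls[i:] if t - start <= window}
            if len(repos) >= threshold:
                flagged[actor] = flagged.get(actor, set()) | repos
    return flagged


def find_unknown_sources(events, known_ips):
    """Return sorted (actor, ip) pairs where an actor acted from an address
    that is not in that actor's known set."""
    seen = set()
    for ev in events:
        if ev["actor_ip"] not in known_ips.get(ev["actor"], set()):
            seen.add((ev["actor"], ev["actor_ip"]))
    return sorted(seen)


def find_stale_tokens(tokens, now, max_idle_days=30):
    """Return names of tokens never used or idle longer than max_idle_days;
    these are the candidates the post says should be disabled."""
    stale = []
    for tok in tokens:
        if tok["last_used"] is None:
            stale.append(tok["name"])
            continue
        last = datetime.strptime(tok["last_used"], TS_FMT)
        if now - last > timedelta(days=max_idle_days):
            stale.append(tok["name"])
    return stale


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    print("bulk downloads:", find_bulk_downloads(evs))
    print("unknown sources:", find_unknown_sources(evs, KNOWN_IPS))
    print("stale tokens:", find_stale_tokens(TOKEN_INVENTORY, datetime(2023, 1, 5, 3, 0, 0)))
```

In the constructed sample, `build-bot` is the only actor that trips both the bulk-download and the unknown-source checks, which is the combination an SSPM or SIEM rule would typically page on; on its own, either signal is noisy (a legitimate CI job clones many repositories, an employee travels), so correlating them and keeping per-actor baselines is what keeps the alert rate usable.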
These are just some of the many methods, tools, and configurations that should be used to secure access to a repository. In addition, employees should be trained to detect phishing and keep their credentials safe and secure.
A breach of a repository in a Git SaaS is not a force majeure. With proper security tools and training the risk can be reduced drastically.