Analytics Story: Dev Sec Ops

Description

This story is focused on detecting attacks against the DevSecOps lifecycle, which consists of the phases plan, code, build, test, release, deploy, operate and monitor.

Why it matters

DevSecOps is a collaborative framework that considers application and infrastructure security from the start, which means that security tools are part of the continuous integration and continuous deployment (CI/CD) pipeline. In this analytics story, we focused on detections around the tools used in this framework, such as GitHub as the version control system, GDrive for documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine, and security tools such as Semgrep and Kube-Hunter.

`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter`
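The correlation search above sums the risk contributed by every detection in this story per user and alerts only once the total passes 80. As an added illustration that is not part of the Splunk content itself, the following Python reproduces that aggregation over constructed risk events named after detections in this story, including the `fillnull` behaviour that buckets events with no user under the value "0"; the trailing filter macro is site-specific and is not modelled.

```python
from collections import defaultdict

# Constructed sample risk events (not real data), shaped like what risk-based
# alerting writes to the risk index when a detection from this story fires.
RISK_EVENTS = [
    {"user": "dev-alice", "risk_score": 25, "source": "GitHub Pull Request from Unknown User", "repository": "org/payments"},
    {"user": "dev-alice", "risk_score": 30, "source": "Circle CI Disable Security Job", "repository": "org/payments"},
    {"user": "dev-alice", "risk_score": 30, "source": "AWS ECR Container Upload Outside Business Hours", "repository": None},
    {"user": "dev-bob", "risk_score": 25, "source": "Github Commit In Develop", "repository": "org/website"},
    {"user": "dev-bob", "risk_score": 25, "source": "Github Commit In Develop", "repository": "org/website"},
    {"user": None, "risk_score": 60, "source": "Kubernetes Nginx Ingress LFI", "repository": None},
]


def fillnull(value):
    # `fillnull` with no arguments replaces every null field with the string "0",
    # so events lacking a user are grouped under user "0" instead of being dropped.
    return "0" if value is None else value


def correlate_by_user(events, threshold=80):
    """Python equivalent of:
    `risk_index` | fillnull | stats sum(risk_score) as risk_score
        values(source) as signals values(repository) as repository by user
    | sort - risk_score | where risk_score > threshold
    (the trailing filter macro is site-specific and not modelled here).
    """
    buckets = defaultdict(lambda: {"risk_score": 0.0, "signals": set(), "repository": set()})
    for ev in events:
        user = fillnull(ev.get("user"))
        b = buckets[user]
        b["risk_score"] += float(fillnull(ev.get("risk_score")))
        b["signals"].add(fillnull(ev.get("source")))
        b["repository"].add(fillnull(ev.get("repository")))
    rows = [
        {"user": u, "risk_score": b["risk_score"],
         "signals": sorted(b["signals"]),       # values() yields unique, sorted values
         "repository": sorted(b["repository"])}
        for u, b in buckets.items()
    ]
    rows.sort(key=lambda r: r["risk_score"], reverse=True)  # sort - risk_score
    return [r for r in rows if r["risk_score"] > threshold]  # where risk_score > threshold


if __name__ == "__main__":
    for row in correlate_by_user(RISK_EVENTS):
        print(row)
```

No single event in the sample crosses the threshold; only dev-alice, whose three separate anomalies sum to 85, produces a risk notable, while the two events lacking a user would combine under user "0" if their total ever exceeded 80.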

Detections

| Name | Technique | Type |
| --- | --- | --- |
| ASL AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly |
| ASL AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Scanning Findings High | Malicious Image, User Execution | TTP |
| AWS ECR Container Scanning Findings Low Informational Unknown | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Scanning Findings Medium | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly |
| Circle CI Disable Security Job | Compromise Host Software Binary | Anomaly |
| Circle CI Disable Security Step | Compromise Host Software Binary | Anomaly |
| GitHub Actions Disable Security Workflow | Compromise Software Supply Chain, Supply Chain Compromise | Anomaly |
| Github Commit Changes In Master | Trusted Relationship | Anomaly |
| Github Commit In Develop | Trusted Relationship | Anomaly |
| GitHub Dependabot Alert | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| GitHub Pull Request from Unknown User | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| Gsuite Drive Share In External Email | Exfiltration to Cloud Storage, Exfiltration Over Web Service | Anomaly |
| GSuite Email Suspicious Attachment | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Email Suspicious Subject With Attachment | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Email With Known Abuse Web Service Link | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Outbound Email With Attachment To External Domain | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Hunting |
| Gsuite Suspicious Shared File Name | Spearphishing Attachment, Phishing | Anomaly |
| Kubernetes Nginx Ingress LFI | Exploitation for Credential Access | TTP |
| Kubernetes Nginx Ingress RFI | Exploitation for Credential Access | TTP |
| Kubernetes Scanner Image Pulling | Cloud Service Discovery | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| AWS CloudTrail DescribeImageScanFindings | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail PutImage | AWS | aws:cloudtrail | aws_cloudtrail |
| CircleCI | N/A | circleci | circleci |
| G Suite Drive | N/A | gsuite:drive:json | http:gsuite |
| G Suite Gmail | N/A | gsuite:gmail:bigquery | http:gsuite |
| GitHub | AWS | aws:firehose:json | github |

Source: GitHub | Version: 1