Defending your castle: Raising walls versus detecting intruders
When defending your digital assets in 2023, building a moat and a drawbridge might not be the first thing you think about. You probably wouldn't base your defensive posture on tech like trap doors or guard towers. However, there is a reason these methods have been employed for hundreds of years; they worked, at least when what you were guarding was rooms full of gold or holy grails.
When they built ENIAC, the world's first general-use computer, in the 1940s, the security strategy was similar to what the Sumerians had devised nearly 6,000 years earlier, basically armed guards defending a locked room. Of course, this made sense as you had to be in the same building to access that room-sized computer, which took as much power as a small city to operate.
Since then, things have changed quite a bit. We have transitioned from a centrally managed workforce, all gathering in a physical office, to a remote and hybrid workforce, with employees accessing sensitive data from various locations and devices. Unsecured Wi-Fi networks, personal devices, and potential exposure to phishing attacks took focus for our security teams. The castle's walls expanded to include home offices, coffee shops, and airports. Defending against such threats became more complex, requiring solutions that go beyond traditional perimeter-based security.
Organizations also shifted from completely owned, on-premise data centers and networks into cloud services and relying on third-party vendors. Digital assets now reside in an ever-diversifying set of services. Protecting our assets in an ever-expanding 'kingdom' of smaller castles of external services we don't own brought a whole new world of challenges.
The world has shifted, and the job of the security professional has forever changed from keeping people out to being able to detect when the wrong persons get in.
Some classical defenses still make sense
While it is silly to think of a stone barrier protecting our applications, we do build certain types of walls, Web Application Firewalls, WAFs. While not foolproof, they prevent the most basic types of attacks from granting access. Hardening those WAF rules as new vulnerabilities are revealed is not really that different than reinforcing the castle wall as the enemy devises new battlefield tech.
While a guard tower and drawbridge over a moat might seem like a terrible way to deal with authentication in your production environments, this is the role we see tools like multifactor authentication, MFA, and token-based passwordless systems play. "Who goes there?" is not something someone needs to say out loud, as our digital gatekeepers, like OAuth-based solutions, say it for us, only lowering the drawbridge once we verify we are who we say we are.
It is still very practical to use a vault to guard your secrets. Today, instead of iron boxes with complex locking mechanisms, we rely on encryption-based solutions like Vault by HashiCorp, Doppler, or Akeyless to hold our dearest secrets: our credentials.
Modern problems require modern solutions
While some legendary assassins and thieves could get into strongholds, they were not allowed to ransack the place without someone immediately noticing. Unfortunately, this is exactly what malicious actors are doing these days: sneaking in through doors we leave open and laterally expanding their footprint as rapidly as possible. While overall dwell times are much lower today than they were even a few years ago, the fact remains that they are still getting in at alarming rates and, on average, are spending days doing whatever they please before we even detect them being there.
Good news: GitGuardian is here to help ensure you are not leaving those doors open and that those attackers will quickly give themselves away. We focus on helping organizations secure the modern way of building software with our code security solutions, as we will highlight below.
Keeping the doors shut
Attackers can bypass our current defenses by leveraging misconfigurations in our infrastructure as Code, IaC. Unlike castles, which take years to build in some cases and would require many eyes to find defects in materials and design, IaC deployments can be done in minutes and at extreme scale by a single DevOps professional. The nature of IaC means the configuration is likely to be reused over and over again, perhaps hundreds or thousands of times, greatly increasing the potential attack surface. The likelihood that a flaw or misconfiguration sneaks past that single person will never be zero. They need tools to help ensure success.
Helping to ensure common security issues don't make it to production is why we built Infra as Code Security into the GitGuardian platform. Now GitGuardian users can leverage both ggshield to manually scan for over 100 common IaC misconfigurations at the local developer level and Infra as Code Security to automatically scan for any of those same issues in code committed to GitHub and GitLab repositories in your perimeter.
We focus on scanning IaC templates like Terraform and CloudFormation for misconfigurations affecting your AWS, Azure, GCP services, Kubernetes clusters, and Docker containers, safeguarding your deployments.
Bait the traps
Once an attacker is inside, you want them to immediately announce they are inside, preferably over Slack. This does happen occasionally; just ask Uber. Most of the time, attackers go out of their way to hide their presence. Most attacks follow a similar pattern though, which we can leverage to our advantage. First, they breach to gain an initial foothold, mainly through phishing attempts or stolen credentials, and then try to expand as fast as possible laterally. They do this by finding any and all credentials left in plaintext throughout the system. From within any system they can access, the attacker will attempt to escalate privileges and then keep moving laterally, sometimes planting malware and sometimes exfiltrating data, sometimes doing both.
Knowing they will look for any credentials to exploit means they will likely also try to use any decoy credentials you leave lying around. This is where GitGuardian Honeytoken comes in. You can easily create AWS credentials that do not allow any real access to systems or data but instead send you alerts by email or via webhooks that let you know someone is lurking about. Getting their IP address, user agent, what actions they were attempting, and the timestamps of each attempt will help you boot them from the system.
Clean up any and all real keys around your stronghold
While honeytokens make it easy to deploy decoy credentials, ideally, those would be the only real secrets that any attacker finds. GitGuardian has long been known for our legendary Secrets Detection abilities. No matter how many repos you have or how many developers are in your org, GitGuardian can quickly identify any and all instances of secrets in plaintext throughout your codebase, no matter where it is in the software development lifecycle.
Using ggshield, you can even stop hardcoded credentials from ever making it into a commit. And for any incidents where those secrets do make it into your shared repositories, the GitGuardian dashboard makes it very simple to identify the issue and keep track of the remediation process. Make sure that you are making it as hard as possible for attackers to gain further access when they do make it inside your castle walls.
We must prepare for the breach
Building walls and moats in the form of WAFs and Zero Trust architecture is still important when defending your organization. We can't rely on those tactics alone anymore. The reality is we need to adopt an “assumed breach" posture. Modern security means reacting so quickly that attackers are left wondering what they could possibly try next. Malicious actors do not have unlimited time or resources; every time we stop their attempts at infiltration, it is one more round won for the good guys.
Make sure you are prepared for modern attacks. Close any doors you might leave open through IaC misconfiguration by scanning early and often. Lay out traps in the form of honeytokens to trick attackers into giving away their position. Make sure those decoy credentials are the only plaintext secrets they find by using GitGuardian Secrets Detection to discover and eliminate any real keys, certificates, or passwords.
No matter what your castle looks like or what treasures you guard, make sure you leverage the power of modern tools to keep your kingdom secure.