T1213.003 Code Repositories

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third-party sites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or Unsecured Credentials contained within software's source code. Having access to software's source code may allow adversaries to develop Exploits, while credentials may provide access to additional resources using Valid Accounts. (Citation: Wired Uber Breach) (Citation: Krebs Adobe)

Note: This is distinct from Code Repositories, which focuses on conducting Reconnaissance via public code repositories.

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1213.003 Code Repositories
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02 Least functionality Mitigates T1213.003 Code Repositories
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

PR.AA-05.02 Privileged system access Mitigates T1213.003 Code Repositories
Comments
This diagnostic statement protects against Code Repositories through the use of privileged account management and the use of multi-factor authentication.

PR.PS-01.07 Cryptographic keys and certificates Mitigates T1213.003 Code Repositories
Comments
This diagnostic statement protects against Code Repositories through the use of revocation of keys and key management. Employing key protection strategies, such as removing keys from code repositories and limiting them to specific accounts, along with access control mechanisms, provides protection against adversaries attempting to glean credentials from code repositories.

PR.AA-01.01 Identity and credential management Mitigates T1213.003 Code Repositories
Comments
This diagnostic statement protects against Code Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
attribute.confidentiality.data_disclosure None related-to T1213.003 Code Repositories

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
devops_security Microsoft Defender for Cloud: DevOps Security technique_scores T1213.003 Code Repositories
Comments
This control can protect against repository misconfigurations.

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
cloud_identity Cloud Identity technique_scores T1213.003 Code Repositories
Comments
MFA and enforcing the principle of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository.

security_command_center Security Command Center technique_scores T1213.003 Code Repositories
Comments
Using Web Security Scanner, SCC is able to detect repositories (e.g., Git or SVN) that are exposed to the public. Adversaries may use this lapse in security configuration to collect information about the target. Because of the near-real-time temporal factor in detecting this cyber-attack, this was graded as significant.