Cyber attack tactics have significantly evolved over the years. Initially, cybercriminals focused on exploiting vulnerabilities within applications and their architectures. However, contemporary threat actors are increasingly employing lateral movement strategies, whereby they move from one application to another to access sensitive data. This shift means that attackers might not target your Customer Relationship Management (CRM) application directly to obtain your customer list. Instead, they are more likely to aim at systems like collaboration platforms to acquire useful information, such as user credentials, making the breach appear as though a legitimate user is accessing the data.
In their daily operations, developers and security teams frequently collaborate through various systems. These include:
- Project management tools
- Chat platforms
- Helpdesk ticketing systems
- Architecture documentation
- And more
It is common sense that secrets or credentials should not be shared in these systems. However, sometimes users might post passwords or other secrets in these platforms for convenience, even though they are not designed to securely store sensitive information.
The pressing question is: how can organizations set up guardrails and scanning mechanisms for these systems to ensure that all instances of secret exposure are detected? This post delves into this critical question and offers a solution.
Collaboration Tool Breaches in the News
Have you ever shared credentials in a Slack message? Or included a bearer token in a JIRA user story for implementing a third-party feature on your e-commerce storefront? To be honest, many have. The perceived privacy of these tools can make it easy to forget that they are not only within reach of cyber attackers but are also sought-after targets.
For example, in June 2024, a major data solutions provider experienced a significant data breach that exposed the banking and financial details of millions of customers. The attackers did not launch a Distributed Denial of Service (DDoS) attack or inject malicious code. Instead, they gained initial access through a spear-phishing attack, which provided them access to an employee’s laptop. Once on the laptop, the attackers accessed an instance of JIRA containing user credentials to the provider’s accounts.
Unfortunately, this data solutions provider is not alone. Recently, a major entertainment enterprise became a victim of Slack hackers who gained access to approximately 1.1TB of Slack discussions dating back to 2019. Although the initial data dump was removed from the web, the data continues to be shared online, providing attackers with a tool to discover sensitive information that could lead to further breaches.
Mitigating Secret Exposure in Collaboration Tools
Many organizations have adopted “shift-left” practices, such as automated scanning of pull requests, to reduce the likelihood of secrets being leaked into code repositories. As the adoption of secrets scanning tools increases, organizations are likely to discover more unmanaged secrets in collaboration tools. However, since collaboration platforms are outside the developer workflow, discovering and remediating unmanaged secrets becomes even more complex.
The first step organizations need to take is to integrate secret scans into the developer workflow using a platform engineering approach and the right tools. JIRA and Confluence are two of the most common collaboration platforms, used by more than 300,000 organizations to manage and document their technical solutions. Slack is one of the most popular company chat applications. Therefore, a secret scanning solution needs to support scans and comprehensive metadata gathering for these platforms. Additionally, it is crucial to check if secret scanners can support other collaboration systems that your organization might use and potentially share secrets within.
Let’s examine mitigation needs through the lens of an example solution: HCP Vault Radar. Vault Radar is a secrets scanning and remediation product closely tied to the industry-standard secrets manager, HashiCorp Vault.
HCP Vault Radar supports automated scans that can be regularly scheduled to detect unmanaged secrets in near real-time. It also handles remediation workflows, but its most valuable feature is the ability to take important findings and prioritize them effectively for developer and operations teams. This allows them to quickly diagnose the severity of the issue and take immediate remediation actions if needed. Here is a sample of what security teams and developers need to see at a glance:
Vault Radar medium severity event details
Reducing False Positives in Secret Scans
Developer and security teams cannot solve security issues effectively if they are overwhelmed by noise from their scanning and monitoring tools. Alert fatigue is a serious issue in the world of secret scanners, and you need solutions that take combating it seriously. Using Vault Radar as an example, it employs several algorithms to filter out non-secrets and deprioritize low-severity secrets.
To rank the severity of an exposed secret, HCP Vault Radar combines multiple data sets:
Version History
When it discovers a finding in the latest version of a file, HCP Vault Radar assigns a higher priority because it is likely that this finding has not been previously evaluated and is therefore more likely to be a secret.
String Randomness
HCP Vault Radar measures the entropy (randomness) of content. High-entropy, random-looking strings are a strong indicator that the content may be an exposed secret, while ordinary words and repeated characters score low and can be deprioritized. Vault Radar also evaluates string literals in code for entropy, which helps identify potentially suspicious strings regardless of format.
Activeness Checks
Credentials actively being used by applications represent the most significant threat. When HCP Vault Radar finds a credential, it will call out to the associated application to check if the secret is still active. Active credentials are marked as high risk within the prioritization portal. Currently, HCP Vault Radar can test for:
- Google Cloud API keys
- Amazon Web Services (AWS) credentials
- Personal access tokens for GitHub
- JSON web tokens (JWT)
Vault Correlation
To further support prioritization, HCP Vault Radar can correlate if a leaked secret is stored in a Vault secrets manager. Most credentials in Vault are used in critical production environments, so HCP Vault Radar gives exposed secrets a higher severity score when they are also found in Vault’s key-value stores.
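To make the four signals above (version history, string randomness, activeness checks and Vault correlation) concrete, here is an added example that is not HCP Vault Radar's code and does not use its API: a small Python scanner that pulls candidate tokens out of constructed chat messages, measures Shannon entropy to drop low-randomness strings, correlates findings against a secrets-manager inventory by SHA-256 digest, and ranks each finding. The messages, the token values, the `MANAGED_DIGESTS` inventory and the `ACTIVE_RESULTS` table are all constructed for the example; in particular, the activeness result is supplied as data here because the real check (calling the credential's provider) cannot run offline.

```python
import hashlib
import math
import re
from dataclasses import dataclass

# Candidate tokens: runs of characters common in API keys, tokens and base64
# blobs, at least 16 characters long. Shorter runs are rarely secrets and
# mostly add noise (assumed heuristic, not Vault Radar's rule set).
CANDIDATE_RE = re.compile(r"[A-Za-z0-9_\-+/=.]{16,}")

# Shannon entropy (bits per character) above which a token counts as
# "random-looking". English words sit around 3 bits; base64/hex-style
# secrets sit well above 3.5.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    message_id: str
    token: str
    entropy: float
    in_latest_version: bool


def scan_messages(messages):
    """Return one Finding per random-looking token found in the messages."""
    findings = []
    for msg in messages:
        for token in CANDIDATE_RE.findall(msg["text"]):
            entropy = shannon_entropy(token)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append(Finding(msg["id"], token, entropy, msg["latest"]))
    return findings


def correlate_with_vault(token: str, managed_digests: set) -> bool:
    """Check whether the token is also stored in the secrets manager.

    The inventory holds SHA-256 digests, so correlation never needs
    plaintext copies of managed secrets.
    """
    return hashlib.sha256(token.encode()).hexdigest() in managed_digests


def severity(finding: Finding, is_active: bool, in_vault: bool) -> str:
    """Rank a finding by combining the four signals (weights are assumed)."""
    score = 2 if finding.entropy >= 4.5 else 1   # string randomness
    if finding.in_latest_version:                # version history
        score += 2
    if is_active:                                # activeness check
        score += 3
    if in_vault:                                 # Vault correlation
        score += 2
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Constructed Slack-style messages; none of the tokens are real credentials.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "latest": True,
     "text": "deploy v2.3.1 to staging tonight, tracked in PLAT-1042"},
    {"id": "msg-2", "latest": True,
     "text": "temp api key for the vendor sandbox: x7Qp9vL2mRt4Wz8kYb3nHs6Jd1Fg5Ce0"},
    {"id": "msg-3", "latest": False,
     "text": "old token Ab3dEf6gHi9jKl2mNo5pQr8sTu1vWx4yZ was rotated last quarter"},
    {"id": "msg-4", "latest": True,
     "text": "placeholder password is aaaaaaaaaaaaaaaaaaaa until internationalization lands"},
]

# Constructed inventory: the digest of the msg-2 token stands in for a secret
# that also lives in a Vault key-value path.
MANAGED_DIGESTS = {hashlib.sha256(b"x7Qp9vL2mRt4Wz8kYb3nHs6Jd1Fg5Ce0").hexdigest()}

# Constructed activeness results, standing in for a provider call-out.
ACTIVE_RESULTS = {
    "x7Qp9vL2mRt4Wz8kYb3nHs6Jd1Fg5Ce0": True,
    "Ab3dEf6gHi9jKl2mNo5pQr8sTu1vWx4yZ": False,
}


def triage(messages, managed_digests, active_results):
    """Scan, enrich and rank findings, highest severity first."""
    rows = []
    for f in scan_messages(messages):
        in_vault = correlate_with_vault(f.token, managed_digests)
        is_active = active_results.get(f.token, False)
        rows.append((f.message_id, f.token, round(f.entropy, 2),
                     severity(f, is_active, in_vault)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: order[r[3]])


if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES, MANAGED_DIGESTS, ACTIVE_RESULTS):
        print(row)
```

Running it flags only the two random-looking tokens: the one in the current message, still active and also present in the managed inventory, ranks high, while the historical, inactive one ranks low. The repeated-character placeholder and the long English word in msg-4 are dropped by the entropy filter, which is the noise reduction the section describes.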
Remediating Unmanaged Secrets in Collaboration Tools
Apart from secret scanning, HCP Vault Radar supports a robust set of remediation workflows. Its native integration with HashiCorp Vault makes it ideal for delivering secret remediation by revoking exposed secrets and generating new ones with a proven solution for secrets management.
For exposed secrets that require manual remediation and regeneration, Vault Radar also integrates with industry-standard ticketing and alerting solutions to automatically create tickets for newly detected secrets. Below are workflows for each solution’s Vault Radar integration:
For a deeper look at secret remediation best practices, read our blog on the topic.
Next Steps
Given recent breaches and cyber threat trends, exposed secrets on collaboration platforms represent a clear opportunity for threat actors. HashiCorp can help protect your organization by providing a full set of Security Lifecycle Management (SLM) products, including Vault and HCP Vault Radar, to manage your secrets. To learn more, visit our SLM page or talk to our sales and solution engineering teams about your specific challenges.
Additional Resources
For additional information on how to protect your organization’s secrets and improve your security posture, check out these resources:
- How Hackers Are Utilizing Lateral Movements
- Is Collaboration Software Safe for Your Organization?
- Major Data Breach Exposes Sensitive Information
- Slack Data Breaches: What You Need to Know
- Shift-Left Testing Practices
- How Secret Scanning Works
- What is a Platform Team?
- Industry Standard Secrets Management
- HCP Vault Radar Documentation
- Understanding Alert Fatigue
For more information, refer to this article.