Detecting Secrets to Reduce Attack Surface

Dr. Swarup Kumar Sahoo

In our last few articles, we focused on vulnerability scanning of hosts and containers in AWS ECS, Azure AKS, Google GKE, and Oracle OKE. In this post, we will discuss secrets management, another important aspect of cloud native security. We are releasing an open source tool called SecretScanner to detect secrets automatically in container images, VMs, and hosts.

Measuring your attack surface is the first step towards understanding the weaknesses in your infrastructure and protecting against them. Vulnerabilities form one important component of the attack surface, which attackers can exploit to intrude into your infrastructure and applications. There is a lot of focus on vulnerability scanning, and a lot of tools are available to detect vulnerabilities. However, there are other important components of your attack surface, such as secrets. Currently, no open source tools are available to detect secrets in container images. That's why we have built an open source tool, SecretScanner, to detect secrets that are stored in images inadvertently or through a design flaw.

Secrets

What exactly do we mean by secrets? In the context of cybersecurity, secrets are any kind of sensitive or private data that gives authorized users permission to access their infrastructure (such as accounts, devices, networks, and cloud-based services), applications, storage, databases, and other kinds of critical data. For example, passwords, AWS access IDs, AWS secret access keys, Google OAuth keys, etc. are secrets. Secrets should be kept strictly private. However, sometimes attackers can easily access secrets due to flawed security policies or inadvertent mistakes by developers. Sometimes developers use default secrets or leave hard-coded secrets such as passwords, API keys, encryption keys, SSH keys, tokens, etc. in container images, especially during rapid development and deployment cycles in a CI/CD pipeline. Sometimes users store passwords in plain text. Leakage of secrets to unauthorized entities can put your organization and infrastructure at serious security risk.

Some examples of secrets

  1. User passwords
  2. Auto-generated passwords
  3. Database passwords
  4. SSH keys
  5. API keys
  6. Authorization keys
  7. Private encryption keys
  8. Private certificates for TLS, SSL, etc.
  9. Access tokens

Managing secrets is a big challenge in DevOps and cloud environments due to the myriad tools and technologies being used. During these unprecedented pandemic times, when remote work culture is the new normal, remote access further exacerbates this issue and increases security risks due to mismanagement of secrets.

Secrets are as important as vulnerabilities from a cybersecurity point of view, as attackers can very easily get backdoor access into customer infrastructure and spread laterally to launch multi-stage attacks due to the leakage of secrets. Additionally, managing secrets such as passwords is one of the key requirements of some of the common compliance standards like NIST and HIPAA. Hence, it is imperative that organizations manage their secrets in a systematic way, similar to vulnerability management.

Nine ways to protect secrets

Secrets management is the process of managing the digital authentication credentials, both during transit and at rest, to protect them from unauthorized access. Organizations need to protect secrets from unauthorized access and manipulation during every stage of their lifecycle starting from creation and storage to rotation and revocation. We outline nine simple ways in which you can protect your secrets and prevent unauthorized access to your critical infrastructure and data.

  1. Holistic management policy: Develop a unified policy to manage all your secrets so that you can comply with compliance standards and regulations. Set clear rules and policies regarding who can access what.
  2. Manage privileges: Always follow the principles of least privilege and privilege separation to reduce the blast radius in case of any intrusion. Assign the minimal privileges required for any user or application to accomplish any required task. Limit the validity duration for any privilege escalation to reduce your attack surface.
  3. Comprehensive visibility: Ensure complete visibility into all your systems, applications, services, accounts, users, and all your secrets. Always log and monitor every access to secrets and every time secrets pass through your system. This will help in detecting unauthorized accesses and help in auditing when intrusions occur. Decentralized management will limit visibility and complicate security management. Centralized management will provide better visibility and simplify management of secrets, helping plug any security gaps you may have.
  4. Strong secrets: Short, default, or common passwords are easy for attackers to crack using guessing or brute-force attacks. Always try to use long and strong passwords. Do not store or transmit passwords in plain text. Do not reuse secrets for different accounts or users, as everything will be compromised if the secrets are leaked. It will also be difficult to track which user or account was responsible for the breach in the case of a security incident. Avoid embedding secrets in code or container images.
  5. Dynamic secrets: Try to use short-lived temporary secrets as much as possible to reduce your attack surface. Frequently rotate your secrets and have a system in place to revoke secrets immediately in the case of a security breach. This will minimize data loss in security breaches.
  6. Automate secrets management process: Use automated tools to manage secrets throughout their lifecycle in a systematic manner. Try to use secret management tools like secret vaults, PAM tools, encryption services like KMS, etc. as much as possible. It is better to use automatically generated passwords as they are harder to guess.
  7. Detecting unauthorized access: Despite your best efforts, it is possible that some secrets will be leaked. You should have a system to detect unauthorized access as quickly as possible so that you can stop the attacks immediately and mitigate any loss.
  8. Audit: You should also put in place a design to audit your systems in case any security breaches occur. Having better visibility and logging will ensure that you can quickly address any security breaches. This will help you determine the stolen secrets, culprits, or reasons behind the incident so that you can take steps to prevent such incidents in the future.
  9. Automatically detect secrets: Despite following best practices and developers' best efforts and intentions, sometimes secrets are released into their applications and container images. It is critical to detect these mistakes as early as possible, before they are deployed in production. Deepfence has developed an open source tool, SecretScanner, to scan container images and hosts to find any potential secrets.

[Figure: Deepfence secret scanning output]

We currently analyze filenames (including paths) and file contents against regex patterns to find any potential secrets in container images. We provide a set of basic regex rules, which are configurable and expandable by users, to detect secrets. We use Hyperscan to match our regex patterns. Hyperscan allows us to exploit hardware features for fast scanning. Additionally, it enables us to scan all the regex patterns at the same time, making the secret scanning process super fast. We report details about the possible secrets found in various formats like JSON. For each secret found, we report a severity score in addition to the type of secret found, the matched text, the regex pattern, etc. You can find a sample JSON output of our tool below.

[Figure: Sample secrets JSON output]
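The following is an added example, not SecretScanner's own code, rule set or output schema: a small Python sketch of the approach described above, matching one set of regex rules against file paths and file contents and emitting JSON findings with a severity. The rule names, severities, field names and sample files are constructed for illustration, Python's `re` module stands in for Hyperscan (so patterns run one after another rather than simultaneously), and matched text is masked in the report, which goes beyond what the article describes.

```python
import json
import re

# Constructed rules for illustration; not SecretScanner's shipped rule set.
# "part" says whether a rule is matched against the file path or its contents.
RULES = [
    {"name": "AWS access key ID", "part": "contents", "severity": "high",
     "regex": r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"},
    {"name": "PEM private key", "part": "contents", "severity": "high",
     "regex": r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"},
    {"name": "Hard-coded password", "part": "contents", "severity": "medium",
     "regex": r"(?i)\bpassword\s*[:=]\s*\S{6,}"},
    {"name": "SSH private key file", "part": "filename", "severity": "medium",
     "regex": r"(?:^|/)id_(?:rsa|dsa|ecdsa|ed25519)$"},
]
COMPILED = [(rule, re.compile(rule["regex"])) for rule in RULES]

def redact(text, keep=4):
    # Mask all but a short prefix so the report does not re-leak the secret.
    return text[:keep] + "*" * max(len(text) - keep, 0)

def scan_file(path, data):
    findings = []
    for rule, pattern in COMPILED:
        target = path if rule["part"] == "filename" else data
        for m in pattern.finditer(target):
            findings.append({
                "file": path, "rule": rule["name"], "part": rule["part"],
                "severity": rule["severity"], "regex": rule["regex"],
                "match": redact(m.group(0)), "offset": m.start(),
            })
    return findings

def scan_tree(files):
    # files maps path -> text, e.g. the unpacked layers of an image.
    return [f for path in sorted(files) for f in scan_file(path, files[path])]

# Constructed sample file system; every value here is a placeholder.
SAMPLE_FILES = {
    "app/config.py": 'DB_HOST = "db"\npassword = "hunter2-example"\n',
    "root/.aws/credentials": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "home/dev/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n",
    "app/README.md": "Set the password via the vault, never in code.\n",
}

if __name__ == "__main__":
    print(json.dumps(scan_tree(SAMPLE_FILES), indent=2))
```

The README line mentions a password without assigning one, so it produces no finding; the `id_rsa` file is reported twice, once by path and once by contents.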

Please contact us if you have any feedback on our new secret scanning tool.