In most attacks, adversaries do not read through each file, line by line, to find secrets. They certainly use your secrets to move laterally through your systems, but in the early stages they usually run scanning tools to get the lay of the land. Very commonly, these scanners immediately try any credential they find to check whether it is still active, and that validity test is exactly what triggers the honeytoken. Once you know an intruder is there, you can react before they can do much damage or exfiltrate anything.
Once you have their IP address and user agent, you can revoke their access to your network and systems and quickly review any unauthorized actions they have taken. If there were any valid secrets in the codebase where the honeytoken was triggered, you can escalate appropriately and invalidate those credentials as soon as possible.
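To make the two halves of this concrete, here is an added example (not GitGuardian's code, and not from the original post) that first mimics what an attacker's scanner does, harvesting anything shaped like an AWS access key ID from a set of constructed sample repositories, and then shows the defender's side: turning a honeytoken alert (key ID, source IP, user agent) into an action plan that blocks the source and lists the real keys in the same repo to rotate. The repositories, key IDs, IP address and user agent are all fabricated placeholders; the `HoneytokenAlert` and `ActionPlan` shapes are assumptions for the example, not a real alert format.

```python
import re
from dataclasses import dataclass, field

# AWS access key IDs: long-term keys start with AKIA, temporary keys with ASIA,
# followed by 16 uppercase alphanumerics. This is the kind of pattern a scanner uses.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed sample repositories (repo name -> path -> contents). Every key below is
# a fabricated placeholder. In a real repo the honeytoken would not be labelled.
SAMPLE_REPOS = {
    "billing-service": {
        "config/prod.env": (
            "AWS_ACCESS_KEY_ID=AKIAREALPRODKEY00002\n"
            "AWS_SECRET_ACCESS_KEY=<redacted>\n"
        ),
        "scripts/deploy.sh": (
            "#!/bin/sh\n"
            "export AWS_ACCESS_KEY_ID=AKIAHONEYTOKEN000001\n"  # the planted honeytoken
        ),
    },
    "docs-site": {
        "README.md": "No credentials here.\n",
        "ci/upload.py": "KEY = 'AKIAOTHERREPOKEY0003'\n",
    },
}

# Registry of planted honeytokens: key ID -> repo it was planted in (assumed shape).
HONEYTOKENS = {"AKIAHONEYTOKEN000001": "billing-service"}


def scan_repo(files):
    """Attacker's view: harvest every key ID in a repo, with the path it came from.
    A honeytoken is indistinguishable from a real key at this stage, so it gets
    harvested (and then tested for validity) like everything else."""
    found = []
    for path, content in files.items():
        for match in AWS_KEY_ID_RE.finditer(content):
            found.append((match.group(0), path))
    return found


def scan_all(repos):
    """Run the scanner over every repository."""
    return {name: scan_repo(files) for name, files in repos.items()}


@dataclass
class HoneytokenAlert:
    """Assumed alert shape: the honeytoken that was used and where the call came from."""
    key_id: str
    source_ip: str
    user_agent: str


@dataclass
class ActionPlan:
    repo: str            # repo the triggered honeytoken was planted in
    block_ip: str        # source to block while investigating
    user_agent: str      # kept for hunting the same tool elsewhere in logs
    rotate: list = field(default_factory=list)  # real key IDs to invalidate, sorted


def triage(alert, honeytokens, repos):
    """Defender's view: map a triggered honeytoken back to its repo and treat every
    other key ID found in that repo as compromised."""
    repo = honeytokens.get(alert.key_id)
    if repo is None:
        raise ValueError("alert key ID is not a registered honeytoken")
    real_keys = {key for key, _ in scan_repo(repos[repo]) if key not in honeytokens}
    return ActionPlan(
        repo=repo,
        block_ip=alert.source_ip,
        user_agent=alert.user_agent,
        rotate=sorted(real_keys),
    )


if __name__ == "__main__":
    print(scan_all(SAMPLE_REPOS))
    alert = HoneytokenAlert("AKIAHONEYTOKEN000001", "203.0.113.7", "aws-cli/2.15.0")
    print(triage(alert, HONEYTOKENS, SAMPLE_REPOS))
```

The scanner side shows why a planted credential reliably gets hit: it matches the same pattern as a real key, so any tool harvesting key IDs picks it up and the attacker's own validity check raises the alarm. The triage side shows the prioritization step from the text: the repo containing the triggered honeytoken is the one whose remaining real keys get rotated first.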
For when your code gets leaked
Unfortunately, as we have seen in so many cases, private code repositories can unexpectedly become public repos. When that happens, any and all secrets in that codebase can be seen by anyone outside your organization to be used for any number of potentially nefarious purposes. You want to know right away that a leak has occurred, not waiting five years, as was the case with Toyota. A large number of public scans are continually being performed to try to find new commits and any secrets they contain.
Fortunately, we can use these public scanners to our advantage and leverage GitGuardian honeytokens to detect when private code becomes public. You get alerted immediately when eyes outside your org can see your secrets. If you have legitimate, valid secrets in that repo, then you know it is time to rotate those secrets as quickly as you can.
Prioritizing your action plan
Now that you have a way to know if a repo is under attack or being shared in public, you can prioritize your action plan to tackle secrets sprawl. Of course, GitGuardian can help in a larger capacity as well, gathering all the needed data in one place, performing validity checks, and automatically assigning severity scores and tags. The platform will make it easy to see who is working on closing which incidents, as well as track your progress over time.
Because a honeytoken has no legitimate use other than as a trap, any call made with it is by definition unauthorized, so you can safely leave honeytokens in any cleaned repo and get the same protection for repos with all the real secrets removed. Setting one up once produces the long-term benefit without any additional work. Hopefully, though, your honeytokens will never be triggered.
Cleaning up technical debt takes time
We know that security is challenging and causes a lot of headaches as you are endlessly playing defense. We are here to help you tackle secrets sprawl at scale, no matter how many devs you have or how much legacy code you have to deal with. Honeytokens can make sure that if someone is snooping around, they will trigger an alert. They can also let you know if your private code becomes public. In the larger picture, GitGuardian can help you prioritize and coordinate your remediation plans.
We at GitGuardian want you to sleep soundly, knowing that you have a plan in place and the best cyber deception tools to get alerts when a breach or a leak occurs. The best part is honeytokens provide protection long after you resolve all your secrets-related incidents, helping you continuously improve your response times. No matter where you are on your security or secrets management security journey, we invite you to leverage the GitGuardian platform for better peace of mind.