Why DevOps Is An Attractive Target For Cybercrime Syndicates


Late in the month of September 2019, Avast detected an intrusion into its network through a temporary VPN profile. It is believed that this was an attempt to use malware to infect the CCleaner software owned by Avast. CCleaner is a utility that many companies use to remove malware from systems. Cybercrime syndicates had successfully implanted malware into CCleaner in 2017. This attempt in 2019 is largely believed to be a similar attempt, though it failed.

Docker had to deal with a successful intrusion in April 2019. The attackers compromised a single Docker Hub database. Sensitive data from approximately 190,000 accounts was exposed. It’s suspected that hackers implanted malware in the Docker official images used for instantiating containers in its DevOps environment. Docker confirmed that no official images were compromised.

Such attacks are on the rise since it is an easy way for cybercrime syndicates and nation-states to infiltrate millions of systems by compromising one software that is commonly used. These attacks, known as supply chain attacks, are not new, and this category of attack has been on the rise.

Why Target DevOps?

DevOps environments have become targets since they have become more vulnerable in recent times for the following reasons:

• DevOps environments are migrating to the cloud. Keeping pace with the dynamic nature of public cloud environments and the ever-changing components and configurations is challenging. This is an extra load on DevOps teams since they already occupy a high-paced field that requires using new technologies such as containers, serverless, big data and analytics. This exposes DevOps environments to various vulnerabilities, including open accounts without 2FA, storage buckets with public access, containers with open API access and unprotected serverless instances.


| Paid Program
Digital Transformation Isn’t A Project, It’s A Way Of Operating
| Paid Program
Creating A Foundation Of Trust To Instil A Data Culture Within Organisations In Asia Pacific
Grads of Life BRANDVOICE
| Paid Program
How To Build A Culture Of High Expectations
• Software development is no longer about only writing code; it has evolved to code integration from many different sources, including open source. Compromising any component of this ecosystem is good enough for an attacker to gain a foothold.

What Can We Do About It?

Preventive controls — including 2FA, firewalls, WAF, anti-malware and secure email gateways — do raise the bar, but these controls are getting bypassed through advanced attacks. Hence, monitoring the DevOps environment and immediately responding to these attacks is critical. What follows is a list of best practices for monitoring and responding to such attacks:

• Monitor DevOps environments and underlying cloud infrastructure: Early detection of access from cybercrime groups or nation-states goes a long way in limiting damage. Different activities in DevOps — including build, code push and release — should be profiled for geographical, location, IP/URL and user access. Any anomalous access that deviates from a normal profile or access from known bad geographies or IPs should be immediately investigated and responded to. This can be achieved by directly monitoring DevOps platforms. As an example, integrating with Azure DevOps events provides this type of visibility. Continuous monitoring of underlying cloud infrastructure that runs a DevOps environment should be monitored. This will include monitoring VMs, storage groups, cloud console, VMs and PaaS services. This provides the required visibility to understand any intrusions related to the infrastructure that can be used as a steppingstone for compromising a DevOps environment.

• Monitor production container environments: Events within and around a container need to be monitored. Internal container events will enable the detection of compromised processes or malware within the container. The inspection of events within a container will require embedding agents or scripts as part of the golden image. Container communication profiling can enable the detection of any rogue containers. Container communication can be profiled using events from the orchestration layer of container management software.

• Cloud configuration assessment: Benchmark configuration settings across VMs, storage, database, management consoles, containers and identities to ensure there are no open holes for easy access. CIS is a good industry standard to benchmark.

• Scan software components for vulnerabilities and malware: Development today has a lot of component integration, both commercial and open source. These components must be scanned for vulnerabilities and malware before integration. Analyzing different components of software for vulnerabilities and also analyzing code for malware should become an integral part of rolling out secure DevOps.

It is time to start focusing on better protection of the DevOps environment. Cybercrime syndicates and nation-states will only continue to infiltrate software at its source (DevOps) as a way of gaining a stronger foothold in more and more organizations.

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x