GitHub user anomalously downloaded data as a ZIP file
Goal
Detect and respond to unusual or unauthorized downloads of repository data in ZIP format by a GitHub user.
Strategy
This detection triggers when a user downloads repository data as a ZIP file under circumstances that are inconsistent with that user's normal behavior (for example, an unfamiliar location, client, or repository), which may indicate data exfiltration.
Triage & Response
- Identify the user and context of the download:
  - Review the GitHub audit logs for the user involved in the ZIP file download.
  - Examine relevant fields such as:
    - `@actor`: who performed the download.
    - `@repository`: which repository's data was downloaded.
    - `@timestamp`: when the download occurred.
  - Determine whether the download is consistent with the user's regular role and access to the repository.
- Analyze for anomalies:
  - Verify the location and device used:
    - Is the `@actor_location.country_code` or `@network.client.ip` from an unusual or unexpected location?
    - Does the `@http.useragent` match the user's typical device or browser?
- Check access history:
- Review previous actions by the same user in the last 30-60 days. Have there been any prior similar downloads or other anomalies, such as increased access or changes in permissions?
- Repository sensitivity:
- Assess the sensitivity or classification of the data within the repository. Does it contain proprietary, sensitive, or confidential information?
- Incident investigation:
  - Contact the user to verify whether the download was legitimate. Use caution, as the account may be compromised: reach the user through a channel the attacker would not control (not the email address registered on the GitHub account), and confirm their identity before acting on the answer.
  - If the download appears unauthorized or cannot be verified, temporarily restrict the user's access to prevent further downloads or actions on GitHub (see GitHub's documentation on managing access).
- Investigate further:
  - Review other actions taken by the user to look for additional suspicious behavior, such as pull requests, branch cloning, or large file downloads.
- Check for potential compromise:
- Look for signs of account takeover, such as changes to the user’s profile, email, or login credentials.
- Review access logs for any unusual or failed login attempts prior to the ZIP download.
- Cross-reference with other detections: Check if there are related security events, such as anomalous login alerts or unauthorized repository access.
- If unauthorized activity is confirmed:
- Revoke user access to the repository and reset credentials or tokens used by the user.
- Audit repository access to ensure no other unauthorized users or malicious activity is present.
- Begin incident response plan for further actions.
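The triage steps above (pull the user's audit events, compare the ZIP download's country, client IP, user agent and repository against the user's prior 30-60 days, and look for bursts of similar downloads) can be scripted so that an analyst gets the comparison in one pass. The following is an added example written for this page, not code from Datadog or GitHub. The events are constructed sample data in a shape that mirrors the Datadog-normalized attributes named above (`@actor`, `@repository`, `@timestamp`, `@actor_location.country_code`, `@network.client.ip`, `@http.useragent`); the action name `repo.download_zip` and the other action names are assumptions for the sake of the example, and the severity threshold is an illustrative choice.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real data). Keys mirror the Datadog attributes
# @actor, @repository, @timestamp, @action, @actor_location.country_code,
# @network.client.ip and @http.useragent. Action names are assumed.
NORMAL_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Chrome/120.0"


def _ev(ts, action, repo, cc="US", ip="203.0.113.10", ua=NORMAL_UA, actor="jdoe"):
    return {"timestamp": ts, "actor": actor, "action": action, "repository": repo,
            "actor_location": {"country_code": cc},
            "network": {"client": {"ip": ip}},
            "http": {"useragent": ua}}


SAMPLE_EVENTS = [
    _ev("2024-03-01T09:12:00Z", "git.push", "acme/web-app"),
    _ev("2024-03-05T10:30:00Z", "pull_request.merge", "acme/web-app"),
    _ev("2024-03-12T14:05:00Z", "git.push", "acme/web-app"),
    _ev("2024-03-20T11:41:00Z", "git.clone", "acme/web-app"),
    # Routine ZIP download from the user's usual country, IP, client and repo.
    _ev("2024-04-02T08:55:00Z", "repo.download_zip", "acme/web-app"),
    _ev("2024-04-10T16:20:00Z", "git.push", "acme/web-app"),
    # Two rapid ZIP downloads of repos the user never touched, from a new
    # country and IP, using a scripted client: the pattern the rule targets.
    _ev("2024-04-15T03:07:00Z", "repo.download_zip", "acme/payments-core",
        cc="RO", ip="198.51.100.7", ua="python-requests/2.31.0"),
    _ev("2024-04-15T03:09:00Z", "repo.download_zip", "acme/billing-api",
        cc="RO", ip="198.51.100.7", ua="python-requests/2.31.0"),
]

ZIP_ACTION = "repo.download_zip"
# Finding kinds that on their own justify escalation (illustrative choice).
STRONG = {"new_country", "new_user_agent", "first_touch_repo", "recent_zip_downloads"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess_zip_download(event, history, window_days=60, burst_guard_minutes=60):
    """Compare one ZIP download with the actor's prior activity.

    The baseline is the actor's events in the preceding window, excluding the
    last `burst_guard_minutes` so that a rapid series of attacker downloads
    cannot make its own country/IP/client look 'previously seen'.
    """
    actor, when = event["actor"], _ts(event["timestamp"])
    window_start = when - timedelta(days=window_days)
    guard_start = when - timedelta(minutes=burst_guard_minutes)
    mine = [e for e in history if e["actor"] == actor and _ts(e["timestamp"]) < when]
    prior = [e for e in mine if window_start <= _ts(e["timestamp"]) < guard_start]
    recent_zips = [e for e in mine
                   if e["action"] == ZIP_ACTION and _ts(e["timestamp"]) >= guard_start]

    seen_cc = Counter(e["actor_location"]["country_code"] for e in prior)
    seen_ip = Counter(e["network"]["client"]["ip"] for e in prior)
    seen_ua = Counter(e["http"]["useragent"] for e in prior)
    seen_repos = {e["repository"] for e in prior}
    prior_zips = sum(1 for e in prior if e["action"] == ZIP_ACTION)

    findings = []
    cc = event["actor_location"]["country_code"]
    if cc not in seen_cc:
        findings.append(f"new_country:{cc}")
    ip = event["network"]["client"]["ip"]
    if ip not in seen_ip:
        findings.append(f"new_ip:{ip}")
    if event["http"]["useragent"] not in seen_ua:
        findings.append("new_user_agent")
    if event["repository"] not in seen_repos:
        findings.append(f"first_touch_repo:{event['repository']}")
    if prior_zips == 0:
        findings.append("no_prior_zip_downloads")
    if recent_zips:
        findings.append(f"recent_zip_downloads:{len(recent_zips)}")

    kinds = {f.split(":")[0] for f in findings}
    return {"actor": actor, "repository": event["repository"],
            "timestamp": event["timestamp"], "prior_events": len(prior),
            "findings": findings, "escalate": bool(kinds & STRONG)}


def triage_all(events):
    """Assess every ZIP download in the event set, in chronological order."""
    zips = sorted((e for e in events if e["action"] == ZIP_ACTION),
                  key=lambda e: _ts(e["timestamp"]))
    return [assess_zip_download(z, events) for z in zips]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_EVENTS):
        print(json.dumps(result, indent=2))
```

In real use, `SAMPLE_EVENTS` would be replaced with the actor's audit events exported from Datadog or the GitHub audit log for the period of interest. The routine download in the sample is reported with only "no_prior_zip_downloads" and is not escalated; the two downloads on 2024-04-15 each carry a new country, IP, client and repository, and the second one also shows the burst of downloads in the preceding hour, which is the combination that should send an analyst to the "Incident investigation" steps above.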