GitHub mass exfiltration via cloning of repositories using a personal access token


Goal

Detects mass cloning of GitHub repositories using personal access tokens, indicating potential data exfiltration attempts. Alerts when users clone an unusually high number of distinct repositories within a short timeframe.

Strategy

This rule monitors GitHub audit logs for git.clone actions performed using personal access tokens (both classic and fine-grained). The rule implements multiple severity thresholds based on the volume of repositories cloned and incorporates threat intelligence enrichment to identify cloning activity from suspicious IP addresses. Mass repository cloning using programmatic access tokens is a common technique used by malicious actors to exfiltrate large amounts of source code and sensitive data from organizations.
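The strategy above can be illustrated with a small detector. The following Python script is an added example written for this page; it is not Datadog's rule implementation or GitHub's code. It runs over constructed, simplified audit events: the field names (action, actor, repo, actor_ip, programmatic_access_type, created_at), the token-type labels, the 15-minute window, the distinct-repository thresholds, and the one-level severity escalation on a threat-intelligence hit are all assumptions chosen for the example. It keeps only git.clone events made with a personal access token, slides a time window over each actor's events, counts distinct repositories in the busiest window, maps the count to a severity, and escalates when a source IP appears in the (constructed) suspicious-IP list.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SEVERITY_LEVELS = ["low", "medium", "high"]
# Assumed thresholds on distinct repositories cloned inside one window; the page
# says the rule has several thresholds but does not publish the values.
THRESHOLDS = {"low": 10, "medium": 25, "high": 50}
# Assumed labels for the token-type field; only these count as PAT-based clones.
PAT_TYPES = {"Personal access token", "Fine-grained personal access token"}
# Constructed threat-intel list (RFC 5737 documentation address).
SUSPICIOUS_IPS = {"203.0.113.7"}


def _event(actor, repo, ip, token_type, ts):
    """Build one constructed audit event in the simplified schema used here."""
    return json.dumps({
        "action": "git.clone",
        "actor": actor,
        "repo": repo,
        "actor_ip": ip,
        "programmatic_access_type": token_type,
        "created_at": ts.isoformat(),
    })


BASE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
# Constructed sample log: alice clones 12 distinct repos with a PAT in under four
# minutes from a suspicious IP; bob re-clones one repo three times (benign);
# carol clones many repos but with an OAuth token, so the rule ignores her.
SAMPLE_LOG = "\n".join(
    [_event("dev-alice", f"example-org/service-{i}", "203.0.113.7",
            "Personal access token", BASE + timedelta(seconds=20 * i)) for i in range(12)]
    + [_event("dev-bob", "example-org/website", "198.51.100.5",
              "Personal access token", BASE + timedelta(minutes=i)) for i in range(3)]
    + [_event("dev-carol", f"example-org/lib-{i}", "192.0.2.9",
              "OAuth access token", BASE + timedelta(seconds=i)) for i in range(15)]
)


def parse_events(text):
    """Parse newline-delimited JSON events and attach a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["created_at"])
        events.append(rec)
    return events


def severity_for(distinct_repos):
    """Highest severity whose threshold the count reaches, or None."""
    level = None
    for name in SEVERITY_LEVELS:
        if distinct_repos >= THRESHOLDS[name]:
            level = name
    return level


def escalate(level):
    """Raise severity by one step (assumed policy for a threat-intel match)."""
    idx = SEVERITY_LEVELS.index(level)
    return SEVERITY_LEVELS[min(idx + 1, len(SEVERITY_LEVELS) - 1)]


def detect_mass_clone(events, window=timedelta(minutes=15), suspicious_ips=SUSPICIOUS_IPS):
    """Return one alert per actor whose busiest window crosses a threshold."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("action") != "git.clone":
            continue
        if ev.get("programmatic_access_type") not in PAT_TYPES:
            continue
        by_actor[ev["actor"]].append(ev)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best = None  # (distinct count, repos, ips, window start, window end)
        start = 0
        for end, ev in enumerate(evs):
            # Drop events that fell out of the sliding window ending at this event.
            while evs[start]["ts"] < ev["ts"] - window:
                start += 1
            in_window = evs[start:end + 1]
            repos = {e["repo"] for e in in_window}
            ips = {e["actor_ip"] for e in in_window}
            if best is None or len(repos) > best[0]:
                best = (len(repos), repos, ips, in_window[0]["ts"], ev["ts"])
        count, repos, ips, first, last = best
        level = severity_for(count)
        if level is None:
            continue
        hits = sorted(ips & suspicious_ips)
        if hits:
            level = escalate(level)
        alerts.append({
            "actor": actor, "severity": level, "distinct_repos": count,
            "repos": sorted(repos), "source_ips": sorted(ips),
            "suspicious_ips": hits,
            "window_start": first.isoformat(), "window_end": last.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_clone(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed input only dev-alice fires: 12 distinct repositories reach the assumed "low" threshold, and the threat-intel match on 203.0.113.7 escalates the alert to "medium". Counting distinct repositories rather than raw clone events is what keeps dev-bob's repeated clones of a single repository from alerting, and filtering on the token type is what keeps the rule scoped to the programmatic-access pattern the strategy describes.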

Triage & Response

  • Examine the cloning activity timeline for {{@github.actor}} to determine if the volume and pattern of repository access aligns with legitimate business activities.
  • Review the specific repositories cloned to assess their sensitivity level and whether the user has legitimate access requirements for all targeted repositories.
  • Check the source IP addresses associated with the cloning activity and correlate with known user locations and typical access patterns.
  • Analyze the user’s recent GitHub activity history to identify any changes in behavior patterns or access requests.
  • Determine if the cloned repositories contain sensitive data, proprietary code, or intellectual property that could pose significant risk if exfiltrated.