By now, we’ve all heard news about AWS keys leaked by a developer on GitHub. While this can cause damaging headlines for the company, fortunately GitHub responded and can now automatically invalidate these API keys when they wind up on public repositories.
This is great, but limited by two critical factors:
Over a 30-day period, we scanned more than 150 million entities from GitHub, GitLab, and Pastebin. During this time, our technology assessed and categorized almost 800,000 access keys and secrets. What did we find? More than 40% of these were for database stores – the majority of which are not covered by GitHub's automatic invalidation.
Typically, when we think of credentials, the first thing that comes to mind is a username and password, which people and other systems use to authenticate. But in software there is an additional type of security credential – an access key. Access keys can be public or private and, depending on the type of service, authenticate a system to third-party or internal systems. Access keys often have broader access than individual user accounts and fewer checks or restrictions on their usage.
Unfortunately, these access keys can be exposed by internal software developers or contractors who may not have noticed that a repository's settings have changed to public. Indeed, this was the case with recent headlines made by Starbucks and AWS. This is a relatively common occurrence; previous research from North Carolina State University discovered that over 100,000 GitHub repos have leaked API or cryptographic keys.
The misuse of these keys is not hypothetical. Last year, Imperva outlined how a breach resulted from a stolen AWS API key. More recently, in August, researchers discovered malware stealing AWS credentials for the purpose of crypto-mining.
Most analyses of exposed access keys have focused on GitHub, and for good reason: it holds an enormous amount of data, and it is where we see the most leaks. However, for this research we also looked across GitLab and Pastebin to provide a more comprehensive idea of how often keys get exposed. Over a thirty-day period (9th August – 8th September 2020), we searched across approximately 150 million entities on GitHub, GitLab, and Pastebin.
Of the 800,000 access keys assessed in this time period (which included both our historical archive and new commits), we broke down the 20 key types into four categories: databases, online services, cloud providers, and SSH keys. The breakdown of the number of keys is provided in Figure 1.
The potential impact of exposed access keys is most obvious when we consider database stores. If exposed, these types of credentials could allow unauthorized access to company data (including PII) with the permission to expose, destroy or manipulate company data.
For many years we have witnessed the targeting of MongoDB as part of ransomware campaigns (most recently there were 22,900 MongoDB instances held to ransom).
But the impacts extend beyond this tactic. Depending on the nature of the data, such unauthorized access could have regulatory consequences, disrupt business critical systems, and damage the reputation of the organization.
We searched for 8 types of API credentials for the following databases: IBM DB2, Microsoft SQL Server, MongoDB, MySQL, Oracle DB, PostgreSQL, RabbitMQ, and Redis. In total, we discovered 129,550 credentials for these 8 database stores, with Redis (37.2%), MySQL (23.8%), and MongoDB (19.3%) the most common.
The second area outlined in this research focused on an analysis of almost 300,000 keys across four types of cloud providers: AWS, Azure storage, Azure SAS, and Google Cloud.
Successful authentication into these types of environments could allow access to the associated cloud infrastructure, with permission to expose, destroy and/or manipulate sensitive data. The data accessible depends on the services used and could include company information or internal systems information. Theft of this type of information can be highly valuable for cybercriminals. Furthermore, as we have seen with the recent targeting of AWS keys for crypto-mining purposes, there are many ways to monetize this type of access.
The research focused on the following key types for online services: Google OAuth ID, Mailgun, Microsoft NuGet, Slack (Bot Token, User Token, and Webhook URL), and Stripe. Google OAuth was the clear majority, with 95% of the instances. This is somewhat concerning, given that it can be used to obtain permission from users to store files in their Google Drives.
Due to the high number of Google OAuth ID, these have been omitted from Figure 4 in order to better illustrate the other types of online services.
Of more than 4,000 secret or API keys for online services, the majority (56.9%) were for Slack. These may either be used to trick users into clicking links or disrupt business operations. They include:
It’s about more than Slack, of course. Access to a Microsoft NuGet API key, for example, could enable actors to upload malicious packages or delete existing packages from a repository.
Even though a relatively small number of Stripe secrets were unearthed (274), the impact can be high. In this case, access could result in the exposure of sensitive financial information, and allow an attacker to modify and delete information within the account.
Alternatively, a Mailgun secret key could allow use of the API to send, receive and track emails – an incredibly useful type of access for phishing campaigns.
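The four categories of key described above (databases, cloud providers, online services, and SSH keys) are exactly what a pre-commit or repository-monitoring check needs to recognise before a push reaches a public repository. The scanner below is an added example written for this page, not ReliaQuest's technology or any tool the research used. The regular expressions are illustrative assumptions about common key formats and should be tuned to your own estate; the sample file contents are constructed with obviously fake values. Findings are redacted before reporting so the scanner's own output does not become a second copy of the secret.

```python
import re
from dataclasses import dataclass

# Illustrative detection patterns grouped into the four categories used in the
# research write-up. These regexes are assumptions made for this example, not
# the scanner the page describes; expect to tune them for your own code base.
PATTERNS = {
    "cloud_provider": {
        "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    },
    "database": {
        # user:password@host embedded in a connection URI (MongoDB, MySQL,
        # PostgreSQL, Redis, RabbitMQ/AMQP) - the category most often missed.
        "connection_uri": re.compile(
            r"\b(?:mongodb|mysql|postgres(?:ql)?|redis|amqp)://[^\s:/@]*:[^\s@]+@[^\s\"']+"
        ),
    },
    "online_service": {
        "slack_token": re.compile(r"\bxox[bp]-[0-9A-Za-z-]{10,}\b"),
        "stripe_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{8,}\b"),
        "google_oauth_client_id": re.compile(
            r"\b[0-9]+-[0-9a-z]+\.apps\.googleusercontent\.com\b"
        ),
    },
    "ssh_key": {
        "private_key_block": re.compile(
            r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
        ),
    },
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    kind: str
    redacted: str  # never the full secret


def redact(secret: str) -> str:
    """Keep a short prefix so the key type is recognisable, drop the rest."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:6] + "...****"


def scan_text(text: str) -> list:
    """Return one Finding per pattern match, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, kinds in PATTERNS.items():
            for kind, rx in kinds.items():
                for m in rx.finditer(line):
                    findings.append(Finding(line_no, category, kind, redact(m.group(0))))
    return findings


def summarize(findings) -> dict:
    """Count findings per category, mirroring the report's breakdown."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def precommit_gate(text: str) -> bool:
    """True when the staged content is clean and the commit may proceed."""
    return not scan_text(text)


# Constructed sample of a settings file about to be committed. Every value is
# fake and chosen to match the illustrative patterns above.
SAMPLE_COMMIT = """# settings.py (constructed sample, all values fake)
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
MONGO_URL = "mongodb://app:NotARealPassw0rd@db.internal.example:27017/prod"
REDIS_URL = "redis://:NotARealPassw0rd@cache.internal.example:6379/0"
SLACK_BOT_TOKEN = "xoxb-000000000000-FAKEFAKEFAKE"
STRIPE_KEY = "sk_live_FAKEFAKEFAKE1234"
GOOGLE_CLIENT_ID = "000000000000-fakefakefake.apps.googleusercontent.com"
DEPLOY_KEY = '''-----BEGIN OPENSSH PRIVATE KEY-----
(fake key body)
-----END OPENSSH PRIVATE KEY-----'''
DEBUG = True
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT):
        print(f"line {f.line_no}: {f.category}/{f.kind} -> {f.redacted}")
    print("per category:", summarize(scan_text(SAMPLE_COMMIT)))
    print("commit allowed:", precommit_gate(SAMPLE_COMMIT))
```

Wired into a pre-commit hook, `precommit_gate` blocks the push; run over a repository's full history or a Pastebin feed, `summarize` gives the same per-category view as the figures in this research, and the redacted findings can be forwarded to an alerting pipeline without re-exposing the key.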
For GitHub, there are a few options for gaining this visibility:
Of course, this is about more than just GitHub, and so it’s worth referring to help provided by the technologies themselves. Google, for example, provides helpful guidance on steps to take if you unearth an exposed access key.
Get in touch to learn more about how we help organizations to detect exposed access keys and other types of technical leakage! You can read more about our technical leakage capability here.