feat(SAFE-T1506): added [Infrastructure Token Theft] #182
blaycoder wants to merge 4 commits into safe-agentic-framework:main
@bishnubista can you review this?

@blaycoder Please add version history

Noted
fe75774 to 9c964aa
Signed-off-by: blaycoder <onatola4real@gmail.com>
Signed-off-by: blaycoder <onatola4real@gmail.com>
Signed-off-by: blaycoder <onatola4real@gmail.com>
Signed-off-by: blaycoder <onatola4real@gmail.com>
c0212e4 to 14046cc
@bishnubista Done
| - [MITRE ATT&CK – Credential Access (T1552)](https://attack.mitre.org/techniques/T1552/) | ||
| - [Token tactics: How to prevent, detect, and respond to cloud token theft](https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/#:~:text=When%20Azure%20AD%20issues%20a,prevented%20from%20accessing%20organizational%20resources) | ||
| - [Token Theft in the Cloud: What It Is and How to Prevent It](https://www.csicorp.net/token-theft-in-the-cloud-what-it-is-and-how-to-prevent-it/#:~:text=How%20Does%20Token%20Theft%20Happen,%2C%20logs%2C%20or%20error%20messages) | ||
| - [Defending Against Prompt Injection With a Few DefensiveTokens](https://arxiv.org/html/2507.07974v1) |
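Review bot: The Microsoft and CSI links in this references list carry `#:~:text=...` scroll-to-text fragments, which depend on the exact wording of the target page and stop working when that wording changes. Cut each URL at the `#` so the reference points at the article itself.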
CRITICAL - Irrelevant arXiv Citation
The paper cited here (arxiv.org/html/2507.07974v1) is titled "Defending Against Prompt Injection With a Few DefensiveTokens" and is about a prompt injection defense mechanism, not about infrastructure token theft. This citation does not support the surrounding content about token exfiltration and should be removed or replaced with a relevant source on credential exfiltration from CI/CD systems.
|
|
||
| ## Overview | ||
| **Tactic**: Credential Access (ATK-TA0006) | ||
| **Technique ID**: SAFE-T1506 |
CRITICAL - Technique Scope Mismatch with Registry
The README registry defines SAFE-T1506 as: "Steal OAuth/session tokens from logs, TLS termination proxies, or other infrastructure components where tokens may be inadvertently stored or exposed, then replay at intended service."
This PR describes a substantially broader attack (CI/CD secrets, cloud API keys, IAM, lateral movement across cloud environments). The content either needs to be scoped to match the registered description, or the registry entry needs to be updated as part of this PR.
| @@ -0,0 +1,141 @@ | |||
| # SAFE-T1506: INFRASTRUCTURE TOKEN THEFT | |||
CRITICAL - MITRE T1506 Does Not Exist
The SAFE technique is named SAFE-T1506 (a SAFE framework ID) but the document uses T1506 in the MITRE ATT&CK context within the example scenario (line 58: T1552, T1528). More importantly, T1506 is not a valid MITRE ATT&CK technique ID. The MITRE IDs actually referenced in the attack flow are T1552 (Unsecured Credentials) and T1528 (Steal Application Access Token). The SAFE-T1506 ID is fine as a SAFE-framework identifier, but authors should be careful not to imply it maps to a MITRE technique of the same number.
| # SAFE-T1506: INFRASTRUCTURE TOKEN THEFT | ||
|
|
||
| ## Overview | ||
| **Tactic**: Credential Access (ATK-TA0006) |
WARNING - Missing Required Overview Fields
The Overview section is missing two required fields from the template:
- **First Observed**: [Date/Not observed in production/Discovered by X]
- **Last Updated**: [Date]
Please add these fields to comply with the technique template.
| - Sudden access to pipeline secrets by unfamiliar users | ||
| - Tokens accessed without a matching code change or deployment | ||
| - New API keys or tokens created shortly after token usage | ||
| - Token usage followed by credential creation events |
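Review bot: The last two indicators in this list describe the same signal (credential creation following token use) and should be merged, and "unfamiliar users" and "shortly after" give a detection engineer nothing to implement. Name the log source and a concrete time window for each indicator, and define what makes a user unfamiliar, for example a first-ever read of that pipeline's secrets.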
WARNING - Detection Section Uses Wrong Heading
The template requires a `## Detection Methods` heading (not `## Detection`). Under it, the template requires two subsections:
- `### Indicators of Compromise (IoCs)` - currently missing; your log patterns and behavioral indicators should be organized under this heading
- `### Detection Rules` - with a Sigma rule embedded in a YAML code block
The ## Detection section in this PR lacks a Sigma detection rule entirely. All technique PRs require a detection-rule.yml file in the technique directory and an embedded Sigma rule in the README. Please add both.
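
Two of the behavioral indicators from the Detection hunk above (secret access with no matching change or deployment, and token use followed by credential creation), written as correlation logic over audit events. This is an added example, not part of the PR or of the SAFE-MCP project; the event schema, action names, sample events and the 15-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not from any real product).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "actor": "ci-bot", "action": "deployment", "pipeline": "web"},
    {"ts": "2024-05-01T10:01:00", "actor": "ci-bot", "action": "secret_access", "pipeline": "web"},
    {"ts": "2024-05-01T14:30:00", "actor": "svc-7", "action": "secret_access", "pipeline": "billing"},
    {"ts": "2024-05-01T14:36:00", "actor": "svc-7", "action": "credential_create", "pipeline": "billing"},
]

CHANGE_ACTIONS = {"code_push", "deployment"}


def find_suspicious(events, window=timedelta(minutes=15)):
    """Return (rule, actor, pipeline, timestamp) tuples for the two indicators."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    findings = []
    for access in (e for e in parsed if e["action"] == "secret_access"):
        # Indicator: secret read with no code change or deployment on the same
        # pipeline within the window on either side of the access.
        has_change = any(
            e["action"] in CHANGE_ACTIONS
            and e["pipeline"] == access["pipeline"]
            and abs(e["ts"] - access["ts"]) <= window
            for e in parsed
        )
        if not has_change:
            findings.append(("access_without_change", access["actor"],
                             access["pipeline"], access["ts"].isoformat()))
        # Indicator: the same actor creates a credential soon after the access.
        for e in parsed:
            if (e["action"] == "credential_create"
                    and e["actor"] == access["actor"]
                    and timedelta(0) <= e["ts"] - access["ts"] <= window):
                findings.append(("credential_create_after_access", e["actor"],
                                 e["pipeline"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
```

The window is the tuning knob: too short misses slow follow-on activity, too long pairs unrelated events and raises false positives.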
|
|
||
| ## Mitigation | ||
| - Audit all cloud and container accounts to verify their necessity and to ensure that the permissions assigned are appropriate. | ||
| - Implement RBAC to ensure that users account have only the minimum necessary privileges. This reduces the risk of excessive permissions that could be exploited. |
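Review bot: "users account have" in the RBAC bullet should read "user accounts have". Both bullets shown here are also general account hygiene; since the technique is token theft, add at least one control aimed at the tokens themselves, such as keeping them out of logs or shortening their lifetime.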
WARNING - Mitigation Section Does Not Link to SAFE-M Controls
The template requires ## Mitigation Strategies (not ## Mitigation) with three subsections: ### Preventive Controls, ### Detective Controls, and ### Response Procedures. Each control should be linked to a specific SAFE-M mitigation, e.g.:
1. **[SAFE-M-3: Least Privilege](../../mitigations/SAFE-M-3/README.md)**: Implement RBAC...
The current free-form bullet list does not reference any SAFE mitigations. Please restructure and add cross-references to applicable mitigations.
| - [CircleCI incident report for January 4, 2023 security incident](https://circleci.com/blog/jan-4-2023-incident-report/) | ||
| - [Playbook of the Week: Cloud Token Theft Response](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-cloud-token-theft-response/) | ||
| - [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) | ||
|
|
WARNING - Missing Required Section: Related Techniques
The template requires a ## Related Techniques section that cross-references other SAFE techniques. For a token theft technique, relevant techniques might include credential access or reconnaissance techniques in the SAFE framework. Please add this section with links to at least 1-2 related SAFE techniques.
SAFE-MCP Automated Review Summary

PR: #182 - feat(SAFE-T1506): added [Infrastructure Token Theft]

Comment Routing Stats

Critical Issues (Must Fix Before Merge)
1. Irrelevant arXiv citation (line 123)
2. Technique scope mismatch with registry (line 5)
3. MITRE T1506 does not exist (line 1)

Warnings (Should Fix)
4. Missing required Overview fields (line 4)
5. Missing detection-rule.yml file
6. Detection section structure does not match template (line 87)
7. Mitigation section does not link to SAFE-M controls (line 113)
8. Missing Related Techniques section (line 130)

Template Compliance
Overall: 53.3% (8/15 required sections found)
Sections present: Overview, Description, Attack Vectors, Technical Details, Prerequisites, Attack Flow, Example Scenario, Impact, Detection (partial), Mitigation (partial), References, MITRE ATT&CK Mapping, Version History
Sections missing:

Info Notes

Recommendation
REQUEST CHANGES - There are 3 critical issues (irrelevant citation, scope mismatch with registry, non-existent MITRE ID reference) and 5 structural warnings. The most urgent fix is removing the arXiv reference to the prompt injection defense paper. The technique also requires a detection-rule.yml file and restructuring of the Detection and Mitigation sections to match the template. See inline comments for line-specific guidance.

Automated review by SAFE-MCP pr-reviewer agent
Summary
Contributed to a technique: SAFE-T1506: INFRASTRUCTURE TOKEN THEFT
Type of Contribution
Checklist
git commit -s)
Related Issues
Closes #[issue-number] (if applicable)