Monitor GitHub for Code Leaks with External Threat Intelligence
March 4th, 2021
GitHub is home to millions of software developers who share coding projects, download other users’ repositories, and generally collaborate with like-minded developers. In fact, IntSights developers also use GitHub to collaborate on projects. But GitHub’s open nature also attracts hackers who team up to iterate on malicious code they can use to breach corporate networks and launch cyberattacks.
IntSights continuously monitors code and file-sharing sites like GitHub to identify exploits, sensitive data, and leaked credentials affecting our users, and initiates immediate takedowns. We recently expanded our capabilities for monitoring organization-specific mentions on GitHub that could be indicators of an imminent attack. Armed with this new visibility, teams can proactively monitor for code leaks, unauthorized integrations with internal company servers, or unauthorized use of company resources, and act immediately as needed.
The goal of our GitHub monitoring feature is to detect company mentions on GitHub that can indicate a potential code leakage or unauthorized use of a company asset. There are two high-level scenarios that fall under this umbrella: leaked secrets and asset mentions. Let’s break down how it works.
Monitoring Leaked Secrets
Leaked secrets are any type of sensitive data connected to the company – credentials, tokens, API keys, etc. – that are detected in public repositories. Our platform searches public Git repositories and GitHub search results for mentions of the company's domains (including subdomains) to identify potentially leaked or exposed services and data. Because subdomains are rarely known outside the company, a subdomain appearing in public code is a strong indicator of leaked code or unauthorized use of company resources. In some cases the data itself contains no mention of the target company, but the repository has an established connection to it, so the user is still alerted.
Monitoring Asset Mentions
Asset mentions include any mention of relevant company digital assets in code hosted on GitHub. Results in this scenario can indicate a code leak or an unauthorized use of a company resource (such as an integration). To identify asset mentions, we search for mentioned domains (including subdomains) and code mentions. Code mentions include any unique phrase or pattern that, when it appears in a public repository, triggers an alert for an IntSights user. The asset could be the name of an internal server, a unique component in the code, or any general phrase that the user feels is important enough to be alerted on.
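To make the two scenarios concrete, here is an added example scanner (written for this page; it is not IntSights code and does not reflect the platform's actual rules). The watchlist domain `example.com`, the asset phrase `billing-gateway`, the secret formats, and the sample files are all constructed for the illustration. It reports domain and subdomain hits and asset phrases as asset mentions, and reports a secret only when something ties the blob to the company: a watchlist domain mention anywhere in the file, or a `repo_linked` flag standing in for the "repository has a connection" case described above.

```python
"""Constructed example: classify public-repo text into asset mentions and leaked secrets."""
import re
from dataclasses import dataclass

# Constructed secret formats for the example (well-known key shapes, not a vendor ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # key = 'value' style assignments; group 2 captures the value
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # "asset_mention" or "leaked_secret"
    path: str
    line_no: int
    detail: str    # rule that fired: "domain:<d>", "phrase:<p>", or a secret pattern name
    match: str     # matched text; redacted for secrets


def domain_pattern(domain: str) -> re.Pattern:
    """Match the domain or any subdomain of it as a whole hostname token."""
    return re.compile(
        r"(?i)(?<![\w.-])((?:[a-z0-9-]+\.)*" + re.escape(domain) + r")(?![\w-]|\.[a-z0-9])"
    )


def redact(value: str) -> str:
    """Keep a short prefix so an analyst can recognise the secret type without storing it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_blob(path, text, domains, asset_phrases, repo_linked=False):
    domain_res = [(d, domain_pattern(d)) for d in domains]
    phrase_res = [(p, re.compile(re.escape(p), re.IGNORECASE)) for p in asset_phrases]
    # A secret is only attributed to us if the blob is linked: a watchlist domain
    # appears anywhere in the file, or the repository itself is known to be connected.
    linked = repo_linked or any(r.search(text) for _, r in domain_res)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for domain, r in domain_res:
            for m in r.finditer(line):
                findings.append(Finding("asset_mention", path, line_no, "domain:" + domain, m.group(1)))
        for phrase, r in phrase_res:
            if r.search(line):
                findings.append(Finding("asset_mention", path, line_no, "phrase:" + phrase, phrase))
        if linked:
            for name, r in SECRET_PATTERNS.items():
                for m in r.finditer(line):
                    value = m.group(m.lastindex) if m.lastindex else m.group(0)
                    findings.append(Finding("leaked_secret", path, line_no, name, redact(value)))
    return findings


def scan_repository(files, domains, asset_phrases, repo_linked=False):
    """files: {path: text}. Returns all findings across the repository."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_blob(path, text, domains, asset_phrases, repo_linked))
    return findings


# Constructed watchlist and sample repository contents (not real data).
WATCH_DOMAINS = ["example.com"]
WATCH_PHRASES = ["billing-gateway"]
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_HOST = 'db-prod.internal.example.com'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"   # AWS's documented placeholder key
        "api_key = 'sk-live-0123456789abcdef'\n"
    ),
    "README.md": (
        "Point the client at https://api.example.com/v2 and use\n"
        "the billing-gateway service for settlement.\n"
    ),
    "notes.txt": "Nothing to see here, just example text about github.com.\n",
    "vendor/other.cfg": "token = 'abcdefghijklmnop'\n",   # no company link: ignored unless repo_linked
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_FILES, WATCH_DOMAINS, WATCH_PHRASES):
        print(f"{f.kind:14} {f.path}:{f.line_no} {f.detail} -> {f.match}")
```

Run as-is, the scan reports the internal subdomain and both secrets in `config/settings.py`, the API subdomain and the `billing-gateway` phrase in `README.md`, and nothing for `notes.txt` or `vendor/other.cfg`; passing `repo_linked=True` additionally surfaces the token in `vendor/other.cfg`, which is the "repository has a connection" case. Redacting secret values before they leave the scanner matters because the alert itself should not become a second copy of the leak.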
How to Take Down Threats at the Source
IntSights provides remediation and takedown services by contacting the website owner or domain registrar – in this case, GitHub – to have the malicious item removed or suspended. Our team provides the characteristics of the suspicious content to the website manager. In addition to the automated process, the IntSights Remediation Team monitors the request and intervenes as needed when there is no direct confirmation of the takedown or when additional information is required.
To learn more about how our expert cyber threat researchers and analysts identify, validate, and take down threats at the source, read our ebook, Dark Web 201: How to Leverage External Threat Hunting to Prevent Cyberattacks.
Kevin Diffily is a Product Marketing Manager at IntSights. He strives to provide security teams with the knowledge and tools they need to enable proactive defense against emerging cyberattacks. Kevin has a background in journalism, brand development, content marketing, and social media management. He received his B.A. in Communication from Curry College and his M.A. in Integrated Marketing Communication from Emerson College. He is a staunch proponent of gratuitous Oxford comma use.