The rising supply chain threat
The supply chain has grown more intricate. While you can take every measure to safeguard your application and cloud security posture, the reality remains that there will never be zero risk. Attackers now aim for a weak spot in the defense and may get access to thousands or even millions of victims. The GitGuardian team has been closely monitoring this rise in supply chain attacks, especially those resulting from exploited secrets. An attacker discovers a weakness in order to break into a company. Then they strive to maintain their access by looking for additional resources, containing “secrets”, to increase their privileges and persist access to these businesses’ networks for a longer period of time. Many of these resources that hold secrets are available to developers, and as a result, they are now a prime target.
GitGuardian recognized a concerning trend where companies took a considerable amount of time, even months, to realize when their dev and build environments are breached. To address this issue, they embarked on a mission to develop a solution called “Honeytoken” that would provide early breach detection and help contain such attacks.
So, what exactly are honeytokens?
Think of them as digital honey traps meticulously scattered throughout the software delivery pipeline – in Source Control Management (SCM) systems, Continuous Integration & Continuous Deployment (CI/CD) pipelines, software artifact registries, developer laptops, messaging systems and more. These seemingly enticing AWS secrets appear as legitimate targets, tempting malicious actors to take the bait.
However, honeytokens bear no actual customer data or access rights. Their sole purpose is to trigger an alert when interacted with. The alert reports provide a wealth of insightful information, including the intruder’s IP address (users can distinguish internal from external origins). The alert also provides details such as the honeytoken name, timestamp, user-agent, action performed, source, contextual tags, etc. and instantly notifies Security and SOC teams of a potential breach attempt.
This extraordinary concept of Honeytoken is unique and tailored to detect intrusions in DevOps environments. GitGuardian understood that existing deception technologies, while prevalent, did not cater specifically to application security, leaving a void in the market waiting to be filled. They addressed the limitations of traditional deception technologies such as honeypots. While setting up and monitoring infrastructure for honeypots is time-consuming and costly, Honeytoken provides a much simpler and more cost-effective solution. Just copy and paste the honeytoken key, and it’s ready to go. Zero maintenance is required.
Honeytoken seamlessly fit into GitGuardian’s existing platform of code security solutions, particularly their Secrets Detection offering. It provides a delightful twist to the realm of secrets management—turning tables on hackers in a “smart” way for defenders while keeping organizations informed about potential breaches.
The solution breathes new life into the “shift left” security concept, enabling developers to create and embed decoy secrets directly into their code repositories and the software supply chain from the GitGuardian CLI, ggshield. This proactive approach ensures that more people can share the security responsibility and any unauthorized access or tampering is detected early, effectively cutting off attackers before they can unleash chaos.
Innovation evaluation and development
To assess this innovation’s potential interest and viability, GitGuardian conducted a comprehensive evaluation last year. They analyzed data, performed attack simulations, and hypothesized about the automated methods attackers use to exploit secrets. By examining past breaches like CircleCi and Uber, they realized that Honeytoken could have thwarted such attacks. Their confidence in the idea grew. Through market research, competitive analysis, and strategic considerations, they gained valuable insights that guided their discovery process.
Initially, GitGuardian created a free, open-source project called ggcanary, allowing organizations to deploy honeytokens in their codebase and configuration files. This served as a proof-of-concept (POC), enabling them to gauge interest and understand the effort and resources required for future developments of this technology. Building upon the success and feedback from the community, they introduced the premium version of this honeytoken technology within their renowned GitGuardian Platform.
This strategic move aimed to protect their intellectual property and offer users a seamless, scalable experience. This new offering provides Security teams with a centralized console for secrets and intrusion detection, offering a comprehensive view of their code security posture. Honeytoken also provides code leakage detection. GitGuardian monitors public GitHub for secrets in real-time and proactively alerts developers. So when users place honeytokens in their code, GitGuardian can determine if it has been leaked on the public GitHub.
In the future, GitGuardian plans to offer a wide selection of honeytoken types, allowing users to choose the most suitable options based on their unique security needs. Additionally, the implementation of automation will streamline the dissemination of honeytokens, making the process more efficient and effortless.
An innovative startup strategy
GitGuardian had assembled a dedicated team to focus on developing Honeytoken’s Minimum Viable Product (MVP). This endeavor demanded perseverance and a whole quarter’s worth of effort. They involved third parties as well to refine the offering. They conducted customer interviews, sought insights from analysts, and collaborated with industry giant Amazon, ensuring the effectiveness and adaptability of this new capability.
With their vision primed for success, GitGuardian carefully devised their marketing strategy. They actively engaged with industry leaders attending the renowned RSA conference and undertook extensive communication efforts to raise awareness about this new offering.
Their strategy includes active participation in cyber conferences, engaging decision-makers at enterprises, and conducting analyst briefings. Simultaneously, they embraced a bottom-up motion, focusing on product-led growth. By building solid relationships with existing customers, GitGuardian aims to expand its user base organically. They plan community events, live webinars, informative tech guides, and engaging content to drive adoption, bolstered by other PR efforts, ads, and targeted email campaigns.
GitGuardian devised a sales strategy based on two approaches. They leverage their existing customer base, cross-selling Honeytoken as a valuable addition to their current Secrets Detection offering. Additionally, they offer bundled sales, providing Honeytoken at a discounted rate when purchased alongside their popular Secrets Detection offering. Any GitGuardian user can get 5 free honeytokens to try out this new offering.
In the quest for fortified application security, the emergence of Honeytoken represents a pivotal milestone. The days of relying solely on reactive measures are fading away. With Honeytoken, you can proactively deceive and dissuade attackers to detect and limit the impact of data breaches. Embrace this new era, and let Honeytoken lead the charge towards a safer software supply chain.
GitGuardian is a code security platform building security products that fill the gap between development and security teams. The company has recently developed Honeytoken, a new innovation that aims to make intrusion detection more accessible for better protection of the software supply chain. Honeytokens are decoy systems that appear as legitimate credentials or secrets, triggering an alert when an attacker uses them. They are highly effective in detecting attacks and require minimal resources, making them an ideal solution for securing the software delivery pipeline against potential intrusions. GitGuardian has integrated this technology to help organizations create, deploy, and manage honeytokens on a larger enterprise scale, significantly reducing the impact of potential data breaches. The future of honeytokens is set to transform the field of intrusion detection in the DevOps world, making it easier to detect and prevent attacks.