GitHub anomalous number of repositories cloned by user

github-telemetry

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a GitHub member has cloned an anomalous number of repositories.

Strategy

This rule monitors GitHub audit logs for when a GitHub member has cloned an anomalous number of repositories. An attacker with unauthorized access or insider threat may try to clone repositories to their system in an effort to collect data for exfiltration or gaining contextual awareness of the environment.

Note: During the onboarding of new staff it is likely that there will be a spike in cloning activity.

Triage and response

  1. Determine if the behavior is unusual for the user:
    • Is the @actor_location.country_code or @http.useragent different?
    • If IP addresses are available, is the @network.client.ip or @network.client.geoip.as.domain different than usual?
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.
PREVIEWING: dgreen15/github-error-fix