The US Cybersecurity and Infrastructure Security Agency (CISA) has detailed its response to internal CISA Amazon AWS GovCloud Keys and other information being made available in a public repository.
The reaction came after KrebsOnSecurity detailed in May how a security researcher with GitGuardian had identified a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.
The GitHub repository was not part of CISA’s official GitHub but rather was a personal repository owned by a contractor.
In an update published on June 9, CISA said, “Within moments of receiving this information, CISA’s Office of the Chief Information Officer (OCIO) took swift and comprehensive action to mitigate any exposure to CISA’s cloud resources and code repositories.”
CISA’s internal incident response began on May 15.
The actions taken by the agency’s incidents responders included efforts to eliminate public exposure, prevent further harm, understand the scope of information shared, assess the impact and implement corrective actions.
It was highlighted that no customer or mission data was exposed and leaked credentials were not used outside of CISA’s environments.
The third-party individual uploaded copies of a CISA build and deployment repository to their personal GitHub account for the purpose of creating cloud infrastructure autonomously. This repository included CISA’s Infrastructure As Code and build code.
Take Security Tips Seriously
In its reflections on the incident the cybersecurity agency said it was vital to take cybersecurity tips and external reporting seriously. CISA thanked the security researcher and the reporter for their collaboration.
CISA also said the incident highlighted the need to adopt zero trust principles in order to protect systems and development environments.
It was also highlighted that strong logging capabilities are vital. CISA said its SOC has the necessary logs to successfully investigate the incident and continuous improvement of logging capabilities remains a key element of a strong security program.
CISA said the incident drew attention to several areas for improvement, including tighter controls over public code repository access, stronger monitoring for exposed secrets, and the development of comprehensive GitHub and cloud incident-response playbooks.
The agency also plans to simplify security researcher reporting channels. In this instance, these channels “were not well defined” which resulted in the security researcher attempting to communicate via multiple channels.
These included emailing the contractor, submitting through CISA’s vulnerability disclosure platform (which is intended for vulnerabilities impacting the broader cybersecurity community), and ultimately involving a reporter.
Finally, CISA plans to strengthen security guardrails in developer environments and improve cryptographic key management to enable faster credential rotation during future incidents.
“It is not a matter of “if”, but “when” a cybersecurity incident will happen to your organization. It is important to the broader cybersecurity community that we address these matters openly to strengthen trust and foster transparency. Such transparency unlocks opportunities for learning that will enhance not only CISA’s security posture but that of other organizations as well,” CISA wrote.
CISA also published the update on its LinkedIn channel with one commenter praising the agency for its willingness to document both the strengths and the gaps in its response to the indent.
