How to stop secret exposure in your collaboration platforms

Cyber attack tactics have evolved. In the past, threat actors were focused on exploiting vulnerabilities in applications and their architectures. But now they are becoming more reliant on lateral movements from application to application to gain access to sensitive data. This means that attackers may not be targeting your CRM application to gain access to your customer list. Instead, they are increasingly targeting systems like collaboration platforms to discover useful information like user credentials, which can make the breach appear to be a legitimate user accessing data.

Day-to-day activities of developer and security teams require them to collaborate through a variety of systems. These systems include:

• Project management tools
• Chat platforms
• Helpdesk ticketing systems
• Architecture documentation
• and more

Common sense dictates that secrets or credentials should not be shared in these systems. However, sometimes users may post passwords or other secrets in these systems for expediency, even though they are not designed to securely store sensitive information.

How do organizations set up guardrails and scanning for these systems to make sure that all secret exposure instances are caught? This post takes a deeper look into that question and offers a solution.

»Collaboration tool breaches in the news

Have you ever shared credentials in a Slack message? What about a bearer token in a JIRA user story for implementing a third-party feature on your e-commerce storefront? To be honest, I have. The perceived privacy of these tools can make it easy to forget that not only are they within reach of cyber attackers, they’re sought-after targets.

In June 2024, for example, a major data solutions provider experienced a major data breach that exposed the banking and financial details of millions of customers. The attackers didn’t launch a DDoS attack or code injection. Rather, they achieved initial access through a spear-phishing attack that gave them access to an employee's laptop. Once on the laptop, the attackers were able to access an instance of JIRA that included user credentials to the provider's accounts.

Unfortunately, Snowflake isn’t alone. Recently, a major entertainment enterprise became a victim of Slack-hackers that gained access to approximately 1.1TB of Slack discussions dating back to 2019. While the initial data dump was unpublished from the web, the data continues to be shared online, giving attackers a tool to discover sensitive information that could lead to subsequent breaches.

»Mitigating secret exposure in collaboration tools

Many organizations have adopted shift-left practices like automated scanning of pull requests to reduce the likelihood of secrets being leaked into code repositories. As adoption of secrets scanning tools increases, organizations are likely to discover more unmanaged secrets in collaboration tools. But because collaboration platforms sit outside of the developer workflow, that will make it even more complex to discover and remediate unmanaged secrets.

The first step organizations need to take is getting secret scans into the developer workflow with the help of a platform engineering approach, and the right tooling. JIRA and Confluence are two of the most common collaboration platforms. They’re used by more than 300,000 organizations to manage and document their technical solutions. Slack is one of the most popular company chat applications. Therefore, a secret scanning solution needs to support scans and comprehensive metadata gathering for those platforms. It’s also important to see if secret scanners can support any other collaboration systems your organization might use and potentially share secrets within.

Let's look at mitigation needs through the lens of an example solution: HCP Vault Radar. Vault Radar is a secrets scanning and remediation product that is closely tied to the industry standard secrets manager: HashiCorp Vault.

HCP Vault Radar supports automated scans that can be regularly scheduled to detect unmanaged secrets in near real-time. It also can handle remediation workflows, but its most valuable feature — the most valuable feature in any secret scanner — is the ability to take important findings and prioritize them effectively for developer and operations teams to quickly diagnose the severity of the issue and take immediate remediation actions if needed. Here is a sample of what security teams and developers need to see at a glance:

»Reducing false positives in secret scans

Developer and security teams can’t solve security issues effectively if they get too much noise from their scanning and monitoring tools. Alert fatigue is a serious issue in the world of secret scanners as well, and you need solutions that take combating it seriously. Using Vault Radar as an example again, there are several algorithms it uses to filter out non-secrets and deprioritize low-severity secrets.

To rank the severity of an exposed secret, HCP Vault Radar combines multiple data sets:

»Version history

When it discovers a finding in the latest version of a file, HCP Vault Radar assigns a higher priority because it is likely that this finding has not been previously evaluated and is therefore more likely to be a secret.

»String randomness

HCP Vault Radar evaluates the entropy (randomness) of content using entropy algorithms. These algorithms are highly effective at identifying random or complex strings that indicate the content may be an exposed secret. Vault radar also evaluates string literals in code for entropy, which helps identify potentially suspicious strings in any format.

»Activeness checks

Credentials actively being used by applications represent the most significant threat. When HCP Vault Radar finds a credential, it will call out to the associated application to check if the secret is still active. Active credentials are marked as high risk within the prioritization portal. Currently, HCP Vault Radar can test for:

• Google Cloud API keys
• Amazon Web Services (AWS) credentials
• Personal access tokens for GitHub
• JSON web tokens (JWT)

»Vault correlation

To further support prioritization, HCP Vault Radar can correlate if a leaked secret is stored in a Vault secrets manager. Most credentials in Vault are used in critical production environments, so HCP Vault Radar gives exposed secrets a higher severity score when they are also found in Vault’s key-value stores.

»Remediating unmanaged secrets in collaboration tools

In addition to secret scanning, HCP Vault Radar supports a robust set of remediation workflows. Its native integration with HashiCorp Vault makes it ideal for delivering secret remediation by revoking exposed secrets and generating new ones with a proven solution for secrets management.

For exposed secrets that need manual remediation and regeneration, Vault Radar also integrates with industry-standard ticketing and alerting solutions to automatically create tickets for newly detected secrets. Below are workflows for each solution’s Vault Radar integration:

• Slack (integration demo)
• PagerDuty
• Splunk
• JIRA
• ServiceNow

For a deeper look at secret remediation best practices, read our blog on the topic.

»Next steps

Given recent breaches and cyber threat trends, exposed secrets on collaboration platforms represent a clear opportunity for threat actors.HashiCorp can help protect your organization by providing a full set of Security Lifecycle Management (SLM) products, including Vault and HCP Vault Radar to manage your secrets. To learn more, visit our SLM page or talk to our sales and solution engineering teams about your specific challenges.

»Additional resources

• What is Vault Radar?
• HCP Vault Radar video demo
• How secret scanning works
• Solutions to secret sprawl
• Secret remediation best practices
• HCP Vault Radar tutorials
• How to prevent lateral movement within your systems