Threat detection

Concepts behind threat detection tech used by listen.dev

listen.dev is powered by a best-in-class detection engine that uses dynamic behavioural analysis (powered by eBPF) to detect adversarial activity at the earliest stages and block it in kernel space. This depth of visibility and control lets you safeguard your sensitive data and assets, ensure compliance and prevent supply chain attacks like SolarWinds, Codecov and PyTorch inside your build systems.

How does the CI detection work?

Our GitHub action comes with a CI agent which observes runtime behavior (such as network connections).

What kind of harmful behaviours are detected?

There are two main threats from compromised open source modules, workflows, dependencies and build tools in a CI/CD environment:

  1. Exfiltration of credentials, source code and other sensitive data from the CI/CD system

  2. Tampering with dependencies, code or artifacts at build time to infect the release with malicious code
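As an added illustration of how a runtime agent turns the behaviour it observes (network connections, file reads and writes) into the two findings above, the following Python is example code written for this page; it is not listen.dev's agent, event schema or rule set. The event fields, the per-repository allowlists, the step names and the sample event stream are all assumptions constructed for the example, standing in for what an eBPF probe would report during a build.

```python
"""Toy behavioural detector for CI runtime events.

Example code added for illustration, not listen.dev's agent or event format.
Events stand in for what an eBPF probe reports (connect(), read(), write()).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed per-repository policy: where build steps may legitimately talk and write.
ALLOWED_HOSTS = {"registry.npmjs.org", "github.com", "api.github.com"}
TRUSTED_WRITERS = {"/usr/bin/npm", "/usr/bin/node"}
STEP_WRITABLE = {                  # step name -> path prefixes it may modify
    "install": ("node_modules/",),
    "build": ("node_modules/", "dist/"),
}
WATCHED_PREFIXES = ("node_modules/", "dist/")
CREDENTIAL_PATHS = ("/home/runner/.npmrc", "/home/runner/.git-credentials")


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str          # "connect", "read" or "write" (assumed schema)
    pid: int
    comm: str          # executable path of the process
    step: str          # CI job step the process belongs to
    host: str = ""     # connect: destination host
    port: int = 0      # connect: destination port
    path: str = ""     # read / write: file touched


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    reason: str


def check_egress(ev: Event, read_creds: set) -> Optional[Finding]:
    """Flag connections to hosts outside the allowlist; escalate when the same
    process already read a credential file (read-then-send is the exfil pattern)."""
    if ev.kind != "connect" or ev.host in ALLOWED_HOSTS:
        return None
    leaked = ev.pid in read_creds
    return Finding(
        "unexpected_egress", "critical" if leaked else "high", ev.pid,
        f"{ev.comm} (step {ev.step!r}) connected to {ev.host}:{ev.port}"
        + (" after reading credentials" if leaked else ""),
    )


def check_tampering(ev: Event) -> Optional[Finding]:
    """Flag writes into the dependency tree or release artifacts by a process that
    is not an expected build tool, or from a step that should not write there."""
    if ev.kind != "write" or not ev.path.startswith(WATCHED_PREFIXES):
        return None
    allowed_prefixes = STEP_WRITABLE.get(ev.step, ())
    # str.startswith(()) is False, so a step with no writable prefixes always flags.
    if ev.comm in TRUSTED_WRITERS and ev.path.startswith(allowed_prefixes):
        return None
    return Finding("artifact_tampering", "high", ev.pid,
                   f"{ev.comm} (step {ev.step!r}) wrote to {ev.path}")


def analyze(events: Iterable[Event]) -> List[Finding]:
    """Run both rules over a time-ordered stream, keeping the small amount of
    state needed to correlate a credential read with a later connection."""
    read_creds = set()
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "read" and ev.path in CREDENTIAL_PATHS:
            read_creds.add(ev.pid)
            continue
        for finding in (check_egress(ev, read_creds), check_tampering(ev)):
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample stream: a normal install, a postinstall script that reads
# ~/.npmrc and phones home to a documentation-range IP, and a shell in the test
# step rewriting the release artifact after the build step produced it.
SAMPLE_EVENTS = [
    Event(1.0, "connect", 100, "/usr/bin/npm", "install", host="registry.npmjs.org", port=443),
    Event(1.5, "write", 100, "/usr/bin/npm", "install", path="node_modules/left-pad/index.js"),
    Event(2.0, "read", 205, "/usr/bin/node", "install", path="/home/runner/.npmrc"),
    Event(2.1, "connect", 205, "/usr/bin/node", "install", host="203.0.113.10", port=443),
    Event(3.0, "write", 400, "/usr/bin/node", "build", path="dist/app.js"),
    Event(4.0, "write", 310, "/bin/sh", "test", path="dist/app.js"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.reason}")
```

Running the sample produces two findings: a critical `unexpected_egress` for the postinstall process that read `.npmrc` and then connected to an unlisted host, and a high `artifact_tampering` for the shell that modified `dist/app.js` from a step with no business writing there. The legitimate npm and node activity raises nothing, which is the point of a policy keyed on step, process and destination rather than on a list of known-bad packages.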

Why aren't traditional approaches sufficient against supply chain attacks?

The supply chain threat landscape is evolving rapidly, with today's adversaries using increasingly sophisticated and novel methods to craft attacks. Meanwhile, the security tooling industry hasn't kept up.

  • Traditional dependency scanners and SCA tools work by referencing databases of known and publicly disclosed vulnerabilities (CVEs), so your security depends on how up to date these databases are.

  • If a package contains an unknown vulnerability (e.g. a recent backdoor, malware or zero-day), it is in most cases already too late to contain the harm, because these databases are only updated after the information has been made public.

Finding and patching only known vulnerabilities in your dependencies is a reactive approach and does not provide sufficient defense against modern supply chain attacks. Read more about the difference between known vulnerabilities and supply chain attacks in this blog post.

© 2024 Garnet Labs