Threat detection

Concepts behind threat detection tech used by listen.dev

listen.dev is powered by a best-in-class detection engine that uses dynamic behavioural analysis (powered by eBPF) to detect adversarial activity at the earliest stages and block it in kernel space. This depth of visibility and control lets you safeguard your sensitive data and assets, ensure compliance, and prevent supply chain attacks like those on SolarWinds, Codecov and PyTorch inside your build systems.

How does the CI detection work?

Our GitHub Action ships with a CI agent that observes runtime behaviour (such as network connections) and blocks egress traffic that is not on an allowlist during the build process.

How do dependency insights work?

We maintain an index of packages published on open source package registries (such as npm) and constantly monitor them through our analysis pipelines and threat research team.

  • For every new package version published upstream, we analyze its behaviour inside sandboxed environments on our infrastructure, using kernel-level monitoring to profile network, process and filesystem activity along with other behavioural signals.

  • We also keep track of behavioural changes between subsequent releases of a package and flag any tampering or suspicious updates in newly published versions.

  • We surface that context alongside the CI detection events to facilitate triage and remediation.
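A minimal version of the release-to-release behavioural diff described above, as an added Python example (not listen.dev's pipeline code): two sandbox profiles of successive versions of a hypothetical package are compared, and every behaviour that first appears in the new release is scored. The profile fields, the severity policy, the sensitive-path and suspicious-process lists, and the sample profiles are all assumptions made for this example.

```python
"""Flag behavioural drift between sandboxed runs of two successive package versions (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Profile:
    """Behaviour observed while installing and importing one package version in a sandbox."""
    version: str
    network: Set[str] = field(default_factory=set)      # "host:port" endpoints contacted
    processes: Set[str] = field(default_factory=set)    # basenames of spawned child processes
    file_writes: Set[str] = field(default_factory=set)  # paths written outside the package directory


# Hypothetical policy: writes under these prefixes reach credentials or system configuration.
SENSITIVE_WRITE_PREFIXES = ("/etc/", "/root/", "~/.ssh/", "~/.npmrc", "~/.aws/")
# Tools an install script has little reason to start spawning between two patch releases.
SUSPICIOUS_PROCESSES = {"curl", "wget", "nc", "sh", "bash", "base64"}


def diff_profiles(old: Profile, new: Profile) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, detail) for every behaviour present in `new` but absent from `old`."""
    findings: List[Tuple[str, str, str]] = []
    for endpoint in sorted(new.network - old.network):
        # A package that never touched the network and now does is the classic backdoor tell.
        findings.append(("high", "NEW_NETWORK_ENDPOINT", endpoint))
    for proc in sorted(new.processes - old.processes):
        sev = "high" if proc in SUSPICIOUS_PROCESSES else "medium"
        findings.append((sev, "NEW_CHILD_PROCESS", proc))
    for path in sorted(new.file_writes - old.file_writes):
        sev = "high" if path.startswith(SENSITIVE_WRITE_PREFIXES) else "low"
        findings.append((sev, "NEW_FILE_WRITE", path))
    return findings


def verdict(findings: List[Tuple[str, str, str]]) -> str:
    """Collapse findings to a decision; one high-severity drift is enough to hold the version."""
    severities = {f[0] for f in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "review"
    return "allow"


# Constructed profiles for a hypothetical package "example-pkg": 1.4.2 is clean, 1.4.3 is tampered
# (the endpoint is a TEST-NET address used only as a placeholder).
CLEAN = Profile("1.4.2", file_writes={"/tmp/example-pkg.cache"})
TAMPERED = Profile(
    "1.4.3",
    network={"203.0.113.10:443"},
    processes={"curl"},
    file_writes={"/tmp/example-pkg.cache", "~/.npmrc"},
)


def demo() -> List[Tuple[str, str, str]]:
    return diff_profiles(CLEAN, TAMPERED)


if __name__ == "__main__":
    for sev, rule, detail in demo():
        print(f"{sev:6} {rule:20} {detail}")
    print("verdict:", verdict(demo()))
```

The diff is deliberately one-directional: behaviour that disappears between releases is not scored, because it is the newly introduced network call, child process or credential write that signals a hijacked release.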

What kind of harmful behaviours are detected?

There are two main threats from compromised workflows, dependencies, and build tools in a CI/CD environment:

  1. Exfiltration of CI/CD credentials and source code

  2. Tampering of source code, dependencies, or artifacts during the build to inject a backdoor

See complete list here
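The two threat classes above, as an added example that is not listen.dev's agent code: a small Python detector run over a constructed stream of kernel-level events from a build (process exec, file open and write, outbound connect). It enforces an egress allowlist, upgrades a denied connection to a credential-exfiltration finding when the same process has just read a secret file, and flags writes into the checked-out source tree as tampering. The allowlist, the secret and protected paths, the runner layout and the event records are all assumptions for the example; a real eBPF agent takes the block decision at the hook, whereas here it is only recorded.

```python
"""Allowlist egress enforcement plus exfiltration and tamper detection over CI runtime events (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed allowlist: the only hosts this build is expected to reach. Everything else is denied.
EGRESS_ALLOWLIST: Set[str] = {"registry.npmjs.org", "github.com", "api.github.com"}

# Assumed runner layout: files holding CI secrets, and checkout paths a build step should never
# rewrite (dist/ is deliberately excluded because the build legitimately writes there).
SECRET_PATHS = ("/home/runner/.git-credentials", "/home/runner/.npmrc", "/home/runner/.ssh/")
PROTECTED_PREFIXES = ("src/", ".git/")


@dataclass(frozen=True)
class Event:
    """One kernel-level observation; constructed for this example."""
    pid: int
    kind: str    # "exec", "open", "write" or "connect"
    target: str  # program name, file path, or "host:port"


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str
    action: str  # "block" (enforced) or "alert" (reported only)


def analyse(events: Iterable[Event]) -> List[Finding]:
    """Evaluate events in order, keeping per-process state to correlate secret reads with egress."""
    findings: List[Finding] = []
    secret_readers: Dict[int, str] = {}  # pid -> first secret path that process opened
    for ev in events:
        if ev.kind == "open" and ev.target.startswith(SECRET_PATHS):
            secret_readers.setdefault(ev.pid, ev.target)
        elif ev.kind == "connect":
            host = ev.target.rsplit(":", 1)[0]
            if host in EGRESS_ALLOWLIST:
                continue
            # Threat 1: anything off the allowlist is blocked; if the same process has read a
            # credential file, report it as exfiltration rather than a bare policy violation.
            findings.append(Finding("EGRESS_DENIED", ev.pid, ev.target, "block"))
            if ev.pid in secret_readers:
                findings.append(Finding("CREDENTIAL_EXFIL", ev.pid,
                                        f"{secret_readers[ev.pid]} -> {ev.target}", "block"))
        elif ev.kind == "write" and ev.target.startswith(PROTECTED_PREFIXES):
            # Threat 2: a write into the checked-out source or .git/ mid-build is tampering.
            findings.append(Finding("BUILD_TAMPER", ev.pid, ev.target, "alert"))
    return findings


# Constructed event stream: `npm install` (pid 4242) behaves; a postinstall-spawned curl (pid 4243)
# reads the git credential file and phones home to a TEST-NET placeholder address; another
# process (pid 4244) rewrites src/index.js during the build.
SAMPLE_EVENTS = [
    Event(4242, "exec", "npm"),
    Event(4242, "connect", "registry.npmjs.org:443"),
    Event(4243, "exec", "curl"),
    Event(4243, "open", "/home/runner/.git-credentials"),
    Event(4243, "connect", "203.0.113.10:443"),
    Event(4244, "write", "src/index.js"),
]


def demo() -> List[Finding]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.action.upper():5} {f.rule:16} pid={f.pid} {f.detail}")
```

The allowed connection to registry.npmjs.org produces no finding, so a clean build stays silent; matching on the process that read the secret, rather than on the host alone, is what separates a mis-configured allowlist from an actual credential theft in triage.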

Why aren't traditional approaches sufficient against supply chain attacks?

The supply chain threat landscape is evolving rapidly, with today's adversaries using increasingly sophisticated and novel methods to craft attacks. Meanwhile, the security tooling industry hasn't kept up.

  • Traditional dependency scanners and SCA tools work by referencing databases of known, publicly disclosed vulnerabilities (CVEs), so your security depends on how up to date those databases are.

  • If a package contains an unknown vulnerability (e.g. a recently planted backdoor, malware or a zero-day), it is in most cases already too late to contain the harm, because these databases are only updated after the information is publicly available.

Finding and patching only known vulnerabilities in your dependencies is a reactive approach and does not provide sufficient defense against modern supply chain attacks. Read more about the difference between known vulnerabilities and supply chain attacks in this blog post.


© 2023 Garnet Labs