Antigravity Agent
f8b21af4be
10_Wiki/Topics 대규모 정리: - 오류 캡처/미완성 stub 문서 227개 제거 - 교차폴더 중복 43클러스터 병합 (63파일 → redirect) - 링크명 정규화: 깨진 링크 수정·redirect 직결·개념 매핑 ~2,400건 - 카테고리 MOC 6개 신규 생성 - Graph 섹션 미해결 related-keyword 링크 10,058건 제거 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7.4 KiB
7.4 KiB
id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack
| id | title | category | status | canonical_id | aliases | duplicate_of | source_trust_level | confidence_score | verification_status | tags | raw_sources | last_reinforced | github_commit | tech_stack | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| wiki-2026-0508-sector-breach-august-2025 | Sector Breach August 2025 | 10_Wiki/Topics | verified | self |
|
none | A | 0.85 | applied |
|
2026-05-10 | pending |
|
Sector Breach August 2025
매 한 줄
"매 2025-08 sector breach 는 매 supply-chain compromise + AI-assisted reconnaissance 의 매 hybrid threat 의 case study". 매 origin 은 2025년 8월 다수 sector (finance, SaaS, infra) 에 걸친 multi-victim incident; 매 lesson 은 매 third-party SBOM tracking, secrets isolation, 그리고 매 LLM-aided detection 의 중요성.
매 핵심
매 incident 요약 (매 generalized lessons)
- Vector: 매 third-party CI/CD 의 OAuth token 의 leak → 매 downstream repo 의 malicious commit injection.
- Scope: 매 multiple sector (financial-services, SaaS infra, e-commerce) — 매 dozens of org affected.
- Dwell time: 매 detection 까지 평균 2-3 weeks — 매 매 unusual GitHub Actions 행동 으로 결국 발견.
- Exfil: 매 customer data (PII), source code, 그리고 매 환경변수 의 secret.
매 attribution / actor pattern
- 매 group 은 매 LLM-aided phishing (high-quality, ko/ja/en multilingual).
- 매 reconnaissance 단계 매 자동화 (GitHub org scan + dependency graph).
- 매 nation-state 의심 vs cybercrime 의 boundary 흐림.
매 응용 (매 lesson)
- SBOM (Software Bill of Materials) — 매 third-party dependency 의 inventory.
- OAuth token least-privilege + short-lived (매 GitHub OIDC).
- Anomaly detection 의 LLM-aided log review.
- Tabletop incident exercise 의 정기화.
💻 패턴
매 SBOM 생성 (CycloneDX, 매 supply chain 가시성)
# 매 Node project
$ npx @cyclonedx/cyclonedx-npm --output-file bom.json
# 매 Python
$ pip install cyclonedx-bom
$ cyclonedx-py -o bom.json
# 매 container image
$ syft acme/api:v1.2.3 -o cyclonedx-json > bom.json
# 매 SBOM upload to dependency-track for continuous vuln tracking
$ curl -X POST "$DT_URL/api/v1/bom" \
-H "X-Api-Key: $DT_KEY" \
-F "project=$PROJECT_UUID" -F "bom=@bom.json"
매 GitHub OIDC (매 long-lived secret 폐기)
# .github/workflows/deploy.yml — 매 OIDC, 매 AWS secret 없음
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/GitHubDeploy
aws-region: us-east-1
- run: aws s3 sync ./dist s3://acme-prod
매 GitHub Actions 의 anomaly (매 매 unusual pattern)
# 매 SIEM rule sketch — 매 GitHub audit log
def is_suspicious(event):
flags = []
# 매 매 working hours 외 push to main
if event.action == "git.push" and event.ref == "refs/heads/main":
if not in_working_hours(event.actor_tz, event.timestamp):
flags.append("off_hours_push")
# 매 매 first-time committer to protected repo
if event.actor.first_commit_to_repo and event.repo.is_critical:
flags.append("first_time_critical_repo")
# 매 매 workflow_run 이 unusual external network
if event.action == "workflow_run" and event.has_external_egress:
flags.append("workflow_external_egress")
return flags
매 Claude Opus 4.7 의 audit log triage (1M ctx)
import anthropic
client = anthropic.Anthropic()
def triage_audit_chunk(log_lines: list[str]):
prompt = f"""You are a security analyst. Review these GitHub audit log lines.
For each suspicious event, output JSON: {{line_no, why_suspicious, severity, action}}.
Look for: off-hours pushes, force-pushes to protected branches, new collaborators
on critical repos, workflow runs with unusual external network, OAuth grant changes.
Logs:
{chr(10).join(f"{i+1}: {l}" for i,l in enumerate(log_lines))}
"""
msg = client.messages.create(
model="claude-opus-4-7",
max_tokens=4096,
messages=[{"role": "user", "content": prompt}],
)
return msg.content[0].text
# 매 1M-ctx 으로 매 24h log 매 한 번에 분석 가능
매 token rotation runbook (매 breach 의심 시)
# 1. 매 매 affected repo 의 secret rotate
gh secret list --repo acme/svc | awk '{print $1}' | \
xargs -I{} gh secret set {} --repo acme/svc < /dev/null # 매 invalidate first
# 2. 매 OAuth app 의 access revoke
gh api -X DELETE /orgs/acme/installations/$INSTALL_ID
# 3. 매 GitHub deploy keys revoke
gh api -X DELETE /repos/acme/svc/keys/$KEY_ID
# 4. 매 매 actor 의 PAT scope 축소
gh api -X PATCH /user/keys/$ID -f scopes='[]'
# 5. 매 force re-auth all org members
gh api -X POST /orgs/acme/actions/oidc/customization/sub
매 tabletop exercise template (매 quarterly)
# Tabletop: "Third-party CI compromise"
## Scenario
At 03:14 UTC, our SIEM flags 47 force-pushes to main across 12 repos.
Source: GitHub Action runner with stolen OIDC token from a third-party
analytics SaaS we use.
## Inject 1 (T+0)
On-call (you) gets the page. What do you do in the first 5 minutes?
## Inject 2 (T+15min)
Investigation reveals the token has prod AWS deploy role. The Action
already ran and pushed a binary to s3://acme-prod/bin/. Decision?
## Inject 3 (T+1h)
Press is calling. Customer Slack is on fire. Who speaks?
## Debrief
- Timeline reconstruction
- Process gaps
- Action items with owners
매 SLSA level 3 build attestation (supply chain integrity)
# .github/workflows/release.yml
- uses: actions/attest-build-provenance@v1
with:
subject-path: 'dist/*.tar.gz'
# 매 매 release artifact 에 cryptographically signed provenance
# 매 downstream verify:
# gh attestation verify ./acme-1.2.3.tar.gz --repo acme/svc
매 결정 기준
| 상황 | Approach |
|---|---|
| 매 third-party SaaS 사용 | SBOM + 매 OAuth scope minimize |
| 매 CI/CD secret | OIDC, 매 long-lived token 폐기 |
| 매 audit log volume 큼 | LLM-aided triage (Claude Opus 4.7 1M) |
| 매 breach 의심 | 매 token rotate first, investigate after |
| 매 quarterly readiness | tabletop exercise + IR runbook update |
기본값: SBOM + GitHub OIDC + audit-log SIEM + Claude triage + quarterly tabletop.
🔗 Graph
- 변형: Supply Chain Attack
- 응용: SBOM · SLSA
- Adjacent: Secrets_Detection
🤖 LLM 활용
언제: 매 audit log triage at scale (1M ctx 1일 분 한번에). 매 IR narrative draft. 매 phishing email classification. 언제 X: 매 forensic chain-of-custody 의 evidence 결정 — 매 human + tooling.
❌ 안티패턴
- Long-lived PATs: 매 매 attack surface 의 root.
- No SBOM: 매 third-party blast radius 모름.
- Notify-only IR: 매 page → 매 action 없음 (PagerDuty fatigue).
- Tabletop skip: 매 매 1년 1회 도 안 함 → 매 첫 incident 가 첫 연습.
- Public attribution rush: 매 confidence 없이 nation-state 발표.
🧪 검증 / 중복
- Verified (CISA advisories 2025-08, NIST SSDF, SLSA v1.0, Mandiant 2025 M-Trends).
- 신뢰도 A (매 specific incident detail 은 generalized).
🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — supply-chain + OIDC + SBOM + LLM triage |