GitGuardian’s Spot the Secrets

Can you find all the credentials in the code, logs, Jira, and Slack messages?

Plaintext credentials, also known as secrets, are among the most dangerous things in your environment: anyone who can read one can use it. Each year, GitGuardian releases our State of Secrets Sprawl report, and the news is not good. We found 23.8 million hardcoded secrets added to public repos on GitHub in 2024 alone.

The problem of our API keys, passwords, and other credentials making it into our code and other places like our logs, Jira, and Slack is getting worse, not better. 

To make matters worse, a full 27% of the IT leaders we surveyed said they rely on manual code review to address this issue.

If you have never tried to identify every key and password in a codebase or messaging system, here is your chance to feel what that is like, and to see what a difference the right tool makes to the process.

What you will need

  • 1 deck of 20 Spot the Secrets cards: 8 commits, 4 log files, 4 Jira tickets, 4 Slack messages
  • 1 UV flashlight
  • These instructions
  • A stopwatch (like the one on your phone)

The Scenario: A leak on Pastebin

While on call, you get a message that a small number of code snippets, Jira tickets, log files, and Slack messages have been exposed in a Pastebin dump. You are now in a race with bad actors who also monitor Pastebin, waiting for secrets to appear so they can exploit them.

Your mission is to manually find any secrets that would grant access to another system or decrypt data, so your team knows which secrets need to be rotated before the attackers use them. You will be timing yourself as you go.

Be careful: each false positive (a card flagged as containing a secret when it does not) wastes valuable time and adds a 10-second penalty. A single false negative (a real secret you missed) means the attacker wins. You need to balance speed with accuracy.


The Spot the Secrets exercise is divided into two rounds:

Round 1: Manually review all the cards to find the secrets in logs, Jira, Slack, and the code base.

Round 2: Identify the false positives and false negatives.

Beginning layout

All cards should be placed face-down in front of the player, and the stopwatch should be reset.

Round 1: Find those secrets

Your mission is to find all the secrets in these code samples, Jira tickets, Slack messages, and log files.

When ready, start the timer. 

Examine each card, one at a time.

If the card contains a secret, place it face-up above the pile of unexamined cards.

If the card contains no secret, place it face-up below the pile of unexamined cards.

When each card has been evaluated, stop the timer and note the elapsed time.

Round 2: Identify the false positives and false negatives using the right tool

You might be thinking, "There must be an easier way to do this." Good news: There is! 

For this exercise, you will use your UV flashlight to expose hidden markings on some of the cards. There is no need to time yourself on this round; we just want to see how many you got right.

Using the UV flashlight, illuminate the face-up cards, starting with the ones you believe contain a secret. 

Cards that contain a secret reveal an "S" marking, and some also reveal a "V" marking; both are invisible in regular light.

If a card in your 'secrets' pile shows an S marking, congratulations, you correctly identified a secret! As you might have guessed, S stands for "Secret."

V stands for "Valid Secret," meaning that if an attacker had found this plaintext credential, they could have used it!

While you are examining each secret, we encourage you to think about how you would have validated it without the tool.

False negatives mean the attacker wins

If any card in your 'no secrets' pile shows an S or V marking, that is a false negative: the attacker will eventually find and use that secret to access the system. If you never identify the secret, you cannot rotate or remove it, and there is no way to prevent that access.

False positives waste valuable time

If a card in your 'contains secrets' pile shows no markings, that is a false positive.

For each card you misidentified as containing a secret when none was present, add 10 seconds to the time you noted at the end of Round 1.
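Round 1 asks you to do by eye what a secrets scanner does with patterns, and Round 2 scores your piles against the answer key. The Python below is an added example, not GitGuardian's code and not anything printed on the cards: it runs a handful of simplified detectors (AWS access key ID, GitHub personal access token, Slack bot token, and a generic password assignment with a placeholder and entropy filter) over five constructed cards, then scores a hypothetical reviewer's 'secrets' pile with the 10-second false-positive penalty and the "any false negative loses" rule from above. Every card, credential string, and threshold is made up for this example; the tokens match the public formats in shape only.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detectors for a few well-known credential shapes. These regexes are
# simplified for the example; a production scanner carries hundreds of
# detectors and also checks validity against the issuer, which no regex can do.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}\b"),
    # Captures the value of password=..., PASSWD: "...", and similar assignments.
    "generic_password": re.compile(r"(?i)pass(?:word|wd)?\s*[:=]\s*[\"']?([^\s\"',;]{8,})"),
}

# Values that look like a password assignment but are obviously not real (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "redacted", "xxxxxxxx", "<secret>"}
# Per-character Shannon entropy below which a value is treated as a word, not a key (assumed threshold).
MIN_ENTROPY_BITS = 3.0


@dataclass(frozen=True)
class Finding:
    card: str
    detector: str
    value: str


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; random keys score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_card(card: str, text: str) -> list[Finding]:
    """Run every detector over one card and return what it flags."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            # The generic detector is noisy, so drop placeholders and low-entropy words.
            if name == "generic_password" and (
                value.lower() in PLACEHOLDERS or shannon_entropy(value) < MIN_ENTROPY_BITS
            ):
                continue
            findings.append(Finding(card, name, value))
    return findings


def cards_with_secrets(cards: dict[str, str]) -> set[str]:
    """The answer key: every card on which at least one detector fires."""
    return {card for card, text in cards.items() if scan_card(card, text)}


def score_review(flagged: set[str], answer_key: set[str], elapsed_seconds: int, penalty: int = 10) -> dict:
    """Apply the exercise rules: +10 s per false positive, any false negative means the attacker wins."""
    false_positives = sorted(flagged - answer_key)
    false_negatives = sorted(answer_key - flagged)
    return {
        "false_positives": false_positives,
        "false_negatives": false_negatives,
        "adjusted_seconds": elapsed_seconds + penalty * len(false_positives),
        "attacker_wins": bool(false_negatives),
    }


# Constructed cards. The credentials below are invented and match real formats in shape only.
CARDS = {
    "commit-1": 'aws_access_key_id = "AKIAQ3X7ZK2P9MNB4TR1"\naws_secret_access_key = os.environ["AWS_SECRET"]',
    "log-1": "2024-05-02T10:14:03Z INFO slack client init token=xoxb-2187934567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx",
    "jira-1": "Steps to reproduce: log in as admin with password=changeme on the staging box",
    "slack-1": "dropping my PAT here so CI works: ghp_Kq8ZmR2vLp0N4sT7yB1cX9dF3hJ6wE5aG0uV",
    "commit-2": "# TODO remove before merge\nDB_PASSWORD = 'Tq9!vL-s3cr3t-8mZ'",
}

if __name__ == "__main__":
    answer_key = cards_with_secrets(CARDS)
    for card, text in CARDS.items():
        print(card, [(f.detector, f.value) for f in scan_card(card, text)])
    # A hypothetical reviewer who flagged jira-1 (false positive) and missed two real secrets.
    print(score_review({"commit-1", "log-1", "jira-1"}, answer_key, elapsed_seconds=100))
```

Two things worth noticing when you run it. First, the entropy filter that keeps the `password=changeme` placeholder on jira-1 out of the 'secrets' pile would also drop a human-chosen password such as `sunshine`, and in this game a dropped real secret means the attacker wins; that is the speed-versus-accuracy trade-off expressed as a threshold. Second, nothing here can tell an S card from a V card: pattern matching only says a string is shaped like a credential, and deciding whether it is still valid means exercising it against its issuer (for example AWS STS GetCallerIdentity for an access key, or GitHub's `/user` endpoint for a PAT), which this offline example deliberately does not do.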


Scoring against the attacker

Based on data we have gathered on how long attackers take to find a leaked secret and start trying to exploit it, here are the time ranges to beat, or to compare your score against, in this scenario:

1:30 - at 1 minute and 30 seconds, we can assume that an adversary will also have found this leak on Pastebin. If your total time is less than 45 seconds, you are one step ahead of any attacker.

3:00 - at 3 minutes, we can assume the attacker has gained access to at least one of the systems associated with the secrets. You had better hope your rotation plan can be triggered quickly.

4:15 - at 4 minutes and 15 seconds, exfiltration has begun, and data is being copied as quickly as possible to external systems. Rotation right now might stop some of this, but other security measures around data loss need to be invoked. The incident just escalated.

5:45 - at 5 minutes and 45 seconds, the attacker has started the ransomware encryption process. Unfortunately, even if you rotate the credentials now, you are still at the mercy of this particular attacker.

These windows are artificially short for the purposes of this exercise, but the reality is that attackers move at the speed of scripts and automation. Manual review is no match for tooling that tests a leaked credential the moment it appears and automatically begins exfiltration, privilege escalation, or lateral movement.


Ask yourself

How long did it take to identify the false positives and false negatives?

How would you have manually determined if a secret was valid?

Wouldn't this have been easier if you had used the flashlight from the start?

Yes, you can use a tool in the real world

In the real world, the GitGuardian Secrets Detection Platform can help you find plaintext credentials even faster and more easily than the flashlight! Get started today at gitguardian.com