
[tl;dr sec] #123 - AWS Security Reference Architecture, DevSecOps Playbook, Analyzing Malicious Documents

60-page PDF on using AWS security services in a multi-account environment, how to introduce DevSecOps in your company, and tools to examine malicious Office docs.

Hey there,

I hope you’ve been doing well!

Destiny

Our lives are like brilliant strands of thread in the rich tapestry of life.

We weave in and out of each other’s lives, building connections and sections of the big picture.

Sometimes there are seemingly insignificant strands that somehow wind their way into our lives.

For me, one strand began years ago, in a discount bargain bin in a Walmart in Cincinnati, Ohio.

There, my sister found the following #PeakBayArea game, which she bought for me for Christmas, and then promptly forgot about it until we rediscovered the game this year, years later, while cleaning out a closet.

The game is this: you draw cards for a company name, a target user demographic, and an industry you’re disrupting, and then you make up a product and pitch your start-up to the “VC” player.

As you’d expect, the cards are both ridiculous and something you might overhear discussed earnestly at a Blue Bottle Coffee in SF.

I played it with my family and with some work colleagues, and everyone loved it. The latter was admittedly a bit dangerous, as there was a non-zero chance of causing the world to explode due to too much irony, with real-life Silicon Valley start-up founders playing… Silicon Valley founders pitching start-ups to VCs.

Life imitates art imitates… card games. -Sam Altman, a16z

Sponsor

📢 Bring speed and scale to your security environment

Datadog’s Cloud Security platform provides real-time threat detection and continuous configuration audits across applications, hosts, containers and cloud infrastructures.

Drag-and-drop dashboards and machine learning-based alerts help dev, ops, and security teams troubleshoot and collaborate more effectively to identify the root cause of a malicious attack before it affects customers.

Get set up in minutes with 350+ default detection rules mapped to the MITRE ATT&CK® framework and other compliance frameworks.

Start your free 2-week trial today and get a free Datadog t-shirt!

📜 In this newsletter...

  • AppSec: How GitLab automatically fixed thousands of deprecation warnings, on writing custom security checks, DevSecOps Playbook

  • Mobile Security: WebView Android security checklist, getting started with iOS pen testing

  • Cloud Security: AWS Security Reference Architecture, hands-on S3 security game, higher level infra as code language

  • Supply Chain: Extensible framework to detect and prevent dependency confusion

  • Blue Team: How to analyze malicious Office docs, ATT&CK for insider threats, tool to aid in understanding ATT&CK chain flows

  • Politics / Privacy: Charts and data to understand the context of the war in Ukraine

  • Program Analysis: Tool to generate call graphs for dynamic languages, symbolic execution for bug hunting in binaries survey

  • Misc: Generator of polyglots and weird files, tech salary comparison tool, stay in a nuclear shelter, Heardle, TIME 100 best inventions of 2021, March Meme Madness

AppSec

  • Broke: manually updating your code.

  • Woke: using your test suite to gather all warnings using the Deprecation Toolkit gem, then writing a custom RuboCop check to find and autofix them.

6mile/DevSecOps-Playbook
Detailed guide by SecureStack’s Paul McCarty to help you introduce effective DevSecOps practices in your company, regardless of size. It provides explicit guidance and actionable steps to introduce security controls, measure their effectiveness, and demonstrate value for money to your business leaders.

Mobile Security

Android security checklist: WebView
Several ways to exploit WebViews, ways to increase the impact of the attack if an attacker is able to load an arbitrary URL, and recommendations for preventing these vulnerabilities or reducing their impact, by Oversecured.

Getting Started with iOS Penetration Testing (Part 1)
iOS architecture overview, some sample vulnerable apps, testing methodology, setting up your proxy, jailbreaking, bypassing jailbreak detection and SSL pinning, and checking for sensitive data exposure, by YesWeHack.

Cloud Security

AWS Security Reference Architecture
60-page PDF by AWS Professional Services containing a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. GitHub repo with example solutions.

S3 Game
An interactive game with 15 levels of challenges to teach you about S3 features and common security issues, by Vasily Pantyukhin. Similar to Scott Piper’s flaws.cloud and flaws2.cloud.

run-x/opta
By RunX: “Infrastructure-as-code where you work with high-level constructs instead of getting lost in low level cloud configuration.” Uses Terraform under the hood so you’re not locked in. Blog post.

In Opta, modules are a first class citizen. There are modules for all the common resources that one might need — like EKS, RDS, DynamoDB, GKE, Cloud SQL, etc and even third party services like Datadog. All these modules are designed by Infrastructure experts — so they follow all the best security practices and are production grade. Plus they are designed to work really well with each other.

Supply Chain

apiiro/combobulator
By Apiiro’s Moshe Zioni: A modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. Facilitates an approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., npm, maven).

Blue Team

How to analyze malicious documents – Case study of an attack targeting Ukrainian Organizations
Nice walkthrough of analyzing potentially malicious files by Cyber Geeks, with examples of some useful tools by Philippe Lagadec et al.

  • oleid can be used to analyze OLE files such as MS Office documents (e.g. Word, Excel) to detect potentially malicious characteristics like VBA macros, embedded Flash objects, and fragmentation.

  • olevba can detect VBA Macros and extract their source code in clear text, detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common obfuscation methods.

  • ViperMonkey is a VBA Emulation engine that can be used to analyze and deobfuscate malicious VBA macros.
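As an added example (not oletools code, and not from the Cyber Geeks write-up), the script below applies a few of the olevba-style checks listed above to macro source that has already been extracted: it flags auto-executable entry points, suspicious keywords, decodes the common Chr()-concatenation obfuscation, and pulls URL and IPv4 indicators out of the decoded text. The keyword lists, the sample macro and the verdict thresholds are constructed for this demo; the sample macro builds a string and references a shell object but does nothing when run.

```python
"""Heuristic triage of extracted VBA macro source.

Constructed example for this issue, not oletools code. It mirrors a subset
of the checks olevba performs (auto-exec detection, suspicious keywords,
Chr()-concatenation decoding, IOC extraction) on macro text that has already
been extracted, so it runs without an OLE parser.
"""
import re

# Entry points Office invokes without a click (a subset of olevba's list).
AUTO_EXEC = ("AutoOpen", "Document_Open", "Workbook_Open",
             "AutoExec", "AutoClose", "Document_Close")

# Keywords common in droppers; each is a signal, not proof of malice.
SUSPICIOUS = ("Shell", "CreateObject", "WScript.Shell", "XMLHTTP",
              "ADODB.Stream", "Environ", "URLDownloadToFile")

# A run of Chr(n) calls joined with '&', e.g. Chr(104) & Chr(116).
CHR_RUN_RE = re.compile(r"Chr\(\d+\)(?:\s*&\s*Chr\(\d+\))*", re.IGNORECASE)
CHR_CODE_RE = re.compile(r"Chr\((\d+)\)", re.IGNORECASE)
# Two adjacent string literals joined with '&'.
LITERAL_JOIN_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')

URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_chr_concat(source: str) -> str:
    """Replace Chr() runs with the literal they build, then merge literals.

    Chr(104) & Chr(116) & "tp"  ->  "http"   (via "ht" & "tp")
    """
    def run_to_literal(match):
        codes = CHR_CODE_RE.findall(match.group(0))
        return '"' + "".join(chr(int(c)) for c in codes) + '"'

    decoded = CHR_RUN_RE.sub(run_to_literal, source)
    # Merge "a" & "b" repeatedly until no adjacent pair remains.
    while True:
        merged = LITERAL_JOIN_RE.sub(r'"\1\2"', decoded)
        if merged == decoded:
            return merged
        decoded = merged


def analyze_vba(source: str) -> dict:
    """Return olevba-style triage findings for a block of macro text."""
    decoded = decode_chr_concat(source)
    auto_exec = [n for n in AUTO_EXEC
                 if re.search(r"\b" + re.escape(n) + r"\b", decoded)]
    suspicious = [k for k in SUSPICIOUS
                  if re.search(r"\b" + re.escape(k) + r"\b", decoded)]
    # IOCs are collected from the decoded text so obfuscated URLs surface too.
    iocs = sorted(set(URL_RE.findall(decoded)) | set(IPV4_RE.findall(decoded)))
    return {
        "auto_exec": auto_exec,
        "suspicious": suspicious,
        "iocs": iocs,
        "chr_obfuscation": bool(CHR_RUN_RE.search(source)),
        "decoded": decoded,
    }


def verdict(findings: dict) -> str:
    """Collapse findings into a triage label (thresholds are a demo choice)."""
    if findings["auto_exec"] and (findings["suspicious"] or findings["iocs"]):
        return "suspicious: auto-exec macro with risky calls or indicators"
    if findings["suspicious"] or findings["iocs"] or findings["chr_obfuscation"]:
        return "review: risky patterns without an auto-exec trigger"
    return "benign-looking: no flagged patterns"


# Constructed decoy macro: builds a URL from Chr() codes and references a
# shell object, but performs no download or execution.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & "//" & "198.51.100.7" & "/update.exe"
    Set o = CreateObject("WScript.Shell")
    MsgBox Environ("TEMP") & u
End Sub

Sub Helper()
    ' ordinary code: nothing flagged
    Debug.Print "hello"
End Sub
'''

if __name__ == "__main__":
    result = analyze_vba(SAMPLE_MACRO)
    for key in ("auto_exec", "suspicious", "iocs", "chr_obfuscation"):
        print(f"{key}: {result[key]}")
    print(verdict(result))
```

Running it on the constructed sample reports the AutoOpen trigger, the shell-related keywords, the decoded URL and its IPv4 address, and a "suspicious" verdict; the Helper procedure contributes nothing. Real olevba does considerably more (it parses the OLE container, handles VBA stomping and several other encodings), so treat this as an illustration of the checks, not a replacement.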

Launching a community-driven insider threat knowledge base
MITRE Engenuity’s Jon Baker et al, in conjunction with several industry partners, have released the Insider Threat TTP Knowledge Base, a collection of tactics, techniques, and procedures (TTPs) used by known insiders in IT environments. This initial publication is based on analysis of insider threat case data contributed by participants and 54 identified techniques that have been used by insiders. See this PDF for more info and the TTPs in detail. GitHub repo.

center-for-threat-informed-defense/attack-flow
MITRE Engenuity’s ATT&CK Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.

At a high level, ATT&CK Flow is a machine-readable representation of a sequence of actions and assets along with knowledge properties about those actions and assets. Home page.

Politics / Privacy

On this page we provide a list of charts, data and resources that you may find useful to understand the context of the ongoing war in Ukraine.

We do not publish any data on the ongoing war in Ukraine, but instead we provide longer-term and global context on military resources, conflicts, energy production and trade, political regimes and other relevant topics.

Sponsor

📢 Communication Skills for Security Teams

If there was ever a time for security teams to upgrade their communication skills and increase their influence, this is it! Discernible is specialized in the unique needs of internal security teams, from board-level engagement to incident response communications and de-escalating bug bounty drama.

Program Analysis

scottrogowski/code2flow
A tool to generate call graphs for dynamic languages by Scott Rogowski. Code2flow currently supports Python, Javascript, Ruby, and PHP. You can listen to Scott talk about it on the Podcast.init podcast here. Code2flow is useful for:

  • Untangling spaghetti code.

  • Identifying orphaned functions.

  • Getting new developers up to speed.

Symbolic Execution for Bug Hunting in Binaries
~180 slides on the state of the art regarding symbolic execution techniques used in system research, by UCSB’s Fabio Gritti. Work that ties together many resources like this is 👌🔥.

Misc

corkami/mitra
A generator of weird files (binary polyglots, near polyglots…) by Ange Albertini. Slides.

Compare Tech Salaries Instantly: Introducing the VanHack Tech Salary Calculator
Free tool by VanHack to compare tech salaries across locations, roles, skills, and experience.

10-Z
If you’re looking for an interesting place to stay in Europe, check out this nuclear shelter, only a 2 hour drive from Prague. H/T Bence Nagy.

Heardle
Try to guess a song after just a few seconds.

TIME - The 100 Best Inventions of 2021
Across a bunch of categories, including: accessibility, AI, apps and software, AR/VR, connectivity, consumer electronics, design, education, and much more.

Bugcrowd’s March Meme Madness
Twitter thread with some good hacking memes. Like these shared by @johnjhacking, Subhadip Nag, and Lakshy.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint