- tl;dr sec
- Posts
- [tl;dr sec] #157 - Transforming Security Champions, Production-ready osquery, Compromising Self-hosted GitHub Runners
[tl;dr sec] #157 - Transforming Security Champions, Production-ready osquery, Compromising Self-hosted GitHub Runners
Tanya Janca on building a security champions program, highly turned osquery detections, gaining GitHub Runner persistence and how to detect compromises.
Clint Gibler
November 02, 2022
Hey there,
I hope you’ve been doing well!
Halloween
I hope you had a great Halloween weekend, and that you’re mostly recovered from your sugar coma!
I didn’t have much time to prepare a costume, so I ended up getting Spirit Halloween’s “sexy police officer.”
But I didn’t want to be basic, so I thought of a punny take on it and made some modifications (which I will not share here, as I might use it next year).
Despite the modifications, I did still get asked multiple times at parties, and at work on Monday, when the “show” would start 😂
If I need a costume next year, I could also go with:
Call for Jobs!
Due to the economy, there’s recently been a number of awesome security folks laid off.
If your company is hiring, send me a link to the job description (you can just reply directly to this email) and I’ll include it in the newsletter next week.
r2c: CVE Analyst
Speaking of, my company is hiring!
This role is remote friendly and a great entry level role for someone wanting to break into the security industry.
We’re looking for a CVE Analyst (contract-to-hire). You will be joining the team that builds Semgrep Supply Chain, a high-signal dependency scanner that cuts through the noise of false positives by leveraging Semgrep’s first party code analysis. In this role, you will research open source vulnerabilities and write Semgrep rules to help secure our customers against the latest threats.
You can apply directly here, and feel free to mention I sent you!
Sponsor
📢 Adopting Real-Time Threat Detection Workflows
Real-time threat detection is empowering security teams to flip the script on potential intruders. Real-time threat detection is the evolution of traditional threat detection that utilizes best-in-class modern security tools to analyze potential threats instantly. In the case of modern SIEM tools, teams can automate analysis to occur directly as event logs are ingested. Learn how to adopt a real-time threat detection strategy with modern SIEM in under an hour.
📜 In this newsletter...
Conferences: DEF CON 30 talk playlist, list of cybersecurity conferences, notes on 9 Strangeloop talks
AppSec: evil OIDC server that SSRFs, tool to detect misconfigurations and security risks across GitHub assets, make locally trusted dev certificates, transforming security champions, from self-hosted GitHub runner to self-hosted backdoor
Web Security: Attacker and defender's view of API vulnerabilities
Supply Chain: Sigstore GA and v1.0 releases, overview of OWASP Software Component Verification Standard, announcing GUAC, a great pairing with SLSA
Cloud Security: Terraform ClickOps notifier, grep for infra, best practices for network perimeter security in cloud-native environments, generating fine-grained permissions using IAM Access Analyzer
Blue Team: Production-ready osquery detections, malicious CVE PoCs on GitHub, massive cryptomining operation leveraging GitHub Actions
Politics / Privacy: TikTok is tracking US citizens, China's influence operations around the US elections, Chinese agents tried to interfere with Huawei criminal case in US
Misc: Olive oil brownies with sea salt, make delicious french toast, Dungeons & Dragons therapy, rom coms are back
Inspiration: The dangers of doubting yourself, being rejected is giving you rocket fuel
Conferences
DEF CON 30 Main Talks Playlist
Always worth checking out.
TalEliyahu/awesome-cybersecurity-conferences
A list of a number of security conferences around the world and a link to their videos and slides, by Tal Eliyahu.
Notes on Every Strangeloop 2022 Talk I Attended
Hillel Wayne provides some concise thoughts on ~9 talks.
AppSec
doyensec/oidc-ssrf
An Evil OIDC Server: the OpenID Configuration URL returns a 307 to cause SSRF, by Doyensec’s Luca Carettoni.
Legit-Labs/legitify
By Legit Security: Detect and remediate misconfigurations and security risks across all your GitHub assets: organizations, actions, members, and repositories.
FiloSottile/mkcert
A simple zero-config tool to make locally trusted development certificates with any names you’d like, by Filippo Valsorda.
Transforming Security Champions
Tanya Janca’s RSAC talk on how security champions programs work, how to select security champions, and a recipe for success: recruit, engage, teach, recognize, reward, and don’t stop. Also, this talk was recently selected for the RSA Conference 2022 Top-Rated Session program, congrats Tanya! 🙌
From Self-Hosted GitHub Runner to Self-Hosted Backdoor
Praetorian’s Adnan Khan, Mason Davis, and Matt Jackoski describe how they gained persistent access to a target GitHub environment via an obtained personal access token and compromising self-hosted runners. They describe ways in which PATs can be disclosed and how there are significant logging gaps when not on GitHub’s most expensive tier. Boo.
The more affordable Teams plan lacks certain audit logging features that would enable an organization’s SoC to learn of an attacker’s actions before it is too late. In particular, any clone, fetch, or push actions do not generate audit log events for customers that use Teams’ price tier. This means that if an attacker obtained a GitHub PAT that allowed access to a private organization on the Teams plan, they could clone every single repository within that organization without the generation of audit log events.
Web Security
Black and Blue APIs: Attacker’s and Defender’s View of API Vulnerabilities
Matt Tesauro walks through the OWASP API Security Top 10 from both an attacker and defender point of view.
Supply Chain
Sigstore project announces general availability and v1.0 releases
By Google’s Dave Lester and Bob Callaway. The Sigstore community has announced the general availability of their free, community-operated certificate authority and transparency log services. Two of Sigstore’s foundational projects, Fulcio and Rekor, published v1.0 releases as well, denoting a commitment to API stability.
See also GitHub’s Zach Steindler post: Why we’re excited about the Sigstore general availability.
OWASP Software Component Verification Standard (SCVS)
Chris Hughes provides an overview of OWASP SCVS, a community-driven software supply chain security guide. It focuses on reducing risk in the software supply chain by identifying relevant activities, controls and best-practices that can be implemented throughout the software supply chain lifecycle.
Chris describes what’s involved in the 3 levels of maturity across 6 control categories: Inventory, SBOM, Build Environment, Package Management, Component Analysis, and Pedigree and Provenance.
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model.
Sponsor
📢 Secure and private cloud data classification
When it comes to protecting cloud data, the solution can't create more risk than the product aims to reduce. Backhauling data beyond the confines of your environment to a common hub or cloud service that provides a centralized home for classification and analytics creates significant security risks.
Read our blog to learn how Open Raven solves these issues and avoids data backhauling altogether by safely bringing computing power and analysis logic to the data instead of the other way around.
Cloud Security
cloudandthings/terraform-aws-clickops-notifier
Get notified when users are taking actions in the AWS Console.
Isan-Rivkin/surf
By Similarweb’s Isan Rivkin: CLI text search across your infrastructure platforms: it’s grep for infra. Currently supports: AWS Route53, ACM and S3, Hashicorp Vault and Consul KV, ElasticSearch, and Logz.io.
Best Practices for Network Perimeter Security in Cloud-Native Environments
Datadog’s Mallory Mooney looks at the evolution of network perimeters in modern cloud environments as well as some best practices for securing them:
Inventory all network entry points and secure existing boundaries
Use Zero Trust architecture to restrict access
Segment networks to control traffic from potentially vulnerable entry points
Get visibility into all network traffic
Use IAM Access Analyzer policy generation to grant fine-grained permissions for your AWS CloudFormation service roles
IAM Access Analyzer policy generation creates fine-grained policies based on your AWS CloudTrail access activity—for example, the actions you use with ECS, Lambda and S3. AWS has expanded policy generation capabilities to support the identification of actions used from over 140 services, including CloudFormation, DynamoDB, and SQS.
Blue Team
chainguard-dev/osquery-defense-kit
Production-ready detection & response queries for osquery, by Chainguard. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.
How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub
PoCs for exploits are often shared on platforms like GitHub. However, there’s no guarantee that the PoCs are trustworthy, and don’t contain additional functionality. This academic paper reviewed PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021, and found 4893 malicious repositories out of 47313 repositories that have been downloaded and checked (i.e., 10.3% of the studied repositories have symptoms of malicious intent).
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
Sysdig’s Crystal Morin describes an extensive and sophisticated active cryptomining operation in which a threat actor is abusing the free tier of some of the largest cloud and continuous integration (CI/CD) service providers; including GitHub, Heroku, Buddy.works, and others.
They estimate the threat actor would need to use several thousand free accounts to earn $137, which would cost ~$103,000 of GitHub’s resources.
Politics / Privacy
TikTok accused of plotting to track specific US citizens
Why bother hacking people’s devices when you can get them to install your app that gives you GPS and other phone info?
Leaked documents apparently detail these plans and efforts by TikTok’s audit staff to use the mobile app to record the location of selected users so that their activities could be surveilled.
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People’s Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include:
• Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor.
• Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S. midterm elections.
• Allegations that the U.S. was responsible for the Nord Stream gas pipeline explosions.
Uncle Sam says Chinese agents tried to interfere with Huawei criminal case in US
13 people charged with committing espionage-linked crimes in the US on behalf of the Chinese government, including: attempting to force a Chinese national in America to return to China; attempting to interfere with the federal criminal prosecution of a Chinese company, said to be Huawei; and attempting to recruit US academics and government officials in the US to spy for China.
FBI Director Christopher Wray said while these three cases appear to be unrelated, “each of these cases lays bare the Chinese government’s flagrant violation of international laws as they work to project their authoritarian view around the world, including within our own borders.”
“In all three of these cases, and frankly, in thousands of others, we found the Chinese government threatening established democratic norms and the rule of law as they work to undermine US economic security and fundamental human rights, including those of Americans,” he said. “We also see a coordinated effort across the Chinese government to lie, cheat and steal their way into unfairly dominating entire technology sectors, putting competing US companies out of business.”
“When I last looked, we were opening a new China counterintelligence investigation about every 12 hours. And it’s about a 1,300 percent increase from several years ago.”
It’s almost like there’s a consistent, intentional, widespread effort to undermine the U.S. 🤔
Misc
How To Make French Toast Even Better than the Diner
Some pretty solid tips.
Dungeons & Dragons and… therapy?
Apparently there’s been a rise of therapeutic tabletop role-playing games (TTRPGs) to help some clients open up.
“Human beings love love,” Kenny explains. “We love connection, we love intimacy, we love our family and friends. So at times of mass discontent and disharmony in our world, we return to the one thing that truly makes us who we are: love, family, connection, humour, and a conviction that above everything else, this is what matters.
Inspiration
H/T @securibee’s newsletter for these and other good links.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint