• tl;dr sec
  • Posts
  • [tl;dr sec] #185 - Artisanal to Industrial Security, Securing the EC2 Instance Metadata Service, 12 Threat Modeling Methods

[tl;dr sec] #185 - Artisanal to Industrial Security, Securing the EC2 Instance Metadata Service, 12 Threat Modeling Methods

How to deliver security at scale, the security properties of IMDSv2, a summary of many threat modeling approaches.

Hey there,

I hope you’ve been doing well!

🚨 Changing Platforms 🚨

Over the next few weeks I’m going to be changing two important things about how I send tl;dr sec:

  1. I’m switching from MailChimp to Beehiiv.

  2. I’ll be sending from [email protected] instead of this current email.

This might make it harder for tl;dr sec to end up in your inbox.

I’d really appreciate if you took some small steps to smooth the transition, like:

  • Sending me an email at [email protected] just to say hi.

  • Add the above email to your list of contacts or otherwise tell your email client that we’re cool (here’s how).

This change will allow me to create even more and better content for you in the future, and the site and emails will look awesome on web and mobile.

Thanks so much for your help and patience! Here’s a productivity tip as a thank you.

Semgrep Launch

This week Semgrep launched some pretty cool stuff:

  1. Semgrep Supply Chain is now free to use up to a 10-contributor limit.

  2. Semgrep is even faster; set up scanning on GitHub.com in a minute, scan on every keystroke in the Semgrep Playground and VS Code.

If you want to hear more about these updates we’re having a webinar next Wednesday.

Sponsor

📢 5 tips to help CISOs (and aspiring security leaders) survive and thrive in the boardroom

Want to know the secret to nailing a cybersecurity board presentation? Learn from a seasoned former CISO and current Field CISO at Lacework, Andy Schneider (and a current member on several advisory boards), who’s already learned what not to do— so you don’t have to find out the hard way.

Board level conversations about cybersecurity are taking more importance everyday as companies prioritize the protection of their infrastructure, data, and ultimately their business. As security leaders, we tend to talk about security and assume everyone understands (and cares), but in reality, that’s not always the case.

Check out this blog article to learn 5 key tips on how to shine in your next board meeting and how to best approach cybersecurity conversations in the boardroom.

This post is excellent and full of practical, actionable advice for any security leader, or just anyone wanting to be effective at influencing in their org. Solid metrics and presentation tips.

Highly recommend giving it a read ☝️

📜 In this newsletter…

  • AppSec: 12 threat modeling methods, Reversing Pickle

  • OSINT / Recon: Nuclei Templates Directory, Efficient Active Subdomain Enumeration with Patterns

  • Cloud Security: AWS IMDS Packet Analyzer, distribute CLI commands to Lambdas, Securing the EC2 Instance Metadata Service, How to get rid of AWS access keys

  • Container Security: Debugging Kubernetes with Automated Runbooks & Ephemeral Containers

  • Fuzzing: Coverage-guided greybox distributed fuzzer, Random Fuzzy Thoughts, Unearthing Vulnerabilities in the Apple Ecosystem

  • Machine Learning + Security: Threat Modeling with ChatGPT, Model-Assisted Threat Hunting

  • Machine Learning: Why AI Will Save The World, How I Use OpenAI’s GPT-4 To Stay In Touch With My Mum, ChatGPT Plugin for Kubernetes YAML, Hacker and AI-themed phone backgrounds

  • Misc: Kenny Loggins, The Collective Noun Catalog, Ranking the Pain of Stinging Insects

  • Delivering Security at Scale: From Artisanal to Industrial: How to effectively scale security

AppSec

Threat Modeling: 12 Available Methods
CMU’s Nataliya Shevchenko walks through 12 threat-modeling methods, including STRIDE, PASTA, LINDDUN, CVSS, Attack Trees, Persona non Grata, Security Cards, hTMM, Quantitative Threat Modeling Method, Trike, VAST Modeling, and OCTAVE.

Reversing Pickles with r2pickledec
Doyensec’s Dennis Goodlett introduces r2pickledec, a pickle decompiler that support all instructions up to protocol 5 and works with Radare2. Additionally, Dennis provides an introduction to Python Pickles and their functionality, along with a practical case demonstrating how to reverse engineer a pickle using Radare2 and r2pickledec.

OSINT / Recon

Nuclei Templates Directory
By @dwisiswant0: Tool to search for Nuclei templates on GitHub based on different terms like template ID, name, tags or author.

Introducing Alterx: Efficient Active Subdomain Enumeration with Patterns
Project Discovery’s Tarun Koyalwar introduces Alterx, a powerful tool for active subdomain enumeration that allows customizable patterns and delivers substantial advantages over traditional brute-force techniques

Sponsor

📢 Ockam: Securely connect applications across private networks, without opening any ports

With Ockam, add end-to-end encrypted and mutually authenticated secure channels to any application in any transport topology. Connect to services in remote private networks using end-to-end encrypted portals. Scale cryptographic identities, bootstrap mutual trust, manage short-lived credentials, and enforce attribute-based access control everywhere.

Use Ockam's open source tools to build secure-by-design applications that can Trust all Data-in-Motion.

Cloud Security

aws/aws-imds-packet-analyzer
A tool that traces TCP interactions with the EC2 Instance Metadata Service (IMDS). This can assist in identifying the processes making IMDSv1 calls on a host, so you can gradually make sure everything is using the more secure IMDSv2.

nelhage/llama
By Nelson Elhage: A tool designed for running UNIX commands within AWS Lambda. It offers a convenient drop-in replacement for gcc or clang to execute compilation tasks in the cloud, resulting in significant speed improvements when building extensive C or C++ software projects.

Misconfiguration Spotlight: Securing the EC2 Instance Metadata Service
Datadog’s Nick Frichette sheds light on common misconfigurations found in cloud environments, focusing specifically on EC2 and IMDSv2. Nick explores how IMDSv2 helps mitigate the risks associated with SSRF vulnerabilities by implementing a session token requirement in subsequent requests via a header.

He also explains how it prevents misconfigured reverse proxies from requesting these tokens by blocking requests containing the X-Forwarded-For header.

How to get rid of AWS access keys- Part 1: The easy wins
Wiz’s Scott Piper delves into the most straightforward methods for eliminating AWS access keys and IAM users. Scott expands on the guidance provided by AWS when generating new keys and offers additional advice on handling existing access keys, including:

  • Removing unused access keys

  • Deleting IAM users without credentials

  • Getting rid of root access keys

  • Using a Service Control Policy (SCP) to deny the creation of new access keys and IAM users

Container Security

Debugging Kubernetes with Automated Runbooks & Ephemeral Containers
PagerDuty’s Jake Cohen introduces PagerDuty Process Automation, a pre-built, templatized runbook that eliminates the need for users to execute commands directly in running pods. See also the open source RunDeck.

Kubernetes Ephemeral Containers can be used when debugging capabilities are not shipped as part of the container image. Ivan Velichko has a nice blog post with more details.

Fuzzing

Cybergenik/hopper
By Luciano Remes: A coverage-guided greybox distributed fuzzer that aims to improve performance of fuzzing in large-scale distributed environments.

Random Fuzzy Thoughts
Alex Kladov shares his insights and observations about randomized testing while delving into three interconnected questions:

  • How can we ensure robust reproducibility of generative fuzzing failures?

  • How can the existing randomized testing infrastructure be employed for manual test specification?

  • How to verify that generative fuzzing adequately covers interesting scenarios?

Unearthing Vulnerabilities in the Apple Ecosystem: The Art of KidFuzzerV2.0
STAR LABS SG’ Zhenpeng Pan shares his research presented at OffensiveCon 2023 (video) on how to use the backward fuzzing to discover additional security vulnerabilities in Apple drivers and the XNU kernel, leveraging different public and non-public Apple N-day bugs. The talk also provides a quick review of the attack surfaces and mitigations implemented in Apple’s kernel space.

Machine Learning + Security

Threat Modeling Example with ChatGPT
Rusty Newton walks through using ChatGPT to describe an example system architecture, the data flow between components, generate a list of threats using STRIDE, and then make recommendations on mitigating those threats.

Model-Assisted Threat Hunting (M-ATH) with the PEAK Framework
Splunk’s Ryan Fetterman continues his series on the PEAK Threat Hunting Framework. In this article, he explores the Model-Assisted Threat Hunting (M-ATH) technique, which leverages an algorithmic-driven approach to uncover potential leads for threat hunting. By streamlining or consolidating data, this method paves the way for more traditional hunting techniques.

Machine Learning

Quicklinks:

  • Podcast Embeddings - 1000s of hours of podcast transcript indexed, including Tim Ferris, My First Million, etc.

  • ToastWiz - An AI wedding speech writer.

Why AI Will Save The World
a16z’s Marc Andreessen’s argues that AI will not destroy the world, and in fact may save it, by augmenting human intelligence to speed up the rate at which we create new medicines, solve climate change, reach the stars, drive down the cost of many goods and services, and more.

robusta-dev/chatgpt-yaml-generator/
By Robusta.dev: A ChatGPT plugin that gives ChatGPT up-to-date knowledge of every Kubernetes resource and their complete specs, lets ChatGPT query the Kubernetes OpenAPI schema to fetch resource definitions, and provides ChatGPT with schema validation capabilities.

  1. OpenAI is heavily GPU limited at present

  2. OpenAI’s near-term roadmap: cheaper and faster GPT-4, longer context windows, finetuning API, a stateful API, multimodality in 2024

  3. Plugins “don’t have PMF” and are probably not coming to the API anytime soon

  4. OpenAI will avoid competing with their customers — other than with ChatGPT

  5. Regulation is needed but so is open source

  6. The scaling laws still hold

OpenAI’s internal data suggests the scaling laws for model performance continue to hold and making models larger will continue to yield performance. The rate of scaling can’t be maintained because OpenAI had made models millions of times bigger in just a few years and doing that going forward won’t be sustainable. That doesn’t mean that OpenAI won’t continue to try to make the models bigger, it just means they will likely double or triple in size each year rather than increasing by many orders of magnitude.

Delivering Security at Scale: From Artisanal to Industrial
Another excellent post by Phil Venables, in which he examines the difference between artisanal and industrial security programs, the metrics that measure the evolution, the forces to harness, the need for continuous controls monitoring and taking the perspective of end to end business service (or mission) assurance.

Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its scale, predictability and reliability - otherwise that effectiveness cannot be sustained… move beyond individual team member craftsmanship toward relentlessly consistent organization-wide outcomes.

The majority of attacks have a common pattern - that they are not the result of some awesome attacker capability to exploit some hitherto unknown vulnerability or to realize a risk from some combination of controls weakness not contemplated. Rather, a remarkably common pattern is that the control or controls that would have stopped the attack (or otherwise detected/contained it) were thought to be present and operational but for some reason were actually not - just when they were most needed.

You want your industrialization to amplify individuals to a highest common factor and make their actions scale rather than commoditize performance to a lowest common denominator.

Misc

Kenny Loggins
Generate a secure password from the lyrics of America’s greatest singer songwriter.

The Collective Noun Catalog
Impress your friends by knowing that a group of scorpions can be called a “bed” or “nest,” a group of ducklings are a “fleet,” a group of jack-o-lanterns is a “leer,” and other such collective nouns.

Ranking the Pain of Stinging Insects, From ‘Spicy’ to ‘Shockingly Electric’
One passionate entomologist poetically described and classified more than 70 species’ painful stings. Schmidt, “The King of Sting,” had been stung more than 1,000 times during his research career. Choice descriptions like:

Pure, then messy, then corrosive. Love and marriage followed by divorce.

Torture. You are chained in the flow of an active volcano. Why did I start this list?

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler