[tl;dr sec] #146 - CI/CD Security, Lightweight Approach to Secure SDLC, End-to-End Threat Detection Rule Testing
Lessons learned compromising real world CI/CD pipelines, how to implement a lightweight SSDLC, new framework to ensure your threat detection rules work, from logging to processing pipeline to alerting.
I hope you’ve been doing well!
A Sport We Can Excel At
Many kids, when they’re growing up, want to be an astronaut, firefighter, or pro athlete.
When people asked me what I wanted to be when I grew up, I said, “Engineer.”
True story. I was probably 5 or so. I knew my dad was an engineer, and I thought that must be pretty cool.
So while I was never destined to be on ESPN for ball sports, I just came across something wonderful:
This thread includes some great clips, and links to a 2.5 hour video of the competition.
Did I watch it for 15+ minutes instead of finishing this newsletter? I’ll quote an announcer:
OK, so it starts out with a few minutes of highlight reel snippets to get you pumped. Then, it goes into a “get to know the players” montage with some bumping beats and rad geometic shapes in the background. And they ask the classic question:
If there’s one thing we can learn from all this, I think it’s: never give up on your dreams.
(I also enjoyed this Microsoft Excel Stream Highlights video by KRAZAM, who does some pretty funny tech-related comedy videos.)
📢 Benchmark your cloud configuration in minutes with JupiterOne
See how your configuration compares against CIS Foundations benchmarks in just a few clicks. Once your cloud provider is integrated with JupiterOne, this framework is automatically imported based on which cloud provider you use, giving you greater understanding of how to improve your configuration and security posture.
📜 In this newsletter...
CI/CD: Should you pay for CI/CD, lessons learned from 5 years of real-world CI/CD pipeline compromise, abusing source code management systems
AppSec: Makefile linter, sandboxing Make, a lightweight approach to secure SDLC
Web Security: Hacking APIs workshop, browser-powered desync
Cloud Security: Enable logging for AWS resources that aren't, AWS serverless snippets collection, an open source permission management framework, codify your best practices using SCPs, service-level fault injection testing
Blue Team: Open Cybersecurity Schema Framework, how to stand up a major cyber incident investigations board, framework for end-to-end testing of threat detection rules
Machine Learning + Art: An artist's thread on AI image generators, replacing a blog's thumbnails using DALL-E 2, the AI art apocalypse, DALL-E, the Metaverse, and Zero Marginal Content
RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromiseabstract
Black Hat talk by NCC Group’s Iain Smart and Viktor Gazdag (slides) in which they walk though a number of interesting attack scenarios. As previously called out in tl;dr sec, see also: 10 real-world stories of how we’ve compromised CI/CD pipelines.
Controlling the Source: Abusing Source Code Management Systems
IBM X-Force Red’s Brett Hawkins on material he presented at Black Hat USA 2022 (whitepaper). He discusses attack scenarios for GitHub Enterprise, GitLab Enterprise, and Bitbucket, including reconnaissance, manipulation of user roles, repository takeover, pivoting to other DevOps systems, user impersonation, and maintaining persistent access. Brett also released a tool: SCMKit.
A Lightweight Approach To Implement Secure Software Development LifeCycle (Secure SDLC)
Thirty Madison’s Anshuman Bhartiya walks through rolling out a secure SDLC, discussing Rapid Risk Assessments, architecture reviews, threat modeling, and more.
I agree with his approach to rolling out SAST, and have seen that approach effectively used at a number of companies. That is: roll out new checks carefully, test them, tune them, and use the following progression for checks as you gain confidence:
First notify the security team privately
Then surface as PR comments to developers (non blocking)
Finally, PR comment + blocking (only when you’re very confident):
Hacking APIs: Workshop
Presentation notes from Corey Ball’s DEF CON workshop. Also check out Corey’s recently published No Starch book: Hacking APIs: Breaking Web Application Programming Interfaces.
Browser-powered desync: New class of HTTP request smuggling attacks
More 🔥🤯 work from Portswigger’s James Kettle. Whitepaper, slides,
Find AWS resources that are not logging, and turn them on.
Introducing the new AWS Serverless Snippets Collection
A new page hosted on Serverless Land that makes it easier to discover, copy, and share common code that can help with serverless application development.
Codify your best practices using service control policies: Part 2
AWS’s Som Chatterjee discusses how you can think of creating SCPs using constructs from AWS Well-Architected, covering observability, security, and cost management. Som presents a number of SCPs, including:
Denying changes to CloudWatch monitors/logs or Config
Denying accounts from leaving the organization
Limiting permissions to accounts in your Sandbox org
Denying actions outside approved regions
Denying the ability to pass IAM roles
They’ve open sourced Filibuster, the prototype implementation of Service-level Fault Injection Testing, written in Python.
📢 Think Like a Hacker - Inside the Minds & Methods of Modern Adversaries
Organizations typically look at the latest TTPs from a defense perspective – “how to mitigate this or prevent it from happening again.” But adversaries are smart and can quickly adapt to changes made in enterprise security defenses. So, SANS and Bishop Fox endeavored to see TTPs through the eyes of an adversary by polling hundreds of ethical hackers to discover their favorite vectors, top vulnerabilities encountered, what stops them in their tracks, and more. Check out key findings & sign up for a webcast with SANS instructor Matt Bromily & Bishop Fox’s Tom Eston on Sept 27.
Open Cybersecurity Schema Framework
A proposed standard (whitepaper) for sharing security information. By standardizing alerts and logs from various tools, data scientists and analysts can work with a common language for threat detection and investigation. Companies involved include: Amazon, Splunk, IBM, Crowdstrike, Rapid7, Palo Alto, and Cloudflare.
How to Stand Up a Major Cyber Incident Investigations Board
Victoria Ontiveros and Tarah Wheeler gave a Black Hat talk (abstract, The Register) on how the aviation industry draws lessons learned from aviation incidents, and how a process could be applied to cyber incident investigations. In collaboration with Adam Shostack, they’ve released the Major Cyber Incident Investigations Playbook.
Introducing Threatest, A Go Framework For End-to-end Testing Of Threat Detection Rules
Datadog’s Christophe Tafani-Dereeper introduces threatest, which allows you to define scenarios where you detonate an attack technique (over SSH or using Stratus Red Team), then assert that an alert was produced on a third-party platform.
Reference: Bill Hader’s Stefon character on SNL.
Machine Learning + Art
Prompt engineering is hard, and requires creativity.
You get better at writing prompts with practice.
Stylistic modifiers are critical to getting interesting images.
It’s worth browsing r/dalle2 to get ideas for what goes into a good prompt.
You may need to photoshop out gibberish text.
You can edit your images after.
Getting a specific thing, a specific color, a specific number of things, or a thing in a specific place is hard.
I wouldn’t go long on $GETY (Getty Images).
The AI Art Apocalypse
On the economics of it, will people still make art, why people make art, having cheap and available art, AI as a tool, cultural implications, and more.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!