[tl;dr sec] #157 - Transforming Security Champions, Production-ready osquery, Compromising Self-hosted GitHub Runners
Tanya Janca on building a security champions program, highly tuned osquery detections, gaining GitHub Runner persistence and how to detect compromises.
I hope you’ve been doing well!
I hope you had a great Halloween weekend, and that you’re mostly recovered from your sugar coma!
I didn’t have much time to prepare a costume, so I ended up getting Spirit Halloween’s “sexy police officer.”
But I didn’t want to be basic, so I thought of a punny take on it and made some modifications (which I will not share here, as I might use it next year).
Despite the modifications, I did still get asked multiple times at parties, and at work on Monday, when the “show” would start 😂
If I need a costume next year, I could also go with:
Call for Jobs!
Due to the economy, there’s recently been a number of awesome security folks laid off.
If your company is hiring, send me a link to the job description (you can just reply directly to this email) and I’ll include it in the newsletter next week.
r2c: CVE Analyst
Speaking of, my company is hiring!
This role is remote friendly and a great entry level role for someone wanting to break into the security industry.
You can apply directly here, and feel free to mention I sent you!
📢 Adopting Real-Time Threat Detection Workflows
Real-time threat detection is empowering security teams to flip the script on potential intruders. Real-time threat detection is the evolution of traditional threat detection that utilizes best-in-class modern security tools to analyze potential threats instantly. In the case of modern SIEM tools, teams can automate analysis to occur directly as event logs are ingested. Learn how to adopt a real-time threat detection strategy with modern SIEM in under an hour.
📜 In this newsletter...
Conferences: DEF CON 30 talk playlist, list of cybersecurity conferences, notes on 9 Strangeloop talks
AppSec: evil OIDC server that SSRFs, tool to detect misconfigurations and security risks across GitHub assets, make locally trusted dev certificates, transforming security champions, from self-hosted GitHub runner to self-hosted backdoor
Web Security: Attacker and defender's view of API vulnerabilities
Supply Chain: Sigstore GA and v1.0 releases, overview of OWASP Software Component Verification Standard, announcing GUAC, a great pairing with SLSA
Cloud Security: Terraform ClickOps notifier, grep for infra, best practices for network perimeter security in cloud-native environments, generating fine-grained permissions using IAM Access Analyzer
Blue Team: Production-ready osquery detections, malicious CVE PoCs on GitHub, massive cryptomining operation leveraging GitHub Actions
Politics / Privacy: TikTok is tracking US citizens, China's influence operations around the US elections, Chinese agents tried to interfere with Huawei criminal case in US
Misc: Olive oil brownies with sea salt, make delicious french toast, Dungeons & Dragons therapy, rom coms are back
Inspiration: The dangers of doubting yourself, being rejected is giving you rocket fuel
DEF CON 30 Main Talks Playlist
Always worth checking out.
Transforming Security Champions
Tanya Janca’s RSAC talk on how security champions programs work, how to select security champions, and a recipe for success: recruit, engage, teach, recognize, reward, and don’t stop. Also, this talk was recently selected for the RSA Conference 2022 Top-Rated Session program, congrats Tanya! 🙌
From Self-Hosted GitHub Runner to Self-Hosted Backdoor
Praetorian’s Adnan Khan, Mason Davis, and Matt Jackoski describe how they gained persistent access to a target GitHub environment via an obtained personal access token (PAT) and by compromising self-hosted runners. They describe ways in which PATs can be disclosed and how there are significant logging gaps when not on GitHub’s most expensive tier. Boo.
Black and Blue APIs: Attacker’s and Defender’s View of API Vulnerabilities
Matt Tesauro walks through the OWASP API Security Top 10 from both an attacker and defender point of view.
Sigstore project announces general availability and v1.0 releases
By Google’s Dave Lester and Bob Callaway. The Sigstore community has announced the general availability of their free, community-operated certificate authority and transparency log services. Two of Sigstore’s foundational projects, Fulcio and Rekor, published v1.0 releases as well, denoting a commitment to API stability.
See also GitHub’s Zach Steindler post: Why we’re excited about the Sigstore general availability.
OWASP Software Component Verification Standard (SCVS)
Chris Hughes provides an overview of OWASP SCVS, a community-driven software supply chain security guide. It focuses on reducing risk in the software supply chain by identifying relevant activities, controls and best-practices that can be implemented throughout the software supply chain lifecycle.
Chris describes what’s involved in the 3 levels of maturity across 6 control categories: Inventory, SBOM, Build Environment, Package Management, Component Analysis, and Pedigree and Provenance.
📢 Secure and private cloud data classification
When it comes to protecting cloud data, the solution can't create more risk than the product aims to reduce. Backhauling data beyond the confines of your environment to a common hub or cloud service that provides a centralized home for classification and analytics creates significant security risks.
Read our blog to learn how Open Raven solves these issues and avoids data backhauling altogether by safely bringing computing power and analysis logic to the data instead of the other way around.
Terraform ClickOps Notifier: get notified when users are taking actions in the AWS Console.
By Similarweb’s Isan Rivkin: CLI text search across your infrastructure platforms: it’s grep for infra. Currently supports: AWS Route53, ACM and S3, Hashicorp Vault and Consul KV, ElasticSearch, and Logz.io.
Best Practices for Network Perimeter Security in Cloud-Native Environments
Datadog’s Mallory Mooney looks at the evolution of network perimeters in modern cloud environments as well as some best practices for securing them:
Inventory all network entry points and secure existing boundaries
Use Zero Trust architecture to restrict access
Segment networks to control traffic from potentially vulnerable entry points
Get visibility into all network traffic
Use IAM Access Analyzer policy generation to grant fine-grained permissions for your AWS CloudFormation service roles
IAM Access Analyzer policy generation creates fine-grained policies based on your AWS CloudTrail access activity—for example, the actions you use with ECS, Lambda and S3. AWS has expanded policy generation capabilities to support the identification of actions used from over 140 services, including CloudFormation, DynamoDB, and SQS.
Production-ready detection & response queries for osquery, by Chainguard. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.
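An added example of the zero-rows convention, written here for illustration rather than taken from Chainguard’s query pack: it flags processes whose executable lives in a world-writable scratch directory, and the allowlisted exceptions in the WHERE clause are hypothetical placeholders you would tune per fleet so the query stays silent under normal behavior.

```sql
-- Constructed osquery example (not from the Chainguard pack): any row returned is an alert.
-- Joins the processes table to itself for the parent name and to users for the account.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.parent,
  pp.name AS parent_name,
  p.uid,
  u.username
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent
LEFT JOIN users AS u ON u.uid = p.uid
WHERE (
    p.path LIKE '/tmp/%'
    OR p.path LIKE '/var/tmp/%'
    OR p.path LIKE '/dev/shm/%'
  )
  -- Tuning block: known-good exceptions go here so the query returns zero rows on healthy hosts.
  AND p.path NOT LIKE '/tmp/example-build-cache/%'   -- hypothetical allowlisted build path
  AND NOT (p.name = 'example-agent' AND p.parent = 1) -- hypothetical allowlisted daemon
;
```

Schedule it with a short interval and alert on any non-empty result; new false positives get folded into the tuning block rather than into alert suppression.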
How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub
PoCs for exploits are often shared on platforms like GitHub. However, there’s no guarantee that the PoCs are trustworthy, or that they don’t contain additional functionality. This academic paper reviewed PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021, and found 4893 malicious repositories out of the 47313 repositories that were downloaded and checked (i.e., 10.3% of the studied repositories show symptoms of malicious intent).
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
Sysdig’s Crystal Morin describes an extensive and sophisticated active cryptomining operation in which a threat actor is abusing the free tier of some of the largest cloud and continuous integration (CI/CD) service providers, including GitHub, Heroku, Buddy.works, and others.
They estimate the threat actor would need to use several thousand free accounts to earn $137, which would cost ~$103,000 of GitHub’s resources.
Politics / Privacy
TikTok accused of plotting to track specific US citizens
Why bother hacking people’s devices when you can get them to install your app that gives you GPS and other phone info?
Uncle Sam says Chinese agents tried to interfere with Huawei criminal case in US
13 people charged with committing espionage-linked crimes in the US on behalf of the Chinese government, including: attempting to force a Chinese national in America to return to China; attempting to interfere with the federal criminal prosecution of a Chinese company, said to be Huawei; and attempting to recruit US academics and government officials in the US to spy for China.
It’s almost like there’s a consistent, intentional, widespread effort to undermine the U.S. 🤔
How To Make French Toast Even Better than the Diner
Some pretty solid tips.
Dungeons & Dragons and… therapy?
Apparently there’s been a rise of therapeutic tabletop role-playing games (TTRPGs) to help some clients open up.
H/T @securibee’s newsletter for these and other good links.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!