[tl;dr sec] #185 - Artisanal to Industrial Security, Securing the EC2 Instance Metadata Service, 12 Threat Modeling Methods
How to deliver security at scale, the security properties of IMDSv2, a summary of many threat modeling approaches.
I hope you’ve been doing well!
🚨 Changing Platforms 🚨
Over the next few weeks I’m going to be changing two important things about how I send tl;dr sec:
This might make it harder for tl;dr sec to end up in your inbox.
I’d really appreciate if you took some small steps to smooth the transition, like:
This change will allow me to create even more and better content for you in the future, and the site and emails will look awesome on web and mobile.
Thanks so much for your help and patience! Here’s a productivity tip as a thank you.
This week Semgrep launched some pretty cool stuff:
Semgrep Supply Chain is now free to use up to a 10-contributor limit.
Semgrep is even faster; set up scanning on GitHub.com in a minute, scan on every keystroke in the Semgrep Playground and VS Code.
If you want to hear more about these updates we’re having a webinar next Wednesday.
📢 5 tips to help CISOs (and aspiring security leaders) survive and thrive in the boardroom
Want to know the secret to nailing a cybersecurity board presentation? Learn from Andy Schneider, a seasoned former CISO, current Field CISO at Lacework and member of several advisory boards, who has already learned what not to do, so you don't have to find out the hard way.
Board level conversations about cybersecurity are taking more importance everyday as companies prioritize the protection of their infrastructure, data, and ultimately their business. As security leaders, we tend to talk about security and assume everyone understands (and cares), but in reality, that’s not always the case.
Check out this blog article to learn 5 key tips on how to shine in your next board meeting and how to best approach cybersecurity conversations in the boardroom.
This post is excellent and full of practical, actionable advice for any security leader, or just anyone wanting to be effective at influencing in their org. Solid metrics and presentation tips.
Highly recommend giving it a read ☝️
📜 In this newsletter…
AppSec: 12 threat modeling methods, Reversing Pickle
OSINT / Recon: Nuclei Templates Directory, Efficient Active Subdomain Enumeration with Patterns
Cloud Security: AWS IMDS Packet Analyzer, distribute CLI commands to Lambdas, Securing the EC2 Instance Metadata Service, How to get rid of AWS access keys
Container Security: Debugging Kubernetes with Automated Runbooks & Ephemeral Containers
Fuzzing: Coverage-guided greybox distributed fuzzer, Random Fuzzy Thoughts, Unearthing Vulnerabilities in the Apple Ecosystem
Machine Learning + Security: Threat Modeling with ChatGPT, Model-Assisted Threat Hunting
Machine Learning: Why AI Will Save The World, How I Use OpenAI’s GPT-4 To Stay In Touch With My Mum, ChatGPT Plugin for Kubernetes YAML, Hacker and AI-themed phone backgrounds
Misc: Kenny Loggins, The Collective Noun Catalog, Ranking the Pain of Stinging Insects
Delivering Security at Scale: From Artisanal to Industrial: How to effectively scale security
Threat Modeling: 12 Available Methods
CMU’s Nataliya Shevchenko walks through 12 threat-modeling methods, including STRIDE, PASTA, LINDDUN, CVSS, Attack Trees, Persona non Grata, Security Cards, hTMM, Quantitative Threat Modeling Method, Trike, VAST Modeling, and OCTAVE.
Reversing Pickles with r2pickledec
Doyensec’s Dennis Goodlett introduces r2pickledec, a pickle decompiler that supports all instructions up to protocol 5 and works with Radare2. Dennis also gives an introduction to Python pickles and how they work, along with a practical case showing how to reverse engineer a pickle using Radare2 and r2pickledec.
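The same analysis in the standard library, as an added example that is not from Dennis's post and does not use r2pickledec: the sample pickle below is constructed here with a `__reduce__` that makes the loader call `os.getenv` (a real attacker would reach for `os.system` or `subprocess.check_output` the same way), `disassemble` shows the opcode stream the way a pickle disassembler does, `referenced_globals` lists every module/name the loader would import without executing anything, and `safe_loads` is a restricted unpickler that refuses any global not on an allowlist. Function names are this example's own.

```python
import io
import os
import pickle
import pickletools


def make_sample_pickle(protocol=2):
    """Constructed sample: an object whose __reduce__ turns unpickling into a
    function call. Loading it with pickle.loads runs os.getenv("PATH")."""
    class Payload:
        def __reduce__(self):
            return (os.getenv, ("PATH",))
    return pickle.dumps(Payload(), protocol=protocol)


def disassemble(data):
    """Opcode listing (pickletools.dis), the first thing to read when reversing a pickle."""
    out = io.StringIO()
    pickletools.dis(data, out=out)
    return out.getvalue()


def referenced_globals(data):
    """Static scan: (module, name) pairs the pickle would import at load time.
    GLOBAL (protocols 0-3) carries "module name" as its argument; STACK_GLOBAL
    (protocol 4+) takes module and name from the two most recent string pushes."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allowlist."""

    def __init__(self, file, allowed=frozenset()):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(data, allowed=frozenset()):
    """Load a pickle, but fail closed on any global outside `allowed`."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


if __name__ == "__main__":
    sample = make_sample_pickle()
    print(disassemble(sample))
    print("imports:", referenced_globals(sample))
    print("imports (protocol 4):", referenced_globals(make_sample_pickle(4)))
    try:
        safe_loads(sample)
    except pickle.UnpicklingError as e:
        print("blocked:", e)
```

The static scan is the cheap triage step: a pickle that references anything outside the types you expect should never reach `pickle.loads`, and the restricted unpickler is the backstop for the ones you do load.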
OSINT / Recon
Introducing Alterx: Efficient Active Subdomain Enumeration with Patterns
Project Discovery’s Tarun Koyalwar introduces Alterx, a tool for active subdomain enumeration that generates candidate names from customizable patterns and delivers substantial advantages over plain brute-force wordlists.
📢 Ockam: Securely connect applications across private networks, without opening any ports
With Ockam, add end-to-end encrypted and mutually authenticated secure channels to any application in any transport topology. Connect to services in remote private networks using end-to-end encrypted portals. Scale cryptographic identities, bootstrap mutual trust, manage short-lived credentials, and enforce attribute-based access control everywhere.
Use Ockam's open source tools to build secure-by-design applications that can Trust all Data-in-Motion.
AWS IMDS Packet Analyzer
A tool that traces TCP interactions with the EC2 Instance Metadata Service (IMDS). It helps identify which processes on a host are still making IMDSv1 calls, so you can migrate everything to the more secure IMDSv2 before enforcing it.
By Nelson Elhage: A tool designed for running UNIX commands within AWS Lambda. It offers a convenient drop-in replacement for gcc or clang to execute compilation tasks in the cloud, resulting in significant speed improvements when building extensive C or C++ software projects.
Misconfiguration Spotlight: Securing the EC2 Instance Metadata Service
Datadog’s Nick Frichette sheds light on a common misconfiguration in cloud environments: EC2 instances that still allow IMDSv1. Nick explains how IMDSv2 mitigates the classic SSRF-to-credential-theft path. A client must first obtain a session token with a PUT request to /latest/api/token (most SSRF bugs can only issue GETs), and then present that token in the X-aws-ec2-metadata-token header on every subsequent metadata request.
He also explains how it blunts misconfigured reverse proxies: IMDS refuses any token request that carries an X-Forwarded-For header, which nearly every proxy adds, so a proxy that forwards attacker requests to 169.254.169.254 cannot obtain a token.
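The rules above, as an added example that is not code from Nick's post or from AWS: `FakeIMDS` is a constructed in-process stand-in for the metadata service (its status codes and the credential path contents are assumptions of this model), `fetch_metadata_v2` is the exchange a legitimate on-instance client performs, and the two `ssrf_*` functions show why a GET-only SSRF and a proxied request both fail against IMDSv2. The paths and header names are the real IMDS ones.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # six hours, the documented maximum token lifetime


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class FakeIMDS:
    """Constructed stand-in for the metadata service (status codes assumed).
    tokens_required=True models the HttpTokens=required instance setting (IMDSv2 only);
    False models HttpTokens=optional, where IMDSv1 GETs without a token still work."""
    tokens_required: bool = True
    paths: dict = field(default_factory=lambda: {
        "/latest/meta-data/iam/security-credentials/": "app-role",  # assumed content
    })
    _tokens: dict = field(default_factory=dict)  # token -> expiry timestamp

    def handle(self, method, path, headers, now=None):
        now = time.time() if now is None else now
        h = {k.lower(): v for k, v in headers.items()}
        if path == TOKEN_PATH:
            # Rule 1: tokens are only issued for PUT. Typical SSRF bugs can only
            # send GETs, so they never get past this check.
            if method != "PUT":
                return Response(405)
            # Rule 2: a PUT carrying X-Forwarded-For was relayed by a proxy rather
            # than sent by a process on the instance, so it is refused.
            if "x-forwarded-for" in h:
                return Response(403)
            try:
                ttl = int(h.get(TTL_HDR.lower(), ""))
            except ValueError:
                return Response(400)
            if not 1 <= ttl <= MAX_TTL:
                return Response(400)
            token = secrets.token_urlsafe(32)
            self._tokens[token] = now + ttl
            return Response(200, token)
        # Rule 3: metadata reads must carry an unexpired token in the header,
        # unless the instance still permits IMDSv1.
        token = h.get(TOKEN_HDR.lower())
        if token is None:
            if self.tokens_required:
                return Response(401)
        elif self._tokens.get(token, 0) <= now:
            return Response(401)  # unknown or expired token
        return Response(200, self.paths[path]) if path in self.paths else Response(404)


def fetch_metadata_v2(imds, path, ttl=300, now=None):
    """What a legitimate client does: PUT for a short-lived token, then GET with it."""
    tok = imds.handle("PUT", TOKEN_PATH, {TTL_HDR: str(ttl)}, now)
    if tok.status != 200:
        raise RuntimeError(f"token request failed: {tok.status}")
    return imds.handle("GET", path, {TOKEN_HDR: tok.body}, now)


def ssrf_via_get(imds, path):
    """Attacker with a GET-only SSRF: no PUT, no token, so only IMDSv1 would answer."""
    return imds.handle("GET", path, {})


def ssrf_via_proxy(imds, client_ip="203.0.113.7"):
    """Attacker behind a reverse proxy that forwards any method but, like nearly
    all proxies, appends X-Forwarded-For: the token request is refused."""
    return imds.handle("PUT", TOKEN_PATH, {TTL_HDR: "21600", "X-Forwarded-For": client_ip})


if __name__ == "__main__":
    creds = "/latest/meta-data/iam/security-credentials/"
    imds = FakeIMDS()
    print("on-instance client:", fetch_metadata_v2(imds, creds))
    print("GET-only SSRF:     ", ssrf_via_get(imds, creds))
    print("proxied PUT:       ", ssrf_via_proxy(imds))
    print("IMDSv1 still on:   ", ssrf_via_get(FakeIMDS(tokens_required=False), creds))
```

The last line of the demo is the point of the post: as long as the instance is left at HttpTokens=optional, a plain GET still returns credentials, so the protection only exists once IMDSv2 is required.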
How to get rid of AWS access keys- Part 1: The easy wins
Wiz’s Scott Piper delves into the most straightforward methods for eliminating AWS access keys and IAM users. Scott expands on the guidance provided by AWS when generating new keys and offers additional advice on handling existing access keys, including:
Removing unused access keys
Deleting IAM users without credentials
Getting rid of root access keys
Using a Service Control Policy (SCP) to deny the creation of new access keys and IAM users
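The first three wins above are a triage of the IAM credential report, and the fourth is a policy document; here they are together as an added example that is not Scott's code or AWS's. The CSV is constructed sample data in the credential report's column layout (a real report, from `aws iam get-credential-report`, is base64-encoded and has more columns; only these are read). The 90-day threshold and the fixed clock are this example's assumptions.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample report: root with an active key, a bot whose key has not been
# used for months, a user with no credentials at all, and one healthy user.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2023-06-01T10:00:00+00:00,true,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,N/A,true,2022-11-03T08:12:00+00:00,false,N/A
old-contractor,arn:aws:iam::123456789012:user/old-contractor,false,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2023-06-08T09:30:00+00:00,true,2023-06-09T11:00:00+00:00,false,N/A
"""

NOW = datetime(2023, 6, 10, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def _parse_ts(value):
    """The report uses N/A / no_information for 'never'; everything else is ISO 8601."""
    return None if value in ("N/A", "no_information", "") else datetime.fromisoformat(value)


def triage(report_csv, now=NOW, unused_days=90):
    """Apply the three easy wins to a credential report."""
    findings = {"unused_keys": [], "users_without_credentials": [], "root_has_access_keys": False}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            findings["root_has_access_keys"] = bool(active)  # win 3: root should have none
            continue
        for n in active:  # win 1: active keys with no recent use
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > timedelta(days=unused_days):
                findings["unused_keys"].append(f"{user}:access_key_{n}")
        if not active and row["password_enabled"] != "true":  # win 2: nothing to log in with
            findings["users_without_credentials"].append(user)
    return findings


def deny_new_iam_credentials_scp():
    """Win 4: SCP that denies creating new IAM users and access keys across the org."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNewIamUsersAndAccessKeys",
            "Effect": "Deny",
            "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
    print(json.dumps(deny_new_iam_credentials_scp(), indent=2))
```

A key that has never been used is reported here too; in practice compare that against its creation date before deleting it, since a key minted yesterday for a new pipeline is not stale.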
Debugging Kubernetes with Automated Runbooks & Ephemeral Containers
PagerDuty’s Jake Cohen introduces a pre-built, templatized PagerDuty Process Automation runbook that eliminates the need for users to run commands directly in running pods. See also the open source Rundeck.
Random Fuzzy Thoughts
Alex Kladov shares his insights and observations about randomized testing while delving into three interconnected questions:
How can we ensure robust reproducibility of generative fuzzing failures?
How can the existing randomized testing infrastructure be employed for manual test specification?
How can we verify that generative fuzzing adequately covers interesting scenarios?
Unearthing Vulnerabilities in the Apple Ecosystem: The Art of KidFuzzerV2.0
STAR Labs SG’s Zhenpeng Pan shares his research presented at OffensiveCon 2023 (video) on using backward fuzzing to discover additional security vulnerabilities in Apple drivers and the XNU kernel, leveraging various public and non-public Apple N-day bugs. The talk also provides a quick review of the attack surfaces and mitigations in Apple’s kernel space.
Machine Learning + Security
Threat Modeling Example with ChatGPT
Rusty Newton walks through using ChatGPT to describe an example system architecture, map the data flow between components, generate a list of threats using STRIDE, and then recommend mitigations for those threats.
Model-Assisted Threat Hunting (M-ATH) with the PEAK Framework
Splunk’s Ryan Fetterman continues his series on the PEAK Threat Hunting Framework. In this article, he explores the Model-Assisted Threat Hunting (M-ATH) technique, which leverages an algorithmic-driven approach to uncover potential leads for threat hunting. By streamlining or consolidating data, this method paves the way for more traditional hunting techniques.
Why AI Will Save The World
a16z’s Marc Andreessen argues that AI will not destroy the world, and in fact may save it, by augmenting human intelligence to speed up the rate at which we create new medicines, solve climate change, reach the stars, drive down the cost of many goods and services, and more.
How I Use OpenAI’s GPT-4 To Stay In Touch With My Mum More Consistently
Anna Geller describes how she uses GPT-4, AWS SNS, and more to stay in touch with her mum more consistently.
ChatGPT Plugin for Kubernetes YAML
By Robusta.dev: A ChatGPT plugin that gives ChatGPT up-to-date knowledge of every Kubernetes resource and its complete spec, lets ChatGPT query the Kubernetes OpenAPI schema to fetch resource definitions, and gives ChatGPT schema validation capabilities.
Hacker and AI-themed phone backgrounds by rez0
Wow, so cool! 😍
OpenAI is heavily GPU limited at present
OpenAI’s near-term roadmap: cheaper and faster GPT-4, longer context windows, finetuning API, a stateful API, multimodality in 2024
Plugins “don’t have PMF” and are probably not coming to the API anytime soon
OpenAI will avoid competing with their customers — other than with ChatGPT
Regulation is needed but so is open source
The scaling laws still hold
Delivering Security at Scale: From Artisanal to Industrial
Another excellent post by Phil Venables, in which he examines the difference between artisanal and industrial security programs, the metrics that measure the evolution, the forces to harness, the need for continuous controls monitoring and taking the perspective of end to end business service (or mission) assurance.
Kenny Loggins
Generate a secure password from the lyrics of America’s greatest singer-songwriter.
The Collective Noun Catalog
Impress your friends by knowing that a group of scorpions can be called a “bed” or “nest,” a group of ducklings are a “fleet,” a group of jack-o-lanterns is a “leer,” and other such collective nouns.
Ranking the Pain of Stinging Insects, From ‘Spicy’ to ‘Shockingly Electric’
One passionate entomologist, Justin Schmidt, “The King of Sting,” poetically described and classified the painful stings of more than 70 species, having been stung more than 1,000 times over his research career. Choice descriptions like:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!