
[tl;dr sec] #186 - Enterprise Purple Teaming, Cloud CTFs, Code Review with LLMs

Massive list of purple teaming resources, two new cloud CTFs to practice on, how effective are LLMs at doing secure code reviews?

Hey there,

I hope you’ve been doing well!

New Platform, Who Dis? 👋 

Hello and welcome to the first edition of tl;dr sec on Beehiiv!

If you reached out to me in an effort to try to ensure email filters let this issue reach you, I’m hugely thankful 🙏 

I will respond to your email, I’m just a bit behind.

Why Beehiiv?

I’ve included some brief points at the bottom because a few people asked why I switched.

In short: if you’re going to start a newsletter today, I think it’s almost definitely the best option, but happy to chat in more detail about it.

P.S. You might see email from [email protected] or @mail.beehiiv.com. Apparently this “warming up” a domain helps with deliverability 🤷 

Keep an eye out Thursday mornings (PST) in case you’re not receiving tl;dr sec like normal.

Lots of AI Content This Time

Hope that’s OK 😅 

Sponsor

📣 How to automate the detection and prioritization of complex behavioral threats with AWS CloudTrail and Kubernetes audit logs

Monitoring AWS CloudTrail and Kubernetes audit logs is a critical part of maintaining security in your AWS cloud because it provides visibility into your account activity across your infrastructure. Because this data contains all actions performed by all authenticated users, identification of the attackers becomes extremely hard.

Learn from Jeff Vogt, Field CTO at Lacework (and former Senior DevOps Engineer), on how to automate the detection and prioritization of threats from your CloudTrail data so that you can easily (and quickly!) identify attacks such as compromised credentials, potential AWS defense evasion, cloud ransomware, and cloud-based cryptomining.

📜 In this newsletter…

  • AppSec: Awesome Security Challenges, Semgrep Turbo Mode

  • macOS Security: Passkey improvements, a number of new privacy and security features announced 

  • Web Security: A web path fuzzing tool, GraphQLmap

  • Cloud Security: The Big IAM Challenge, tool to find exploitable attack paths in cloud infra, a gamified cloud hacking sandbox

  • Blue Team: Enterprise Purple Teaming, HTTP agnostic software honeypot framework

  • Red Team: A collection of PoC and offensive techniques, breaking down reverse shell commands

  • Machine Learning + Code Auditing: Using AI to find vulns in XNU, evaluating Codex for Solidity code auditing

  • Machine Learning + Security: LLM security Twitter account, Google’s Secure AI framework, typosquatting ChatGPT hallucinated packages

  • Machine Learning: ML for document extraction, OpenAI updates (function calling), JSONformer, Microsoft’s prompt engine library

  • Misc: Social media protocol on DNS, Tanya Janca on getting better sleep

  • Why Beehiiv?: A few thoughts on why I switched from MailChimp

AppSec

mikeprivette/awesome-sec-challenges
By Mike Privette: A curated list of Awesome Security Challenges aimed at helping beginners and experts alike upskill their ethical hacking, pentesting, and crypto skills through online challenges.

Cross-compiling OCaml to JS and Wasm: How we made the Semgrep Playground Fast
Semgrep’s Tom "mad lad" Petr shares some of the wildest hackery I’ve read recently: getting Semgrep (OCaml) to compile down to JavaScript and WebAssembly so it can run... in your browser 🤯 This makes it so fast you can remove the Run button, as Semgrep runs on every keystroke.

…But we were pressed for time, so we instead wrote a temporary hack that would make functional programmers sick to their stomach. We exploited the fact that JavaScript objects are mutable and…

macOS Security

I love to see privacy and security as selling points  

Passkeys
Passkeys allow you to authenticate with apps and services using Face ID or Touch ID instead of remembering a password.

Apple now enables the synchronization of Passkeys with external providers such as password managers, and lets you share your passwords and passkeys from iCloud Keychain with groups or family members.

  • Major updates to Safari Private Browsing (advanced tracking and fingerprinting protections), Communication Safety, and Lockdown Mode, as well as app privacy improvements.

  • Link Tracking Protection in Messages, Mail, and Safari Private Browsing removes extra information from links to protect users from tracking and more.

Web Security

RapidDNS/Afuzz
An automated web path fuzzing tool targeted at bug bounty use cases, by @rapiddns.


swisskyrepo/GraphQLmap
A scripting engine to interact with a GraphQL endpoint for pentesting purposes, by Swissky.

Sponsor

📣 We Hack Purple – Everything You Need to Learn Secure Coding, and More!

Learn how to create secure software, from industry experts! Our fun, live, virtual training teaches developers to code more securely, with checklists, free access to on-demand courses, and a supportive online community, all for one price. Hire us to train your AppSec team, as we build your custom application security program, together! With customized training available, we have something that fits every organization’s software security training needs.

Cloud Security

The Big IAM Challenge
A new AWS IAM CTF by Wiz’s Nir Ohfeld, Shir Tamari, et al.

CloudFox: Find exploitable attack paths in cloud infrastructure
A command line tool to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure, by Bishop Fox’s Seth Art and Carlos Vendramini.


Introducing Cloudfoxable: A Gamified Cloud Hacking Sandbox
Bishop Fox’s Seth Art introduces Cloudfoxable, an intentionally vulnerable AWS environment created to teach AWS cloud penetration testing, with scenarios based on real cloud pen tests.

What sets CloudFoxable apart is its focus on creating as many distinct vulnerable resources and flags as possible – rewarding users for finding new entry points, lateral movement paths, and data access strategies.

Blue Team

Enterprise Purple Teaming: An Exploratory Qualitative Study
Xena Olsen has published her exploratory qualitative study examining the effectiveness of enterprise purple teaming in improving cybersecurity, as well as a big collection of purple team-related training materials, tools, frameworks and practitioner resources.

Introducing HASH: The HTTP Agnostic Software Honeypot framework
Datadog's Eslam Salem announces HASH, an open source unified framework for creating and launching low-interaction honeypots: mimic HTTP-based software with just a couple of YAML files.

Red Team

blackarrowsec/redteam-research
A collection of PoC and offensive techniques used by the BlackArrow Red Team.

Breaking down Reverse shell commands
Aditya Telange provides a visual overview of some of the most common reverse shell commands, including interactive shells, file descriptors, and read lines, offering a detailed explanation of the various parameters and options involved.

Machine Learning + Code Auditing

Editor's note: I’ve seen a number of blog posts where people use LLMs for auditing source code. Some of them have pretty poor methodologies. The Trail of Bits post below is probably the best one I've seen so far in teasing out nuances.

I think there are a lot of improvements and potential future work in this space. I just want to point out the challenges and nuances so next time you see a blog post or company like, "ZOMG LLMs can find every vulnerability evar!" you'll think critically about their approach and methodology.

Using AI to find software vulnerabilities in XNU
Tim Michaud shares his experience of using a codebert-c model (an open source model from HuggingFace) trained with the codeparrot/github-code-clean dataset to pinpoint a memory corruption vulnerability affecting XNU.

Also, TIL about Fill-Mask: mask some of the words in a sentence and predict which words should replace those masks.

In the current state of the AIs used (Which could VERY well be due to my misuse of them), I did not find this a compelling use case. Perhaps if I understood things better and had the time/patience/more effort to put into this it could've been better (And likely would be!).

Codex (and GPT-4) can’t beat humans on smart contract audits
Trail of Bits' Artem Dinaburg, Josselin Feist, and Riccardo Schirone discuss their initial investigations into using LLMs for security auditing Solidity code. In short, it's not great at it today and the tooling is nascent.

There is no particularly good way to determine if one prompt is better than another or if you’re on the right track. Similarly, when a prompt fails against an input, it is frustratingly difficult to figure out why and to determine, programmatically, which prompts are merely returning the wrong result versus completely hallucinating and misbehaving.

Unit tests are also problematic; the results are not guaranteed to be the same across runs, and newer models may not provide the same results as prior ones. There is certainly a solution here, but again, the tooling developers expect just wasn’t present.

And a 🌶️ take:

Machine Learning + Security

LLM Security
Twitter account that shares nice LLM + security resources.

Introducing Google’s Secure AI Framework
Google’s Royal Hansen and Phil Venables introduce the Secure AI Framework (SAIF), a conceptual framework for secure AI systems. SAIF is designed to help mitigate risks specific to AI systems like stealing the model, data poisoning of the training data, injecting malicious inputs through prompt injection, and extracting confidential information in the training data.

Can you trust ChatGPT’s package recommendations?
Vulcan’s Bar Lanyado describes how an attacker can typosquat library names that ChatGPT is likely to hallucinate so that when developers use code recommended by the LLM they install the attacker’s malicious package instead.

Machine Learning

deepdoctection/deepdoctection
A Python library that orchestrates document extraction and document layout analysis tasks using deep learning models.

OpenAI - Function calling and other API updates
More steerable versions of GPT-4 and gpt-3.5-turbo, a 16k context version of gpt-3.5-turbo, and lower prices for some models. Function calling allows you to have the LLM take your prompt and output JSON containing well-structured arguments to the functions you’ve defined for it (e.g. calling external APIs).

1rgs/jsonformer
A bulletproof way to generate structured JSON from Language Models.

microsoft/prompt-engine
A library for helping developers craft prompts for Large Language Models.

Misc

jonny/DNSocial
A truly decentralized social media protocol that works by posting directly to DNS 😂 Any domain or subdomain is a feed. Posts for that feed are TXT records.

#WeHackHealth Getting Better Sleep
My friend Tanya Janca shares her tips on getting better sleep, discussing caffeine, lowering the lights and removing blue lights when the sun sets, amber/warm vs blue lightbulbs, TV and phone use, blackout curtains, sun lamps, magnesium, sleep rituals, journals/lists, jetlag, diets and eating window, meditation, snoring and sleep apnea, and more.

See also Andrew Huberman’s Toolkit for Sleep.

 

Why Beehiiv?

I’ll write a post about this at some point, but because a few people asked:

  • Modern, clean UI and nice writing experience.

  • Solid analytics for understanding how people find your newsletter and built-in growth mechanisms (referral program, recommendations, etc.).

  • Creator-friendly business model - they charge you a flat monthly fee and don’t take 10% of subscriptions like Substack does.

    • Much cheaper than MailChimp or ConvertKit by list size.

  • They ship features faster than potentially almost any company I’ve ever seen. Unbelievable.

I have a referral link here, but honestly I would recommend Beehiiv regardless.

 

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler