• tl;dr sec
  • Posts
  • [tl;dr sec] #187 - AWS Pentest Methodology, Destroyed by Breach, Awesome LLM Cybersecurity Tools

[tl;dr sec] #187 - AWS Pentest Methodology, Destroyed by Breach, Awesome LLM Cybersecurity Tools

An offense-focused approach to AWS pentests, companies ended by cybersecurity breaches, OSS security tools leveraging LLMs

Hey there,

I hope you’ve been doing well!

💪 Bro-ing Out

This week I’m visiting by brother, who has kindly offered to host me in his 1 bedroom.

I knew it was going to be an auspicious visit, as when I was leaving the airport I saw a family carrying a sign that said “Congrats on getting out of prison early.” (True story)

We’re fairly different people, but we’re going to bond over getting swole at the gym.

He likes South Park and I like musicals, so I had him listen to some of the Book of Mormon soundtrack (same creators), which he liked. Check out You and Me (But Mostly Me) if you haven’t seen it.

I figure after spending a week largely in the same room, if we’re both still alive, we’ll have grown closer 😂 

🤖 Daniel Miessler: The future of AI and Security

Next Wednesday (June 28) I’m joining my bud Daniel Miessler to chat live about uses of AI in cybersecurity.

We’ll discuss topics like:

  • What areas of security are likely to be disrupted? Which aren’t?

  • How might this affect your day-to-day work?

  • What should you do to future-proof your career?

We’re going to leave a ton of time for Q&A, so show up with questions, we’d love to hear your thoughts 😎 

P.S. Daniel and I also recorded an ~hour long discussion on AI + security that we’ll share after the session.

Sponsor

📣 The Cloud Security Model Cheat Sheet

How leading security orgs stay ahead!

As more processes move to the cloud, security teams are stuck playing catch-up. But leading security orgs are staying ahead. And the numbers prove them right. In this cheat sheet you’ll learn:

  • The 4-step process to adapt your cloud security strategy

  • How to prioritize the right pillars in your team

  • Data-backed research that proves why this is a winning approach

It’s all in the Cloud Security Model Cheat Sheet.

Hang it on the walls of your open space (or share it with your team on Slack).

📜 In this newsletter…

  • AppSec: Building Blocks, Building Security Tools is the Wrong Approach, AppSec Through the Lens of Developer Experience

  • Cloud Security: AWS Pentest Methodology, How Cloud Providers Do Business, Risks in Managed Kubernetes Cluster Middleware, PrivEsc via AWS Batch

  • Container Security: Bypassing vulnerability scanners

  • Supply Chain: Update deps in GitHub Actions, Good Practices for Supply Chain Cybersecurity, Generation of SLSA3+ provenance for artifacts created in a Docker container, Argo Supply Chain Security, Finding Pwnable Terraform Modules

  • Red Team: CVExploits Search

  • Machine Learning + Security: AI Canaries, awesome LLM security tools, tool to find AWS IAM config issues, GPT Burp extension, exfiltrating data from Bing Chat

  • Machine Learning: Massive list of resources from a16z

  • Misc: Destroyed by Breach, InfoSecMap, Expectations Debt, Gratitude practice reframe

AppSec

Building Blocks
PentesterLab’s Louis Nyffenegger does a great, concise (3min) overview of the idea and benefits of “secure building blocks” / “secure defaults” / “paved road” concept, where security teams partner with engineering teams to build safe by construction ways for devs to do common tasks securely (e.g. authorization, parsing XML, JWT stuff, etc.).

Building Security Tools is the Wrong Approach
Mark Curphey argues that making dev-centric security tools is a step in the right direction, but-

…if we are to get true mass adoption of tools that can significantly improve security, they will have to be tools that first and foremost solve a ‘gunshot to the chest’ problem for software developers, and then solve a ‘gunshot to the chest’ problem for security teams as a side effect as well. Just reducing friction is not enough.

Application Security Through the Lens of Developer Experience
Excellent post by Jason Chan on how modern AppSec teams should embrace a Developer Experience (DevEx)-focused approach, giving examples in 3 core DevEx dimensions: optimize feedback loops, minimize cognitive load, and maximize flow state.

Jason includes a number of great resources at the bottom, including this DevEx paper.

Sponsor

📣 Tailscale, a frustratingly simple VPN

Tailscale is the simple and secure way to build and manage your team’s network.

We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.

Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.

Cloud Security

My AWS Pentest Methodology
Lizzie Moratti shares recommendations for offensive-focused practitioners on how to approach pentesting AWS environments, including useful tools, mapping account usage, reviewing account configurations, and conducting dynamic tests from an attacker's perspective.

FTC Request, Answered: How Cloud Providers Do Business
The Federal Trade Commission has asked the public to weigh in on cloud computing providers’ business practices, and Corey Quinn shares interesting perspective across a few areas.

Cloud providers once focused on customer retention via innovation and customer satisfaction. Today, they have enough deterrent business practices in place to make switching providers an expensive Herculean undertaking.

Kubernetes Grey Zone: Risks in Managed Cluster Middleware
Wiz's Shay Berkovich explores the risks associated with managed cluster middleware (MCM) (services ran by the cloud provider) and the additional security vulnerabilities and attacks that can arise from them. Shay presents two attack scenarios to highlight the potential impact of a compromised MCM, privilege escalation via Node Problem Detector and privilege escalation via Fluent Bit ConfigMap, and offers mitigation guidelines.

Messing Around With AWS Batch For Privilege Escalations
Doyensec's Francesco Lacerenza and Mohamed Ouad explore AWS Batch, a self-managed and self-scaling scheduler for tasks. They outline a vulnerable scenario involving EC2 compute environments when the container operates in bridged network mode, and offer mitigation suggestions. TIL that containers running in ECS and EKS have the Container Metadata Service (CMDS), which is basically IMDS but for containers and pods in AWS. Associated Terraform lab here.

Container Security

Bypassing vulnerability scanners
Rory McCune along with Ian Coldwater, Brad Geesaman, and Duffie Cooley, presented recently at Kubecon EU 2023 on how a malicious container image could bypass container vulnerability scanners. In this article, Rory discusses the concept of building a container filesystem at runtime to deceive container vulnerability scanners.

Supply Chain

JamesWoolfenden/ghat
By James Woolfenden: A tool for updating dependencies in your GitHub Actions to their latest versions, using immutable hashes instead of mutable tags.

Good Practices for Supply Chain Cybersecurity
Report by the European Union Agency for Cybersecurity (ENISA) providing an overview of the current supply chain cybersecurity practices followed by essential and important entities in the EU.

Generation of SLSA3+ provenance for artifacts created in a Docker container
How to generate SLSA provenance for artifacts created by running a command inside a user-supplied container, using a GitHub Actions reusable workflow.

Stronger Supply Chain Security Coming to Argo
Argo CD has adopted the OpenSSF Scorecard and refactored their release process in order to provide a SLSA Level 3 provenance for container images and CLI binaries.

Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry
Unlike providers, Terraform modules are not subject to the same protection granted by the Dependency Lock File. Modules are simply fetched using a version constraint requirement, which provides no cryptographic guarantee in the face of changes in the underlying artifact.

BoostSecurity’s François Proulx describes how they downloaded all Terraform providers and modules, ran various static code analysis tools like Semgrep on them, looking for GitHub Actions workflows vulnerable to “pwn request” attacks, and found several hundreds of vulnerable modules.

Red Team

CVExploits Search
A comprehensive database for CVE exploits, collected automatically from GitHub, GitLab, Packet Storm Security, Metasploit modules, and more.

Machine Learning + Security

AI Canaries
Daniel Miessler describes the idea of placing canary prompt injection payloads around your site (e.g. robots.txt) that alert you when an AI agent is interacting with your site.

tenable/awesome-llm-cybersecurity-tools
A curated list of cybersecurity tools that leverage LLMs, by Tenable’s Olivia Fraser and Blake Kizer, across reverse engineering, network analysis, cloud security, and PoCs.

tenable/EscalateGPT
An AI-powered tool for discovering privilege escalation opportunities in AWS IAM configurations, by Tenable. “In our testing against real-world AWS environments, we found that GPT4 managed to identify complex scenarios of privilege escalation based on non-trivial policies through multi-IAM accounts.”

tenable/Burp-extension-for-GPT
A Burp Suite extension that leverages OpenAI to analyze HTTP traffic and identify potential security concerns. “We tested some real-world scenarios and we found that GPT3.5 and GPT4 successfully identified XSS and misconfigured HTTP headers without requiring any additional fine-tuning.”

Can Generative AI Improve Your Cybersecurity Posture in 2023 and Beyond?
Mark Lynd provides an overview of some ways that AI can be applied to security, and lists a number of security vendors that have already integrated AI in some way into their products.

Bing Chat: Data Exfiltration Exploit Explained
Johann Rehberger describes how he found a Prompt Injection attack angle in Bing Chat that allowed malicious text on a webpage (like a user comment or an advertisement) to exfiltrate data.

Machine Learning

AI Canon
An impressive list of resources from a16z covering a gentle introduction, foundational learning, tech deep dive, practical guides to building with LLMs, market analysis, and landmark research results.

Misc

Quicklinks:

Destroyed by Breach
A list of businesses that have actually gone out of business due to a cybersecurity-related incident, by Adrian Sanabria.

InfoSecMap
An awesome resource to search for security events by date, location and topic, by Martín Villalba. They plan to add support for searching CFPs as well.

I once heard that 90% of culture is just “winning,” – when a company is winning, everyone’s happy, rich, being promoted, and they see their work as contributing to something bigger than themselves.

Expectations are like a debt that must be repaid before you get any joy out of what you’re doing.

An asset you don’t deserve can quickly become a liability.

Companies should want the valuation they deserve, and not a penny more.

Workers should want a salary that matches their skill, and nothing more.

None of those are about settling or giving up. It’s about avoiding a certain kind of psychological debt that comes due when reality catches up.

There’s a stoic saying: “Misfortune weighs most heavily on those who expect nothing but good fortune.”

Morgan Housel

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler