• tl;dr sec
  • Posts
  • [tl;dr sec] #200 - LLM → Tailored IR Scenario, How to Secure Your GitHub/GitLab, Cloud Storage Threat Matrix

[tl;dr sec] #200 - LLM → Tailored IR Scenario, How to Secure Your GitHub/GitLab, Cloud Storage Threat Matrix

LLMs + ATT&CK → tailored incident response scenarios, OpenSSF's source code management platform best practices, new TTPs for the cloud storage threat matrix

Author

Clint Gibler
September 21, 2023

Hey there,

I hope you’ve been doing well!

📺️ Almost…. there!

Forgive me my friend, normally I try to write something funny and relevant here, but I’ve been heads down working on my AI applied to Cybersecurity talk that’s actually going to occur live but a few hours after you receive this email.

It’s been a big undertaking, but I’m happy with how it’s turned out- I touch on ~14 areas of security and 60+ resources in under 40min 😅 Phew.

I hope you’ve been doing so well that if they made an album about your life, it would look like:

Hope to see you soon!

Sponsor

📣 Who knows what data lurks in the depths of your emails?

Material knows.

Constantly protecting Google Workspace and Microsoft 365 environments is a daunting task for even the most savvy detectives. The inbox is an open door to your all-time historical data, internal file repositories, and SaaS account identities.

Material Security is purpose-built to provide enhanced visibility and advanced controls that address the entire risk profile of your cloud office suite over time, not just incoming email attacks as they happen.

AppSec

godaddy/tartufo
By Godaddy: A tool that searches through git repositories for secrets by going through the entire commit history of each branch and checking each diff from each commit using regular expressions and entropy.

How to Rotate: Key Rotation Tutorials
I love this open source key rotation tutorial collection by Truffle Security, covering a number of SaaS providers, describing step-by-step instructions on how to remediate leaked API keys.

Kelly Shortridge also argues that most things should be solved by design/architecture.

Web Security

$0 → $100K in bug bounty in 1 year
Thread by Justin Gardner on how he would regain his bug bounty knowledge in one year. First, focus on web fundamentals, access control bugs/IDOR, then CSRF, XSS, SSRF, then hacking and code review, and more.

Sponsor

📣 Smart device virtualization with Corellium

iOS and Android operating systems don’t natively run on the laptops of developer and security teams. Emulators are inadequate for keeping up with the new era of cybersecurity threats. And using physical devices with your CI/CD system is too costly. It’s time for innovation.

Corellium is reinventing how mobile applications are being developed and tested in a new cybersecurity and cost-efficiency landscape. From developer teams to security teams, the Corellium Virtual Hardware platform accelerates R&D, reduces DevOps costs, and helps shift security left in the software development lifecycle.

Cloud Security

Cloudgoat: IAM Privilege Escalation by Key Rotation
New scenario in Rhino Security Labs’ vulnerable by design AWS deployment tool.

invictus-ir/Invictus-AWS
By Invictus Incident Response: A Python script to automatically enumerate and acquire relevant data from an AWS environment, providing insights into running services, their configurations, available logs, and potential threats identifiable via CloudTrail logs.

Resilient Cyber Podcast: Scott Piper
Scott Piper joins hosts Chris Hughes and Nikki Robinson to discuss where they've seen the largest improvements in cloud security and where the largest gaps remain, securing multi-cloud environments, IAM complexity, and more.

How Attackers Can Misuse AWS CloudFront Access to Make It ‘Rain’ Cookies
Adan Alvarez writes about AWS CloudFront post-exploitation attacks, exploring two attack scenarios: cookie theft via CloudFront function and data exfiltration via Lambda function modification. Basically, if you can modify services that user traffic passes through (CloudFront, Lambda@Edge), you can do bad stuff like stealing or setting cookies, stealing data, etc.

38TB of data accidentally exposed by Microsoft AI researchers
Wiz’s Hillai Ben-Sasson and Ronny Greenberg found that the Microsoft’s AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data (via a SAS token), including a disk backup of two employees’ workstations. The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

Cloud storage security: What's new in the threat matrix
Microsoft Threat Intelligence has published the second version of its threat matrix for cloud storage services. The article elaborates on emerging techniques, including object replication, operations involving geo-replicas, data exfiltration via static website features, and more.

Supply Chain

Using Open Source Software Composition Analysis Tool From Google
Krzysztof Pranczk walks through using Google’s osv-scanner tool on a Python and Java project.

Build your own SLSA 3+ provenance builder on GitHub Actions
Andres Almiray, Adam Korczynski, Philip Harrison and Laurent Simon released the Build Your Own Builders (BYOB) framework for GitHub Actions, which takes an existing GitHub Action and makes it produce SLSA Build Level 3 provenance. To validate the design of this new framework, the authors are releasing three new builders for the Java ecosystem, including JReleaser, Maven and Gradle.

Source Code Management Platform Configuration Best Practices
The OpenSSF has announced a guide for securing SCM platforms, including GitHub and GitLab, including: hardening CI/CD pipelines against supply chain attacks, recommended branch protection policies and access controls and permissions, and server-level policies for globally enforced best practices.

Blue Team

When MFA isn't actually MFA
Awesome candor in Retool's Snir Kodesh write-up of a successful SMS spear phishing attack they were hit by. Two things stuck out:

  1. Google Authenticator's synchronization feature syncs MFA codes to the cloud, so if your Google account is compromised, so now are your MFA codes. Also, admin's cannot centrally disable this feature.

  2. "The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice." 😱

Red Team

vulncheck-oss/go-exploit
By Jacob Baines et al: An exploit development framework for Go that helps exploit developers create small, self-contained, portable and consistent exploits.

Leveraging VSCode Extensions for Initial Access
MDSec's Matt Johnson shares details of a clever red team engagement targeting developers, in which they created a malicious VS Code extension, mimicked a trustworthy domain, published it to the marketplace, and then it could be installed by victims with a single click via the vscode:// URI handler. They leveraged Node Native-Addons to then run arbitrary code, and Apache mod_rewrite rules to only serve malicious code to the target domain.

Machine Learning + Security

A.I. and the Next Generation of Drone Warfare
The Pentagon’s Replicator initiative envisions swarms of low-cost autonomous machines that could remake the American arsenal.

OpenAI Red Teaming Network
OpenAI is looking for people to help red team new models before they’re published.

projectdiscovery/openrisk
Tool by Project Discovery that reads nuclei (an OSS vulnerability scanner) output and generates a risk score for the host using GPT-3.

Self-enhancing pattern detection with LLMs: Our answer to uncovering malicious packages at scale
Apiiro’s Eli Shalom and Gil David describe how they combine a representation of a target package’s logic, capability analysis (e.g. does the package write files, perform HTTP requests, …), comparison to known malicious packages, clustering, and more to detect malicious packages at scale. Examples of malicious PyPi packages found.

mrwadams/attackgen
By Santander’s Matthew Adams: A tool that leverages LLMs and MITRE ATT&CK to generate tailored incident response scenarios based on user-selected threat actor groups and your organization's details.

How to automate API Specifications for Continuous Security Testing
Escape’s Younes Haddou describes a project in automatically generating an OpenAPI specification from source code, using Semgrep to extract routes and parameters and an LLM to infer the types of parameters.

CI Spark: LLM-Powered AI-Assistant for Creating Tests 15x Faster
Code Intelligence’s Khaled Yakdan describes CI Spark, a new product feature that leverages LLMs (optionally augmented by existing test code) to auto-generate test cases so their fuzzer gets higher code coverage. It can automatically identify fuzzing candidates (public functions that can be entry points) and generate code in JS/TypeScript, Java, and C/C++.

Machine Learning

Quicklinks

k8sgpt-ai/k8sgpt
A tool for scanning your Kubernetes clusters, diagnosing, and triaging issues in simple English.

Misc

Quicklinks

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler