• tl;dr sec
  • Posts
  • [tl;dr sec] #219 - IR in AWS, SOC Interview Questions, LLM Hackbots

[tl;dr sec] #219 - IR in AWS, SOC Interview Questions, LLM Hackbots

Playbooks and being incident response ready in AWS, practice questions for SOC analysts, autonomously hacking LLM agents

Hey there,

I hope you’ve been doing well!

🎷 A Tribute

In addition to the latest and greatest security research, I try to have tl;dr sec keep you in the loop of relevant trends.

For example, like “bardcore” in issue 50, which is a genre of medievalised remakes of hit pop songs.

Recently I stumbled across a whole album of… saxophone tributes of Christina Aguilera songs 😂 

In case it similarly brings a smile to your face, I leave you with Come on Over and Genie In A Bottle.

📺️ Upcoming Talks

Final mentions because these will happen before the newsletter next week:

Hope to see you there! 👋 


📣2024 Predictions for Identity and Access

Given the emerging concerns about AI's impact on security, escalating nation-state cyber aggression, and identity continuing to be a primary target for cyber breaches, 2024 could be a defining year in the identity and access space. Here’s what Teleport’s CEO Ev Kontsevoy thinks it has in store for the industry.

Identity is an absolutely key fundamental in good security!


A collection of cheat sheets useful for pentesting, covering discovery, exploitation, privilege escalation, tools, payloads, write-ups, learning platforms, and more.

A Burp Suite extension for editing, signing, verifying, and attacking signed tokens (e.g. from Django, Express, OAuth2 Proxy, Ruby on Rails).

Hidden GitHub Commits and How to Reveal Them
Neodyme shares a tool, github-secrets, that allows finding dangling or hidden commits not listed in a GitHub project’s history or shown in the UI, including commits that have been removed using a forced push, which could leak secrets or other accidentally committed info. How? GitHub does not delete force-pushed commits, they are accessible via the GitHub API if you know the commit’s hash. Clever!


📣 Scan Your Active Directory for Breached Passwords 24/7

More than 80% of confirmed breaches are related to stolen, weak, or reused passwords. With Specops Password Policy, you can continuously monitor and block over 4 billion known breached passwords from our proprietary list, which includes daily refreshed live attack data.

Plus, Specops enforces compliance requirements and helps users create stronger passwords in Active Directory with customizable rules and real-time client feedback.

It seems like not a week goes by without a breach due to a reused password, great to see people working on this problem 👌 

Cloud Security


How to be IR Prepared in AWS
Cado Security outlines the logs that should be enabled to aid in incident investigations, covering what does it log, where does it log to, how to enable it, and how to access the logs for CloudTrail, EC2, Amazon VPC, Lambda, CloudFront, RDS, and CloudWatch.

Security Playbook for Compromised AWS Account Credentials
Playbook by AWS covering detection (GuardDuty, IAM credential report, review IAM roles), analysis (GuardDuty, Security Hub, Amazon Detective), containment (disabling users, rotating keys, revoking roles or sessions), eradication, and recovery.

By CloudDefense: A FastAPI application that helps you generate AWS IAM policies based on AWS CloudTrail logs. Auto-generate least-privilege policies based on user activity.

Cloud cryptography demystified: Amazon Web Services
Trail of Bits’ Scott Arciszewski provides an overview of the cloud cryptography services offered within AWS: when to use them, when not to use them, and important usage considerations. The post covers CloudHSM, KMS, AWS’ encryption SDK, Secrets Manager, and more.

Container Security

A fast Kubernetes manifests validator, with support for Custom Resources.

Docker Security – Step-by-Step Hardening (Docker Hardening)
ReynardSec shares probably one of the most detailed posts I’ve seen covering hardening steps for the Docker Host, Docker Daemon, images, and containers. Topics: using tools like Lynis and Docker Bench for Security, important configurations like protecting docker.sock and avoiding privileged mode, useful features like rootless mode, AppArmor, and seccomp, Docker Content Trust, image scanning, and more.

New EKS Access and Identity Features: A Security Analysis
Wiz’s Shay Berkovich provides an overview of two new AWS Kubernetes features, EKS Pod Identity and EKS access management, highlighting their impact on existing security controls and potential new security risks. Topics: additional complexity in auditing permissions, the importance of protecting the identity token, detection considerations, and where this may increase attack surface.

You can also see this follow-up post by Shay and Lior Sonntag that delves more deeply into the various tactics, techniques, and procedures (TTPs) that adversaries might exploit, capitalizing on these new features.


How to break into Silicon Valley
Andrew Chen argues that if you work in tech, you won’t regret spending 3-5 years in the Bay Area due to your rapid rate of learning and building useful connections. Create your own viral loop to meet people, why it’s helpful to “have a thing”, know what you bring to the table, and the power of writing.

A repo of SOC interview questions by LetsDefend, covering networking, malware analysis, event log analysis, threat intelligence, and more.

An Open Letter to Women in Tech
Okta’s’s Elizabeth de Moll shares her story, and some advice useful for anyone on connecting with your peers, making peace with imposter syndrome, finding a sponsor, and more.

Supply Chain

Living Off the Pipeline (LOTP)
A project by Boost Security to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection.

OpenSSF Securing Software Repositories Working Group Releases Principles for Package Repository Security
Release v0.1 of Principles for Package Repository Security, a framework for package repositories to assess their current security capabilities and to help roadmap future improvements. The framework defines four levels of security maturity across four categories of capabilities: authentication, authorization, general capabilities, and CLI tooling.

Blue Team

inversecos’s thoughts on the Chinese APT contractor leak
Covering the leaked iOS spyware, physical implantable devices, and email surveillance system.

Repo by Josh Stroschein containing sample programs that mimic behavior found in real-world malware. The goal is to provide source code that can be compiled and used for learning purposes, without having to worry about handling live malware.

Engineering a SIEM part 1: Why did we need to build our own SIEM?
Piotr Szwajkowski describes why Rippling decided to build their own SIEM, outlining their functional requirements, challenges they faced, and how they navigated them. Some requirements: scalability as the data grows, efficient detections, change review and automatic deployment, longterm log retention, tamper-proof logs, and integrating an existing companywide data lakehouse.

I’d love to see a total cost of ownership analysis of this SIEM. Buying a SIEM you have the direct cost, but here you have the cost of planning it, building it, maintaining it (headcount salary * time for each), as well as operational costs.

Maybe the gangsta move here is building your own SIEM, open sourcing it, and getting development and maintenance help from the community. And then in a few years the primary creators build a company around it, like StreamAlert → Panther 😂 

Red Team

By MatheuZ: An anti-reversing tool that obfuscates ELF files by overwriting the section header with null bytes, which makes it appear to Ghidra/IDA like there are no functions to parse.

By Akas Wisnu Aji: An exploit search tool designed to identify and gather information about exploits from both open sources and local repositories. Uses Exploit DB, Packetstorm Security, Exploit Alert, NVD, and Metasploit modules.

Offensive Lab Environments (Without the Suck)
TrustedSec’s Travis Kaun on creating dynamic and cost-effective lab environments for testing evasive payloads and offensive techniques, using AutomatedLab, Hyper-V, and PowerShell scripts. The post walks through two scenarios: a payload development lab and an AD attack lab.

👉️ Read Online if Clipped 👈️ 

AI + Security

Companies are using AI to monitor employee communications in apps like Slack, Teams, and Zoom. So if you’re talking smack in DMs, watch yo back.

Analyzing Threat Reports with Fabric
Daniel Miessler shares a new Pattern (prompt) added to fabric called analyze_threat_report, which aimed at extracting useful info from cybersecurity threat reports like the DBIR, Crowdstrike, etc., including a one sentence summary, trends, stats, quotes, references, and recommendations.

AI for Security: Eight Areas of Opportunity
Menlo Ventures shares eight areas where they believe generative AI will have an outsized impact, and include vendor examples for each in a nice infographic. Areas:

  • Vendor risk management and compliance automation

  • Security training

  • Penetration testing

  • Anomalous detection and prevention

  • Synthetic content detection and verification

  • Code review

  • Dependency management

  • Defense automation and SOAR capabilities

All About Hackbots: AI Agents That Hack
Joseph Thacker gives an overview of what’s entailed in an AI system that can hack, shares his own proof of concept tool, and shares a few companies currently building them (Ethiack, Sybil, Aiko, Staris).

LLM Agents can Autonomously Hack Websites
Academic paper from UIUC folks in which they tested the effectiveness of several LLMs on autonomously testing web applications across a few vulnerability classes, using the OpenAI Assistants API, LangChain, and the Playwright browser testing library. They found GPT-4 did fairly well and the rest did quite poorly, largely due to not being good at function calling and long attack chains.

💡 I saw a number of people share this, and only a few seemed to have read or skimmed the paper (tsk tsk). So so many unanswered methodology questions: they provide the agents with six documents on general web hacking but don’t say which ones (if we tell people about OWASP cheatsheets eVeRy sITe w1Ll b3 h4cKed!1!), they’re don’t share which apps they actually tested on, and they monstly only one instance of each vulnerability class. They also didn’t seem to give the agent(s) access to call security tools like sqlmap, Burp, etc., nor do they compare the performance of their agent against existing tools (does it find more/less than Zap, Burp, other?).

A good start but lots more can be done here! See the web security, pentesting, and code review sections of my AI & Cybersecurity talk for more.


The Ultimate Personal Security Checklist
A guide to securing your digital life and protecting your privacy by Alicia Sykes, covering authentication, web browsing, email, social media, devices, personal finance, social engineering risks, physical security, and much more.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!