
[tl;dr sec] #223 - AI Auto-fixes, Mapping CloudTrail to Incidents, VS Code Extensions for Security

Auto-fixing code with AI, an open source mapping of CloudTrail -> known incidents and ATT&CK, extensions for security auditors

Hey there,

I hope you’ve been doing well!

🤖 AI + Cybersecurity Survey

I’m thrilled to announce that I’ve been accepted by BSidesSF to give a talk synthesizing countless tools, posts, and more on applying AI to cybersecurity!

So that I can make the talk, and future content, as useful as possible to you, I created a quick ~10 multiple choice question survey that’ll take you <4 minutes to complete.

People who complete the survey will get early previews about cool new tl;dr sec projects and content in the works before they’re shared publicly 🤫 

🗺️ A Threat-informed Kubernetes Security Roadmap

I’m also excited to announce that Datadog security researchers Christophe Tafani-Dereeper and Fred Baguelin will be sharing the blog version of their KubeCon EU talk “Keep Hackers Out of Your Cluster with These 5 Simple Tricks” on tl;dr sec!

If you’re at KubeCon EU, definitely check out their talk live.

I’ve read the post and it is 🔥 . You’ll see it in your inbox on Friday!

Sponsor

📣 [WEBINAR] From Cost Center to Competitive Edge: Operationalizing GRC

Join our experts Cheri Hotman, Partner, vCISO at Hotman Group and Kayne McGladrey, Field CISO from Hyperproof on Wednesday, April 3rd at 1 PM ET to learn more about:

  • The drivers for changing GRC from a compliance obligation to a strategic solution

  • Practical strategies for transforming GRC operations, with a focus on breaking down silos

  • Best practices for unifying risk and compliance data

  • How to best prioritize GRC initiatives

Shifting security from a cost center to a business enabler is 👌 

AppSec

Vulnerability Reward Program: 2023 Year in Review
In total, Google awarded $10M to 600+ researchers based in 68 countries. The post discusses program changes (Mobile, Chrome, GenAI), and more. See also the Bug Hunters blog for some really good write-ups and scaling security / secure by default posts.

The Family of Safe Golang Libraries is Growing!
Google's Imre Rad discusses three new safe-by-default Golang libraries:

  • SafeText (replaces text/template) for YAML and shell command templating.

  • SafeOpen (replaces os.Open and friends) for opening files confined to a base directory.

  • SafeArchive (replaces archive/tar and archive/zip) for processing archive files without letting entries escape the extraction directory.

Read code like a pro with our weAudit VSCode extension
Trail of Bits' Filipe Casal shares their new collaborative code-review extension. Features: bookmark code regions as findings or notes, mark files as reviewed, share findings across multiple users, and create preformatted GitHub issues.

Introducing PoIEx - Points Of Intersection Explorer
DoyenSec's Francesco Lacerenza & Michele Lizzit share their VSCode extension for manual code analysis, with a focus on Infrastructure as Code. It runs Semgrep with custom rulesets to locate the IaC-relevant sections of a code base and generates an infrastructure diagram from them, with note-taking and real-time collaboration between reviewers on top.

Sponsor

📣 Understand the controls that matter

Call it service onboarding, service security assessment, or service allowlisting—these are all processes that enterprises perform to use cloud services for critical and/or compliance-bound workloads. When done properly, this process can take upwards of two months, with 2-4 weeks of it essentially dedicated to conducting a threat model of the service (e.g., EC2, Compute, OpenAI, etc.). At TrustOnCloud, we handle this undifferentiated part for you and also provide weekly updates.

If this is a problem for you we are happy to share one of our ThreatModels for free to show you how things can be easier.

TrustOnCloud knows their threat models 🤓 Their threat models on S3 and Azure Storage are some of the most detailed I’ve seen, and were widely shared when I included them in tl;dr sec.

Cloud Security

Introducing TrailDiscover: Simplifying Access to Security Insights about CloudTrail Events
By Adan Álvarez: Traildiscover.cloud is an open source mapping of CloudTrail events to specific known incidents and MITRE ATT&CK tactics. 51.5% of included events have been used in the wild. At launch it supports 256 events across 36 services and 50 known incidents. It’d be great to see this data integrated with https://aws.permissions.cloud 🤝!

Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns
Datadog's Martin McCloskey walks through an attack campaign against AWS accounts. It started with the attackers (unsuccessfully) checking whether the compromised account could send SMS messages. Pivoting on the attacker IP revealed a set of phishing sites impersonating French government sites. An open directory on the web server showed that phished credentials were being exfiltrated via Telegram, and a total of five victims were found. Nice to see Datadog follow through and get the infrastructure taken down!
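Both of the posts above come down to the same workflow: take raw CloudTrail records, tag each event with what it means to an attacker, and pivot on the fields that tie events together. The following is an added Python example of that enrichment loop, not TrailDiscover's code or data: the event-to-ATT&CK mapping is a small constructed table (the technique IDs are real ATT&CK IDs, the choice of which event maps where is illustrative), and the CloudTrail excerpt is constructed with trimmed fields.

```python
import json
from collections import defaultdict

# Constructed mapping for illustration; NOT TrailDiscover's data set.
# Keys are "service:EventName", values carry ATT&CK context and whether
# the event is known from real incidents.
EVENT_MAP = {
    "sts:GetCallerIdentity": {"technique": "T1087.004", "tactic": "Discovery", "in_the_wild": True},
    "sns:GetSMSAttributes": {"technique": "T1580", "tactic": "Discovery", "in_the_wild": True},
    "iam:CreateUser": {"technique": "T1136.003", "tactic": "Persistence", "in_the_wild": True},
    "iam:CreateAccessKey": {"technique": "T1098.001", "tactic": "Persistence", "in_the_wild": True},
    "ec2:RunInstances": {"technique": "T1578.002", "tactic": "Defense Evasion", "in_the_wild": True},
}


def event_key(record: dict) -> str:
    """'sts.amazonaws.com' + 'GetCallerIdentity' -> 'sts:GetCallerIdentity'."""
    service = record.get("eventSource", "").split(".")[0]
    return f"{service}:{record.get('eventName', '')}"


def enrich(record: dict) -> dict:
    """Attach ATT&CK context to one CloudTrail record (None fields if unmapped)."""
    key = event_key(record)
    info = EVENT_MAP.get(key, {})
    return {
        "time": record.get("eventTime"),
        "event": key,
        "source_ip": record.get("sourceIPAddress"),
        "principal": record.get("userIdentity", {}).get("arn"),
        # A denied call is still a signal: the attacker tried it.
        "denied": "errorCode" in record,
        "technique": info.get("technique"),
        "tactic": info.get("tactic"),
        "in_the_wild": info.get("in_the_wild", False),
    }


def enrich_log(raw_json: str) -> list:
    """Enrich every record of a CloudTrail log file body ({"Records": [...]})."""
    return [enrich(r) for r in json.loads(raw_json)["Records"]]


def summarize_by_ip(rows: list) -> dict:
    """Group mapped events by source IP, the pivot used in the Datadog write-up."""
    out = defaultdict(lambda: {"tactics": set(), "events": []})
    for r in rows:
        if r["tactic"] is None:
            continue
        out[r["source_ip"]]["tactics"].add(r["tactic"])
        out[r["source_ip"]]["events"].append(r["event"] + (" (denied)" if r["denied"] else ""))
    return {ip: {"tactics": sorted(v["tactics"]), "events": v["events"]} for ip, v in out.items()}


def coverage(rows: list) -> tuple:
    """(mapped events, total events): how much of the log the mapping explains."""
    return sum(r["technique"] is not None for r in rows), len(rows)


# Constructed CloudTrail excerpt (fields trimmed; not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-20T10:01:02Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-03-20T10:01:09Z", "eventSource": "sns.amazonaws.com", "eventName": "GetSMSAttributes",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-03-20T10:03:41Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2024-03-20T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.2", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/monitor"}},
]})
```

Two details matter in practice: keep denied calls (the Datadog campaign's SMS check failed, and was still the first clue), and group by source IP or principal rather than looking at events one at a time, since a Discovery event followed by a Persistence event from the same IP is far more telling than either alone.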

Container Security

loft-sh/devpod
By Loft Labs: Codespaces (reproducible dev environments), but open source, client-only and unopinionated: it works with any IDE and lets you use any cloud, a Kubernetes cluster, or just local Docker as the backend.

NamespaceHound: protecting multi-tenant K8s clusters
Wiz's Shay Berkovich describes NamespaceHound, a new open source Python tool that detects potential namespace-crossing paths and anonymous-access opportunities in multi-tenant clusters. It supports 22 issue types, such as RBAC_SECRETS_STEALING, CONTAINER_BPF_CAPABILITY and POD_ACCESS_TO_HOST, and requires read permissions on all resource types to run.
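To make "namespace crossing" concrete, here is an added Python illustration of the kind of RBAC review such a tool automates: it walks RoleBindings and ClusterRoleBindings, resolves the referenced role, and flags subjects from another namespace that can read Secrets, plus any binding to the anonymous or unauthenticated groups. This is not NamespaceHound's code, the issue names are my own, and the Role/Binding objects are constructed in the shape `kubectl get ... -o json` returns.

```python
# Constructed illustration; not NamespaceHound's code. Real use would load the
# objects from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
SECRET_READ_VERBS = {"get", "list", "watch", "*"}
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def rule_reads_secrets(rule: dict) -> bool:
    """True if one RBAC rule lets its holder read Secrets in the core API group."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    in_core_group = "" in groups or "*" in groups
    return bool(in_core_group and {"secrets", "*"} & resources and SECRET_READ_VERBS & verbs)


def _index_roles(roles: list) -> dict:
    # ClusterRoles are cluster-scoped, so their key carries no namespace.
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}


def find_issues(roles: list, bindings: list) -> list:
    """Scan bindings for anonymous subjects and secret access that crosses a namespace."""
    by_ref = _index_roles(roles)
    issues = []
    for b in bindings:
        ref = b["roleRef"]
        binding_ns = b["metadata"].get("namespace")  # None for ClusterRoleBinding
        role_ns = None if ref["kind"] == "ClusterRole" else binding_ns
        role = by_ref.get((ref["kind"], role_ns, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        grants_secrets = any(rule_reads_secrets(r) for r in role.get("rules", []))
        for subj in b.get("subjects", []):
            name, kind, subj_ns = subj.get("name"), subj.get("kind"), subj.get("namespace")
            if kind in ("User", "Group") and name in ANONYMOUS_SUBJECTS:
                issues.append({"issue": "ANONYMOUS_BINDING", "binding": b["metadata"]["name"],
                               "namespace": binding_ns, "subject": name, "role": ref["name"]})
            if not grants_secrets:
                continue
            if b["kind"] == "ClusterRoleBinding":
                issues.append({"issue": "CLUSTER_WIDE_SECRET_READ", "binding": b["metadata"]["name"],
                               "namespace": None, "subject": f"{kind}:{name}", "role": ref["name"]})
            elif kind == "ServiceAccount" and subj_ns and subj_ns != binding_ns:
                # A workload in one tenant's namespace can read another tenant's Secrets.
                issues.append({"issue": "CROSS_NAMESPACE_SECRET_READ", "binding": b["metadata"]["name"],
                               "namespace": binding_ns, "subject": f"{subj_ns}/{name}", "role": ref["name"]})
    return issues


# Constructed objects for the demo.
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "team-a", "name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "ci-reads-secrets"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "team-b"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "app-reads-secrets"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "team-a"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "public-pod-view"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]
```

The second RoleBinding is the benign baseline: a service account reading Secrets in its own namespace is normal. The first one is the tenant-boundary violation, and it only shows up when you compare the subject's namespace to the binding's, which is exactly the cross-object join these tools do for you.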

Supply Chain

chainguard-dev/bincapz
Chainguard's Thomas Strömberg has released a binary analyzer. It's pretty cool: bincapz extracts the strings from a binary and applies a library of over 12,000 YARA rules, producing a list of the binary's capabilities. There is also a diff mode that reveals which capabilities appeared or disappeared between two versions. Since it's CI/CD friendly, it could be handy for catching supply-chain attacks, where a release suddenly gains abilities it never needed.

How to stay safe from repo-jacking
GitHub's Kevin Backhouse discusses defenses against "repo-jacking," where an attacker registers a username its previous owner has abandoned and recreates a repository at the old owner/name path, so existing links and dependency references resolve to attacker-controlled code. For popular repos, GitHub "tombstones" the old name, preventing takeover. When downloading directly from GitHub, pin to a specific commit hash. You can also use GitHub's API to check a repo's numeric ID, which is unique and doesn't change.
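The following is an added Python example of the two checks the post recommends, combined into a lock-file verifier: each dependency records the numeric repository `id` (the `id` field of `GET /repos/{owner}/{name}`) alongside a full commit SHA, and the verifier compares that against what the API returns now. The lock-file format, the three dependencies and the canned API responses are all constructed for the demo; only `fetch_repo_live()` talks to the real API, and it is not exercised here.

```python
import json
import re
import urllib.request

GITHUB_API = "https://api.github.com/repos/{full_name}"
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def fetch_repo_live(full_name: str) -> dict:
    """Real lookup (network); the demo below injects canned responses instead."""
    req = urllib.request.Request(
        GITHUB_API.format(full_name=full_name),
        headers={"Accept": "application/vnd.github+json", "User-Agent": "repo-pin-check"},
    )
    # urllib follows the redirect GitHub issues when an owner has been renamed,
    # so the returned full_name is the repository's current name.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_dependency(pin: dict, repo_json: dict) -> list:
    """Compare one pinned dependency with the current API view; [] means OK."""
    problems = []
    if not FULL_SHA.match(pin["commit"]):
        problems.append("ref is not a full 40-hex commit SHA; tags and branches can be moved")
    if repo_json["id"] != pin["id"]:
        problems.append(f"repository id changed: pinned {pin['id']}, API now returns {repo_json['id']} "
                        "(possible repo-jacking: same name, different repository)")
    if repo_json["full_name"].lower() != pin["repo"].lower():
        problems.append(f"name now redirects to {repo_json['full_name']}; update the pin before the "
                        "old name can be re-registered")
    return problems


def check_all(lock: dict, fetch=fetch_repo_live) -> dict:
    """Run check_dependency() over every pin; `fetch` is injectable so tests stay offline."""
    return {pin["repo"]: check_dependency(pin, fetch(pin["repo"])) for pin in lock["deps"]}


# Constructed lock file: each pin stores the numeric repository id next to the commit.
LOCKFILE = {"deps": [
    {"repo": "example-org/widgets", "id": 123456, "commit": "3f2c1a9b7e5d4c6b8a0f1e2d3c4b5a6978e1f2d3"},
    {"repo": "old-user/helper", "id": 789012, "commit": "v1.2.3"},
    {"repo": "renamed-user/tool", "id": 345678, "commit": "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b"},
]}

# Constructed stand-ins for GET /repos/{owner}/{name} responses (only the fields used).
CANNED_RESPONSES = {
    "example-org/widgets": {"id": 123456, "full_name": "example-org/widgets"},
    "old-user/helper": {"id": 999999, "full_name": "old-user/helper"},  # re-created under the old name
    "renamed-user/tool": {"id": 345678, "full_name": "new-user/tool"},  # owner renamed; API redirected
}


def demo() -> dict:
    return check_all(LOCKFILE, fetch=lambda name: CANNED_RESPONSES[name])
```

The second dependency is the repo-jacking case: the name still resolves, but to a repository with a different id, and its tag pin would have quietly followed the attacker's tag. The third is the early warning: the id still matches, so the code is fine, but the old name is now free for someone else to claim.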

Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects
Boost Security uses a responsibly disclosed vulnerability in the AWS Karpenter project to explore insider-threat-style supply chain attacks. Exploitation required delivering the payload as a git tag, which imposed length and character restrictions on it. The resulting code execution could then write to the project's linked AWS ECR registry.

Because the attack only requires pushing a malicious tag, it would be a particularly stealthy way for anyone with write access to the repository to exploit it. They recommend safeguards such as strict branch and tag protection, tight controls on release artifacts, and secure workflows. Check out the post for more defensive guidance, as well as JS and Bash PoCs.

Blue Team

Products on your perimeter considered harmful (until proven otherwise)
The National Cyber Security Centre's David C breaks down their recommendations for responding to the rise in attacker use of zero-days against network perimeter products: push vendors for evidence that they're secure by design, be "cloud-first, SaaS by preference," disable unused ports, services and features, and hold yourself to the same standard. Compromised by a network perimeter product? Forti-not on my watch!

SVG Files Abused in Emerging Campaigns
Cofense's Max Gannon shares the history of SVG files in malware delivery, going back to 2015. Two recent campaigns have made extensive use of AutoSmuggle, and the post compares the delivered files to the "raw" version AutoSmuggle generates.

Trust but test: Vendor security testing at Canva
Canva's Kane Narraway & CJ Fairhead break down their program ("Priority Zero"), in which they offer a free security assessment to Canva’s vendors that are critical to data security, and then partner with the vendors to improve their overall security program. The focus is on vendors that are critical, but smaller than a cloud service provider and therefore manageable to assess and remediate.

I've seen similar programs before, but mostly from companies a lot larger than Canva. Love to see security teams doing the work to unlock innovation, while also upleveling vendors and helping improve security across the market!


Red Team

surajpkhetani/AutoSmuggle
By Suraj Khetani: An easy way to sneak malicious files past content filters: take a binary file, base64-encode it, and smuggle it into an HTML or SVG file that reassembles the payload client-side in the browser.
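Since the SVG campaigns in the Cofense post and AutoSmuggle above share one mechanism (a script in the wrapper decodes a base64 blob and hands the browser a file), the detection side is the same for both. The following is an added Python scanner, not code from either project: it looks for a script element, for the JavaScript calls that reassemble a file, and for long base64 runs, which it decodes and identifies by magic bytes so that an embedded PNG is distinguished from an embedded archive or executable. Both sample SVGs are constructed; the "payload" is a ZIP local-file header plus zeros, not a real file.

```python
import base64
import binascii
import re

# File types that have no business inside an SVG/HTML wrapper, versus image
# formats that legitimately appear as data: URLs.
DANGEROUS_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"%PDF": "PDF",
                   b"\x7fELF": "ELF executable", b"Rar!": "RAR archive", b"7z\xbc\xaf": "7-Zip archive"}
IMAGE_MAGIC = {b"\x89PNG": "PNG", b"\xff\xd8\xff": "JPEG", b"GIF8": "GIF"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_RE = re.compile(r"<script\b", re.I)
# JavaScript calls typically used to rebuild a blob and push it as a download.
SMUGGLING_MARKERS = ["atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob", ".download", "fromCharCode"]


def sniff(data: bytes) -> tuple:
    """(type name, dangerous?) from the leading bytes of a decoded blob."""
    for magic, name in DANGEROUS_MAGIC.items():
        if data.startswith(magic):
            return name, True
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name, False
    return "unknown", False


def decode_blobs(text: str) -> list:
    """Find long base64 runs, decode the valid ones and identify what they are."""
    blobs = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # a long identifier or hash, not base64
        kind, dangerous = sniff(raw)
        blobs.append({"offset": m.start(), "size": len(raw), "type": kind, "dangerous": dangerous})
    return blobs


def scan(text: str) -> dict:
    """Verdict for one SVG/HTML document: script + reassembly JS or embedded file => suspicious."""
    has_script = bool(SCRIPT_RE.search(text))
    markers = [k for k in SMUGGLING_MARKERS if k in text]
    blobs = decode_blobs(text)
    suspicious = has_script and (any(b["dangerous"] for b in blobs) or len(markers) >= 2)
    return {"verdict": "suspicious" if suspicious else "clean",
            "has_script": has_script, "js_markers": markers, "blobs": blobs}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed samples. SMUGGLED_ZIP is a ZIP local-file header plus padding, not a real archive.
SMUGGLED_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"invoice.exe" + b"\x00" * 23
MALICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script type="text/javascript"><![CDATA[
    var data = atob("{_b64(SMUGGLED_ZIP)}");
    var bytes = new Uint8Array(data.length);
    for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
    var blob = new Blob([bytes], {{type: "application/octet-stream"}});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
  ]]></script>
</svg>"""

PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
BENIGN_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image width="16" height="16" xlink:href="data:image/png;base64,{_b64(PNG_STUB)}"/>
</svg>"""
```

Decoding the blob is the important step: a filter that only keys on the wrapper's JavaScript is easy to evade by renaming or splitting the calls, whereas the reassembled payload still has to start with the magic bytes of whatever the attacker wants the victim to open. Conversely, a mail gateway should treat any SVG containing a script element as suspect regardless of what the scanner decodes, since images have no need for one.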

HackingLZ/IndicatorOfCanary
By Justin Elze: A collection of PoCs from research on identifying canary tokens in various file formats. It focuses on spotting known indicators of canaries, and unknown callback URLs in places they shouldn't be. Currently supports AWS, DOCX, MySQL, PDF, PPTX, and more.

Misconfiguration Manager: Overlooked and Overprivileged
SpecterOps' Duane Michael, Garrett Foster and Chris Thompson have released a comprehensive knowledge base of all known Microsoft Configuration Manager (SCCM) tradecraft. SCCM is designed for managing fleets of Windows workstations and servers, and has been the target of lots of security research over the past decade. I appreciate that they included not just attack techniques, but also defensive and hardening guidance, as well as real-world examples.

AI + Security

mrphrazer/reverser_ai
By Tim Blazytko: A Binary Ninja plugin that uses local LLMs to propose semantically meaningful function names from decompiler output.

Decompiling Binary Code with Large Language Models
The first open-source LLM dedicated to decompilation. Trained on 1 million C samples, totaling 4 billion tokens of assembly-source pairs. Their 6B model outperforms the 33B one and reaches 21% re-executability, roughly 50% better than ChatGPT. The paper also introduces the Decompile-Eval benchmark, based on HumanEval, which measures re-compilability (does the decompiled code compile?) and re-executability (does it pass all assertions in the test cases?).

10x your AppSec program with Semgrep Assistant
Semgrep Assistant (Semgrep’s AI-related features) is now in GA, featuring:

  • Auto-triage: Is this finding a true or false positive?

  • Auto-fix: Auto-recommended fixes for findings

  • Custom rule-writing: Given 1 example of “good code” and “bad code” and a prompt describing what you want the rule to do → auto-generate a Semgrep rule specific to your code.

  • A priority inbox that surfaces the findings you should look at first

Fixing security vulnerabilities with AI
Excellent post by GitHub’s Tiferet Gazit walking through GitHub’s code scanning autofix feature, with tons of details on how to take an LLM-based feature from “cool demo” to production-ready. Covering: how to gather all of the right code context and what to include in the prompt, pre- and post-processing to ensure robustness, overcoming model errors, ensuring autofixes actually work/don’t break the code, evaluating performance, and more.

If you’re writing about some new LLM-based tool, experiment, or product, aim for making it like this post. Also, shout-out to the GitHub autofix docs that also contain some good details.

GitHub’s autofix is now in public beta, supports JavaScript, TypeScript, Java and Python, and “delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing.”

Misc

Tools

  • jnv - An interactive JSON filter using jq

  • openapi-tui - A terminal UI to list, browse and run APIs defined with the OpenAPI spec

  • Shittier - A code formatting tool that aims to make your code look as terrible as possible

SpyGuard/SpyGuard
Félix Aimé has released a fork of his TinyCheck project, originally developed at Kaspersky. It detects signs of compromise by monitoring the network flows a device emits, using a Suricata detection engine. Interesting to see the partnership with a non-profit (ECHAP), which manages the IOCs linked to stalkerware!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler