[tl;dr sec] #240 - Red Team Interview Questions, Security Platform Engineering, AI Secure Code Reviewer Bot

Big list of q's, how to build a team of security builders, reviewing all PRs with an LLM

Hey there,

I hope you’ve been doing well!

🔨 Wielding Your Analytical Hammer

Let me share an anecdote, in case it resonates with you.

From when I was a young kid, my parents encouraged me and celebrated when I did well in school.

My self-identity was very much tied to getting good grades, and being “smart” in subjects like math.

To be honest, and I feel bad saying this, I didn’t place a lot of value on emotional intelligence (EQ)… most of my life 😅 

But what’s very frustratingly smacked me in the face the past few years is that there are a number of domains where being analytical is fundamentally not the right tool (e.g. relationships, building closeness with friends). I stumbled across the following and I was like… yup:

So what we see is that kids who are smart and quite logical will use logic to solve their problems.

What that means though is that we tend to have underdeveloped faculty when it comes to emotional awareness and emotional processing.

So if you look at kids who are very logical, they will use their logic to overcome their emotions. They will set their emotions aside, they will sort of suppress their emotions, and they'll approach things in a very cold and logical manner.

If I’ve got an S-Class IQ, I’m going to just be owning things right and left with that, I’m not going to use my B level emotional circuitry, so over time I don’t even level it up.

If I could go back in time five or ten years and tell myself only one thing that would overall improve my happiness/life in general, it would be to invest more in developing EQ. (and buy NVIDIA)

Anywho, I share this in case it sounds familiar to you, so you can hopefully avoid some of my mistakes, dear reader.

Sponsor

📣 Accelerate your phishing remediation while reducing on-call burden

It’s a never-ending battle to secure mailboxes. Phishing reports from users fly in continuously and security teams race against the clock to respond and remediate.

Material Security acts as a force multiplier for user report response, applying instant protection across the entire workforce when a single case comes in. You get faster report resolution and less duplicated effort.

The security engineering manager at Compass shared:

“With Material’s API, we can take a big problem like phishing and break it into bite size chunks to do things in a more advanced way.”

Phishing continues to be one of the most common ways attackers get a foothold. I was chatting with one of Material’s co-founders (Abhishek Agrawal) recently, and they’ve built some cool stuff 👍️ 

Secure Guardrails

Secure Guardrails Course
A new free course in Semgrep Academy by Pieter De Cremer on changing your AppSec program from reactive to proactive using secure guardrails (making the secure way the easy way), with a number of hands-on examples. 45 lessons, 3.5 hours of video content, do at your own pace!

Enabling Security Guardrails: Infra as Code with CDK for Terraform
Zip's Ashish Patel and Victor Chen describe how they used Terraform CDK to enforce security guardrails, achieving a 95% reduction in AWS admin roles and eliminating click-ops for critical resources. They accomplished this by minimizing admin permissions for sensitive resources like IAM and RDS, implementing secure-by-default resource creation, and removing high-level roles and policies for manual changes, significantly reducing the attack surface.

See also Resourcely (congrats on the GA launch!), a startup aiming to productionize “secure by default” configuration, founded by senior Netflix folks.

Building A Security Platform Engineering Team
Kane Narraway explains the role and importance of a Security Platform Engineering team in creating secure tools and services to enhance security across organizations. He discusses the optimal time for a company to develop this function (~30 security team members), focusing on unique security needs that can't be addressed by off-the-shelf tools and on when the team can dedicate effort to work that does not deliver immediate value. Kane also provides insights into the challenges and strategies for scaling security effectively.

💡 This is a great post on security platform engineering, which I see as a (currently) “early adopter” idea that I predict will become more common over the next few years. Some great nuance and questions to ask yourself in the post.

Sponsor

📣 Webinar - How to keep an Identity Attack from Compromising your Infrastructure

Identity Platforms (IdP) provide organizations with incredible convenience with Single Sign-On (SSO). However, if IdPs are compromised, the ‘keys to the castle’ can be left vulnerable, making the rest of the organization’s infrastructure vulnerable as well.

In this webinar, learn how Teleport and Yubico together help you implement passwordless authentication paired with an Infrastructure Defense-in-Depth (IDiD) approach to security while positively impacting productivity and preventing further compromise in your downstream systems in the case of an IdP breach.

👉 Register Today 👈

Passwordless authentication + infrastructure defense-in-depth?! Let’s go! 🤘 

AppSec

ManuelBerrueta/FlowAnalyzer
By Manuel Berrueta: A tool designed for in-depth understanding and testing of OAuth 2.0 flows, including OpenID Connect (OIDC).

Why Good Security Fails: The Asymmetry of InfoSec Investment
Google Cloud CISO Phil Venables examines the paradox where effective security measures reduce incidents, prompting organizations to cut resources, which then degrades security controls and increases risks. To avoid this cycle, Phil suggests strategies such as organization health monitoring, zero-based budgeting, delivering incremental benefits, building support, and making resource constraints visible to maintain security effectiveness.

💡 If you haven’t already read Phil’s blog, allow me to make your life better. Every post is insightful and useful 👌 

A Race to the Bottom
Doyensec’s Viktor Chuchurski explores how inadequate concurrency control in databases can lead to race condition vulnerabilities, causing issues like dirty reads, non-repeatable reads, phantom reads, and lost updates. The article details the four ANSI SQL-92 isolation levels (Read Uncommitted, Read Committed, Repeatable Read, and Serializable) and their effects on data consistency. This research was presented at 2024 Global AppSec Lisbon (slides, video).

Viktor provides a vulnerable Go application for hands-on experimentation with database transactions and concurrency control, and Semgrep rules to detect instances of unspecified isolation levels.

Cloud Security

Scaling the IAM mountain: An in-depth guide to identity in Google Cloud
Google’s Sita Lakshmi and Michele Chubirka demystify two foundational IAM access control principles: least privilege and separation of duties. The authors introduce the persona mapping technique, which simplifies permission management and ensures consistent access control by mapping job functions to groups.

Moving AWS Accounts and OUs Within An Organization
Matthew Fuller explores the implications of moving an AWS account or Organizational Unit (OU) to another OU within the same Organization. He discusses impacts on SCP policy inheritance, CloudFormation StackSet deployments, IAM policy conditions, RAM shares, and Control Tower enrollments.

Journey to the Center of the VPC: Getting Started with Cloud Networks
Rich Mogull explains the basics of traditional packet-switched networks and introduces AWS Virtual Private Clouds (VPCs), which use software-defined networking (SDN) to secure and isolate customer traffic, preventing spoofing and sniffing. He also provides a hands-on lab to explore VPC code primitives.

A hard look at GuardDuty shortcomings
Rami McCarthy examines GuardDuty's performance and its threat detection capabilities, focusing on coverage, cost, and efficacy. Using adversarial simulation tools like stratus-red-team, amazon-guardduty-tester, and s5cmd, Rami identifies limitations such as: 6 Stratus Red Team techniques triggered zero GuardDuty findings, median detection latency was 15 minutes, and attackers could exfiltrate 100-2500GB of data from S3 before the first GuardDuty alert might fire.

💡 As always, you should think critically about any article whose focus is, “Here are reasons Approach or Product <X> that is competitive to our Product <Y> is bad,” but I think this post is a nice example of actually testing the effectiveness of a security product and thinking about if it meets your needs / how it affects your security posture.

Container Security

digitalis-io/vals-operator
By digitalis.io: A Kubernetes operator that synchronizes secrets from any secrets store supported by vals into Kubernetes.

Container Breakouts: Escape Techniques in Cloud Environments
Palo Alto’s Yosef Yaakov and Bar Ben-Michael provide an explanation of capabilities and namespaces and their roles in container architecture before exploring different container escape techniques, such as user-mode helpers, runtime sockets, and log mounts, among others. They assess the potential impact of these techniques and discuss how to detect such escapes from the perspective of an EDR.

Blue Team

activecm/rita
RITA (Real Intelligence Threat Analytics) is an open-source framework for detecting command and control communications through network traffic analysis. It ingests Zeek logs and supports features such as beaconing detection, long connection detection, DNS tunneling detection, and threat intel feed checking. Sponsored by Active Countermeasures.

Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs
James Nutland shares the results from an analysis of 14 ransomware groups between 2023 and 2024, identifying common TTPs like credential phishing, exploiting vulnerabilities in Netlogon and Fortinet's FortiOS SSL VPN, and leveraging legitimate tools like AnyDesk and ScreenConnect for command & control.

Building a Detection Engine
Nathan Burns explores the mechanics of detection engines, comparing heuristic-based and rule-based approaches. He highlights challenges such as false positives and maintenance for on-host engines, and latency and lack of prevention for off-host engines. Nathan also discusses the advantages of off-host engines, including reduced resource utilization, advanced correlation, and historical analysis, offering a balanced view of both methods.

Red Team

HadessCS/Red-team-Interview-Questions
By Mohammadreza Rashidi: A comprehensive list of questions for red team interview preparation, covering topics such as initial access, Windows internals, Active Directory, PowerShell, malware development, and different attack techniques.

efeali/fragtunnel
By Ali Efe: A proof-of-concept TCP tunnel tool that you can use to tunnel traffic and bypass IDS/IPS engines and Next Generation Firewalls, exploiting a design flaw that allows initial packets to pass through while the engine makes a verdict on whether they should allow or block the traffic.

The tool fragments data into smaller packets, optionally encodes/decodes them, and sends each fragment over a new TCP session to evade detection.

Like Shooting Phish in a Barrel. Bypassing Link Crawlers
SpecterOps’ Forrest Kasler discusses the shortcomings of link crawlers used by Secure Email Gateways and details various evasion techniques. These include CAPTCHAs, content swapping to trick automated scripts, and multiple redirects, but also more advanced methods such as browser fingerprinting, ASN filtering and GeoIP filtering. Example browser fingerprinting tools: detect-headless, fingerprintjs, and Cloudflare Turnstile.

EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent
Ziyi Shen details EDRPrison, a tool that uses an external legitimate WFP (Windows Filtering Platform) callout driver to prevent EDR agents from sending telemetry by dynamically adding runtime filters without directly interacting with EDR processes or executables. The article also discusses possible detections and ways to subvert them as a red teamer. More details and the tool's source code can be found on GitHub.

AI + Security

aydinnyunus/gpt4-captcha-bypass
By Yunus Aydin: A proof of concept CLI tool for testing puzzle, text, complicated text, and reCAPTCHA using Python, Selenium, and GPT-4o.

Secure Code Reviewer — Copilot
Razorpay’s Ashwath Kumar and Hariprasad Pujari walk through how they created a security engineer co-pilot that analyzes new Pull Requests for vulnerabilities. They vetted the idea by testing Gemini 1.0 and 1.5, GPT-4, and CodeBison on four files in JuiceShop, measuring True Positives, False Positives, and cost. They describe customizing the prompt to add business context or for “crown jewel” apps, scanning PRs with multiple files changed, rolling the process out to an org, and more.

Defending AI Model Files from Unauthorized Access with Canaries
NVIDIA’s Joseph Lucas, John Irwin, Rich Harang, and Medicus Riddick describe how one can embed canary tokens in Python pickle-serialized model files that silently beacon to Thinkst Canary's DNS-based alert system when accessed. This can either track usage or identify if someone is using a model that should never be used (a true canary).

Misc

  • Defguard - An open-source solution with real WireGuard MFA/2FA & integrated OpenID Connect SSO.

  • Recently I saw Idina Menzel (Rent, Wicked, Elsa in Frozen) perform live, and her rendition of You Learn to Live Without was stunning. Consider it NSFW, if you don’t feel safe crying at work 😭 

  • If you’re thinking about watching Deadpool and Wolverine this weekend, here’s a 30min recap of all of Marvel cinema history, and a one hour history of Deadpool.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler