- tl;dr sec
- Posts
- [tl;dr sec] #242 - Engineering a SIEM, Automating Detections with LLMs, Reversing AWS Session Tokens
[tl;dr sec] #242 - Engineering a SIEM, Automating Detections with LLMs, Reversing AWS Session Tokens
How to build a cost-effective, scalable detection engine, have LLMs write detections for you, understanding AWS session token internals
Hey there,
I hope you’ve been doing well!
🏜️ Hacker Summer Camp: Part 1
Phew, I’m now about halfway through my 6 day Vegas trip.
I’m trying to really lean into the multi-conference montage being a marathon, not a sprint.
By: ~8 hours of sleep a night, daily exercise, eating healthy, minimal alcohol, extra vitamin C 2x/day, and of course, continuing a multi-step face skincare routine (gotta keep the money maker in good condition 🤌 ).
I brought a high protein mix thing to eat for breakfast. I realized I didn’t bring a bowl or spoon, so yesterday I put some mix in a cup with water and stirred it with my finger, and then drank it.
As you can see, newsletter writers live a pretty high roller life 😂
Also, I wanted to say a HUGE thank you to everyone I’ve met who’ve said they enjoy tl;dr sec— that’s been fuel that’s kept me going, as I spend hours in my hotel room writing this very email.
Hope you’re surviving the heat, or more sanely, staying home!
P.S. I’m going to be at the LevelUp party tonight (Thursday) at 7pm at MGM Grand, come say hi (and get stickers)! See other Semgrep stuff here. I’ll also probably be around the DEF CON AI village.
P.P.S. If you were wondering if all the security newsletters folks know each other, of course the answer is yes. Shout-out also to my friends Ross Haleliuk, Ashish, and Shilpi who came later.
Sponsor
📣 2024 Gartner® Market Guide for CNAPP
Find recommendations for evaluating and adopting a CNAPP in the 2024 Gartner Market Guide for CNAPP.
Read the report to learn:
The benefits of a CNAPP solution in your cloud security strategy
Key capabilities and characteristics to look for in a CNAPP, including deep relationship graph analytics expertise
Recommendations for how you should approach a CNAPP evaluation and deployment
👉 Get the Report 👈
Ohhh CNAPP! 🫰 CNAPP seems on the up and up, nice to learn more about it.
Cloud Security
dubrowin/AWS-Reasonable-Account-Defaults
By Shlomo Dubrowin: A CloudFormation template to create reasonable account defaults around Cost Surprise Alerting.
aws-samples/content-repository-with-dynamic-access-control
Example code and walk through of how to to build an end-to-end content repository for unstructured data with dynamic access control.
Revealing the Inner Structure of AWS Session Tokens
Tal Be'ery describes reverse engineering AWS session tokens, revealing their internal structure and fields, and released an AWS token decoder web app and STS-token-decoder tool, enabling programmatic analysis and modification. They found at least 5 variants of session tokens in the wild and that the tokens were quite resilient to forging attacks.
💡 Great example of taking an opaque ID, poking at it, and figuring out how it’s structured.
Poisoning the SSM Command Document Well
Gentleman, scholar, and cloud agitator Rami McCarthy describes how he created malicious copies of Datadog's public AWS SSM Command Documents used for agent installation, adding code to exfiltrate non-sensitive instance metadata. Rami exploited the fact that Datadog docs only show an AWS Account ID as the owner, making it difficult for users to distinguish official from malicious versions.
Result: one AWS account ran the poisoned document on 3 EC2 instances over 15 days.
Sponsor
📣 Discover, secure, and govern genAI use
Nudge Security has discovered over 500 unique genAI apps in customer environments to date, without the need for agents, browser plug-ins, network proxies, or any prior knowledge of an app’s existence.
Within minutes of starting a free trial, you’ll have a full inventory of all genAI apps in use (along with every other SaaS app) and security profiles for each provider to quickly vet new or unfamiliar tools.
Get your free genAI inventory today.
👉 Free Trial 👈
Nice! Getting visibility into how your colleagues are #yolo using AI is quite useful. I’ve heard good things about Nudge Security from a few friends 👍️
Container Security
Kubernetes Security Fundamentals
Great video series by Datadog's Rory McCune on Kubernetes and container security fundamentals, covering Kubernetes API security, AppArmor, Linux capabilities and namespaces, and more. Rory has also done a blog series on the same topics, see below.
Kubernetes security fundamentals: Authorization
Datadog's Rory McCune dives into Kubernetes authorization, describing various authorization modules like RBAC (role-based access control), ABAC (attribute-based access control), Node Authorizer, and Webhook Authorization, and their roles in managing permissions within a cluster. Also, be aware of the system:masters group, which bypasses all authorization checks.
Supply Chain
GitHub Actions exploitation: untrusted input
Synacktiv's Hugo Vincent explores three common misconfigurations (expression injection, dangerous artifacts and dangerous checkouts) that can be exploited to gain write access to a GitHub repository or extract sensitive secrets. The author provides vulnerable examples for each misconfiguration, affecting repositories from companies like Microsoft, Apache or Excalidraw.
They also released octoscan, a static vulnerability scanner for GitHub Action workflows.
Compromising ByteDance's Rspack using GitHub Actions Vulnerabilities
Praetorian's Adam Crosser and John Stawinski discovered critical Pwn Request vulnerabilities in the GitHub Actions for the Rspack repository. These vulnerabilities allowed them to retrieve the NPM deployment key used to push new Rspack packages and a GitHub Personal Access Token with administrative privileges on the Rspack repository.
Configure GitHub Artifact Attestations for secure cloud-native delivery
GitHub Artifact Attestations is now generally available, which allows you to create provenance and integrity guarantees to verify what you have built within GitHub Actions can be traced back to its source code, meeting SLSA v1.0 Build Level 2 requirements.
You can create attestations for any type of artifact (executable, package, container registry, or even a .zip file), and the post walks through setting up a Kubernetes admission controller to validate deployments against attested images.
Blue Team
Engineering a SIEM part 3: Creating Cost-Effective, Scalable Detections
Rippling’s Piotr Szwajkowski outlines requirements of a cost-effective, scalable detection engine, AWS Lambda, Snowflake, and DynamoDB to manage alert deduplication, customizable alert routing, and CI/CD pipelines for automated testing and deployment.
💡 This meaty post (and part 1 & 2), are such great examples of really thinking through detection engineering tooling and workflows. It’s not often I see this level of detail in “how and why I build this security tooling this way.” Great read!
DuneGroup/ice-axe
A Snowflake Native Application to threat hunt in your Snowflake environment (efficiently audit and monitor login history, user activities, and system usage), from some former senior Snowflake security leaders (Jacob Salassi, Michele Freschi, as well as Jacolon Walker).
💡 Pro-tip: If you want inbound reach outs from VCs, work at a few reputable companies, then have “Co-founder at Stealth” in your LinkedIn bio. Apparently there’s also an X account that does this.
Guide your SOC Leaders to More Engineering Wisdom for Detection (Part 9)
Anton Chuvakin and Amine Besson discuss key strategic components for SOC leaders to implement effective detection engineering practices, including: defining a detection lifecycle management process, adopting version control and CI/CD for detections, and some nuances around getting vendor/community detections under control.
They emphasize the importance of moving beyond naive ATT&CK coverage metrics to focus on more nuanced aspects like log source coverage, detection upkeep, asset management updates, periodic threat coverage review, and detection decay.
Red Team
wikiZ/RedGuard
RedGuard is a Go-based C2 front flow control tool designed to evade detection by blue teams, AVs, and EDRs, with features including IP allowlisting, domain fronting, and identifying requests from cloud sandboxes based on JA3 fingerprints (so they can be ignored).
EDR Telemetry Blocking via Person-in-the-Middle Attacks
Tier Zero Security’s Eito Tamura describes how EDR telemetry can be blocked using a person-in-the-middle attack via ARP spoofing, using Server Name Indication (SNI) in TLS handshakes to selectively filter traffic (e.g. to Microsoft Defender, Crowdstrike), and has released edr_blocker to do it.
Phishing the anti-phishers: Exploiting anti-phishing tools for internal access
Ophion Security’s Rojan and Tanner describe how anti-phishing tools (e.g. Proofpoint, Barracuda Networks, Palo Alto Networks Cortex XSOAR) can be used to gain unauthorized access to internal SaaS services by abusing email verification processes that do not require authentication.
Basically: you register for a SaaS app like Atlassian with an email like [email protected]
→ the anti-phishing tool automatically scans the email verification email and clicks the “confirm” link → boom, now you can log in and view internal workspaces. See also Exploiting Application Logic to Phish Internal Mailing Lists.
AI + Security
Apple Intelligence’s system prompts
Broke: prompt engineer Apple Intelligence to reveal its system prompt
Woke: just search for a .txt file containing the prompts lol.
H/T Max Woolf.
Llama 3.1 and CyberSecEval 3
Nice overview by Joshua Saxe on what Meta’s team did (extensive cybersecurity testing, capabilities evaluation, and risk mitigation) before Llama 3.1’s release, and reflections on the current state of things. He links to the CyberSecEval 3 paper and updated security tooling: offensive cybersecurity content moderation capabilities in Llama Guard 3, and improved prompt injection detection with PromptGuard.
Utilizing Generative AI and LLMs to Automate Detection Writing
Dylan Williams shares an excellently detailed post about using LLMs to write detections. I like how he shares a number of useful prompt engineering resources, different prompting strategies, discusses Retrieval Augmented Generation (RAG), gives an example prompt, and shares general tips. He also recently open sourced DIANA, see below.
dwillowtree/diana
DIANA (Detection and Intelligence Analysis for New Alerts) is a tool by Dylan Williams that a) automates the creation of detections from threat intelligence (given example detections, logs, and your detection writing process), and b) can spin up a crew of autonomous AI agents that perform threat detection research on your topic of choice.
Misc
Tech Analysis: Addressing Claims About Falcon Sensor Vulnerability
CrowdStrike’s write-up on how the out-of-bounds memory read bug provides no mechanism to write to arbitrary memory addresses or control program execution, even under ideal circumstances, and the steps they take to protect the Falcon Sensor from malicious tampering (certificate pinning, checksum validation, access control list(s) on directories and files, anti-tampering detections).
Brutally Honest Advice for Men To Win In Their 20s - A shot of motivation from Alex Hormozi straight into your heart. I’m not in my 20s, but I still found it useful.
My First Million podcast: 10 AI Business Ideas From The Queen of AI ft. Sarah Guo
Leaked Documents Show Nvidia Scraping ‘A Human Lifetime’ of Videos Per Day to Train AI
Parody site ClownStrike refused to bow to CrowdStrike’s DMCA takedown
Study: Partisan bot accounts on X amplify divisive content, getting >4B views. I thought Elon was going to fix the bot problem? 🤔
Wiz CEO’s letter to employees after turning down Google’s $23B acquisition offer - “As we always say: LFG.”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler