tl;dr sec
Posts
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD

[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD

Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.

Clint Gibler
April 30, 2020

Hey,

I hope you’re doing well!

This week I had a number of nice things happen: several people reached out directly to say they enjoyed tl;dr sec, others shared awesome links, Gusto CISO and all around great dude Fredrick Lee recommended tl;dr sec in his Secret CSO interview, and Scott Piper, one of my favorite people to watch for cloud security, said some kind words too 😊

It may not seem like much, but I do really appreciate hearing from people, and it always feels great to know the hours I (healthily) spend scouring the Internet provides value to people. Thank you everyone for your feedback, I really appreciate it 🙏

Also, I’ve been playing around a bit with OCaml, which is pretty cool. You can check out the Real World OCaml book v2 online for free.

📜 In this newsletter...

🔗 Links:

Cloud Security: Extended AWS security ramp-up guide, identify whose responsible for actions performed using IAM roles, tracking changes to secrets stored in AWS Secrets Manager, 31 automated AWS Security Hub controls, establishing your best practice AWS environment
Browser Extension Security: Tool to generate Chrome enterprise policies to lock down Chrome extensions, Chrome extension that turns victims into HTTP proxies
Container Security: Free Docker and Kubernetes training course
Red Team: Lateral movement graph for Azure Active Directory, use Binary Ninja in your browser, walkthrough of building a reliable exploit for a Windows kernel bug
Blue Team: Hashicorp 👨‍❤️‍👨 GitHub whitepaper, a collection of DFIR forms and resources, Blackberry report on Chinese APT activity
Misc: Attackers who are fans of the Bard 💀

📚 Mini Summary: Secret CSO: Fredrick “Flee” Lee, Gusto

The importance of security engineers who can code, building a positive security culture in your company, career advice, and more.

Cloud Security

The Extended AWS Security Ramp-Up Guide
An excellent compendium by NCC Group’s Rami McCarthy on useful resources for getting up to speed on AWS Security. Includes many resources that have been referenced in prior tl;dr sec issues 🤗

Easily identify the identity responsible for the actions performed using IAM roles
“IAM now makes it easier to identify who is responsible for an AWS action performed by an IAM role when viewing AWS CloudTrail logs. Adding the new service-specific condition, sts:RoleSessionName, in an IAM policy, enables you to define the role session name that must be set when an IAM principal (user or role) or application assumes the IAM role. AWS adds the role session name to the AWS CloudTrail log when the IAM role performs an action, making it easy to determine who performed the action.”

How to track changes to secrets stored in AWS Secrets Manager using AWS Config and AWS Config Rules
“You can now use AWS Config to track changes to secrets’ metadata — such as secret description and rotation configuration, relationship to other AWS sources such as the KMS Key used for secret encryption, Lambda function used for secret rotation, and attributes such as tags associated with the secrets.

You can also leverage two new AWS Managed Config Rules to evaluate if your secrets’ configuration is in compliance with your organization’s security and compliance requirements, identify secrets that don’t conform to these standards, and receive notifications about them via Amazon Simple Notification Service (SNS).”

AWS Security Hub launches the Foundational Security Best Practices standard
“The initial release of this standard consists of 31 fully automated security controls. These security controls detect when AWS accounts and deployed resources do not align with security best practices defined by AWS security experts. When a deviation from an AWS security best practice is identified, AWS Security Hub issues a detailed and actionable finding to customers.”

Establishing your best practice AWS environment
Best practice advice from Amazon on how to structure your AWS environment, largely around use of Organizational Units (OU). The article recommends creating two foundational OUs (and a number of other common ones):

Infrastructure, for shared services such as networking an IT, with separate accounts for each type of infra service you require
Security, for log archives, security read-only access, security tooling, and break-glass.

Browser Extension Security

Two cool tools by Matthew Bryant.

Chrome Galvanizer released on GitHub to boost Chrome extension security
A tool to generate Chrome enterprise policies to help users harden their browser security. Once installed – and also available as a hosted preview – Chrome Galvanizer allows users to set enterprise policies and rules for either blocking or allowing access to URLs for sets of Chrome extensions. Polices can be generated to restrict active extensions from accessing websites users deem sensitive, such as online banking services, email account providers, or cryptocurrency exchanges. source code

mandatoryprogrammer/CursedChrome
“Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims.”

Container Security

Attacking and Auditing Docker Containers and Kubernetes Clusters
Another free training course by Appsecco (see #31 for their cloud security course) that covers testing for common security vulnerabilities and configuration weaknesses across containerised environments and distributed systems, and assessing a Kubernetes environment’s security posture.

Red Team

Lateral Movement Graph for Azure Active Directory
“In an Azure AD environment, the relevant data regarding Azure AD devices, users, logon sessions and even some types of local administrators can be retrieved through the Microsoft Graph API. Once the relevant data is gathered, the tool builds a lateral movement graph, revealing the classic connection between users, groups and Windows machines registered in the Azure Active Directory.” tl;dr: Bloodhound, but for Azure AD. source code

cloud.binary.ninja
Use Binary Ninja for free in your browser for reversing binaries. Limitations: no API access and no plugins. Thanks Caleb Sima for the tip.

CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
In-depth blog series by NCC Group’s Aaron Adams and Cedric Halbronn on building a reliable exploit for a bug in the Windows kernel component Kernel Transaction Manager. POC2019 slides

Blue Team

Increasing Developer Velocity in the Cloud Operating Model
“This joint whitepaper, co-authored with GitHub, discusses how HashiCorp tools and the GitHub platform work together to enable organizations to adopt a strong CI/CD workflow and increase developer velocity.”

When you have one of the ever-present infinity DevOps figures together, that’s when you know things are serious. Get a room you two!

dfir.training
Template DFIR forms, real policies in use by government agencies re: digital forensics and electronic evidence, search warrants, infographics and cheat sheets, reports, guides, white papers, Windows registry cheat sheet, CTF links, forensic images, malware, registry and windows event samples.

Decade of the RATs: Cross-Platform APT Esionage Attacks Targeting Linux, Windows, and Android
46 page PDF from Blackberry.

As China forges its role as one of the great world powers, it continues to rely upon a blast furnace of cyber espionage operations in order to acquire foreign technologies and intellectual property.

In this report, BlackBerry researchers examine the activities of five related adversarial groups who have spent the better part of the last decade successfully targeting organizations in cross-platform attacks while operating relatively, if not entirely undetected in multiple strategic and economic espionage operations.

Misc

What fools these mortals be: ‘Shakespearean’ hackers hit Azerbaijani government and energy sectors
“The attackers are using a new hacking tool, whose code is littered with references to English playwright William Shakespeare, to try to gain remote access to target computers and exfiltrate data automatically.” They must be readers of tl;dr sec, and got jealous when Dev and I said we were going to give a Shakespeare-themed security talk at some point.

📚 Secret CSO: Fredrick "Flee" Lee, Gusto

I enjoyed this interview, I thought it was a nice combination of Flee’s origin story, how he got into security, and some practical advice on building and running a security program.

I see security teams as the ultimate builders who create features and tools that people want to engage with, so that doing the right thing is also the easiest thing for them to do.

What do you feel is the most important aspect of your job?

Enablement and education. We can’t win unless the whole business buys into security. So, shifting the way security is perceived within organisations is mission critical. And that starts with changing the way security views itself.

Security perpetuates this myth that we’re this isolated, exclusive team of stealth insiders who build walls and barriers to block threats. We’re seen as enforcers, when really, we should be seen as enablers who accelerate innovation by removing obstacles that stand in the way of shipping safe, scalable solutions. It’s our job to be approachable and create an environment where it’s easy for folks to ask questions and use security features. That way, people want to actively engage with and utilise security solutions, which builds buy-in across the organisation, and creates “security evangelists” who recognise the value and importance of an investment into a strong security practice.

What metrics or KPIs do you use to measure security effectiveness?

I’m always interested in gauging how security is perceived within an organisation — almost like a net promoter score for security. I think security should be curious about how happy their organisation is with security, and ask for candid feedback on whether folks in other departments consider security to be a good partner.

On the security skills shortage:

What we really have is a security job posting creativity problem. Security wins when it’s multi-disciplinary, and when we hire people from varied backgrounds. Hiring a security team that thinks the same, is educated the same, and looks and talks the same leads to blind spots. Yet we, as an industry, over-index on pedigree and certifications all the time.

We need more security people who are developers. We also need good communicators who can lead without authority.

How do you keep up with the latest in security?

Hacker News, Twitter, r/netsec, r/securityengineering, tl;dr sec, Netflix security blog

Best trend in security:

Cybersecurity teams realising the onus is on them to bridge the gap with developers by understanding, leveraging, and adopting the same practices as other engineers. I’m encouraged when I see security teams leverage and adopt engineering practices to write code and create secure infrastructure for developers can build on. The more that security teams view themselves as engineers first, the better.

Worst trend:

The lingering “cloak and dagger” mentality that exists within the industry. People still want to make security some kind of exclusive, “secret handshake” society, when really, it doesn’t need to be like that at all. In fact, all that accomplishes is isolating the security team—which winds up making us less secure in the long run.

Career advice:

Never to let someone else say “no” on your behalf. There are so many ways to fail. Don’t let your first rejection convince you that you can’t do something. Put yourself out there, don’t say “no” to yourself, and don’t shy away from opportunities because of what someone else’s reaction might be.

Advice for aspiring security leaders:

Try not to come into any given situation with a “cybersecurity-first, business-second” framework in mind. Be open to understanding a company’s actual needs, risk tolerance, and culture, and how cybersecurity can support each. Your ability to understand business risk and then to right-size security accordingly is incredibly powerful.

Security shouldn’t be indecipherable to people outside the profession. You lose credibility when you tell people things that don’t make sense to them. Meet people where they are, and treat cybersecurity like a bridge to bring factions and facets of an organisation together.

What has been your greatest career achievement?

I measure success in my ability to be a force-multiplier for others within security, not just by opening doors or hiring people for their first jobs, but by mentoring them throughout their careers. To me, if the only thing I do is help build people into security pros, that’s game won.

Favorite quote:

Embrace the grind.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint