
[tl;dr sec] #94 - 10X Your SOC, Learn Crypto, Enterprise-grade Attack-surface Monitoring with Open Source

Google whitepaper on how to scale your SOC, 3 free platforms to learn cryptography, Luke Stephens' guide on rolling your own attack surface monitoring using Spiderfoot and small scripts.

Hey there,

I hope you’ve been doing well!

The Truth is in the Data

Sometimes, you’re excited about an idea, but the interest isn’t quite there.

For example, last week I teased the idea of OnlySec, a sultry, security-focused OnlyFans clone, but it didn’t get many clicks (though I chatted with one person on Twitter about it). It’s OK, I’ll keep my day job.

But what I did find interesting is ~100 people were interested in dating on the blockchain, and ~150 were curious about meme-based dating.

To both groups, I wish you the best: may your love be public and mathematically provable, and may your memes be relevant and dank.

If you’re curious, the most clicked link from last issue was Cybersecurity - The Board’s Perspective, by Google’s Phil Venables.

These hardcore data insights brought to you by: me looking at MailChimp stats for 5 minutes.

Meme courtesy of The Hustle.

Sponsor

📢 Evolving Risks, Insecure Defaults, Watering Hole Threats – Oh, My!

Adoption of cloud native technologies is on the rise, changing the threat landscape faced by organizations. Accurics’ research identifies common trends, like Identity and Access Management moving into Infrastructure as Code, rapid adoption of CSP-managed services in dev and pre-prod, and insecure default configurations for many resource types.

📜 In this newsletter...

  • Mobile Security: Run Android in Docker

  • Web Security: Identify parts of your web apps more vulnerable to DDoS

  • AppSec: Customizing Semgrep to target a given framework

  • Cloud Security: How Segment got rid of bastion hosts with AWS SSM, using ansible over SSM, infrastructure guardrails with Terraform and OPA, tool to easily cherrypick Azure guardrails

  • Container Security: Kubernetes operator that simplifies RBAC, run self-hosted GitHub Actions on your Kubernetes cluster

  • Blue Team: Test your Okta threat detection, Google whitepaper on 10X-ing your SOC

  • Politics / Privacy: China clamps down on EdTech, the disinformation for hire industry is booming

  • Crypto: Three great self-learning platforms full of exercises

  • OSINT: Achieving enterprise-grade attack surface monitoring with open source, attack surface tool by CISA, location OSINT mind map

  • Misc: SQLite -> web UI and JSON API, how much tech CEOs are paying on personal security

  • COVID-19: Great roundup of stats and perspective on the Delta variant

Mobile Security

sickcodes/dock-droid
By @sickcodes: Run QEMU Android x86 and Android ARM in Docker. X11 Forwarding, WebCam and audio forwarding, and more.

Web Security

Cyberlands-io/epiphany
Cyberlands’ Sergey Khariuk et al.’s Epiphany identifies weak spots of a web property that may be more vulnerable to DDoS by crawling pages, measuring their timing, and using heuristics to determine if pages are cached.

AppSec

Customizing Semgrep Rules for Flask/Django and Other Popular Web Frameworks
Include Security’s Ayaz Mammadov and Nick Fox describe the process of writing custom Semgrep rules from scratch, using open redirect in Flask as an example.

We customize and use Semgrep a lot during our security assessments at IncludeSec because it helps us quickly locate potential areas of concern within large codebases.

In conclusion, Semgrep makes it relatively painless to write custom static analysis rules to audit applications. Improper usage of framework APIs can be a common source of bugs, and we at IncludeSec found that a small amount of up front investment learning the syntax paid dividends when auditing applications using these frameworks.

Cloud Security

Bye bye bastion hosts…Hello AWS IAM!
Segment’s Pablo Vidal describes how they replaced their SSH bastion hosts with AWS Systems Manager Session Manager, which gives engineers terminal access, with session logging for the Security team. Engineers can then get access to infrastructure only through IAM Roles, which can be requested through Access Service, which uses Okta.

Ansible over AWS Systems Manager Sessions – a perfect solution for high security environments
Ansible requires an SSH connection to the target host, which is not great for hosts where SSH is not allowed or when the host is on a VPC without external connectivity. Łukasz Tomaszkiewicz describes how to execute Ansible playbooks with AWS SSM Sessions.

Policy-based infrastructure guardrails with Terraform and OPA
Styra’s Anders Eknert discusses how OPA can be leveraged to secure infrastructure deployments by building policy-based guardrails around them.

salesforce/cloud-guardrails
Tool by Kinnaird McQuade that allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives (basically AWS SCPs but for Azure). Cherry-pick and bulk-select the security policies you want, enforce low-friction policies within minutes, and easily roll back policies that you don’t want. See Kinnaird’s great thread about it here.

Container Security

FairwindsOps/rbac-manager
By Fairwinds: A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts. Supports declarative configuration for RBAC with new custom resources. Instead of managing role bindings or service accounts directly, you can specify a desired state and RBAC Manager will make the necessary changes to achieve that state.

actions-runner-controller/actions-runner-controller
This controller operates self-hosted runners for GitHub Actions on your Kubernetes cluster.

Blue Team

Testing your Okta visibility and detection with Dorothy and Elastic Security
Elastic’s David French discusses Dorothy, a new tool to help security teams test their visibility, monitoring, and detection capabilities for Okta Single Sign-On (SSO) environments. It contains 25+ modules to simulate actions an attacker may take, mapped to the relevant MITRE ATT&CK® tactics.

Google Cloud Autonomic Security Operations - 10X SOC
Product announcement: “Autonomic Security Operations is a stack of products, integrations, blueprints, technical content, and an accelerator program to enable customers to take advantage of our best-in-class technology stack built on Chronicle and Google’s deep security operations expertise.”

Autonomic Security Operations: 10X Transformation of the Security Operations Center
Accompanying whitepaper by Iman Ghanizada and Dr. Anton Chuvakin. The “How to achieve Autonomic Security Operations” section at the end has some solid, actionable ideas worth reading. Some key takeaways that stuck out:

  • Solidify the basics; don’t hunt before you can detect well

  • Drive an “SRE” approach - evolve to 50% time towards automation work, not just triaging alerts

  • Add hunting, testing and analytics afterwards

  • Continuously monitor all new assets using automation

  • Invest in detection as code and SOAR

  • Auto enrich alerts with relevant data to reduce analyst time

Based on the table of contents, someone apparently lost (or won) a bet with marketing 🤣 

Politics / Privacy

China Bans School Curriculum-Tutoring Firms From Going Public
“China unveiled a sweeping overhaul of its $100 billion education tech sector, banning companies that teach the school curriculum from making profits, raising capital or going public.”

They sow discord, meddle in elections, seed false narratives and push viral conspiracies, mostly on social media. And they offer clients something precious: deniability.

Experts say it is becoming more common in every part of the world, outpacing operations conducted directly by governments.

The result is an accelerating rise in polarizing conspiracies, phony citizen groups and fabricated public sentiment, deteriorating our shared reality beyond even the depths of recent years.

Commercial firms conducted for-hire disinformation in at least 48 countries last year — nearly double from the year before, according to an Oxford University study. The researchers identified 65 companies offering such services.

Crypto

Crypto means cryptography, not cryptocurrency.

CryptoHack
A free gamified platform to get your hands dirty and learn about modern cryptographic protocols by solving a series of interactive puzzles and challenges. H/T Laurence Tennant.

The Cryptopals Crypto Challenges
“48 exercises that demonstrate attacks on real-world crypto derived from weaknesses in real-world systems and modern cryptographic constructions.” By Thomas Ptacek, Sean Devlin, Alex Balducci, and Marcin Wielgoszewski.

Mystery Twister C3: The Crypto Challenge Contest
Many of these challenges focus more on crypto design and didactical aspects (like a tutorial in differential cryptanalysis) and it includes many challenges with historic or “obscure” procedures and machines.

OSINT / Recon

How to achieve enterprise-grade attack-surface monitoring with open source software
Luke Stephens describes how to continuously monitor your attack surface using SpiderFoot, Datasette by Simon Willison to turn SpiderFoot’s SQLite3 database into a JSON API, Aquatone by Michael Henriksen for screenshotting new domains, and Bash scripts and cronjobs to tie it all together so you get Discord notifications when new domains are detected.

cisagov/crossfeed
Tool by CISA that continuously enumerates and monitors an organization’s public-facing attack surface in order to discover assets and flag potential security flaws. List of data sources here.

Misc

simonw/Datasette
Referenced in Luke’s article above, but Simon Willison’s tool is too cool to not call out separately. Basically, point it at a SQLite3 database and it’ll give you a nice, interactive web UI that you can search, sort, and filter by, or access via JSON API.

Data shows tech CEO security costs for Mark Zuckerberg, Tim Cook
Mo’ money mo’ problems. Mark Zuckerberg’s personal security budget in 2020 was $23.4 million, $10M of which is a yearly stipend from Facebook.

Looking at what other CEOs spend, it’s almost like running a company that continually leaks people’s data, fuels extremism and divisiveness, and has indirectly resulted in people dying (antivaxx misinformation, genocides) causes people to not like you 🤔

Great article by Tomas Pueyo rounding up a bunch of stats, figures, and perspective.

Transmissibility

The original Coronavirus variant has an R0 of ~2.71. Alpha—the “English variant” that caused a spike around the world around Christmas—is about 60% more infectious. Now it appears that Delta is about 60% more transmissible yet again. Depending on which figure you use, it would put Delta’s R0 between 4 and 9, which could make it more contagious than smallpox.

Fatality Rates

It looks like the risk of death is 2x higher for Delta than for the original variant.

How Good Are Vaccines Against Delta?

Before Delta, it appeared that full vaccinations reduced infections, hospitalizations, and deaths by 93%, 93%, and 91% respectively. Partial vaccinations were quite good, but not as good.

Now, with Delta, it looks like the figures are 64%, 93% and 93% according to Israel, and 79% for symptomatic infection and 96% hospitalization according to the UK.

Herd Immunity Threshold

If we assume an R0 of 8 and a vaccine effectiveness of 90% against transmission, you need at least 90% of the population vaccinated before you can declare victory.

An R0 of 8 is bad news for herd immunity. It puts its threshold at ~90% of people protected, which is impossible to reach if vaccines are only 65% protective of infection.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint