My heart goes out to those facing violence, loss, and displacement. I hope there is a return to peace soon.
In the meantime, I’ll try to bring some merriment. Clears throat.
🤹 Hark and Well Met, Noble Patrons of the Digital Realm!
Good morrow to thee, cherished reader of my humble scroll.
Within these parchment pixels, I have amassed a veritable treasure trove of cybersecurity codices and links, fit for a king! Fear not, for I’ve taken care to ensure that this guidance is as sharp as a falconer’s eye, and not some jesting foolery.
Performers, workers, and many attendees dressed in period attire and spoke in the dialect of the time. It was delightful.
There were booths to throw axes or spears, a “do it thyself” workshop, and an area where knights jousted.
This knight had some serious ‘tude
There were a few attendees dressed as hangmen with signs that said “Executioners on strike, unionize now!” 🤣
Well, let’s get on with the show.
With quill in hand and parchment spread,
Let these links be your armor ‘gainst the cyber threats that lie ahead!
5pm-8pm in the Semgrep office.
Come for food, drinks, and networking. Talks:
-
“AI applied to Cybersecurity” from me! 🙌
-
“Roadmap to DevSecOps Adoption with Case Studies” by Ankush Jain and Ankita Gupta from Akto
-
“IAM for the DevSecOps Engineers” by Jeff Chao from Abbey Labs
📣 Schedule a Complimentary Threat Briefing On LUCR-3 (aka Scattered Spider)
Learn the cloud TTPs of LUCR-3 (aka Scattered Spider), the group responsible for breaching the cloud environments of some of the largest enterprises in the world. Permiso is now offering complimentary briefings on this threat group with Ian Ahl, SVP of P0 Labs and former head of advanced practices at Mandiant. Learn how to better defend against cloud attacks orchestrated across identity providers, Iaas, Saas and CI/CD pipelines.
📜 In this newsletter…
-
AppSec: Tool to steal CI/CD secrets, how to mitigate risk from recent curl bug
-
Web Security: Static analysis for Elixir, LinkedIn’s CSP journey
-
Cloud Security: CloudGrep, tool to automate permissions in cloud and critical apps, AWS Well-Architected Framework updates, accessing 1000s of client AWS accounts securely, Scattered Spider threat actor breakdown
-
Container Security: Extended Falco rules, Kubernetes security fundamentals
-
Supply Chain: OpenPubkey vs Sigstore
-
Blue Team: Passkeys now the default for personal Google accounts, malware source code collection, NSA and CISA top 10 cybersecurity misconfigs
-
Red Team: Sliver and Cursed Chrome for post exploitation
-
Machine Learning + Security: ChatGPT dating app scams, AI watermarks broken, chatbot hallucinations poisoning web search
-
Machine Learning: Analyzing LLM neurons with LLMs, both LLMs and modern apps need debugging in prod
-
Career: Consulting 101, finding your moat, Moxie’s career advice
-
Misc: Turn your keyboard into a typewriter, 10 concepts that explain the modern world, have apps easily join your tailnet
AppSec
synacktiv/nord-stream
By Synacktiv: A tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines. It currently supports Azure DevOps, GitHub and GitLab.
Much ado about Curl
Semgrep’s Kurt Boberg provides a great overview of how to minimize risk from “the word cURL vulnerability in a while,” across Node, Python, Rust, C#, Ruby, Go, PHP, and Swift.
📣 What do CISOs really think about AI?
Every day, there’s a new AI-powered app, a fresh debate about its risks and rewards, or a new feature in ChatGPT, and we can’t help but be curious. AI isn’t going away any time soon but it does introduce new risks (and benefits) when it comes to cybersecurity.
One of the most significant concerns with AI is its ability to generate highly convincing fakes — be it deepfakes that replicate real-life personas, AI-driven phishing campaigns that can adapt to user behavior, or voice replication that can deceive even the most vigilant.
Hear from current CISOs on how they are protecting against and incorporating AI into a comprehensive cybersecurity strategy in this blog article from Lacework.
Insights and perspective from 5 CISOs, nice! 🤘
Web Security
For defense in depth, a) the existing traffic headers plugin adds CSP headers to any request that doesn’t already have them, and b) GitHub validation checks are used to block PRs that use risky settings, like setting script-src to a wildcard or a domain that is not approved.
Cloud Security
Announcing updates to the AWS Well-Architected Framework guidance
Changes across all six pillars, and in this release they’ve made the implementation guidance for the new and updated best practices more prescriptive, including enhanced recommendations and steps on reusable architecture patterns targeting specific business outcomes.
Scattered Spider Getting SaaS-y in the Cloud
Permiso’s Ian Ahl walks through how a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property for extortion.
Container Security
tl;dr: Key security aspects must be handled by third-party integrations (e.g. runtime security, vulnerability management, log analysis), and there big differences between managed vs unmanaged distributions (e.g. EKS, AKS, GKE) and even within managed options.
Supply Chain
-
OpenPubKey eliminates the centralized, server-side components (Transparency Log and Certificate Authority) that Sigstore has.
-
Two potential issues with OpenPubkey: 1) publishing raw identity tokens (JWTs) introduces several privacy concerns, and 2) relying directly on OIDC signing keys for verification introduces a large amount of complexity (and attack surface) on clients.
Red Team
Sliver and Cursed Chrome for Post Exploitation
Jeremy Mill walks through using Sliver, a command and control framework (C2) to inject a CursedChrome payload into a victim’s browser, allowing an adversary to proxy requests through CursedChrome through the victim’s browser, allowing you to browse sites as the victim (all sites they’re logged in to / have current sessions with).
Mitigations: use Chrome policies to limit what URLs extensions can use (See Chrome Galvanizer by Matthew Bryant), control extensions at your org, detect new listening debug ports in Chrome.
Machine Learning + Security
Machine Learning
Explainability is key for alignment – as models get smarter/more capable, this will help us ensure they’re doing what we want them to do, and aren’t intentionally deceiving us. Basically this is like doing a brain scan of an LLM.
Charity Major’s 🧵 on leveraging LLMs
Charity argues that modern apps are very complex, with nondeterministic outputs and emergent properties, so that you need to debug code by instrumenting and observing in production.
There’s nothing new about tight feedback loops and observability-driven development. LLMs are simply on the far end of a spectrum that has become ever more unpredictable and unknowable.
The hardest part of software has ALWAYS been running it, maintaining it, and understanding it — not writing it. But this was obscured for a long time by the upfront difficulty of writing code.
Generative AI turns this upside down, and makes it clear where the real costs lie.
Career
Finding Your Moat
Matt Johansen discusses being competitive in the job market by finding and developing your personal and professional moat- what makes you unique and valuable.
-
“Be careful what job you take, because your job will change you.”
-
Prison guards and grief counselor probably see the world differently.
-
“The context of one’s life defines not just what but how one thinks, and a job tends to dominate the context of one’s life — particularly when that job is considered to be part of a career.”
-
-
Observe the older people working at your company or in your field.
-
“They are the future you. Do not think that you will be substantially different. Look carefully at how they spend their time at work and outside of work, because this is also almost certainly how your life will look.”
-
-
Be careful not to discover a career before you’ve discovered yourself.
-
High school → college → internships → job fair. “When we arrive at the ends of these funnels, it’s possible that the direction we’re facing is more a reflection of those structures than it is a reflection of ourselves.”
-
-
“There’s no rush to get started early on a never-ending task.”
Introducing the Tailscale Universal Docker Mod
Xe Iaso announces Tailscale’s new universal Docker mod, which lets you have applications join your tailnet just as easily as machines can. You can have a wiki on http://wiki
, an IDE at http://code
, etc.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏