[tl;dr sec] #209 – State of Cloud Security, Breach Report Collection, Abusing Slack for Offensive Operations

Aaaand we’re back! If you celebrate, I hope you had a wonderful holiday break last week!

For me, I hosted a small Friendsgiving at my place.

I don’t often host groups. It’s been that way for a long time, but I’ve never really reflected why.

After thinking for a bit, I believe it’s at least partly because of insecurity: subconsciously I was worried people would judge the decor, or not show up, and it’d feel like rejection.

People did show up, and we had a great time!

The main reason I decided to host was a friend recently moved to the Bay Area and I wanted to make sure he and his partner had something fun to do on Thanksgiving.

I’m not going to lie, it feels awkward to share this, but hopefully it’s helpful for someone.

Is there something you would like to do more of, but hold back? Why do you think that is?

Alright enough feelings, it’s hacking time 🤘 *elaborate heavy metal guitar riff*

You’ve probably heard of ASPM by now—the newest acronym in AppSec promising to transform your application security program into a holistic, risk-based strategy.

But why do we really need ASPM? And what are the must-haves for an ASPM to really provide that time-saving, risk-reducing value? 

Go deep(er) on those answers in this guide to:

• Get a breakdown of ASPM

• Learn what really goes into prioritizing application risk

• Explore what an AppSec control plane can do for you

• Understand if ASPM is for you

The docker-in-docker executor requires the container to run in Privileged mode, when combined with Instance-level runner configuration effectively allows any user to compromise the runner Docker infrastructure and gain access to all information and secrets for any project which uses that runner (e.g. environment variables that include production creds).

They also released CVE-Half-Day-Watcher, a tool that leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released.

I’ve wondered for awhile if people were doing this, neat to see someone execute it and release a tool. Bonus points if you build automation that leverages an LLM to automatically write an exploit (example post). I’d be surprised if nation states and criminal orgs weren’t already prototyping this…

When you’re the person responsible for your company’s security, things can get complex fast. One solution? Continuous monitoring from Vanta.

Vanta automates compliance monitoring for your most critical programs and workflows. By streamlining vendor security reviews and asset discovery, you can quickly find and eliminate points of unauthorized access and proactively address potential threats.

And because Vanta automates up to 90% of the work for SOC 2, ISO 27001, and more, you’ll be able to focus on strategy and security, not maintaining compliance.

Try Vanta free for 7 days — no costs or obligations.

BSidesSF CFP Deadline: December 11
BSidesSF is one of my favorite conferences: super sharp attendees, great talks and networking, and it’s right before RSA. You should submit a talk or workshop! *gestures encouragingly* I always go, hope to see you there 😃 

AWS pre:Invent 2023
Chris Farris gives a great overview of 40+ recent AWS announcements related to security and governance, with his usual delightful snark. “Kubernetes was the ancient Greek God of resume-padding.”

State of Cloud Security
Great report by Datadog analyzing the security posture data from thousands of orgs that use AWS, Azure, or GCP. Interesting stats across long-lived access keys, MFA, IMDSv2 enforcement, over-privileged workloads, and more.

pete911/kubectl-iam4sa
A tool to debug IAM roles for service accounts in Kubernetes. Includes commands for retrieving cluster information, listing service accounts, and verifying the OIDC provider.

Gitleaks, TruffleHog, and Trivy did not detect these secrets at the time of testing.

Result: benign typos happen often, so they are not sufficient to detect malicious behavior.

My thought: I love when people post “negative results” (“I tried this and it didn’t work”), as that can be as or even more instructive than attempts that work out as expected.

Building your first Metasploit exploit
Kevin Joensen walks through creating a Metasploit exploit (for the authenticated RCE vulnerability in PRTG), including setting up the development environment, building the exploit, and submitting it to Metasploit’s public repository.

Hunting Vulnerable Kernel Drivers
Takahiro Haruyama describes how the Carbon Black Threat Analysis Unit identified 34 unique vulnerable Windows drivers that could be exploited to disable security software or install bootkits (an attacker without the system privilege could erase/alter firmware, and/or elevate privileges). They released the IDAPython script, results, and exploit PoCs.

Abusing Slack for Offensive Operations
SpecterOps’ Cody Thomas describes how Slack stores user cookies in plaintext on disk, which you can use to impersonate the user in all the workspaces they’ve logged into, even if they have MFA. You can: list the Slack workspaces a user is in, the files they’ve downloaded, log into a workspace even without knowing their password, etc.

Adversarial Attacks on LLMs
Great overview post by Lilian Weng covering the threat model, types of attacks (token manipulation, gradient based attacks, jailbreaking, human in the loop red teaming, model red teaming), and mitigations. Love the paper references.

• Assess vendor security practices faster by automatically extracting relevant info from SOC 2 reports, DPAs, and other vendor documents.

• Auto-fill out vendor security questionnaires based on your existing library, previous responses, and uploaded policies and documents.

• If you want to add a new framework, it will automatically suggest the best tests and policies for each control based on what you already have.

LLMs are great at text. Notice how these applications are basically a) extract relevant info from text or b) answer questions based on an existing knowledge base.

Where else might these primitives apply at your work?

I had basically a full newsletter worth of links this week, so to keep this email short, I created a standalone page for it.

Check it out for GPTs, tons of advancements in music, images and video, understanding what happened at OpenAI, and more.

Athena-OS/athena-iso
An Arch Linux-based distro focused on cybersecurity, with a range of blue team, red team, pen testing, bug bounty, forensics, mobile analysis, and more tools.

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏