Hope you all had a great weekend. I'm really excited to move things forward with the newsletter and generate new content around it. During the weekend, I've been implementing a few functionalities around Security Pills to speed up a few things, so I can focus on bringing quality content to you and a few other things down the pipeline!
As always, sit comfortably and enjoy today’s newsletter with a cup of coffee ☕️. For the best experience, I recommend checking out this edition on our website; it’s very likely that the email got clipped by your email provider.
I hope you have an incredible week, and happy Thanksgiving to those of you in the States!
Plundering Postman with Porch Pirate
Mand Consulting Group's Dominik Penner introduces Porch Pirate, a comprehensive Postman recon framework that facilitates the automated discovery and exploitation of API endpoints and secrets committed to workspaces, collections, requests, users and teams.
Are we doing vulnerability management all wrong?
Justin Pagano discusses the over-reliance on reactive vulnerability management strategies in the industry and advocates for a more proactive approach. He outlines the Proactive Vulnerability Patch Management Lifecycle (PVPM), a continuous process designed to create effective auto-patching workflows that address vulnerabilities quickly without awaiting scans. This approach is enhanced by integrating the Stakeholder-Specific Patching Prioritization (SSPP) framework, which aids in determining the order and priority for developing auto-patching workflows for different software.
A Deep Dive into our Storage Layout Extractor
smlXL's Tal introduces the Storage Layout Extractor, a tool used to recover the storage layouts of solc-compiled contracts without the need for source code. He discusses the strategy and pipeline, and highlights some details around execution and type-checking.
Scaling Detection and Response Operations at Coinbase
Coinbase's James Dorgan writes a three-part blog series covering some of the strategies and systems that Coinbase's CSIRT has implemented to investigate and respond to threats more effectively. James provides in-depth insights into integrating context into detection logic through both machine and user profiling, deploying automated remediation for high-risk threats, and employing a Slackbot for efficient alert triage.
🧰 CVE Watcher
A security tool that uses the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released and underscore the window of opportunity for attackers to harvest this information and develop exploits. By Aqua Nautilus' Ilay Goldman and Yakir Kadkoda.
A blue team multi-tool that allows you to utilise and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool. By FalconForce's Olaf Hartong.
Terraform Security Best Practices
Sysdig's Nigel Douglas outlines essential security practices for using Terraform. He emphasizes the importance of secure credential management, frequent key rotation, and enforcing the principle of least privilege access policies. Additionally, Douglas highlights the necessity of keeping Terraform modules updated and securely managing state files, among other recommendations.
State of Cloud Security
Datadog's analysis of security data from thousands of cloud users uncovers persistent challenges, such as widespread use of static, long-lived credentials and insufficient MFA enforcement, impacting a significant portion of AWS IAM users. The report also emphasizes the low adoption of IMDSv2 in AWS, and highlights the risks associated with publicly exposed virtual machines and excessive privileges in cloud workloads.
Lambda Extensions: Exploring Misuse Scenarios and Stratus Red Team Module Development
Adan Álvarez discusses how Lambda extensions provide attackers with an easily exploitable method to compromise AWS Lambda functions. These extensions can persist across Lambda invocations and operate independently, enabling attackers to gain persistent access and control over the execution environment and the processed data. Highlighting this vulnerability, the author introduces LambdaSpy, a proof of concept that demonstrates the interception and modification of Lambda invocation events, and has integrated this technique into the Stratus Red Team tool.
Kubernetes Security Observability & Runtime Enforcement
Isovalent's Thomas Graf announces the release of Tetragon 1.0, a Kubernetes-native tool designed for advanced security observability and runtime enforcement. By leveraging eBPF for in-kernel filtering, Tetragon achieves significant reductions in performance overhead, while providing thorough monitoring and logging of network events.
Key Takeaways from the 2023 Kubernetes Security Report
Wiz's Shay Berkovich and Rotem Lipowitch highlight the low container security maturity and the increasing security risks in Kubernetes environments, evidenced by the fact that new clusters are attacked within 22 minutes of creation. The research, based on over 200,000 cloud account scans, reveals that only 9% of clusters use network policies for in-cluster traffic separation, indicating a lack of adoption of the main security features.
The authors propose proactive measures such as continuous external exposure scanning, regular vulnerability remediation, and the aggressive use of in-cluster separation controls with smart namespace-based isolation and RBAC.
Adversarial Attacks on LLMs
OpenAI's Lilian Weng writes a deep dive into five types of adversarial attacks on large language models (LLMs): token manipulation, gradient-based attacks, jailbreak prompting, human red-teaming, and model red-teaming. These methods aim to trigger LLMs into producing undesirable content. The author not only details these attack methodologies but also discusses potential defenses to prevent such attacks.
Probably one of the most thorough and detailed articles that I've seen on adversarial attacks, a must-read for understanding LLM security! 🤯
Multi-modal prompt injection image attacks against GPT-4V
Simon Willison describes various image-based prompt injection attacks on GPT-4 Vision, such as visually hiding the injection within an image and using it for data exfiltration. Simon also reflects on how prompt injection attacks remain a stubbornly unsolved problem, since LLMs are gullible and differentiating between 'good' and 'bad' instructions is currently an intractable problem.
YouShallNotPass! Hardening CI/CD pipelines on mission critical environments
Kudelski's Pierre Dumont presents the development of YouShallNotPass (YSNP), an open-source tool crafted to improve the security of GitLab and GitHub pipeline executions. YSNP serves as a gatekeeper, verifying job executions against predefined criteria, including repository permissions, approved Docker images, and pre-approved jobs, among others. Additionally, Pierre outlines three key use cases where YSNP effectively thwarted potential threats, such as runner hijacking, malicious modification of the repository, and user impersonation.
CI/CD Secrets Extraction, Tips and Tricks
Synacktiv's Hugo Vincent and Theo Louis-Tisserand describe the inner mechanisms of CI/CD pipeline secrets extraction by presenting different scenarios on Azure DevOps and GitHub, such as extracting secrets from Azure RM service connection or using OpenID connect trust relationships in GitHub. The authors also describe some bypass techniques against hardened environments and have published Nord Stream, a tool to automate this process.
SLSA - Supply chain threats
A really well-documented introduction with real-world examples of possible attacks throughout the supply chain and how SLSA can help.
Hunting Vulnerable Kernel Drivers
VMware's Takahiro Haruyama details the process used to identify vulnerable kernel drivers that grant firmware access via port I/O and memory-mapped I/O. The article focuses on drivers, including those for legacy hardware, that remain in use despite lacking active support. As Haruyama explains, these drivers present a unique attack vector, since Windows allows loading drivers with expired or revoked certificates.
250+ production-ready osquery queries for detection & incident response. The detection queries are formulated to return zero rows during normal expected behavior, so they can be configured to generate alerts when rows are returned.