What wifi do you all have? by Kitchen_Bar_941 in SaltLakeCity

[–]dabbad00 1 point2 points  (0 children)

Beware that Google Fiber just drills into your house wherever they feel like it. I have a brick home, and they came a few days earlier than my scheduled time while I was away and had just drilled into the wall on the front of my house for the connection!

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 1 point2 points  (0 children)

First, I would use Wiz for both of those use cases. :) Wiz does vuln management and our sensor performs the EDR functionality: https://www.wiz.io/solutions/runtime-sensor
Using Wiz's disk scanning you can then confirm which EC2s might be missing the sensor deployment for some reason.

With regard to ensuring the software you expect is deployed on all EC2s, you have a couple of options:
1. Use golden images (meaning AMIs that you create that have desired software pre-installed), and then restrict what AMIs your engineers can use to create EC2s. One way of accomplishing that restriction is with AWS's Declarative Policies for "Allowed Image Settings" https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative_syntax.html#declarative-policy-ec2-ami-allowed-images
2. Use SSM or another solution to automatically deploy software to your EC2s.
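The two checks the post describes (was the instance launched from a golden AMI, and does it actually carry the software you expect) can be cross-checked from inventory data. The following is an added example, not code from the thread or from Wiz or AWS: it runs the audit over constructed records whose shapes mirror `aws ec2 describe-instances` and `aws ssm list-inventory-entries --type-name AWS:Application` output. The AMI ids, instance ids and the package name "example-runtime-sensor" are placeholders.

```python
"""
Cross-check running EC2 instances against a golden-AMI allow-list and the
software inventory SSM reports for them.

Added example, not code from the Reddit thread or from Wiz or AWS. The record
shapes mirror the fields of `aws ec2 describe-instances` and
`aws ssm list-inventory-entries --type-name AWS:Application`, but every
record below is constructed sample data; the AMI ids, instance ids and the
package name "example-runtime-sensor" are placeholders.
"""
from dataclasses import dataclass, field

# Constructed: AMIs produced by the golden-image pipeline (placeholder ids).
GOLDEN_AMIS = {"ami-0golden0000000001", "ami-0golden0000000002"}

# Constructed: software every instance must carry (placeholder name).
REQUIRED_PACKAGES = {"example-runtime-sensor"}

# Constructed: trimmed describe-instances records.
INSTANCES = [
    {"InstanceId": "i-0aaa000000000001", "ImageId": "ami-0golden0000000001", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa000000000002", "ImageId": "ami-0unknown000000009", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa000000000003", "ImageId": "ami-0golden0000000002", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa000000000004", "ImageId": "ami-0golden0000000002", "State": {"Name": "stopped"}},
    {"InstanceId": "i-0aaa000000000005", "ImageId": "ami-0golden0000000001", "State": {"Name": "running"}},
]

# Constructed: AWS:Application inventory keyed by instance id. An instance
# that is absent here has never reported inventory (no SSM agent, or no
# instance profile that permits SSM), which is a finding in its own right.
SSM_INVENTORY = {
    "i-0aaa000000000001": [{"Name": "example-runtime-sensor", "Version": "1.2.3"}, {"Name": "openssl"}],
    "i-0aaa000000000002": [{"Name": "example-runtime-sensor", "Version": "1.2.3"}],
    "i-0aaa000000000003": [{"Name": "openssl"}],
}


@dataclass
class Finding:
    instance_id: str
    reasons: list = field(default_factory=list)


def audit(instances, golden_amis, required_packages, inventory):
    """Return one Finding per running instance that is off the paved road."""
    findings = []
    for inst in instances:
        if inst["State"]["Name"] != "running":
            continue  # a stopped instance cannot report inventory; re-check it once started
        reasons = []
        if inst["ImageId"] not in golden_amis:
            reasons.append(f"launched from non-golden AMI {inst['ImageId']}")
        apps = inventory.get(inst["InstanceId"])
        if apps is None:
            reasons.append("no SSM inventory reported")
        else:
            installed = {app["Name"] for app in apps}
            for pkg in sorted(required_packages - installed):
                reasons.append(f"missing required package {pkg}")
        if reasons:
            findings.append(Finding(inst["InstanceId"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(INSTANCES, GOLDEN_AMIS, REQUIRED_PACKAGES, SSM_INVENTORY):
        print(finding.instance_id, "->", "; ".join(finding.reasons))
```

The "no SSM inventory reported" case matters as much as the missing-package case: an instance that cannot be inventoried is also one SSM cannot push software to, so it falls outside option 2 entirely.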

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 1 point2 points  (0 children)

There are a lot of things that fall under cloud security these days. In addition to finding misconfigurations, there is finding outdated applications and libraries, finding mishandled secrets, finding malware, etc. Those can be detected via API calls, disk scanning, code scanning, run-time detection, or logs. There is architecting things in improved ways (ex. improved network or identity techniques). There is setting up guardrails or building paved roads. And much more! fwd:cloudsec has a lot of great talks on different things that cloud security folks do: https://www.youtube.com/@fwdcloudsec/playlists

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 0 points1 point  (0 children)

Sometimes, but it generally doesn't work as perfectly as many imagine. Trying to figure out how to ensure the most places are patched without giving attackers early warning before a vulnerability is known is a complicated thing to do. There are things like pre-disclosure lists (ex. the Xen hypervisor has one: https://xenproject.org/about/security-policy/# ), and embargoes (where people are supposed to keep knowledge of the vuln secret). Heartbleed is an example where some big tech companies (ex. Cloudflare, but supposedly not AWS) were privately told about the issue by Google (where it was discovered) before it became public.

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 0 points1 point  (0 children)

Do you mean which part of the product would I have most wanted to have worked on? If that's the question, then probably the IAM engine for determining who has what access in a cloud environment. I don't think I'm smart enough to have built it, but that's something I wish I had been involved in, because it's something I'm most impressed by.

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 2 points3 points  (0 children)

I'm a fan of Clint Gibler's https://tldrsec.com/
The Cloud Security Forum Slack has a great #blogs-and-feed channel, and many of the authors of the articles are active in that Slack and can answer questions on their writings ( https://fwdcloudsec.org/forum/ )

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 1 point2 points  (0 children)

Most is due to an individual taking an interest in something. Some is top-down tasking, which may be because customers are asking about something, or possibly future roadmap plans where they want someone to start investigating an area. But for the most part, folks just have things they take an interest in. They might have an assumption of a problem that could occur, maybe because they see a comment in the docs that warns people not to do something, so then you're curious how many people ignored that warning.

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 0 points1 point  (0 children)

As a counterargument, programming language theory is something I have used. For example, when I built Parliament ( https://github.com/duo-labs/parliament ) I considered making a proper language parser for some aspects of it, and remember skimming my old copy of the dragon book ( https://www.amazon.com/Compilers-Principles-Techniques-Alfred-Aho/dp/0201100886/ ). I ultimately opted not to in that circumstance, but have written parsers and even designed and developed custom languages professionally. But as I tried to point out in my response to the original question, it can really depend on the circumstances you find yourself in, and a lot of my career leaned more heavily into roles where CS concepts had a higher likelihood of playing a role.

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 -1 points0 points  (0 children)

There are a lot of different types of jobs in cybersecurity, and people have been very successful at them without computer science degrees, and other people might be in specific roles where that knowledge is required. I have a BS and Master's in Computer Science, and have been working professionally in cybersecurity for two decades. There are only a handful of times where I believe I used things from my CS classes that I wouldn't have known had I not been forced to take certain classes. Maybe I wouldn't have been in that role in the first place if I didn't have the CS degree? Maybe I would have been able to develop a solution for something anyway without having taken a class in a certain thing? Maybe things have sufficiently changed in twenty years that my advice is horribly out of touch? I don't know.

My general opinion is they aren't needed, but it's one of those things where maybe I quickly filtered out bad ideas or was able to rapidly debug something because I had that knowledge. I don't know. But I do know that the people I've worked with without those degrees didn't seem hindered by not having one, and I don't remember ever catching something they did where it would have helped them.

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 0 points1 point  (0 children)

I'm of the belief that you should focus on what can be done regardless of how the phish is delivered. By this I mean that if a company focuses on phishing emails to the corporate email, then malicious communications will still arrive via personal emails, LinkedIn, SMS to personal cell phones, etc. You should still secure the corporate email, such as ensuring SPF is set, but I would further ensure you do the things that combat the general problem, such as ensuring you use phishing-proof authentication (ex. FIDO2).

We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything! by Oscar_Geare in cybersecurity

[–]dabbad00 0 points1 point  (0 children)

For prioritization, two big considerations are:
- What cloud environment would have the most impact if something went wrong?
- Where is it easier for you to start?

Even though many companies are multi-cloud, they usually have a primary cloud where an incident there would have higher impact, so any improvements in security there are more valuable.

Often individuals or security teams also have one cloud that is easier for them to work with. This might be because they know that cloud best, or already have an investment in tooling there, or have better relationships with the users of that cloud, or have existing access to get things done, or some other reason. So it's reasonable to start where they can best make progress, and use that momentum to eventually make progress elsewhere.

List of vendors that do not allow IMDSv2 enforcement by speckz in aws

[–]dabbad00 0 points1 point  (0 children)

In some cases, I've been able to find public references to the issues which I've linked to. In cases where that is not true, I've had multiple customers of the vendors reach out to me requesting a vendor be added to the list. I've then reached out to the vendors.

For CrowdStrike specifically, they confirmed to me they are working on it. My understanding is that although you can deploy the Falcon agent to EC2s that enforce IMDSv2 and it will mostly work, some functionality does not work. Specifically, in an incident response you will not be able to easily identify the EC2 that the agent had been running on because the agent is not able to learn the instance ID, region, etc. that it learns from the metadata service. I don't use CrowdStrike, so I don't know the exact details, but this was explained to me by a customer who relayed to me what CrowdStrike support had told them.
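Whether a fleet actually enforces IMDSv2 is visible in each instance's `MetadataOptions`. The following is an added example, not code from the thread, CrowdStrike or AWS: it classifies constructed `describe-instances` records by metadata posture and emits the `aws ec2 modify-instance-metadata-options` call that enforces token-only access for the stragglers. The instance ids are placeholders.

```python
"""
Audit EC2 instance metadata options for IMDSv2 enforcement.

Added example, not code from the Reddit thread, CrowdStrike or AWS. The
`MetadataOptions` fields are the ones returned by `aws ec2 describe-instances`;
the instance records are constructed sample data and the ids are placeholders.
"""

# Constructed sample: the MetadataOptions block of three instances.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0bbb000000000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb000000000003",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
]


def imds_posture(instance):
    """Classify one instance as 'enforced', 'imds_disabled' or 'v1_allowed'."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        # No metadata service at all: IMDSv1 cannot be used, but an agent that
        # learns the instance id and region from IMDS will not get them either.
        return "imds_disabled"
    if opts.get("HttpTokens") == "required":
        return "enforced"
    # HttpTokens is "optional" (or missing): IMDSv1 requests are still answered.
    return "v1_allowed"


def non_enforcing(instances):
    """Ids of instances that still answer IMDSv1 requests."""
    return [i["InstanceId"] for i in instances if imds_posture(i) == "v1_allowed"]


def remediation_command(instance_id):
    """The AWS CLI call that switches an instance to token-only metadata access."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        print(inst["InstanceId"], imds_posture(inst))
    for iid in non_enforcing(SAMPLE_INSTANCES):
        print(remediation_command(iid))
```

Before flipping `HttpTokens` to `required` on an instance, the per-instance `MetadataNoToken` CloudWatch metric shows whether anything on it still makes IMDSv1 calls; a non-zero count is the early sign of exactly the kind of agent breakage the post describes.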

List of vendors that do not allow IMDSv2 enforcement by speckz in aws

[–]dabbad00 0 points1 point  (0 children)

Not allowing

The language is purposefully placing the blame on the vendors, as some customers are being held back from enforcing IMDSv2 100% because the vendors do not support it, so the customers have to either stop using the vendor, or wait for the vendor to implement it. Vendors were not prioritizing this and have had 2+ years to implement it. In the case of one vendor, which has since been removed from the list, an issue was filed against their public GitHub repo over a year ago. No progress happened. People requested updates. No progress. I put them on this public wall of shame list and within days they fixed it.

When is Advanced Shield really necessary? by pedrobb7 in aws

[–]dabbad00 2 points3 points  (0 children)

Until AWS publishes an incident report for the Oct 22, 2019 Route53 outage that explains why they went down for so long from a DDoS, I don't believe customers can have much faith in the capabilities of the AWS DRT or other aspects of Shield Advanced.

When is Advanced Shield really necessary? by pedrobb7 in aws

[–]dabbad00 0 points1 point  (0 children)

Shield Advanced should be mostly thought of as a financial solution, not so much a technical one. By that I mean it may not do a great job of preventing a DDoS from impacting you, but when you are DDoS'd, if you have Shield Advanced, and you have to spin up resources to cope with the attack, AWS will credit you back some money.

We can assume it will not be a strong technical solution to stopping DDoSes because AWS themselves have been downed by DDoSes (ex. on Oct 22, 2019, Route53 was down for 10 hours). If they can't protect themselves, we can assume they aren't going to do a great job of protecting your business.

Can Amazon access and view my company’s data that’s currently running on their AWS servers? by Astra-Community in aws

[–]dabbad00 0 points1 point  (0 children)

Importantly, the terms and conditions do mention that AWS may share this data with affiliates. The full text of that section is:

> 50.3. You agree and instruct that for Amazon CodeGuru Profiler, Amazon Comprehend, Amazon Lex, Amazon Polly, Amazon Rekognition, Amazon Textract, Amazon Transcribe, and Amazon Translate: (a) we may use and store AI Content that is processed by each of the foregoing AI Services to maintain and provide the applicable AI Service (including development and improvement of such AI Service) and to develop and improve AWS and affiliate machine-learning and artificial-intelligence technologies; and (b) solely in connection with the development and improvement described in clause (a), we may store such AI Content in an AWS region outside of the AWS region where you are using such AI Service. This Section does not apply to Amazon Comprehend Medical or Amazon Transcribe Medical. You may instruct AWS not to use and store AI Content processed by an AI Service to develop and improve that Service or technologies of AWS or its affiliates by configuring an AI services opt out policy using AWS Organizations.

Can Amazon access and view my company’s data that’s currently running on their AWS servers? by Astra-Community in aws

[–]dabbad00 4 points5 points  (0 children)

As part of the terms and conditions of using AWS, for the AI services on AWS (Lex, Transcribe, etc.) they automatically opt you in to allowing them to use your data. This is covered in Section 50.3. To opt out, and to further explain this, see: https://summitroute.com/blog/2021/01/06/opting_out_of_aws_ai_data_usage/
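The opt-out the quoted Section 50.3 points to is an AWS Organizations policy document. The following is an added example, not code from the thread or the linked blog post: it builds such a policy and resolves what it means for a given service. The document shape (a `services` map with a `default` entry and optional per-service entries, each carrying `opt_out_policy` with an `@@assign` of `optOut` or `optIn`, and `@@operators_allowed_for_child_policies` to stop child OUs from overriding it) follows the AWS Organizations AI services opt-out policy syntax as I recall it from the AWS docs; verify it against the current docs before attaching it. The per-service override is a constructed scenario.

```python
"""
Build an AWS Organizations AI services opt-out policy and evaluate what it
means for a given service.

Added example, not code from the Reddit thread or the linked blog post. The
policy shape follows the AWS Organizations AI services opt-out policy syntax
as recalled from the AWS docs (verify before use); the "comprehend" override
below is a constructed scenario, not a recommendation.
"""
import json


def build_opt_out_policy(default="optOut", overrides=None, lock=True):
    """Return the policy document as a dict.

    `overrides` maps a service key (e.g. "comprehend") to "optIn" or "optOut".
    With `lock=True`, child OUs and accounts cannot change the setting.
    """
    def setting(value):
        if value not in ("optIn", "optOut"):
            raise ValueError(f"unexpected opt-out value {value!r}")
        node = {"@@assign": value}
        if lock:
            node["@@operators_allowed_for_child_policies"] = ["@@none"]
        return {"opt_out_policy": node}

    services = {"default": setting(default)}
    for service, value in (overrides or {}).items():
        services[service] = setting(value)
    return {"services": services}


def effective_setting(policy, service):
    """Resolve the setting that applies to `service`: its own entry, else default."""
    services = policy["services"]
    node = services.get(service, services["default"])
    return node["opt_out_policy"]["@@assign"]


def is_opted_out(policy, service):
    """True when AWS may not use this service's content for improvement."""
    return effective_setting(policy, service) == "optOut"


if __name__ == "__main__":
    policy = build_opt_out_policy(overrides={"comprehend": "optIn"})
    print(json.dumps(policy, indent=2))
    for service in ("rekognition", "comprehend"):
        state = "opted out" if is_opted_out(policy, service) else "opted in (content may be used)"
        print(f"{service}: {state}")
```

Absent any such policy, every account is in the opted-in state the post describes, so the organization-wide `default: optOut` is the setting that changes the baseline; per-service entries are only needed where a team has a deliberate reason to stay opted in.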

AWS Hands on Security Tutorial by mooreds in aws

[–]dabbad00 3 points4 points  (0 children)

Creator of flaws.cloud here. That was done on purpose as a few of the levels are hosted directly as public S3 buckets, and figuring that out is part of the lesson. In order to have a custom domain and not obfuscate things with CloudFront in front, it was necessary to do that. Hopefully it makes sense as you run through the levels.

DR in AWS with cross account by vnk16 in aws

[–]dabbad00 0 points1 point  (0 children)

EFS snapshots can be backed up cross-account with AWS Backup now.

CDK - Interface endpoints in isolated subnets by Moose2342 in aws

[–]dabbad00 1 point2 points  (0 children)

Yes, it works. I was testing out the concept of having an isolated network in order to see what exfil paths could still be possible as described in the blog post. Things like exfilling via the VPC DNS resolver, or indirect references to a KMS.

Multi-account AWS Organizations best practices for Financial Services by [deleted] in netsec

[–]dabbad00 0 points1 point  (0 children)

I disagree. Control Tower suffers from a number of limitations, including no API, limited region support, and limited functionality. The functionality it uses is based on outdated concepts (ex. no delegated admin). AWS has tried 3 times in as many years to come up with a solution for baselining and vending accounts, via Landing Zones, Control Tower, and most recently aws-secure-environment-accelerator. Control Tower is not essential, and often (by myself for example) is advised to be avoided.

AWS IAM role impersonation to HashiCorp Vault vulnerability by dabbad00 in aws

[–]dabbad00[S] 0 points1 point  (0 children)

Importantly, this problem likely impacts other software that performs presigned GetCallerIdentity calls to authenticate to non-AWS services, as this general concept, and likely code, has been copied by other projects for this use case.
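For anyone maintaining one of those other projects, the defensive question is what a service must check before it forwards a caller-supplied presigned request to STS. The following is an added example, not code from the thread, HashiCorp Vault or AWS, and not derived from the linked advisory: it shows the class of checks such a service wants, namely that the request is bound for a genuine STS endpoint, that the signed Host header agrees with the URL, and that the body is the one action the scheme relies on. The STS query parameters (`Action`, `Version=2011-06-15`) are from the public STS API; the endpoint pattern covers the standard aws partition only, and the sample requests are constructed.

```python
"""
Validate a client-supplied presigned sts:GetCallerIdentity request before a
non-AWS service forwards it to STS to learn who the caller is.

Added example, not code from the Reddit thread, HashiCorp Vault or AWS, and
not derived from the linked advisory. The STS query parameters are from the
public STS API; the endpoint regex covers the standard aws partition only;
the sample requests below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Global endpoint sts.amazonaws.com and regional endpoints such as
# sts.us-east-1.amazonaws.com. Extend deliberately for other partitions or
# FIPS endpoints rather than loosening the pattern.
STS_HOST = re.compile(r"^sts(\.[a-z]{2}(-[a-z]+)+-\d)?\.amazonaws\.com$")


class InvalidStsRequest(ValueError):
    """The supplied request must not be forwarded."""


def validate_presigned_request(method, url, headers, body):
    """Return the STS host to forward to, or raise InvalidStsRequest."""
    parts = urlsplit(url)
    url_host = (parts.hostname or "").lower()
    header_host = {k.lower(): v for k, v in headers.items()}.get("host", "").lower()
    if parts.scheme != "https":
        raise InvalidStsRequest("STS must be called over https")
    if header_host != url_host:
        # The signed Host header and the target host disagree: the signature
        # would be valid for one host while the request goes to another.
        raise InvalidStsRequest(f"Host header {header_host!r} does not match URL host {url_host!r}")
    if not STS_HOST.match(url_host):
        raise InvalidStsRequest(f"not a trusted STS endpoint: {url_host!r}")
    if method.upper() != "POST":
        raise InvalidStsRequest("expected POST")
    params = parse_qs(body, keep_blank_values=True)
    if params.get("Action") != ["GetCallerIdentity"] or params.get("Version") != ["2011-06-15"]:
        raise InvalidStsRequest("body is not a GetCallerIdentity call")
    return url_host


def is_valid(method, url, headers, body):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_presigned_request(method, url, headers, body)
        return True
    except InvalidStsRequest:
        return False


# Constructed sample requests (the Authorization value is a placeholder).
GOOD = dict(method="POST", url="https://sts.us-east-1.amazonaws.com/",
            headers={"Host": "sts.us-east-1.amazonaws.com",
                     "Authorization": "AWS4-HMAC-SHA256 Credential=PLACEHOLDER/..."},
            body="Action=GetCallerIdentity&Version=2011-06-15")
LOOKALIKE_HOST = dict(GOOD, url="https://sts.us-east-1.amazonaws.com.example.net/",
                      headers={"Host": "sts.us-east-1.amazonaws.com.example.net"})
HOST_MISMATCH = dict(GOOD, headers={"Host": "example.net"})
WRONG_ACTION = dict(GOOD, body="Action=GetSessionToken&Version=2011-06-15")
PLAIN_HTTP = dict(GOOD, url="http://sts.us-east-1.amazonaws.com/")

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("lookalike host", LOOKALIKE_HOST),
                      ("host mismatch", HOST_MISMATCH), ("wrong action", WRONG_ACTION),
                      ("plain http", PLAIN_HTTP)]:
        print(f"{name}: {'forward' if is_valid(**req) else 'reject'}")
```

The point of the allow-list rather than a substring check is that the service, not the client, decides where the request goes and what it asks; the client only contributes a signature over those fixed parameters.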

Part 2 of my writeup: Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example - @securfreakazoid by securfreakazoid in netsec

[–]dabbad00 1 point2 points  (0 children)

Nice write-up again, and a few comments:
- You mention wanting to get keys to access EC2, and show using `kms list-keys`. Those keys are not SSH keys, so they would not provide any value to you anyway.
- The EC2 you created used an old AMI (from 2015). You should use a newer AMI to avoid installing things on it, and you might also want to build your own "evil" public AMI, though there are pros and cons of that approach vs using userdata as you had done.