Mar 31, 2022

Getting Started with Microsoft Defender for Cloud


Microsoft Defender for Cloud provides you with a Secure Score, which measures the configuration of the resources in your Azure subscription against the Azure Security Benchmark.

Defender for Cloud can also associate additional compliance policies with the subscription, so you can compare your deployment and configuration against each of them.

This video provides a walkthrough of enabling Defender for Cloud for the first time and associating a compliance policy that is used to measure the security of the subscription.


Mar 29, 2022

Update on Known Exploited Vulnerabilities

Quick update on CISA's Known Exploited Vulnerabilities catalog.

  • Total vulns: 602
  • Overdue vulns: 247
  • Upcoming vulns: 355
  • Vendors: 120
  • Products: 326

cisa-alerts.py

32 vulnerabilities were added to the list (19 from Microsoft). All the details are available for download from CISA. Please refer to the previous post.

(If you notice an extra .2 in the catalog version, it comes from CISA.)

2022.03.28.2


Links:

  • https://myseq.blogspot.com/2022/03/cisa-known-exploited-vuln-catalog.html

Mar 28, 2022

CISA Known Exploited Vuln Catalog

On Nov 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the U.S. Department of Homeland Security (DHS), released Binding Operational Directive (BOD) 22-01. It is high-level and high-impact, and unusually direct: it requires mitigating a specific list of vulnerabilities within a strict time frame.

CISA BOD 22-01 has three points specific to patching requirements:

  1. Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog.
  2. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within six months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities.
  3. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.

Overall, this seems to follow patching guidance many commercial entities already use. This catalog is called the Known Exploited Vulnerabilities (KEV) catalog, and CISA strongly recommends that everyone review and monitor the catalog and remediate the listed vulnerabilities to strengthen their security and resilience posture.

CISA will update this catalog with additional exploited vulnerabilities as they become known, subject to CISA review and when they satisfy the following thresholds:

  • The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
  • There is reliable evidence that the vulnerability has been actively exploited in the wild.
  • There is a clear remediation action for the vulnerability, such as a vendor provided update.


cisa-alerts.py

The simple Python script shows the top-n vendors and the top-n products found in the JSON file. It can also emit a Kenna query string over the CVEs, split into overdue and upcoming CVEs.
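As an added example (not the post's own cisa-alerts.py), here is a small Python script that does the same kind of bookkeeping over the KEV JSON layout: totals, the overdue/upcoming split by dueDate, and top-n vendors and products. The catalog data below is constructed, and the cve:"..." query syntax is an assumption rather than Kenna's actual grammar.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed (not real catalog data).
# Field names cveID, vendorProject, product and dueDate follow the feed's schema.
SAMPLE_CATALOG = json.dumps({
    "catalogVersion": "2022.03.28.2",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "ProdX", "dueDate": "2022-03-01"},
        {"cveID": "CVE-0000-0002", "vendorProject": "VendorA", "product": "ProdY", "dueDate": "2022-04-11"},
        {"cveID": "CVE-0000-0003", "vendorProject": "VendorB", "product": "ProdX", "dueDate": "2022-04-11"},
        {"cveID": "CVE-0000-0004", "vendorProject": "VendorC", "product": "ProdZ", "dueDate": "2022-03-15"},
    ],
})

def summarize(catalog_json, today, top_n=5):
    """Overdue/upcoming split by dueDate vs. today, plus vendor and product rankings."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    catalog = json.loads(catalog_json)
    vulns = catalog["vulnerabilities"]
    overdue = sorted(v["cveID"] for v in vulns if date.fromisoformat(v["dueDate"]) < today)
    upcoming = sorted(v["cveID"] for v in vulns if date.fromisoformat(v["dueDate"]) >= today)
    vendors = Counter(v["vendorProject"] for v in vulns)
    # A product name shared by two vendors counts once per vendor.
    products = Counter((v["vendorProject"], v["product"]) for v in vulns)
    return {
        "version": catalog["catalogVersion"],
        "total": len(vulns),
        "overdue": overdue,
        "upcoming": upcoming,
        "vendors": len(vendors),
        "products": len(products),
        "top_vendors": vendors.most_common(top_n),
        "top_products": products.most_common(top_n),
    }

def cve_query(cve_ids):
    """OR-joined search string for the CVEs; the cve:"..." syntax is an assumption, not Kenna's grammar."""
    return " OR ".join(f'cve:"{c}"' for c in cve_ids)

if __name__ == "__main__":
    # For the real feed, pass the downloaded JSON text instead of SAMPLE_CATALOG.
    stats = summarize(SAMPLE_CATALOG, date.today())
    print(f"Catalog {stats['version']}: {stats['total']} vulns, "
          f"{len(stats['overdue'])} overdue, {len(stats['upcoming'])} upcoming")
    print("Overdue query:", cve_query(stats["overdue"]))
```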



Mar 21, 2022

CISA’s Supply Chain Task Force

In 2018, the Cybersecurity and Infrastructure Security Agency (CISA) established the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force as a public-private joint effort to build partnerships and enhance ICT supply chain resilience. 

The Task Force is dedicated to identifying threats and developing solutions to enhance resilience by reducing the attack surface of critical infrastructure. This diverse group is poised perfectly to evaluate existing practices and elevate them to new heights by enhancing existing standards and frameworks with up-to-date practical advice.

The core of the task force is the working groups. These groups are created and disbanded as needed to address core areas of the cyber supply chain. Some of the working groups have been concentrating on areas like:

  • The legal risks of information sharing
  • Evaluating supply chain threats
  • Identifying criteria for building Qualified Bidder Lists and Qualified Manufacturer Lists
  • The impacts of the COVID-19 pandemic on supply chains
  • Creating a vendor supply chain risk management template


Every week, CISA is promoting resources, tools, and information, including those developed by the public-private ICT Supply Chain Risk Management (SCRM) Task Force.

  • Week 1: Building Collective Supply Chain Resilience
  • Week 2: Assessing ICT Trustworthiness
  • Week 3: Understanding Supply Chain Threat
  • Week 4: Knowing the Essentials


Links:

  • https://www.rapid7.com/blog/post/2022/03/14/an-inside-look-at-cisas-supply-chain-task-force/
  • https://www.cisa.gov/supply-chain-integrity-month

Mar 18, 2022

CodExt – Python Codecs extension

CodExt is a (Python2-3 compatible) library that extends the native codecs library (namely for adding new custom encodings and character mappings), hence its name combining CODecs EXTension. It provides 120+ new codecs and also features a guessing mode for decoding multiple layers of encoding and CLI tools for convenience.


Links:

  • https://github.com/dhondta/python-codext
  • https://hakin9.org/codext-encode-decode-anything-with-python/

Mar 17, 2022

BruteShark - A Network Analysis Tool

BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It can extract passwords, build a network map, reconstruct TCP sessions, and extract hashes of encrypted passwords, even converting them to Hashcat format in order to perform an offline brute-force attack.

The main goal of the project is to give security researchers and network administrators a solution for network traffic analysis while they try to identify weaknesses that a potential attacker could use to gain access to critical points on the network.

What it can do

  • Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
  • Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
  • Build a visual network diagram (Network nodes & users)
  • Reconstruct all TCP Sessions

Download

$ wget https://github.com/odedshimon/BruteShark/releases/latest/download/BruteSharkCli.zip
$ unzip BruteSharkCli.zip
$ mono BruteSharkCli/BruteSharkCli.exe


Links:

  • https://github.com/odedshimon/BruteShark/
  • https://hakin9.org/brute-shark-a-network-analysis-tool/

Mar 16, 2022

Cloudlist - a tool for listing assets from multiple Cloud Providers by ProjectDiscovery

Cloudlist is a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers. This is intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with very little configuration efforts.

Features

  • Easily list Cloud assets with multiple configurations.
  • Multiple cloud providers support.
  • Highly extensible making adding new providers a breeze.
  • STDOUT support to work with other tools in pipelines.


Links:

  • https://github.com/projectdiscovery/cloudlist
  • https://hakin9.org/cloudlist-a-tool-for-listing-assets-from-multiple-cloud-providers/

Mar 3, 2022

OVAL and CVRF

Open Vulnerability and Assessment Language (OVAL)

An OVAL definition is a file designed for use by automated test tools to determine the patch state of a machine. It is developed by NIST.

CVRF is not designed to determine the patch state of a machine, but it can provide an alternative machine-readable version of security advisories.


Common Vulnerability Reporting Framework (CVRF)

The goal of CVRF is to share information about security updates (security advisories) in an XML machine-readable format. It was developed by ICASI (which was integrated into FIRST in June 2021).

CVRF has been transitioned to the OASIS Common Security Advisory Framework (CSAF) Technical Committee.

The most commonly supported CVRF version today is v1.1.


What are the differences between OVAL and CVRF?

OVAL is a definition file used by scanning tools to perform assessments, while CVRF is a format for security advisory documents.

OVAL is available as a roll-up definition file per OS version, such as Ubuntu Focal, containing all the patch information since the release's first day.

CVRF documents are usually provided by the OS vendor on a regular basis. For example, Microsoft publishes monthly security advisories in CVRF format, which can be retrieved via an API call with a parameter such as 2021-apr.

Think of OVAL as being for security scanning (with OpenSCAP), and CVRF as just the security advisories (not for assessment) used to communicate security information to customers.

Both are machine-readable XML formats.
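To make the "advisory document, not assessment" distinction concrete, here is an added Python example (not from the post or any vendor) that pulls the advisory ID and, per vulnerability, the CVE, affected product names and vendor-fix URLs out of a minimal CVRF document. The document is constructed, and the namespace URIs and element names are assumed from the CVRF 1.1 schema.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (assumption: the ICASI CVRF 1.1 schema URIs).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}

# Constructed minimal advisory in CVRF 1.1 layout; not a real vendor document.
SAMPLE_CVRF = f"""<cvrf:cvrfdoc xmlns:cvrf="{NS['cvrf']}" xmlns:vuln="{NS['vuln']}" xmlns:prod="{NS['prod']}">
  <cvrf:DocumentTitle>Example monthly security update (constructed)</cvrf:DocumentTitle>
  <cvrf:DocumentTracking><cvrf:ID>2021-apr</cvrf:ID></cvrf:DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="1">Example OS 10</prod:FullProductName>
    <prod:FullProductName ProductID="2">Example Server 2019</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Example Kernel Elevation of Privilege</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>1</vuln:ProductID><vuln:ProductID>2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Remediations>
      <vuln:Remediation Type="Vendor Fix"><vuln:URL>https://example.invalid/kb/1</vuln:URL></vuln:Remediation>
    </vuln:Remediations>
  </vuln:Vulnerability>
</cvrf:cvrfdoc>"""

def parse_cvrf(xml_text):
    """Return the advisory ID plus, per vulnerability, CVE, title, affected product names and fix URLs."""
    root = ET.fromstring(xml_text)
    # Map ProductID -> human-readable name from the product tree.
    names = {p.get("ProductID"): p.text for p in root.iterfind(".//prod:FullProductName", NS)}
    entries = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        entries.append({
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "title": v.findtext("vuln:Title", namespaces=NS),
            # Resolve product IDs listed as "Known Affected" to their names.
            "affected": [names.get(p.text, p.text) for p in v.iterfind(
                "vuln:ProductStatuses/vuln:Status[@Type='Known Affected']/vuln:ProductID", NS)],
            "fixes": [u.text for u in v.iterfind(
                "vuln:Remediations/vuln:Remediation[@Type='Vendor Fix']/vuln:URL", NS)],
        })
    return {"id": root.findtext("cvrf:DocumentTracking/cvrf:ID", namespaces=NS),
            "vulnerabilities": entries}

if __name__ == "__main__":
    for entry in parse_cvrf(SAMPLE_CVRF)["vulnerabilities"]:
        print(entry["cve"], entry["title"], "->", entry["affected"], entry["fixes"])
```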


Vendor Support

Most OS vendors support OVAL and provide OVAL downloads for free. For example, Red Hat has provided OVAL definitions since 2006, and has provided CVRF documents for all Red Hat security advisories across all products since 2012.

So far, Microsoft only provides CVRF documents, with an API call to access them by a YYYY-mmm identifier.


Global Cyber Conflict

With the increase of Cyber conflict at the global level, we should expect increasing risks of cybersecurity attacks and incidents.

Be prepared to face attacks such as:

  • Malware infection
  • DDoS
  • Phishing attacks
  • Brute-force attacks
  • Defacement
  • Ransomware


Be prepared for:

  • Evaluate asset and application configurations to ensure resilience
  • Double-check visibility into the functioning of business-critical assets
  • Assess incident response processes in case of an incident


Mitigation and remediation:

  1. Continuous monitoring
  2. Incident response plan
  3. Back up data
  4. Reduce opportunities for attackers
  5. Stay informed 


Mar 2, 2022

Containerless on Kubernetes

WebAssembly (Wasm) is one of the most exciting and underestimated software technologies invented in recent times. It's a binary instruction format for a stack-based virtual machine that aims to execute at native speeds with a memory-safe and secure sandbox. 

Wasm is portable, cross-platform, and language-agnostic—designed as a compilation target for languages. Though originally part of the open web platform, it has found use cases beyond the web. WebAssembly is now used in browsers, Node.js, Deno, Kubernetes, and IoT platforms.

WebAssembly on Kubernetes

Though initially designed for the web, WebAssembly proved to be an ideal format for writing platform and language-agnostic applications. 

You may be aware of something similar in the container world—Docker containers. 

People, including Docker co-founder Solomon Hykes, recognized the similarity and acknowledged that WebAssembly is even more efficient (than Docker) since it's fast, portable, and secure, running at native speeds. This means that you can use WebAssembly alongside containers as workloads on Kubernetes. 

Another WebAssembly initiative known as WebAssembly System Interface (WASI) along with the Wasmtime project make this possible.

    If WASM+WASI existed in 2008, we wouldn't have needed to created Docker. That's how important it is. Webassembly on the server is the future of computing. A standardized system interface was the missing link. Let's hope WASI is up to the task! twitter.com/linclark/statu…
    20:39 PM - 27 Mar 2019
    Lin Clark @linclark
    

WebAssembly on Kubernetes is relatively new, but it is already proving to be revolutionary. Wasm workloads can be extremely fast, as they can finish executing in less time than a container takes to start. The workloads are sandboxed and hence much more secure than containers, and they are far smaller than containers thanks to the binary format.

If you want to learn more about WASI, check out the original announcement from Mozilla.


Links:

  • Learn more about WebAssembly (WASM) at WebAssembly.org.
  • https://dev.to/oktadev/containerless-how-to-run-webassembly-workloads-on-kubernetes-with-rust-2j8f