October 26, 2019

AWS security on the cheap

So, you're on a budget (say, you are voluntarily building a workshop for students in Ghana) and you want a secure AWS environment to allow people to learn on.

How do you set up and secure the account?
You use infrastructure-as-code and a few free tools. I'll discuss the setup and give code in my next blog post.

In this post I'll show something about two of the tools:
How does AWS's Trusted Advisor (free version) compare to NCC Group's ScoutSuite?

Well, on a relatively simple AWS account, Trusted Advisor finds no issues:

But ScoutSuite has findings:

Many of these findings are worth looking into and getting fixed. The rest can be marked as false positives, so they don't show up in future scans.

Please note that getting a paid AWS support plan would enable extra Trusted Advisor features that might produce similar results. But I like to be able to do it for free :D.

October 5, 2019

NSA gives defense advice

The NSA’s Tailored Access Operations unit gives a talk about how they attack the rest of the world. Very interesting for us defenders.

My takeaways to make these guys' (and other nation state attackers') lives harder:

  • They get an edge by knowing the network better than the people running it.
  • 0-days are not such a huge tool for them (!). They can breach most corporate networks using known vulnerabilities. So use recent software!
  • User awareness can only help up to a point. Beyond that (for advanced persistent threats), the users can always be tricked into clicking. You must have technical measures to defend against those.
  • Older protocols are usually targeted because they are easy to sniff/decode. There is no use in upgrading your apps to use the latest (e.g. SSO) technologies if legacy protocols are still in use.
  • One of their worst nightmares: an out-of-band network tap, monitoring for anomalous behavior.
  • Don’t use old-school AVs which rely only on signatures; use something with reputation checking.