DANΞ

Are all these zero trust vendors just selling device PKI and an authenticated proxy? Can we just go back to assume breach and not posit putting all your services on the internet as a good idea?

vBulletin was peak web design. We've only gone downhill since then.

This is awesome. https://twitter.com/rwitoff/status/1221563556421718016 …

Yall are the best.https://twitter.com/SpecterOps/status/1220056427567484934 …

I'm looking to become a better writer and feel comfortable receiving feedback. If you have any thoughts on how this could be better, I'd love to hear it. I ended up chopping 30+ pages off this draft to meet a maximum length requirement, so I might pick up on my blog later. 3/3

TLDR: Using terraform + IOC + GHE is awesome, but it erodes the tiering model. Actors can now pop infra directly through code changes. These are some attack scenarios, artifacts, monitoring, and highly actionable best practices for defending infrastructure as code in GHE. 2/3

I just published a ~45 page whitepaper on attacking and defending terraform infrastructure as code in GitHub. Includes attack scenarios, hardening, detections, etc. Deep thanks to @tifkin_ and @harmj0y for their inspiration and research. https://www.sans.org/reading-room/whitepapers/securecode/defending-infrastructure-code-github-enterprise-39380 … 1/3

Friends don't let friends use tanium.

Don't forget that the #shitrix gateway handles authentication. Once it's popped, you should assume that any credentials entered are owned. Perform mandatory credential rotation, look for anomalous remote logons, audit recent 2FA enrollments. Ingress + basic creds = bad juju.

It would sure be awful if someone wormed the #shitrix CVE to nuke that pesky vulnerable perl file and suddenly mitigate all the vulnerable hosts across the world.

Most importantly, vendor has been unresponsive, opaque, failed to deliver a patch, and does not appear to take this issue seriously. If you're in a position to influence tech in your environment, now is a good time to exert power and consider alternatives. Happy hunting. 3/3

- NSG is running OLD FreeBSD. You don't have logs or monitoring tools on it. Remember that adversaries can and will edit logs on target. - You can do some basic forensics on the FS with sleuthkit or other tools. - Deleting or moving those scripts may be a viable option. 2/3

Couple of forensic and defensive notes: - You'll see indicators of directory traversal in web request logs. -NSGs also have a basic shell recording log. - A potentially reliable indicator of compromise includes xml.ttc2 file creation under /var/tmp/netscaler/portal/templates 1/3https://twitter.com/0x09AL/status/1215437443375214593 …