SecPro #02: YARA Rules, What is Kerberoasting?
This Week in Security
- RSA 2021: Keynoters reflected on the profound cybersecurity experiences of 2020, which brought never-before-seen threats and attack vectors to the forefront. Rohit Ghai, CEO at RSA, highlighted the Twitter and SolarWinds hacks from 2020 and the Microsoft Exchange hack from March 2021, advising organizations to expect the unexpected and trust no one, in addition to running ongoing red teaming, blue teaming, and incident-response trials. It’s safe to say that the theme for this year is “resilience”.
- DarkSide hits Toshiba: DarkSide has been in the news non-stop since it crippled operations at Colonial Pipeline Co. Even before Toshiba disclosed it, the DarkSide ransomware gang had reportedly put up the company’s name on its dark web leak site around a week ago.
- DarkSide’s murky Ransomware-as-a-Service (RaaS) model: DarkSide offers its RaaS to affiliates for a percentage of the profits. The group presents a prime example of modern ransomware, operating with a more advanced business model. Modern ransomware identifies high-value targets and involves more precise monetization of compromised assets (double extortion as an example).
- Rapid7 source code accessed in supply chain attack: Rapid7 confirmed attackers accessed a subset of its source code, which contained internal credentials and alert-related data, following an investigation launched after the Codecov supply chain attack.
- DISA delivers the Zero Trust reference architecture: The Defense Information Systems Agency delivered its zero-trust reference architecture for cybersecurity. This architecture aims to boost cybersecurity and “maintain information superiority on the digital battlefield”.
Threat Detection
YARA Rules
YARA is now extremely popular within the infosec community mainly because of the number of its use cases:
- Identify and classify malware
- Find new samples based on family-specific patterns
- Deploy YARA rules to identify samples and compromised devices for incident response
- Proactive deployment of custom YARA rules
A long list of vendors (including AlienVault, Kaspersky, and Trend Micro) use YARA. Last year, Anton Chuvakin of Chronicle Security (now acquired by Google) mentioned in a 3-part blog series that the Chronicle platform uses YARA-L, a language inspired by YARA, to write expressive, custom detections.
How to write a custom detection in YARA
Below is a brief overview of YARA rules to help get you started:
- Start of the rule: Every YARA rule should be declared by using the keyword rule followed by an identifier, or unique name you would like to give your rule.
- Add your meta section: The meta section can be used to provide comments or details about your rule. Information provided under meta will not be used for any variation of malware detection.
- Declare strings: This is where you can declare a variable and set its value. Each variable is indicated using the $ sign followed by the variable name.
- Add your condition section: The conditions section is where the rule declares what conditions must be met in order for the YARA rule to trigger a match.
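The four parts above assembled into one rule, as an added example that is not from the original newsletter or the Varonis post. The rule name, meta values and choice of strings are illustrative assumptions, picked to flag script files that reference Kerberos service-ticket requests (the Kerberoasting topic covered later in this issue).

```yara
rule Example_Kerberoast_Script_Indicators
{
    meta:
        // Informational only: nothing in meta takes part in matching
        description = "Illustrative: script files that reference Kerberos service-ticket requests"
        author      = "added example, not part of the original newsletter"
        reference   = "placeholder, add your own ticket or case link"

    strings:
        // .NET type name seen in scripts that request a service ticket for an SPN
        $api  = "KerberosRequestorSecurityToken" ascii wide nocase
        // LDAP filter fragment that selects accounts carrying an SPN
        $ldap = "servicePrincipalName=*" ascii wide nocase
        // Prefix of the ticket-hash text format written by roasting tools
        $fmt  = "$krb5tgs$" ascii wide
        // Function name from a publicly available PowerShell tool
        $tool = "Invoke-Kerberoast" ascii wide nocase

    condition:
        // Cheap checks first: small file, and not a PE (no "MZ" header)
        filesize < 2MB and
        uint16(0) != 0x5A4D and
        // The tool name alone is enough; the weaker strings, which also
        // appear in legitimate admin scripts, must occur in pairs
        ($tool or 2 of ($api, $ldap, $fmt))
}
```

Expect hits on legitimate audit scripts and on your own test tooling as well, so treat a match as a lead for triage rather than a verdict.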
This blog by Tokyoneon from Varonis shows how you can write custom YARA rule detections.
More YARA Rules love
- Intro to malware detection using YARA
- Whitepaper on YARA-L: A new detection language for modern threats
- How to write YARA rules
What is Kerberoasting?
TL;DR: Ransomware has adapted to leverage pentester tactics to infect business networks by stealing or forging Kerberos tickets.
Great post by Bill Reyor from Blumira in which he outlines clear instructions on how to detect and prevent Kerberoasting. Here are a few parts I enjoyed, along with some brief musings:
What exactly is Kerberoasting?
During Kerberoasting, the adversary attempts to extract password hashes for the target’s Active Directory user accounts through their Service Principal Name (SPN) ticket.
How you can prevent Kerberoasting
You can use several methods to prevent Kerberoasting and improve your Active Directory security hygiene:
- Securely configure Kerberos-related domain controller policies and settings.
- Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
- Consider using Group Managed Service Accounts rather than service accounts with static passwords.
- Consider upgrading to an Active Directory Domain or forest level which supports advanced Kerberos armoring.
- Ensure all of your service accounts have randomly generated 25+ character passwords.
Further Reading
- Kerberoasting – Threat Hunting for Active Directory Attacks
- Steal or Forge Kerberos Tickets: Kerberoasting
- Kerberoasting Revisited
ATT&CK for Containers
MITRE released ATT&CK v9 on April 29th. In this version, MITRE has revamped data sources, consolidated IaaS platforms, added a Google Workspace matrix, updated macOS-based attack techniques, and added macOS-specific malware. More importantly, they also created a brand new ATT&CK for Containers matrix.
The knowledge base of this version includes 16 new groups, 67 new pieces of software, and updates to 36 groups and 51 software entries (more info about specific additions can be found here).
ATT&CK for Containers covers both orchestration-level (Kubernetes) and container-level (Docker) adversary behaviors. It also includes a set of malware related to containers.
Useful ATT&CK resources
- Roadmap: The next update of the ATT&CK knowledge base is scheduled for October 2021
- Caldera: Scalable Automated Adversary Emulation Platform
- ATT&CK Navigator: Basic navigation and annotation of ATT&CK matrices
DevSecOps
Snyk Annual Survey: The shift to cloud native is changing security posture
Snyk published their annual State of Cloud-Native Application Security report earlier this month. The report is quite comprehensive, as they surveyed nearly 600 developers and security professionals. There’s a clear indication of the path to DevSecOps, with its success hinging on developer involvement and process automation.
Some of the key takeaways from the results, I think, are:
- As cloud-native adoption increases, security needs to be built in as standard.
- Developers see themselves as an integral part of security.
What’s surprising is that even with the agreement that security needs to be standard, over half of respondents suffered from a misconfiguration or known unpatched vulnerabilities in their cloud-native applications.
The top two incident types were misconfigurations (45%) and known unpatched vulnerabilities (38%). 56% of respondents experienced a misconfiguration or known unpatched vulnerability incident involving their cloud-native applications. When we adjust for the 82% response rate to that question, 69% had a misconfiguration or known unpatched vulnerability in their cloud-native applications.
You may also enjoy
- Embracing DevSecOps: Building Security into Cloud-Native Development Workflows (AWS Blog)
- Adopting DevSecOps in the Cloud-Native Playground
Embedding Cloud Security Controls into GitOps
Bridgecrew’s Taylor Smith shares key considerations for embedding cloud security controls into your GitOps flow. The idea is to embed security guardrails throughout the development and delivery processes, which opens up new opportunities for improved security posture but requires close collaboration between stakeholders to be done right.
From Ops to GitOps
GitOps works by using Git as a single source of truth for declarative infrastructure and applications. It can be summarized as:
- An operating model for Kubernetes and other cloud-native technologies, providing a set of best practices that unify Git deployment, management, and monitoring.
- A developer experience for managing applications; where end-to-end CI/CD pipelines and Git workflows are applied to both operations and development.
Data Breaches
Analysis of the Verizon 2021 DBIR (Data Breach Investigations Report)
Verizon’s annual Data Breach Investigations Report (DBIR) is now published. They seem to put more effort into every survey. This year, Verizon analyzed 79,635 incidents from 88 countries, of which 5,258 were confirmed data breaches. Some of the key takeaways:
- Phishing and ransomware attacks dominated the data breaches for 2021.
- Phishing attacks were present in a whopping 36 percent of breaches this year.
- Ransomware attacks increased by 6 percent, accounting for 10 percent of breaches. This increase can likely be attributed to new tactics where ransomware now steals the data as it encrypts it.
- Web applications made up 39 percent of all data breaches. Most of the web applications attacked were cloud-based.
- The majority of web application attacks were through stolen credentials or brute-force attacks.
You can download the full report here.
Cloud Security Resources
AWS CloudFormation Guard 2.0 now GA
aws-cloudformation/cloudformation-guard
With Guard 2.0, developers can write policy rules for any JSON- and YAML-formatted file such as Kubernetes configurations and Terraform JSON configurations, in addition to already supported CloudFormation templates. This release makes Guard a general-purpose policy-as-code evaluation tool.
KubeStriker
vchinnipilli/kubestriker
A platform-agnostic security auditing tool for Kubernetes. It can identify misconfigurations and perform in-depth checks across a range of services such as Kubernetes, Amazon EKS, Azure AKS, Google GKE, etc.
Baserunner: A tool for exploring and exploiting Firebase datastores
iosiro/baserunner
Baserunner is a minimal Firebase client that allows you to load an application’s configuration, log in as a valid user, and issue database queries. Baserunner aims to help security testers map out the datastores of Firebase applications and determine where additional Firebase rules need to be added to prevent abuse.
Red Teaming Resources
Atomic Red Team
redcanaryco/atomic-red-team
The Atomic Red Team is a library of simple tests that security teams can execute to test their controls using “atomic tests” that exercise the same techniques used by adversaries (all mapped to MITRE’s ATT&CK).
Infection Monkey
guardicore/monkey
The Infection Monkey is an open source, data center security testing tool by Guardicore for testing a data center’s resiliency to perimeter breaches and internal server infection.
3 Open Source Endpoint and Network Monitoring Tools
- Osquery: Osquery is a SQL-powered operating system analytics and cloud monitoring tool that enables security engineers to perform sophisticated analysis. You can use Osquery to write SQL-based queries to explore operating system attributes such as running processes, loaded kernel modules, open network connections, hardware events or file hashes.
- Zeek (formerly Bro): Zeek is an intrusion detection system (IDS) and a network monitoring tool that can identify behavior anomalies, such as suspicious or threat activity. Zeek also captures metadata about activity on a network to better understand the context. For example, you can look at protocols, headers, and domain names in an HTTP call or in certificates.
- OSSEC: OSSEC is a host-based intrusion detection system that is basically a security monitoring platform. You can use it as a log analysis tool for monitoring and analyzing firewalls, IDSs, web servers, and authentication logs.
Podcasts
- Threat Models and Cloud Security: Cloud Security Podcast by Google
- Bridgecrew: Cloud Security with Barak Schoster: SEDaily
- Zeroing in on Zero Trust: The CyberWire
Jobs in Security
- Netskope: Senior Threat Research Engineer. Apply here
- Scale AI: Cloud Security Engineer. Apply here
- ExtraHop: Senior Security Engineer. Apply here
- Facebook: Security Program Manager. Apply here
- AWS: Security Consultant (100% Remote). Apply here
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.