Threat Stack Announces New and Enhanced CloudTrail Rules

AWS Security, Dev & DevOps Knowledge, Security Research & Strategy
4 Min Read

As AWS continues to expand its services landscape, Threat Stack has made a commitment to keeping in step by crafting additional coverage that keeps your cloud environment secure. The latest additions we’ve made to Threat Stack’s CloudTrail rules are focused on giving more granular alerting and context to your interactions with the AWS control plane.

Threat Stack has significantly expanded the CloudTrail Base Ruleset in its Cloud Security Platform®. Not only have we increased the number of rules from 26 to 87 — we have also provided rules for five AWS Services that were not covered previously (DynamoDB, Elastic Container Service, Elastic Kubernetes Service, Security Token Service, and AWS Support). And don’t forget — the Cloud Security Platform still gives you the flexibility to create custom rules based on CloudTrail event data.

While we’re not going to comment on all 87 rules in this post, we are going to focus on important highlights, including:

  • New rules to cover five additional AWS Services
  • Expanded rules for Identity and Access Management (IAM)
  • Expanded rules for Virtual Public Cloud (VPC)

The new rules for five additional AWS Services are discussed in Part 1 below, while Part 2 gives an overview of the expanded rules for AWS Services that we already support. Read more “Threat Stack Announces New and Enhanced CloudTrail Rules”

Detecting Unsafe Data Deserialization With Threat Stack

AWS Security, Security Research & Strategy
6 Min Read

UPDATED — January 22, 2019
The Threat Stack SOC is aware of the recent disclosure of a breach of the PHP Extension and Application Repository (PEAR). Details of the breach have not been disclosed publicly, and we have no special knowledge of the breach. However, attacks against code repositories and injection of malicious code into third-party application dependencies help to underscore the importance of behavioral detection methods to identify and mitigate the exploitation of insecure PHP deployments. We will update this blog as appropriate pending additional public information on the PEAR breach.

UPDATED — February 1, 2019
Several weeks after the original publication of this blog, the PHP Extension and Application Repository (PEAR) disclosed a breach of its website, which led to the compromise of go-pear.phar. While Threat Stack has no inside or special knowledge of the breach at PEAR, based on publicly available information, we have confirmed that the Threat Stack Cloud Security Platform and Cloud SecOps Program can detect and mitigate an attack leveraging this injected PHP code.

It appears the attackers in this incident leveraged the research Sam Thomas presented at Black Hat 2018, which we discussed in this blog post. Based on publicly available information, the attackers appeared to be performing the first step in the attack chain by attempting to deliver injected phar files into a target environment. It is possible this attack was part of a poison well tactic targeting a specific or multiple organizations known to use PEAR and this file.

Insecure data deserialization first made its way into OWASP’s 2017 Top 10 list by way of community feedback. In the history of application security, that makes it a relatively new vulnerability that can be harder to detect due to the way it uses popular code libraries that are commonly used in web development.

The Threat Stack Cloud SecOps Program℠ exists not only to monitor customer environments and investigate alerts, but also to work with customers to help them improve their security postures. Occasionally, here in the SecOps Program’s security operations center (SOC), we get questions about the detection capability of the Threat Stack Cloud Security Platform®, and whether it is capable of detecting new and advanced attack vectors. (Our system uses behavioral detection, which is an extremely robust methodology for detecting new and old attack techniques.)

In this post, I’ll walk through how my colleagues and I in the SOC addressed an inquiry regarding a specific insecure deserialization exploit seen in the wild. Read more “Detecting Unsafe Data Deserialization With Threat Stack”

Aligning SecOps Teams With Compliance Roadmaps

All Things Compliance, Security Research & Strategy
4 Min Read

Compliance is essential, and organizations need to get it right. Despite the importance of compliance, organizations often treat it as an afterthought, rather than a business driver. Some see it as a hurdle or uninvited challenge, even though it can have a significant positive impact on the business.

With the rise of new compliance frameworks like GDPR, the stakes are even higher. If you aren’t compliant, there are heavy fines. Now, more than ever, it’s time to ensure that your organization is adhering to the applicable compliance guidelines.

In this post, we show how SecOps teams can align with compliance roadmaps to drive a more continuous, proactive approach to meeting compliance objectives. Read more “Aligning SecOps Teams With Compliance Roadmaps”

AWS re:Invent 2018 Recap: Security, DevOps, ML, & Hybrid Cloud Take Center Stage

AWS Security
3 Min Read

Another year at AWS re:Invent has come and gone. As usual it was a jam packed show full of exciting announcements, great keynotes, sessions, and interesting conversations. In case you couldn’t make it to Vegas this year or could use a summary of what you missed while you were running between sessions, here are some of the highlights from our week in the desert. Read more “AWS re:Invent 2018 Recap: Security, DevOps, ML, & Hybrid Cloud Take Center Stage”

Inside a Docker Cryptojacking Exploit: Webinar Preview

Containers, Orchestration & Security
1 Min Read

Inside a Docker Cryptojacking Exploit Webinar
Dec 13, 2018 | 1:00 P.M. ET

Container usage is on the rise, and tools like Docker are a key element in successful container deployments. Almost every organization operating in a DevOps environment sees the benefits of containers, but it’s important to remember that services like Docker are not security tools.

Coming up on December 13, Ethan Hansen a security analyst for the Threat Stack Cloud SecOps Program℠ will discuss an active cryptojacking exploit attempt he observed within a Docker container environment and how it was identified and mitigated. Read more “Inside a Docker Cryptojacking Exploit: Webinar Preview”

Three Old-School Network Security Tips That (Still!) Work for Modern Infrastructure

AWS Security, Containers, Orchestration & Security, Security Research & Strategy
2 Min Read

The adage “Everything old is new again,” rings true in the cybersecurity industry as much as anywhere else. Some of the best practices from old-school network security still apply to modern virtual server or containerized environments.

Even though hackers are becoming increasingly sophisticated with their attacks, applying some of these oldies but goodies to your arsenal could help reduce the risk of a security incident or breach.

Here are a few security best practices that stand the test of time. Read more “Three Old-School Network Security Tips That (Still!) Work for Modern Infrastructure”

50 Useful Kubernetes Tutorials for IT Professionals

Containers, Orchestration & Security, Dev & DevOps Knowledge, Uncategorized
23 Min Read

Technologies like Docker have made it easier to continuously deploy applications across any number of host servers. They eliminate the need for having your own virtual machine because all the code and configuration settings you need to run your app is packaged into one container.

Google created Kubernetes to automate a number of tasks and processes involved in managing containerized apps. You can use Kubernetes to automatically deploy, scale, and decommission containerized applications. Of course, Kubernetes is not a silver bullet, and Kubernetes deployments have opened up a new set of infrastructure security concerns for DevOps teams. That’s why it’s important to be well versed in how to work with Kubernetes, as well as the tactics and solutions you can employ to create a more secure environment. For instance, Threat Stack now provides security and IT leaders transitioning to container-based infrastructure with the expertise and enhanced security visibility necessary to effectively manage the addition of container-based cloud environments through our Threat Stack Cloud Security Platform® and Threat Stack Cloud SecOps Program℠.

If you are planning to take a systematic approach to learning Kubernetes, then you should be on the lookout for quality tutorials. The good news is that a lot of resources are available online. There are also more structured courses that sometimes offer certification — if you’re willing to pay, that is. Read more “50 Useful Kubernetes Tutorials for IT Professionals”

A Guide to AWS re:Invent 2018

AWS Security
3 Min Read

In just a few weeks, 40,000 cloud developers, engineers, architects, and security practitioners will descend on Las Vegas. AWS re:Invent officially kicks off on Monday, November 26, and anybody who has attended previous shows will tell you it takes a lot of planning to get everything you can out of the event. That’s why we wanted to lend a hand with a quick primer, a note on some of the sessions we’re most excited about, and a summary of what Threat Stack will be up to at the show.

Let’s get started Read more “A Guide to AWS re:Invent 2018”