IP to CloudProvider

This command-line tool helps to manage and check IP ranges for various service providers. It allows you to update the IP ranges of specific providers, check whether an IP belongs to any provider's range, and verify a whole list of IPs from a file. Some GitHub Actions help to build a convenient workflow around the CLI tool.

🔮 CVE PrioMarble 🔮

In the ever-evolving landscape of cybersecurity, staying ahead of threats is paramount. A critical component of this proactive defense is identifying and mitigating vulnerabilities in your system before they can be exploited by malicious actors. The CVE PrioMarble tool emerges as a valuable asset in your arsenal, offering a novel approach to vulnerability prioritization by harnessing the power of CVSS, EPSS, and CISA’s Known Exploited Vulnerabilities catalog.

AWS CloudTrail Threat Hunting

CloudTrail is the central logging source for every AWS account. It provides a perfect foundation for creating threat hunting queries, which can be used for offline analysis or integrated into a SIEM based on Athena, (H)ELK, Splunk, or a custom solution.

Threat Modeling Workshop

Greetings, fellow defenders of the digital realm! Today, we're diving into a unique and captivating approach to threat modeling that draws inspiration from the world of the Dark Knight himself: Batman. With this workshop I'm excited to introduce you to the concept of a Batman-themed threat modeling workshop. Just like Batman meticulously plans for every possible threat in Gotham City, I'll guide you through the process of identifying, assessing, and mitigating security risks in your projects with a touch of Batman flair.

CISA KEV Scraper

Mirrors the CISA KEV catalog daily and stores it on GitHub, since CISA restricts access and applies a rate limit. This simple automation keeps everything in one place and keeps my own automation up and running.

CyberChef 360°

CyberChef is a powerful tool that can be used for a variety of tasks. It is easy to use and has a wide range of features, making it a valuable addition to any security toolkit.

Beat IAM Vulnerabilities with ChatGPT

After playing around with ChatGPT and, for example, creating some Cloud Custodian policies, Splunk queries and other cool things like unit tests for existing code, it's time to move on to something else. Since IAM is the killer feature, but also the killer feature, we could simply use the APIs and get some automated feedback. This isn't entirely automated yet, but it is still a lot of fun to see. The results are nearly always very precise and astonishing. I used BishopFox/iam-vulnerable in a sandbox as a proof of concept, since I don't want to mess around with my real environment in combination with an AI.

Mirai - A technical analysis

Follow me on a journey through Mirai. In this slide deck you'll learn everything from the history of the botnet, across the technical details of the source code, through to the attack capabilities of Mirai. Next to the attack methods, the code also contains some curiosities like Rick Rolling and Russian comments. The territorial predator behaviour of the botnet also gives a glimpse into the psyche of the authors, based on the leaked code.

chroot: a short history of containerization

A short review of the history of containers at a glance. If you take one step back from Docker, you'll probably read about chroot, spelled out as "change root". It's a Linux command that allows you to set the root directory of a new process. This is the very heart of the containerization approach and of how the isolation works: we simply set the root directory to wherever the new container's root directory should be. After that, the container's group of processes can't see anything outside of it. This isolation eliminates common security issues, because the new process has no visibility outside of its new root.

Inspector AWSome

Tiny collection of scripts to isolate an EC2 instance and start with the joy of forensics. In the case of a compromised EC2 instance within your fleet, it's time to get prepared for incident response and threat hunting. To get started you have two options:

  1. Use the manual bash scripts to isolate the instance, either via the AWS CLI or from inside the instance
  2. Use a predefined Step Function that automates the isolation step as much as possible, including basic forensic actions

Who wants to be a Security Millionaire?

Ever wanted to become a Security Millionaire? Instead of money, this time we play for the quota of a devastating DDoS attack. Guide me across common concerns, threats and issues in the cloud. Each of the ten questions also has its knowledge base at the end. Can you master your way to the top?

The magic and logic behind AssumeRole

AWS provides the AssumeRole action in STS to temporarily elevate the access of an entity to another role. If you perform such a request against STS, the response contains an access key ID, a secret access key, and a session token for the specified ARN.

Canarytokens fun

While crafting a new lab to learn more about sniffing through Docker images, I had the idea to make things more realistic. Canarytokens seemed like a nice way to spice it up a little. Since these tokens can't cause any real harm, but look and behave realistically, they went straight into the public GitHub repository. In less than 5 minutes, the first token was scanned and someone automatically tried to validate it. This was somehow mind-blowing (but also really expected, since I built a similar token scan service years ago for my ex-employer to protect secrets from unintended leakage). Well, now let me show some of the things I learned and discuss them a little.

Benji's custom CTF challenges

To better understand different kinds of attacks, I've created some custom CTF challenges that might be fun for you too. If you want to host a CTF event, you can use my Helm charts to spin up a CTFd platform that hosts the challenges.

AWS EKS Playground

Some tiny Infrastructure as Code to mess around with AWS, Terraform and k8s. Time to combine all the pieces and get your hands dirty.

AWS Login Guard

Ever wondered who is lurking around in the shadows of your AWS account? Get notified when strange login activity occurs in your AWS account.
