Building the Roadmap
As said, these high-level goals provide macro-areas that can be worked against, but they are very general (and open to interpretations). Taking a step further, how can they be applied to a cloud native platform, where multiple cloud service providers and Kubernetes clusters are involved?
Ideally, we would like to use a framework which:
1 Allows to embrace an agile approach (with multiple iterations, which enable continuous improvement).
2 Is transparent to other engineering teams (i.e., security teams should be low friction and not be blockers).
3 Will ultimately lead to a solution that is compliant with industry regulations (e.g., ISO27001, PCI DSS, etc.) by “default”.
Hence, I took the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and started performing a gap analysis and RACI matrix to map controls to Security teams, and selecting areas directly applicable to a cloud security team (i.e., excluding controls like physical security of a data center, usually not directly applicable to such teams). Then, I enhanced this list by adding cloud-specific controls I thought are essential for a comprehensive program (usually also backed by CNCF) and re-organized them in areas of interest.
In the sections below I will explain in detail these main areas (Domains), workstreams (Controls), and actionable Tasks which compose the Roadmap: from the definition of high-level security policies, network architecture, IAM, and assets inventory; to monitoring, code provenance, policy as code; and up to automatic enforcement of security policies, runtime anomaly detection, and business continuity.
Domains
Domains can be considered as “macro-areas” which can be used to group set of Controls:
Domain
Description
[1] Policies & Standards
Definition of Security Policies and Standards which provide reference documentation on best practices for cloud security, with a particular focus on cloud providers and containerization solutions.
[2] Architecture
Definition and review of architectural decisions, with particular focus on network architecture, identity and access management, secrets management, and data classification.
[3] Verification
Continuously verify and enforce all cloud resources are abiding by the policies and expected baseline configuration.
[4] Supply Chain Security
Enforce security controls throughout the pipeline:
• Image/Pod Security: enforcement of hardened base images and linting.
• Continuous Integration (CI): IaC scanning (Dockerfiles, Kubernetes manifests, Terraform, etc.).
• Continuous Delivery (CD): protect Supply Chain Integrity.
• In-Cluster Controls: preventative controls like admission controllers.
• Cloud provider-Specific Controls: deploy guardrails (SCPs/Org Policies), restrict access.
[5] Monitoring and Alerting
Implement logging, monitoring, and alerting systems so to have visibility around activities and/or changes affecting the environments.
[6] Incidents and Remediation
Implement processes for containment, forensics, and automatic remediation of security violations.
[7] Business Continuity
Prepare countermeasures for unexpected incidents or disasters.
Controls
These domains can then be fleshed out into a variety of workstreams (or Controls).
Before exploring them in detail, it is worth noting that, generally speaking, a cloud security program can be implemented throughout a series of maturity levels. The sub-sections below will provide an overview of the main initiatives that, for each Domain, could be undertaken at each level of maturity.
Maturity Level 1 - The foundations
• Definition of Security Policies: start by defining some overarching policies that will define your overall approach and that the business will have to abide by (e.g., Cloud Security Policy, Vulnerability/Patch Management Standard).
• Architecture: review the network architecture and ensure proper segregation of environments (especially production), review the Identity and Access Management Framework, as well as how secrets management is performed.

• Verification: start by getting the so-called “low hanging fruits” by validating no obvious misconfigurations (both at the CSP and K8s level) are present, as well as by starting obtaining a list of public endpoints.
• Supply Chain: deploy container image scanning, and start restricting access to privileged AWS/GCP users.
• Monitoring: start defining a security logging strategy (I provided examples for both AWS and GCP).
Maturity Level 2
• Definition of Security Standards: continue developing standards covering more “advanced” topics like Key Management/Generation and Data Handling/Labeling.
• Architecture: depending on the current state of IAM and Secrets management (found in Level 1), you might want to tackle processes like credentials management and user access provisioning.
• Verification: start deploying a solution that can continuously provide an up-to-date asset inventory (for example, see “Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography”). Improve the validation of the environments by deploying automation that can continuously report misconfigurations and drift.
• Supply Chain: start working on securing the images used (define a list of base images and harden them). Enforce the use of these secure images in the CI/CD pipeline, and add automation able to scan Infrastructure as Code for security issues. Work with your Application Security team to ensure a system to prevent the leaking of secrets through the codebase is integrated into the pipeline.
• Monitoring: deploy the security logging solution designed at Level 1, and ensure logs are collected from all environments. Start defining monitoring and alerting rules to act on indicators of compromise and/or known classes of issues.
Maturity Level 3
• Definition of Security Standards: keep extending standards to cover Identity and Access Management, Encryption, Key Management/Generation, Data Handling/Labeling, Change Management.
• Verification: provide continuous identification of deviations from defined Security Policies and compliance frameworks (e.g., via AWS Security Hub and GCP Security Command Center), with a process integrated within the security pipeline (i.e., your SIEM). Start deploying guardrails (e.g., SCPs and Org Policies) to prevent entire classes of misconfigurations.
• Supply Chain: ensure automatic validation of the configuration of the Kubernetes clusters and running containers is performed so to detect any misconfiguration. Address hardening of the AWS/GCP organizations.
• Monitoring: start aggregate and report on both logged data and anomalies, and create visualizations/dashboards to facilitate their consumption. Deploy processes and tools to detect cases of credential compromise.
• Remediation: Employ processes to automate the remediation of (at least) the most common types of misconfigurations.
Maturity Level 4
• Business Continuity: start tackling Business Continuity issues (Audit Planning, Business Continuity Planning, Incident Management).
• Monitoring: any changes made to production should be logged and eventually alerted upon. In addition, file integrity (host) and network intrusion detection (IDS) tools should be deployed to help facilitate timely detection, investigation by root cause analysis, and response to incidents. In particular, processes and tools shall be put in place to implement a runtime anomaly detection solution, aligned with MITRE ATT&CK for Cloud.
• Remediation: start creating playbooks to define detailed processes to follow in case of an incident. Timely de-provisioning of user access to data and systems should be implemented.
• Business Continuity: a Disaster Recovery Plan should be outlined, in the eventuality of the outage/failure of one or more core components of the infrastructure (e.g., failure of an AZ or Region).
Maturity Level 5
• Supply Chain: utilize a framework (like TUF, in-toto, providence) to protect the integrity of the Supply Chain.
• Monitoring: a solution should be put in place to detect exfiltration of data, by monitoring egress traffic.

• Remediation: automated processes should be put in place to automate the containment of (at least) the most common compromise types, and to automate the forensic collection of evidence after the declaration of a security incident.
• Business Continuity: tabletop exercises and live tests should be conducted to test the effectiveness of controls put in place to mitigate an eventual failure of one or more core components of the infrastructure.
Tasks
At a first glance, the list of initiatives outlined above might seem quite dense (and not super-actionable). That’s why I expanded them into a set of Tasks (94 at the time of writing), which can be individually worked upon.
Having almost a hundred controls in a blog post wouldn’t be practical, though, so I created a micro-website to host them in a spreadsheet-style format.

A Cloud Security Roadmap Template
Each row represents a Task, and has the following attributes:
Attribute
Description
Domain
The Domain the Task belongs to
Control
The Control the Task belongs to
Task
The Task name
Description
A description of what the Task involves
Status
To keep track of progress (NOT STARTED, IN PROGRESS, BLOCKED, DONE)
Priority
The Maturity Level the Task belongs to (1-5)
Maturity
How mature is the deployment/rollout of the Task, once you started working on it
Layer
Whether it affects a Cloud Provider, Kubernetes cluster, or both
Epic
Link to Jira/Issue Tracker, to keep track of progress
Deliverable
Type of deliverable for the Task (Documentation, Tooling, etc.)
Artifact
Link to the final deliverable for the Task
Useful Resources
Some useful resources that can help during the implementation phase
Metrics
Metrics that can be used to track the success of the Task
CSA CCM
Reference to the related entry in the CSA CCM, if any
From there, you’ll have the ability to export it as CSV and tailor it to your needs.
I’d like to stress that you don’t have to follow the tasks in order, but you should use the Priority column to define your own priorities, which can change based on your business priorities and industry.


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.25

Cloud Security
Deep Dive into AWS Penetration Testing
https://infosecwriteups.com/deep-dive-into-aws-penetration-testing-a99192a26898

Threat Research
1. Bypassing MFA in Exchange Online😁
https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure
2. Cisco Akkadian Provisioning Manager Multiple Vulnerabilities (CVE-2021-31579, CVE-2021-31580, CVE-2021-31581, CVE-2021-31582)
https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure

Offensive security
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits
https://connormcgarr.github.io/swimming-in-the-kernel-pool-part-1

Blue Team Techniques
Cyber Defenders Malware Traffic Analysis 2 Walkhthrough✌🏼
https://infosecwriteups.com/cyber-defenders-malware-traffic-analysis-2-walkhthrough-9dee33e3d5e7


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.25

People and process
PingCastle was born based on a finding: security based only on technology does not work. That’s why the company focuses on process and people rather than just technology. We do not sell products !
Download our tool and apply our methodology or check how our partners can bring more value to you.

A methodology based on maturity
We do not provide solutions to protect your infrastructure. Instead, we provide tools to discover what you have to protect, evaluate its security level and provide insights on if the budget you have provided has been successfully used.
https://www.pingcastle.com/


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.25

Vulnhub
Ahh the holy grail, the Garden of Eden. Usually, the first place we beginners stumble upon when we type “How to Hack”, this incredible website developed by the famous g0tm1lk hosts various vulnerable machines that you can download and fire up to start hacking in the safety of your personal home environment, can’t talk a lot on this since it’s better if you see so yourselves.
https://www.vulnhub.com/

Hack The Box
Yes, yes hackthebox the best alternative once you start running out of storage from your personal PC, and just want to start hacking this incredible site hosts a ton of vulnerable machines that go from Easy to Insane levels of difficulty it was a great experience and since this, it has been almost 2 years since I joined other great things have been added that helped on my focus with Red Team such as the ProLabs, a best place to continue practicing and don’t forget ippsecs videos since they are great and ridiculously easy to follow. The amazing thing is that he explains the attacks as well, not just throws you into ok run this command and you got in.
https://app.hackthebox.eu/login

TryHackMe
Another incredible site for hosting vulnerable machines, some of the key differences about tryhackme that differs with hackthebox is that you are GUIDED throughout the machine, there are steps to follow to reach your goal. So, this is a great alternative to hackthebox since you will fire up a machine have a guide to follow and learn while doing. I think this is a great way to approach newcomers by doing while learning, they also have a great offensive path to follow that will get you closer to red team or offensive security, you should also check the other paths that are available and the pro labs since they are immensely useful and a very great place to start learning into Active Directory.
https://tryhackme.com/login

OSCP
Ok, ok this is not a lab and place to learn but this is the first course I took when trying to jump into the cybersecurity workspace, when new to this your eyes sparkle at the fact that this exam is hands-on nothing about multiple choice test, you get 5 machines, hack them! And gain your certificate an incredible way to demonstrate not only that you understand cybersecurity but that you can also implement it on the real world.
https://www.offensive-security.com/courses-and-certifications/

MITRE ATT&CK
Oh boy, oh boy was this one enlightening, this place was the best thing I have ever reached out too when trying to step my game up into Red Teaming. It was incredible but damn was it difficult, the thing about ATT&CK is, this place is not much of a learning grounds or course. It is a framework that explains the TTP (Tactics, Techniques and Procedures) that APT (Advanced Persistent Threats) take when trying to compromise a Network. This place IS THE PLACE we all need to look at when working into Red Team, forget everything and jump on this (well maybe don’t forget). For me to understand these techniques and learn the tactics, tools or anything related to Red Team (Shameless plug) I wrote a gitbook that helped me grasp the information on the techniques, but fair warning I mostly wrote it only focusing on the Windows side of things, Linux is cool, but you hardly see it, and Mac is pricey didn’t want to research it at all back then, maybe now would be good.
https://attack.mitre.org/

RTO by ZeroPointSecurity
Aaah this course, so many things about this, I do not know, I just do not know, let me start with some simple words, amazing it is, amazing. Elegant yet simple, it has a finesse that I have not encountered in some other courses. This course WILL have you thinking and doing a ton of Red Team it follows the MITRE Framework in a simple yet sophisticated way. We go through Initial Access and end with Exfiltration, you will start from 0 to creating your Phishing payload to moving to Domain Admin and Exfiltrating Data, I have nothing but good things about this course and the best part? You get access to updates Forever, para siempre, per sempre.

Yes, sir you heard that right attacks are getting more sophisticated and we are always presented with new techniques this course keep up to date in its knowledge and its labs. I highly recommend this. This was my first red team related course. Do take this, yes go, now.
https://www.zeropointsecurity.co.uk/red-team-ops

Pentester Academy Red Team Labs
And finally, Pentester Academy I had approached this labs in the past but the other modules not the Red Team section, this was new when I discovered it some time back, it is really focus on Active Directory Attacks which Red Team is heavily concentrated on, the course was great, very useful and a great way to jump into Active Directory Techniques, I tried this once and I failed. Yep, that was almost more than a year ago and probably will jump back to it later in the future.
https://www.pentesteracademy.com/redlabs


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.25

Pen-test Challenge
So the reason I am calling this a Pentest Challenge is cause it seems that a few people new to the industry don’t understand the fact of computer security seems that the famous ‘iPhone’ is still unbreakable and looks like they still don’t understand that this “hacking” can happen to ANYBODY you do not need to be a celebrity or any high status profile all you need to be in the eyes of a Hacker is a target and that will do .
They challenged me thinking that I can never gain access into there PC, which they gladly showed me [Cut’s enumeration time for me 🙂 ] but well I will continue with this since they said I am a “Hacker” I should be able to get everything from 0 just like in the movies so by that they mean I will need to crack the Wi-Fi key and gain Access to the PC with “Proof” so OK I was up to the task and this was a perfect situation for me since its kinda a real engagement but no AD so let’s get start it
AIRCRACK-NG
I will start with the “easy” part getting the key so he gave me the name of his current WiFi network so I can start working on it I fire up Airodump-NG with my WiFi card and locate the target
محتواي آفنسيو جذاب و كاربردي
https://dmcxblue.net/page/2/


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.25

Today we will have a look at Metasploit which is one of the best Exploitation framework owned by Rapid7 and is integrated with many exploits to completely destroy our target. Metasploit is written in Ruby Language and comes pre-packaged with many exploits, scanners, encoders which can perform different tasks. Metasploit has a large database which has more than 2000 exploits related to all the protocol versions and also related to Windows, Linux and much more.

Features:
1. It comes pre-packaged with Kali Linux and parrot OS .
2. It is constantly updated and new exploits are added to it in every 2 to 3 days.
3. It also has the capability to scan the target for open ports and also for vulnerabilities.They are called auxillary modules.
4. Whenever an interesting exploit is discovered it is soon added to the Metasploit Framework.
5. It also has an additional functionality called as meterpreter which is a kind of shell with very advance functionalities.
6. It can be used for both exploitation and post-exploitation.
7. It also include exploit related to Android devices and also related to voip and other attacks.
8. It also has capability to attack various IOT devices.
9. With msfvenom we can create a malacious payload which when executed cam be used to gain access to our target machine

Some Important Terms:

Exploit: It is a piece of code which triggers the vulnerability and successfully exploit it

Payload: It is the preice of code which is run after the exploit has successfully executed on the victim. The payload can be made to gain shell or to perform malacious tasks.


How to Use ?

To launch Metasploit you can type the command "msfconsole" on your terminal.

>>msfconsole

#Now we would see that the Metasploit has loaded and we are greeted with a banner

To change the banner we can use the banner command on the msf terminal.
msf> banner

To make the loading of Metasploit even faster we can start postgresql service.

>>service postgresql start

How to Use ?

1. search utility - search is used to search for strings such as
msf>search exploits - search for all the exploits
search MySQL - search for all exploit and auxillary with keyword MySQL .
search ftp - Search for all modules having word ftp

@ Like this we can search for exploits and auxillary modules related to our needs

2. Now when you have selected which exploit you want to use now we have to select that exploit . We can do that by 'use' command.
msf>use exploit/ftp/vsftpd2.3.4
This will load the specified exploit and you will notice that the exploit name is shown in red color.
This is a indication that the exploit was successfully loaded.

3. Now we have to set some options which we need to run the exploit. The options may include the RHOST, LHOST, LPORT and sometimes password or hashes or even wordlists.

LHOST = Local Host(your IP)
RHOST = Remote Host (victim IP)

show options = This will show you all the options you need to set to the exploit you just loaded for it to run properly.

Synatx to set Value: set <option> (value)

For example set LHOST 182.168.45.33
set LPORT 4444

Similarly we can set all the required options


4. Now we have set all the options so now it is time to set the payload which would be executed when our exploit code is successfully executed.

To see all the available payload type "show payloads "

Now we will see all supported payload with our supported exploit.

Use set payload <payload name> to set the payload .

Now Everything is done and we are Ready to run the exploit. Before that lets summerize:

1. Select a exploit
2. Show options
3. Set option
4. Show payload
5. Set payload
6. RUN !!

To run the exploit just type "run","exploit" and if your target would be vulnerable then our payload would get executed and the task of the payload would be performed.

Most common payload is
windows/shell/reverse_tcp
windows/meterpreter/reverse_tcp

The above 2 payload are used to get shell on your windows target if your exploit was successful.


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.25

Researchers uncover "distinctive" tactics, techniques and procedures (TTPs) used by Hades ransomware operators that set them apart from the rest of the pack, attributing it to a financially motivated threat group called GOLD WINTER.
https://thehackernews.com/2021/06/experts-shed-light-on-distinctive.html


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.25

A step by step of Darkside Malware Analysis
https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

Whitepaper
"Smuggling Via Windows Services Display Name - Lateral Movement", 2021.

// This research paper explains how to take advantage of windows services, how to mimic display names to deploy malicious beacons or even Meterpreter sessions


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

Red Team Tactics
Conduct Lateral Movement Attack By Leveraging Unfiltered Services Display Name To Smuggle Binaries As Chunks Into The Target Machine
https://github.com/lawrenceamer/TChopper

Threat Research
Mistune - iOS RCE vulnerabilities that have been hiding for a decade
https://blog.chichou.me/mistune

Malware analysis
1. Multi Perimeter Device Exploit Mirai Version Hunting
For Sonicwall, DLink, Cisco and more
https://isc.sans.edu/forums/diary/Multi+Perimeter+Device+Exploit+Mirai+Version+Hunting+For+Sonicwall+DLink+Cisco+and+more/27528
2. Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs
https://medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-in-microsoft-teams-through-malicious-tabs-a7e5ff07b138

Analytics
Attribution of the ColunmTK Campaign against Air India
to APT41
https://blog.group-ib.com/colunmtk_apt41


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

امنيت در اينترنت 😁معنا ندارد حتي با استفاده از …


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

Claroty CTD automatically identifies exact-match vulnerabilities in OT assets and creates context-rich tickets within SOAR solutions, enabling effective and efficient prioritization and remediation
https://claroty.com/security-orchestration-automation-response/


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

This is a comprehensive toolkit for establishing and developing Information Sharing and Analysis Centres, or ISACs. It includes activities, documents and tools, everything you need to set up and run an ISAC. The toolkit is divided into 4 different phases corresponding to the development of the ISAC. Each phase contains different topics for developing the organisation in that particular phase.
The topics have been classified into "New" for ISACs starting from scratch and "Established" for already established ISACs taking the next step in their maturity process. The ones concerning mainly new ISACs are marked with an "N" and the ones concerning established ISACs are marked with an "E
https://www.enisa.europa.eu/topics/national-cyber-security-strategies/information-sharing/isacs-toolkit/view


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

platform.
A threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. Discover how MISP is used today in multiple organisations. Not only to store, share, collaborate on cyber security indicators, malware analysis, but also to use the IoCs and information to detect and prevent attacks, frauds or threats against ICT infrastructures, organisations or people
https://www.misp-project.org/features.html


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

Which 9 industries are most (and least) hardened against attack and why
Best practices for making the attackers’ jobs harder
The most common types of vulnerabilities per industry
How to be a Guardian of Trust for your business
Download the Report
The 2020 Trust Report
How different industries and sectors of the economy measure up when it comes to security preparedness
How to benchmark your industry against others using the Attacker Resistance Score Metric
Why organizations with a continuous approach to testing have up a 23% higher ARS metric than periodic testing
How industries are finding and closing vulnerabilities faster and reducing their remediation time by 73%
https://www.synack.com/
https://www.synack.com/trust-report/


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

https://www.malwarearchaeology.com/


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

This “Windows Sysmon Logging Cheat Sheet” is intended to help you understand where Microsoft’s FREE Sysinternals Sysmon agent can supplement and enhance your Windows Logging, NOT replace it. Sysmon can provide more information than standard default Windows logs provide. Sysmon is great to collect data you need for Incident Response, malware labs, high security situations, your own personal systems, or just improve the existing log data you are collecting with more details.
https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5eb3687f39d69d48c403a42a/1588816000014/Windows+Sysmon+Logging+Cheat+Sheet_Jan_2020.pdf


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26

Security Company Names
اينم بيزينسي هست😁
The Cyber Security Company Names you choose will be front and center on business cards, websites, and advertisements. It will be everybody’s first impression of your business. By thoughtfully choosing a premium business name, you are giving your business the best chance at success
https://www.nameestate.com/business/cyber-security-company-names/


‎-آگاهي رساني امنيت سايبري-

Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
1400.03.26