Conference Talks – September 2020

This month, NCC Group researchers will be presenting their work at the following conferences: Rami McCarthy, “AWS Security: Easy Wins and Enterprise Scale,” to be presented at BSides Boston (Virtual – September 26 2020) Dirk-Jan Mollema, “Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities,” to be presented at Black Hat … Continue reading Conference Talks – September 2020

Are you oversharing (in Salesforce)? Our new tool could sniff it out!

Unauthorised access to data is a primary concern of clients who commission a Salesforce assessment. The Salesforce documentation acknowledges that the sharing model is a “complex relationship between role hierarchies, user permissions, sharing rules, and exceptions for certain situations”[1]. It is often said that complexity and security are natural enemies. Salesforce empowers its users with … Continue reading Are you oversharing (in Salesforce)? Our new tool could sniff it out!

The Extended AWS Security Ramp-Up Guide

On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is “to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow … Continue reading The Extended AWS Security Ramp-Up Guide

Conference Talks – May 2021

This month, members of NCC Group will be presenting their work at the following conferences: Sourya Biswas, “Psychology of the Phish: Leveraging the Seven Principles of Influence”, to be presented at ISACA Conference North America (Virtual – May 5 2021) Sourya Biswas, “Cybersecurity is War: Lessons from Historical Conflicts”, to be presented at Secure360 (Virtual … Continue reading Conference Talks – May 2021

Conference Talks – October 2020

This month, members of NCC Group will be presenting their work at the following conferences: Dirk-Jan Mollema, “Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities,” to be presented at Black Hat Asia 2020 (Virtual – October 1 2020) Sanne Maasakkers, “Improve Security Awareness Campaigns by Applying Phishing Research,” to be … Continue reading Conference Talks – October 2020

Demystifying AWS’ AssumeRole and sts:ExternalId

Amazon Web Services’ AssumeRole operation accepts an optional parameter called “sts:ExternalId” which is intended to mitigate certain types of attacks. However, both the attacks that sts:ExternalId mitigates and how to properly use it are widely misunderstood, resulting in large numbers of vulnerable AWS-based applications. This post aims to describe what std:ExternalId does, when to use … Continue reading Demystifying AWS’ AssumeRole and sts:ExternalId

Detection Engineering for Kubernetes clusters

Written by Ben Lister and Kane Ryans This blog post details the collaboration between NCC Group’s Detection Engineering team and our Containerisation team in tackling detection engineering for Kubernetes. Additionally, it describes the Detection Engineering team’s more generic methodology around detection engineering for new/emerging technologies and how it was used when developing detections for Kubernetes-based … Continue reading Detection Engineering for Kubernetes clusters

10 real-world stories of how we’ve compromised CI/CD pipelines

by Aaron Haymore, Iain Smart, Viktor Gazdag, Divya Natesan, and Jennifer Fernick Mainstream appreciation for cyberattacks targeting continuous integration and continuous delivery/continuous deployment (CI/CD) pipelines has been gaining momentum. Attackers and defenders increasingly understand that build pipelines are highly-privileged targets with a substantial attack surface. But what are the potential weak points in a CI/CD … Continue reading 10 real-world stories of how we’ve compromised CI/CD pipelines

NSA & CISA Kubernetes Security Guidance – A Critical Review

Last month, the United States’ National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report (CTR) detailing the security hardening they recommend be applied to Kubernetes clusters, which is available here. The guidance the document contains is generally reasonable, but there are several points which are either incorrect or … Continue reading NSA & CISA Kubernetes Security Guidance – A Critical Review

Public Report – Android Cloud Backup/Restore

In the summer of 2018, Google engaged NCC Group to conduct a security assessment of the Android Cloud Backup/Restore feature, which premiered in Android Pie. This engagement focused on a threat model that included attacks by rogue Google employees (or other malicious insiders) with privileges up to and including root-in-production. The Android backup/restore feature is only one … Continue reading Public Report – Android Cloud Backup/Restore