Serverless infrastructure for SecOps

Hey Everyone,

New here. Glad to be here! Love the ideas and conversations on this forum.

Context:

Thought I’d start with something I’ve been working on. From what I’ve noticed over the years in the field (especially during the course of an audit or an external assessment), I end up having quite a few discussions around SecOps in the context of automation. Automation with tangible benefits. For example, answers to questions such as:

  1. How do you monitor your TLS endpoints? How often? And how do you enforce a particular version of TLS?
  2. Do you automate pen-tests? If yes, how often do you run them?
  3. What sort of alerts do we get in the SOC? How do we act on them? Etc.

I’ve been exploring (started off as toying with) the idea of leveraging a serverless architecture for SecOps. To demo a few practical applications of a serverless architecture in the SecOps world, I’ve put together a couple of (lightweight) examples attempting to address the above questions.

Here’s a link to my personal GitHub repo: https://github.com/nihalpasham/secautomation, where I’ve built connectors for a few Cloud service APIs. These are just some of the ideas for what I think is possible with serverless SecOps (and I think we are just scratching the surface).

• Serverless TLS health reporting infrastructure via the SSL Labs API
• Serverless automation of periodic pentests: a DNS tunneling example
• Serverless SOC tooling basics: bad IP and domain checks via the Apility API

This repo contains serverless functions for all of the above, i.e., we can pick one and quickly have it deployed atop, say, AWS Lambda or Azure Functions. Here is a working link for the TLS health reporting function: https://bit.ly/2pWqfeF. Add the query parameter ‘hostname={domain name}’ and optionally ‘checkcache=cache’.

The benefits:

  1. You set this up once and it can run periodically or in an event-driven manner. No manual intervention needed.
  2. We don’t have to manage or secure the infra, so you’re running security infra that isn’t adding to our existing attack surface, i.e., it comes with layers of security built in.
  3. You could pretty much automate (and validate) any SecOps-related activity.
  4. This complements all of the tooling we’re bringing into the SecOps pipeline.
  5. Quite cheap for the kind of work we need it for.

Possibilities:

  1. Uhh … pretty much everything I can think of
  2. For starters, we can build an automated risk analysis system designed for something like a microservices architecture. Theory of operation: we can passively and continually analyze system dimensions and make decisions.
  • Ex: For each microservice, we could have the following app risk metrics. Develop a risk scoring system for each metric and expose it to developers so they have an idea:
  • Instance count: Does your app auto-scaling group have 3 instances or 300 instances?
  • Dependencies: Lots of dependencies, more risk
  • Connectivity to sensitive systems: connecting to, say, PKI systems
  • Internet accessibility: Direct or proxied
  • Azure account location: some of them can be sensitive accounts

Let me know what you think. Do you think there’s merit or potential in something like this … thoughts/ideas/comments/feedback are welcome.

PS: This only took about 3 hours to put together, but I presume there are (obviously) a lot of ways to improve the example code by a Node.js/Go expert. Feel free.

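As an added example of the TLS health check the post describes (this is not code from the secautomation repo), here is a serverless-style Node.js function that takes the same ‘hostname’ and ‘checkcache=cache’ query parameters, validates the hostname before forwarding it, builds the SSL Labs v3 analyze request, and then answers question 1 from the post: it checks every endpoint against a TLS-version and grade policy. The Lambda proxy event shape, the policy values (TLS 1.2/1.3 only, grade A or better), and the field names of the sample response are assumptions made for this example; the sample report is constructed, not a real scan.

```javascript
// Added example (not code from the linked secautomation repo): a serverless-style
// TLS policy check over an SSL Labs v3 analyze() result. The network call is
// isolated in fetchAnalyze() so the policy logic can be exercised offline.

const SSLLABS_API = "https://api.ssllabs.com/api/v3/analyze";

// Policy values are assumptions for this example: allow only TLS 1.2/1.3 and
// require at least an "A" grade on every endpoint.
const POLICY = {
  allowedProtocols: new Set(["TLS 1.2", "TLS 1.3"]),
  minimumGrade: "A",
};

// SSL Labs letter grades, best first.
const GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"];

// The hostname comes from an untrusted query string; validate it as RFC 1123
// labels before it is forwarded to the upstream API.
function isValidHostname(hostname) {
  if (typeof hostname !== "string" || hostname.length === 0 || hostname.length > 253) {
    return false;
  }
  return hostname
    .split(".")
    .every((label) => /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/.test(label));
}

// Mirrors the post's query parameters: checkcache=cache reuses a cached
// assessment (fromCache=on); otherwise a fresh one is started (startNew=on).
function buildAnalyzeUrl(hostname, useCache) {
  const url = new URL(SSLLABS_API);
  url.searchParams.set("host", hostname);
  url.searchParams.set("all", "done"); // include per-endpoint details (protocol list)
  url.searchParams.set(useCache ? "fromCache" : "startNew", "on");
  return url.toString();
}

function gradeMeetsMinimum(grade, minimum) {
  const got = GRADE_ORDER.indexOf(grade);
  const want = GRADE_ORDER.indexOf(minimum);
  return got !== -1 && want !== -1 && got <= want;
}

// Pure policy evaluation: returns a report the function can hand back to the
// caller or push to the SOC's alerting channel.
function evaluateTlsReport(report, policy = POLICY) {
  if (report.status !== "READY") {
    return { host: report.host, compliant: false,
             findings: [`assessment not finished (status ${report.status})`] };
  }
  const findings = [];
  for (const ep of report.endpoints || []) {
    const where = `${report.host} (${ep.ipAddress})`;
    if (ep.statusMessage !== "Ready") {
      findings.push(`${where}: ${ep.statusMessage}`);
      continue;
    }
    if (!gradeMeetsMinimum(ep.grade, policy.minimumGrade)) {
      findings.push(`${where}: grade ${ep.grade} is below ${policy.minimumGrade}`);
    }
    // details.protocols is only present when the request asked for all=done.
    for (const p of (ep.details && ep.details.protocols) || []) {
      const name = `${p.name} ${p.version}`;
      if (!policy.allowedProtocols.has(name)) {
        findings.push(`${where}: still offers ${name}`);
      }
    }
  }
  return { host: report.host, compliant: findings.length === 0, findings };
}

async function fetchAnalyze(url) {
  const res = await fetch(url); // global fetch, Node 18+
  if (!res.ok) throw new Error(`SSL Labs API returned HTTP ${res.status}`);
  return res.json();
}

// Handler in the shape of an AWS Lambda proxy integration (an assumption; the
// same logic ports to an Azure Functions HTTP trigger).
async function handler(event, analyze = fetchAnalyze) {
  const q = (event && event.queryStringParameters) || {};
  if (!isValidHostname(q.hostname)) {
    return { statusCode: 400, body: JSON.stringify({ error: "invalid or missing hostname" }) };
  }
  const report = await analyze(buildAnalyzeUrl(q.hostname, q.checkcache === "cache"));
  const result = evaluateTlsReport(report);
  return { statusCode: result.compliant ? 200 : 409, body: JSON.stringify(result) };
}

// Constructed sample in the shape of an SSL Labs v3 analyze() response (field
// names as assumed here): one endpoint is clean, the other still offers TLS 1.0
// and was graded B.
const SAMPLE_REPORT = {
  host: "example.test",
  status: "READY",
  endpoints: [
    { ipAddress: "203.0.113.10", statusMessage: "Ready", grade: "A+",
      details: { protocols: [{ id: 771, name: "TLS", version: "1.2" },
                             { id: 772, name: "TLS", version: "1.3" }] } },
    { ipAddress: "203.0.113.11", statusMessage: "Ready", grade: "B",
      details: { protocols: [{ id: 769, name: "TLS", version: "1.0" },
                             { id: 771, name: "TLS", version: "1.2" }] } },
  ],
};

console.log(JSON.stringify(evaluateTlsReport(SAMPLE_REPORT), null, 2));
```

Two caveats for a real deployment: the SSL Labs API returns status IN_PROGRESS on the first call for a host that is not cached, so a scheduled function needs to poll (or be re-triggered) until status is READY rather than fail the check, and the API is a third-party service with its own rate limits, so a timer-driven check should space hosts out rather than fan out all of them at once.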
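The "Possibilities" sketch above stops at naming the per-microservice risk metrics. As an added example (not code from the post or the repo), here is one way to turn those five metrics into a score that can be exposed to developers: each metric contributes points with a reason attached, and the total is mapped to a low/medium/high band. The weights, thresholds, band boundaries, and the three sample services are assumptions constructed for illustration.

```javascript
// Added example (not from the forum post or the secautomation repo): a
// per-microservice risk score built from the five metrics the post sketches.
// Weights, thresholds and bands are assumptions; tune them to your environment.

const SCORE_BANDS = [[0, "low"], [4, "medium"], [8, "high"]]; // [min score, band]

function scoreService(svc) {
  const factors = [];
  const add = (points, why) => factors.push({ points, why });

  // Instance count: a bigger fleet is a bigger blast radius and patch surface.
  if (svc.instanceCount >= 100) add(3, `${svc.instanceCount} instances`);
  else if (svc.instanceCount >= 10) add(1, `${svc.instanceCount} instances`);

  // Dependencies: every third-party package is supply-chain exposure.
  if (svc.dependencyCount >= 200) add(3, `${svc.dependencyCount} dependencies`);
  else if (svc.dependencyCount >= 50) add(1, `${svc.dependencyCount} dependencies`);

  // Connectivity to sensitive systems (PKI, secrets stores, identity).
  if (svc.sensitiveSystems.length > 0) add(3, `talks to ${svc.sensitiveSystems.join(", ")}`);

  // Internet accessibility: direct exposure outweighs proxied; none scores nothing.
  if (svc.internetAccess === "direct") add(3, "directly internet-accessible");
  else if (svc.internetAccess === "proxied") add(1, "internet-accessible through a proxy");

  // Account/subscription location: a sensitive account raises the stakes of compromise.
  if (svc.accountSensitive) add(2, `runs in sensitive account ${svc.account}`);

  const score = factors.reduce((sum, f) => sum + f.points, 0);
  const band = SCORE_BANDS.filter(([min]) => score >= min).pop()[1];
  return { service: svc.name, score, band, factors };
}

// Rank a whole inventory, riskiest first; this is what a periodic function
// would publish for developers to read.
function scoreInventory(services) {
  return services.map(scoreService).sort((a, b) => b.score - a.score);
}

// Constructed sample inventory (not real services).
const SAMPLE_SERVICES = [
  { name: "public-api", instanceCount: 300, dependencyCount: 240, sensitiveSystems: [],
    internetAccess: "direct", account: "prod-edge", accountSensitive: false },
  { name: "cert-issuer", instanceCount: 3, dependencyCount: 40, sensitiveSystems: ["internal-pki"],
    internetAccess: "none", account: "prod-security", accountSensitive: true },
  { name: "reporting-batch", instanceCount: 12, dependencyCount: 60, sensitiveSystems: [],
    internetAccess: "none", account: "prod-analytics", accountSensitive: false },
];

for (const r of scoreInventory(SAMPLE_SERVICES)) {
  console.log(`${r.service}: ${r.score} (${r.band}) <- ${r.factors.map((f) => f.why).join("; ")}`);
}
```

Keeping the reasons alongside the points is the part that matters for developers: a bare number invites argument, while "talks to internal-pki" and "240 dependencies" tell them which dial to turn.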

Interesting concept, thanks for posting.

The GitHub site would be better if there were instructions for use. I can figure it out by looking at the scripts and deciphering what they each do, but instructions in the readme would be nice.

Whipped this up quickly and got sent off on some travel. I’ll add some instructions. Thank you for the feedback.

[update … added instructions]


What about storing reports in a serverless cloud DB for long term review / trend analysis / etc?

Would you be interested in whipping up a serverless IR playbook to participate in the contest described here: Show off your security expertise--join our community-driven contest!?


Interesting thought. So far, I’ve mostly dabbled with serverless ‘compute’ architectures and their ‘security’ applications. There does seem to be a bit of talk around serverless DBs, but I haven’t got around to tinkering with them. On that note, I see a lot of promise in the use of ‘graph’ databases for security-related tasks, i.e., log analysis, IR timeline analysis, etc. Been working on a side project. Will share my findings soon.

Love the idea of a ‘serverless IR playbook’. Will put some ideas together (not sure if it is doable in the timeline for the contest; kind of on the road). Thanks for the challenge!

While we’re on the subject, it just struck me that building IR playbooks with ‘Phantom Cyber’ pretty much feels like serverless IR playbooks, except it’s much simpler (drag and drop, no code required, and lots of out-of-the-box integrations).

@nihalpasham
I should clarify, for the contest you don’t need to build out an actual downloadable, shareable piece of content. Those who participate need to design only the framework and the decision points of the IR use case. The contest is designed to only take a few minutes to gather as many IR use cases as possible before voting begins.

Cheers,
Emma

Got it. Thanks for the clarification.

Thanks for sharing! It’s useful.