Recently, I finally got into Raspberry Pi hobby-ism, with some free time I had. I had long ago purchased a copy of Matt Timmons-Brown's "Learn Robotics With Raspberry Pi", intending to go through it at some point with a Pi 4 kit that a good friend gifted me one year. Halfway through the book, I've had to adjust many of the tutorials to the fact that the newer version of Raspberry Pi OS has made some breaking changes since it was called Raspbian. A major development was that Linux has since released a native driver for the Bluetooth Nintendo controllers that works with the Linux Input subsystem as an HID. Unfortunately, the chapter in the book was written for an older python3-wiimote library that attempts to communicate via the raw BT protocol, and has very limited controller support: it was not compatible with my newer Wiimotes for the Wii-U. As a result, I had to learn this standard interface, via the Python evdev package, and adapt the exercises in Chapter 4 to Linux HID and evdev.
Another post discussing Rust today. Two of the more convenient features within Rust are the Option and the Result enum types. Writing a lot of code that aggressively utilizes these in place of "bad thing happened!" values unlocks a lot of cool features in Rust. I'd like to take a moment to discuss the Result.ok() method, and also the Iterator.filter_map() method.
Back in October, as some of you might be aware, I moved out of daily ops and CTI analysis. Since then, I’ve been working on two projects that are being developed in Rust and
Recently, I found myself wanting to host a demonstration of OpenCTI on a single VM. As the system requirements for it are significant, and this is mostly a toy deployment, I decided to save costs (and accept lower availability) by using an AWS Spot Request to host the entire instance. I wanted it to still be reachable from a dedicated domain name, but AWS Spot Requests will receive a new public IP when recycled, which meant having to update the associated resource record in Route53. I'll discuss how I use the AWS CLI tool to create a systemd start-up script to update the DNS record with the correct IP address when the VM boots up.
The MISP Project is a popular cyber threat intel (CTI) database that has a very active user and development community. Among its features, one that has helped adoption a lot is the ease with which MISP administrators can synchronize their data set with other MISP deployments, as well as with many other data sets served in the STIX structured interchange format standard. In an effort to adopt some more tools common in today's CTI ecosystem, I set out to host MISP using some of the serverless features offered via AWS. It turned out to be significantly easier than I anticipated, so here is my story.
Earlier this year, AWS made available a new feature named "Traffic Mirroring" to their customers. This feature is available on any compute workload that is built using the new AWS Nitro System (link contains supported EC2 instance types). It is a really interesting feature, and as such I've wanted to try it out, as network traffic inspection and collection is notoriously challenging in the AWS cloud environment.
The next objective I want to deliver is to allow the code I will be enabling to access the infrastructure I just put together in Malware Analysis Pipeline in AWS (part 0). You see, AWS instances that execute code typically initialize in an unprivileged (and, in the case of Lambda, isolated) state. This means that, if I want these components actually working together, I will need to do additional work to grant them permission to interact with one another.
Many months ago, I purchased some of the following "Hardware Security Key" devices:
Lately I've been teaching myself AWS, as becoming "Cloud Native" is becoming a very popular strategy. During a few presentations, I've shared the benefits of maintaining a "Malware Zoo" for my team. One good example is my Malware Analysis on a Budget talk. The premise is relatively simple: any security team needs a repository for long-term and organized archiving of malware. Over time, teams adopt or develop many analysis tools that take malware samples as input and output analysis. I'd like to share some of my experiments in adapting this approach to an AWS "server-less" architecture.
Welcome traveler! I have finally decided to put together a blog to begin sharing more of my work and discoveries with all of you. This blog will typically lean more toward the geek / computer science / cyber security range of topics.